Cannot use SSH to fetch advisory DB #412

Closed
jbg opened this issue Mar 30, 2022 · 4 comments · Fixed by #426
Labels
bug Something isn't working

Comments

@jbg
Contributor

jbg commented Mar 30, 2022

Describe the bug
If an SSH Git URL is provided for the advisory DB, cargo-deny exits with "error: advisory database url is not https".

To Reproduce
Steps to reproduce the behavior:

  1. Set something like db-urls = ["ssh://git@git.yourcompany.com/yourcompany/rustsec-advisory-db.git"] in deny.toml
  2. Run cargo deny
  3. See error

Expected behavior
The advisory DB was cloned over SSH.

Additional context
The check is here: https://github.com/EmbarkStudios/cargo-deny/blob/main/src/advisories/cfg.rs#L131

This crate seems to delegate cloning Git repositories to the git2 crate (update: or, since #420, optionally the Git executable) so I see no reason why the SSH clone would not work if this check was removed.

jbg added the bug label (Something isn't working) Mar 30, 2022
@Jake-Shadle
Member

That code was added specifically because rustsec doesn't support non-https urls. Please file an issue on rustsec if you want this supported in cargo-deny.

@jbg
Contributor Author

jbg commented May 19, 2022

I don't really understand this, because cargo-deny seems to do the cloning itself and pass the git repository as a local filesystem path to rustsec, so rustsec only sees a local path, never the actual URL (whether SSH or HTTPS).

A quick search of this repo doesn't seem to turn up any place where the rustsec method you linked (Repository::fetch()) is called — Repository::open() is used instead, with the local path.

Can you clarify why rustsec's limitation is relevant here?

@jbg
Contributor Author

jbg commented May 19, 2022

With the check removed, I'm able to clone an advisory DB over SSH without any problem. I opened #426 to remove the check.

@Jake-Shadle
Member

Sorry, had closed this issue before I did #422 but had vaguely remembered it since I included ssh (https://github.com/EmbarkStudios/cargo-deny/pull/422/files#diff-ec77dabc8549946f0798d5f19ef476febb6891063bda87f22a42223d10543937R219) as a valid scheme.
