J4YB3 / discord-movie-night-bot

A discord bot for managing movies and deciding on which movie should be watched next.

Fix potentially vulnerable dependencies #60

Open JulianDroste opened 1 year ago

JulianDroste commented 1 year ago

I just ran cargo audit on the cargo.toml with the following output:

Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
├── websocket 0.18.0
│   └── discord 0.9.0
│       └── discord_movie_night 0.1.0
├── hyper-native-tls 0.3.0
│   └── discord 0.9.0
└── discord 0.9.0

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     hyper
Version:   0.12.36
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.12.36
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
└── hyper-tls 0.3.2
    └── reqwest 0.9.24

Crate:     hyper
Version:   0.12.36
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     rustc-serialize
Version:   0.3.24
Title:     Stack overflow in rustc_serialize when parsing deeply nested JSON
Date:      2022-01-01
ID:        RUSTSEC-2022-0004
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0004
Solution:  No fixed upgrade is available!
Dependency tree:
rustc-serialize 0.3.24
└── websocket 0.18.0
    └── discord 0.9.0
        └── discord_movie_night 0.1.0

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
├── hyper 0.12.36
│   ├── reqwest 0.9.24
│   └── hyper-tls 0.3.2
│       └── reqwest 0.9.24
├── hyper 0.10.16
│   ├── websocket 0.18.0
│   │   └── discord 0.9.0
│   │       └── discord_movie_night 0.1.0
│   ├── hyper-native-tls 0.3.0
│   │   └── discord 0.9.0
│   └── discord 0.9.0
├── cookie_store 0.7.0
│   └── reqwest 0.9.24
├── cookie 0.12.0
│   ├── reqwest 0.9.24
│   └── cookie_store 0.7.0
└── chrono 0.4.24
    ├── discord_movie_night 0.1.0
    └── discord 0.9.0

Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
└── hyper 0.12.36
    ├── reqwest 0.9.24
    └── hyper-tls 0.3.2
        └── reqwest 0.9.24

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Severity:  9.8 (critical)
Dependency tree:
failure 0.1.8
└── cookie_store 0.7.0
    └── reqwest 0.9.24
        └── tmdb 3.0.0
            └── discord_movie_night 0.1.0

Crate:     net2
Version:   0.2.38
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.38
├── websocket 0.18.0
│   └── discord 0.9.0
│       └── discord_movie_night 0.1.0
├── miow 0.2.2
│   └── mio 0.6.23
│       ├── tokio-tcp 0.1.4
│       │   ├── tokio 0.1.22
│       │   │   ├── reqwest 0.9.24
│       │   │   │   └── tmdb 3.0.0
│       │   │   │       └── discord_movie_night 0.1.0
│       │   │   └── hyper 0.12.36
│       │   │       ├── reqwest 0.9.24
│       │   │       └── hyper-tls 0.3.2
│       │   │           └── reqwest 0.9.24
│       │   └── hyper 0.12.36
│       ├── tokio-reactor 0.1.12
│       │   ├── tokio-tcp 0.1.4
│       │   ├── tokio 0.1.22
│       │   └── hyper 0.12.36
│       └── tokio 0.1.22
├── mio 0.6.23
└── hyper 0.12.36

Crate:     sodiumoxide
Version:   0.2.7
Warning:   unmaintained
Title:     sodiumoxide is deprecated
Date:      2021-10-22
ID:        RUSTSEC-2021-0137
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0137
Dependency tree:
sodiumoxide 0.2.7
└── discord 0.9.0
    └── discord_movie_night 0.1.0

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
└── hyper 0.10.16
    ├── websocket 0.18.0
    │   └── discord 0.9.0
    │       └── discord_movie_night 0.1.0
    ├── hyper-native-tls 0.3.0
    │   └── discord 0.9.0
    └── discord 0.9.0

Crate:     crossbeam-utils
Version:   0.7.2
Warning:   unsound
Title:     Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
Date:      2022-02-05
ID:        RUSTSEC-2022-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0041
Dependency tree:
crossbeam-utils 0.7.2
├── tokio-timer 0.2.13
│   ├── tokio 0.1.22
│   │   ├── reqwest 0.9.24
│   │   │   └── tmdb 3.0.0
│   │   │       └── discord_movie_night 0.1.0
│   │   └── hyper 0.12.36
│   │       ├── reqwest 0.9.24
│   │       └── hyper-tls 0.3.2
│   │           └── reqwest 0.9.24
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── tokio-threadpool 0.1.18
│   ├── tokio 0.1.22
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── tokio-reactor 0.1.12
│   ├── tokio-tcp 0.1.4
│   │   ├── tokio 0.1.22
│   │   └── hyper 0.12.36
│   ├── tokio 0.1.22
│   └── hyper 0.12.36
├── tokio-executor 0.1.10
│   ├── tokio-timer 0.2.13
│   ├── tokio-threadpool 0.1.18
│   ├── tokio-reactor 0.1.12
│   ├── tokio-current-thread 0.1.7
│   │   └── tokio 0.1.22
│   ├── tokio 0.1.22
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── crossbeam-queue 0.2.3
│   └── tokio-threadpool 0.1.18
├── crossbeam-epoch 0.8.2
│   └── crossbeam-deque 0.7.4
│       └── tokio-threadpool 0.1.18
└── crossbeam-deque 0.7.4

Crate:     failure
Version:   0.1.8
Warning:   unsound
Title:     Type confusion if __private_get_type_id__ is overridden
Date:      2019-11-13
ID:        RUSTSEC-2019-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0036
Severity:  9.8 (critical)

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     hyper
Version:   0.12.36
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     lock_api
Version:   0.3.4
Warning:   unsound
Title:     Some lock_api lock guard objects can cause data races
Date:      2020-11-08
ID:        RUSTSEC-2020-0070
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0070
Dependency tree:
lock_api 0.3.4
└── parking_lot 0.9.0
    └── tokio-reactor 0.1.12
        ├── tokio-tcp 0.1.4
        │   ├── tokio 0.1.22
        │   │   ├── reqwest 0.9.24
        │   │   │   └── tmdb 3.0.0
        │   │   │       └── discord_movie_night 0.1.0
        │   │   └── hyper 0.12.36
        │   │       ├── reqwest 0.9.24
        │   │       └── hyper-tls 0.3.2
        │   │           └── reqwest 0.9.24
        │   └── hyper 0.12.36
        ├── tokio 0.1.22
        └── hyper 0.12.36

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 7 vulnerabilities found!
warning: 10 allowed warnings found

This mainly affects the crates tmdb and discord. I'll raise issues with those teams as well, but I just wanted to let you know. I can only recommend regularly checking your dependencies, e.g. via GH Actions.
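One way to set up the regular dependency check suggested above, as an added example that is not part of this repository or of the comment: a GitHub Actions workflow that runs cargo audit on every change to the manifest or lockfile and once a week on a schedule, so that newly published RUSTSEC advisories against already-pinned versions are still caught. The workflow name, job name and cron schedule are assumptions chosen for illustration.

```yaml
# Added example (not the repository's own workflow): run cargo audit in CI.
# Workflow name, job name and schedule are illustrative choices.
name: cargo-audit

on:
  push:
    paths:
      - "Cargo.toml"
      - "Cargo.lock"
  pull_request:
    paths:
      - "Cargo.toml"
      - "Cargo.lock"
  schedule:
    # Re-check weekly even when nothing changed: advisories are published
    # against versions that are already pinned in Cargo.lock.
    - cron: "0 6 * * 1"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The Ubuntu runner image ships a stable Rust toolchain; install the
      # audit tool from crates.io using its own committed lockfile.
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      # Exits non-zero on any vulnerability. "--deny warnings" also turns the
      # unmaintained/unsound/yanked findings (reported above as "allowed
      # warnings") into failures instead of informational output.
      - name: Audit dependencies
        run: cargo audit --deny warnings
```

For an advisory that has no fixed upgrade yet, such as RUSTSEC-2022-0004 above, `cargo audit --ignore RUSTSEC-2022-0004` records that specific accepted risk in the workflow while keeping the job failing on everything else; that is preferable to dropping `--deny warnings` or disabling the check, because the ignore list stays visible in version control and can be removed once a fixed version of the crate is pulled in.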

JulianDroste commented 1 year ago

Additionally, consider running cargo clippy to further improve the code.

JulianDroste commented 1 year ago

Related: https://gitlab.com/Cir0X/tmdb-rs/-/issues/5