MindFlavor / prometheus_wireguard_exporter

A Prometheus exporter for WireGuard, written in Rust.
https://mindflavor.github.io/prometheus_wireguard_exporter
MIT License

cargo audit flagging some known vulnerabilities #122

Open iamasmith opened 3 months ago

iamasmith commented 3 months ago

Thanks for putting in the effort to create this btw, I really appreciate it. I actually got a link to this when I was beginning to design my own exporter and was looking at comparative ways of naming and labelling the metrics to be most in keeping with other similar metrics. I saw this, and it had all the tests in place, and pretty much matched what I was going to do anyway. Plus I get another language to study, which is good 👍

The build does seem to work fine for me after a full cargo update for all packages, but I'm only using it on a very specific OS/arch, so a broad update probably needs full tests. But today when I ran cargo audit prior to updating I got...

prometheus_wireguard_exporter % cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /Users/andrews/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (121 crate dependencies)
Crate:     mio
Version:   0.8.5
Title:     Tokens for named pipes may be delivered after deregistration
Date:      2024-03-04
ID:        RUSTSEC-2024-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0019
Solution:  Upgrade to >=0.8.11
Dependency tree:
mio 0.8.5
└── tokio 1.22.0
    ├── tokio-rustls 0.23.4
    │   └── hyper-rustls 0.23.1
    │       └── prometheus_exporter_base 1.4.0
    │           └── prometheus_wireguard_exporter 3.6.6
    ├── prometheus_wireguard_exporter 3.6.6
    ├── hyper-rustls 0.23.1
    └── hyper 0.14.23
        ├── prometheus_wireguard_exporter 3.6.6
        ├── prometheus_exporter_base 1.4.0
        └── hyper-rustls 0.23.1

Crate:     tokio
Version:   1.22.0
Title:     reject_remote_clients Configuration corruption
Date:      2023-01-04
ID:        RUSTSEC-2023-0001
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0001
Solution:  Upgrade to >=1.18.4, <1.19.0 OR >=1.20.3, <1.21.0 OR >=1.23.1
Dependency tree:
tokio 1.22.0
├── tokio-rustls 0.23.4
│   └── hyper-rustls 0.23.1
│       └── prometheus_exporter_base 1.4.0
│           └── prometheus_wireguard_exporter 3.6.6
├── prometheus_wireguard_exporter 3.6.6
├── hyper-rustls 0.23.1
└── hyper 0.14.23
    ├── prometheus_wireguard_exporter 3.6.6
    ├── prometheus_exporter_base 1.4.0
    └── hyper-rustls 0.23.1

Crate:     webpki
Version:   0.22.0
Title:     webpki: CPU denial of service in certificate path building
Date:      2023-08-22
ID:        RUSTSEC-2023-0052
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0052
Severity:  7.5 (high)
Solution:  Upgrade to >=0.22.2
Dependency tree:
webpki 0.22.0
├── tokio-rustls 0.23.4
│   └── hyper-rustls 0.23.1
│       └── prometheus_exporter_base 1.4.0
│           └── prometheus_wireguard_exporter 3.6.6
└── rustls 0.20.7
    ├── tokio-rustls 0.23.4
    └── hyper-rustls 0.23.1

Crate:     term
Version:   0.5.2
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2
└── clippy 0.0.302
    └── prometheus_wireguard_exporter 3.6.6

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── env_logger 0.9.3
│   ├── prometheus_wireguard_exporter 3.6.6
│   └── prometheus_exporter_base 1.4.0
│       └── prometheus_wireguard_exporter 3.6.6
└── clap 4.0.26
    └── prometheus_wireguard_exporter 3.6.6

Crate:     tokio
Version:   1.22.0
Warning:   unsound
Title:     `tokio::io::ReadHalf<T>::unsplit` is Unsound
Date:      2023-01-11
ID:        RUSTSEC-2023-0005
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0005

Crate:     crossbeam-utils
Version:   0.8.13
Warning:   yanked
Dependency tree:
crossbeam-utils 0.8.13
└── rust-argon2 0.8.3
    └── redox_users 0.3.5
        └── dirs 1.0.5
            └── term 0.5.2
                └── clippy 0.0.302
                    └── prometheus_wireguard_exporter 3.6.6

error: 3 vulnerabilities found!
warning: 4 allowed warnings found
prometheus_wireguard_exporter % 
iamasmith commented 3 months ago

Following the update (which builds and runs fine for me), it just flags the two unmaintained deps.

prometheus_wireguard_exporter % cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /Users/andrews/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (145 crate dependencies)
Crate:     term
Version:   0.5.2
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2
└── clippy 0.0.302
    └── prometheus_wireguard_exporter 3.6.6

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.9.3
    ├── prometheus_wireguard_exporter 3.6.6
    └── prometheus_exporter_base 1.4.0
        └── prometheus_wireguard_exporter 3.6.6

warning: 2 allowed warnings found
prometheus_wireguard_exporter %
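As an added example (not code from the project, from cargo-audit, or from the thread), here is a small POSIX shell helper that triages a `cargo audit` report of the shape pasted in the two runs above: it splits findings into vulnerabilities and warnings, prints the `cargo update -p` invocation for each vulnerable crate together with the advisory's upgrade range, and applies a deny policy to the remaining warnings so the result can gate a CI job. The two report texts it runs on are constructed here to mirror the before/after runs in this thread (dependency-tree lines abbreviated); the function names and the `vuln` kind label are this example's own.

```shell
#!/bin/sh
# Triage helper for `cargo audit` text reports. Added example, not part of
# prometheus_wireguard_exporter or cargo-audit. Assumes the report layout seen
# in this thread: a record starts with "Crate:", carries "Version:", an
# optional "Warning:", "ID:" and "Solution:" line, and records are separated
# by blank lines. Everything else (tree lines, summary lines) is ignored.

# sample_report: constructed text mirroring the first run in the thread.
sample_report() {
  cat <<'EOF'
    Scanning Cargo.lock for vulnerabilities (121 crate dependencies)
Crate:     mio
Version:   0.8.5
Title:     Tokens for named pipes may be delivered after deregistration
ID:        RUSTSEC-2024-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0019
Solution:  Upgrade to >=0.8.11
Dependency tree:
mio 0.8.5
└── tokio 1.22.0

Crate:     tokio
Version:   1.22.0
Title:     reject_remote_clients Configuration corruption
ID:        RUSTSEC-2023-0001
Solution:  Upgrade to >=1.18.4, <1.19.0 OR >=1.20.3, <1.21.0 OR >=1.23.1

Crate:     term
Version:   0.5.2
Warning:   unmaintained
ID:        RUSTSEC-2018-0015

Crate:     atty
Version:   0.2.14
Warning:   unsound
ID:        RUSTSEC-2021-0145

Crate:     crossbeam-utils
Version:   0.8.13
Warning:   yanked

error: 2 vulnerabilities found!
warning: 3 allowed warnings found
EOF
}

# sample_report_after: constructed text mirroring the post-update run.
sample_report_after() {
  cat <<'EOF'
Crate:     term
Version:   0.5.2
Warning:   unmaintained
ID:        RUSTSEC-2018-0015

Crate:     atty
Version:   0.2.14
Warning:   unsound
ID:        RUSTSEC-2021-0145

warning: 2 allowed warnings found
EOF
}

# parse_report: report on stdin -> one tab-separated line per record:
#   kind  crate  version  id  solution
# kind is "vuln" when no Warning: line is present, else the warning kind
# (unmaintained, unsound, yanked). Missing fields are written as "-".
parse_report() {
  awk '
    function flush() {
      if (crate != "")
        printf "%s\t%s\t%s\t%s\t%s\n", (warn == "" ? "vuln" : warn), crate, ver,
               (id == "" ? "-" : id), (sol == "" ? "-" : sol)
      crate = ""; ver = ""; id = ""; sol = ""; warn = ""
    }
    /^Crate:/    { flush(); crate = $2 }
    /^Version:/  { ver = $2 }
    /^Warning:/  { warn = $2 }
    /^ID:/       { id = $2 }
    /^Solution:/ { sub(/^Solution:[ \t]*/, ""); sol = $0 }
    END { flush() }'
}

# update_commands: for each vulnerability, the cargo invocation that refreshes
# that crate within the semver range Cargo.toml (and its dependents) allow.
update_commands() {
  parse_report | awk -F'\t' '$1 == "vuln" {
    printf "cargo update -p %s@%s   # %s: %s\n", $2, $3, $4, $5 }'
}

# audit_gate [denied-kinds]: exit 1 on any vulnerability, 2 on a warning whose
# kind is in the space-separated deny list (default "unsound yanked"), else 0.
audit_gate() {
  deny="${1:-unsound yanked}"
  parse_report | awk -F'\t' -v deny="$deny" '
    BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) denied[d[i]] = 1 }
    $1 == "vuln" { vulns++ }
    $1 != "vuln" { if ($1 in denied) bad++; else allowed++ }
    END {
      printf "vulnerabilities=%d denied_warnings=%d allowed_warnings=%d\n", vulns, bad, allowed
      exit (vulns > 0 ? 1 : (bad > 0 ? 2 : 0))
    }'
}

# Stand-alone run: suggested commands, then the gate verdict for both reports.
sample_report | update_commands
sample_report | audit_gate "unsound yanked" || echo "gate before update: exit $?"
sample_report_after | audit_gate "unsound yanked" || echo "gate after update: exit $?"
```

On a live checkout the same gate is `cargo audit --deny unsound --deny yanked` (cargo-audit treats warnings as non-fatal unless `--deny` names them, which is why the runs above report "allowed warnings"). Two caveats worth keeping in mind when reading the second run: `cargo update` only moves a crate within the version ranges already declared by its dependents, so a warning that survives it (here `atty`, still reached through `env_logger 0.9.3`) needs a semver-incompatible bump in Cargo.toml rather than a lockfile refresh; and the gate's exit status 2 on `atty` reflects a policy choice, since an unsound advisory in a terminal-detection crate is a very different risk from the tokio and webpki advisories that the update removed.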