bheisler / criterion.rs

Statistics-driven benchmarking library for Rust
Apache License 2.0
4.54k stars, 301 forks

change rayon dependency from rayon = "1.3" to rayon = "1.5" #559

Open cHiv0rz opened 2 years ago

cHiv0rz commented 2 years ago

I use trivy to check vulnerabilities on my dockers once they are built. One of them that I'm trying to create is with ansible, and trivy raised a critical alert on base64-1.3.0 (screenshot attached).

Following the change, I realized that the requirement comes from a dependency of criterion, Rayon 1.3. Rayon 1.3 has a dependency on crossbeam-deque 0.7.3, and this version has a CVE.

Rayon 1.5.0 started using the patched crossbeam-deque 0.8.0, so could you upgrade to this new version?

rukai commented 2 years ago

A cargo update on your side should fix the issue for you. It's not the responsibility of a library to update its dependencies unless there is an actual major version change.

cHiv0rz commented 2 years ago

It's not my library, the library is base64, which is actually used by so many projects. I cannot update the library because it still requires the criterion library, and the latest version of that library is 0.3.5, which depends on rayon 1.3, the library that has the dependency on a library that has the CVE.

As I said, rayon has a new version that uses the fixed version of crossbeam-deque. It was changed here. I think a CVE is a good reason to update a library.

rukai commented 2 years ago

I think you are misunderstanding how cargo dependencies work. When a Cargo.toml specifies a dependency like rayon = "1.3", or in this case rayon = { version = "1.3", optional = true }, that means the library is compatible with any version of rayon >= 1.3.0 and < 2.0.0. It works like this because of the guarantees given by semantic versioning: https://semver.org/

As a result any project that uses criterion can freely choose the version of the rayon dependency as long as the version is >= 1.3.0 and < 2.0.0. The version of rayon might be locked to an older version in the Cargo.lock, but that can be updated by running cargo update.

You can demonstrate that the base64 crate is not tied to rayon 1.3 by doing the following:

rukai@memes foo$ git clone https://github.com/marshallpierce/rust-base64
Cloning into 'rust-base64'...
remote: Enumerating objects: 1705, done.
remote: Counting objects: 100% (149/149), done.
remote: Compressing objects: 100% (102/102), done.
remote: Total 1705 (delta 63), reused 97 (delta 40), pack-reused 1556
Receiving objects: 100% (1705/1705), 507.50 KiB | 6.19 MiB/s, done.
Resolving deltas: 100% (980/980), done.
rukai@memes foo$ cd rust-base64/
rukai@memes rust-base64$ cargo tree
    Updating crates.io index
  Downloaded autocfg v0.1.8
  Downloaded rstest_reuse v0.1.3
  Downloaded rstest v0.11.0
  Downloaded 3 crates (929.5 KB) in 1.74s
base64 v0.20.0-alpha.1 (/home/rukai/Foo/foo/rust-base64)
[dev-dependencies]
├── criterion v0.3.5
│   ├── atty v0.2.14
│   │   └── libc v0.2.119
│   ├── cast v0.2.7
│   │   [build-dependencies]
│   │   └── rustc_version v0.4.0
│   │       └── semver v1.0.6
│   ├── clap v2.34.0
│   │   ├── ansi_term v0.12.1
│   │   ├── atty v0.2.14 (*)
│   │   ├── bitflags v1.3.2
│   │   ├── strsim v0.8.0
│   │   ├── textwrap v0.11.0
│   │   │   └── unicode-width v0.1.9
│   │   ├── unicode-width v0.1.9
│   │   └── vec_map v0.8.2
│   ├── criterion-plot v0.4.4
│   │   ├── cast v0.2.7 (*)
│   │   └── itertools v0.10.3
│   │       └── either v1.6.1
│   ├── csv v1.1.6
│   │   ├── bstr v0.2.17
│   │   │   ├── lazy_static v1.4.0
│   │   │   ├── memchr v2.4.1
│   │   │   ├── regex-automata v0.1.10
│   │   │   └── serde v1.0.136
│   │   ├── csv-core v0.1.10
│   │   │   └── memchr v2.4.1
│   │   ├── itoa v0.4.8
│   │   ├── ryu v1.0.9
│   │   └── serde v1.0.136
│   ├── itertools v0.10.3 (*)
│   ├── lazy_static v1.4.0
│   ├── num-traits v0.2.14
│   │   [build-dependencies]
│   │   └── autocfg v1.1.0
│   ├── oorandom v11.1.3
│   ├── plotters v0.3.1
│   │   ├── num-traits v0.2.14 (*)
│   │   ├── plotters-backend v0.3.2
│   │   └── plotters-svg v0.3.1
│   │       └── plotters-backend v0.3.2
│   ├── rayon v1.5.1
│   │   ├── crossbeam-deque v0.8.1
│   │   │   ├── cfg-if v1.0.0
│   │   │   ├── crossbeam-epoch v0.9.7
│   │   │   │   ├── cfg-if v1.0.0
│   │   │   │   ├── crossbeam-utils v0.8.7
│   │   │   │   │   ├── cfg-if v1.0.0
│   │   │   │   │   └── lazy_static v1.4.0
│   │   │   │   ├── lazy_static v1.4.0
│   │   │   │   ├── memoffset v0.6.5
│   │   │   │   │   [build-dependencies]
│   │   │   │   │   └── autocfg v1.1.0
│   │   │   │   └── scopeguard v1.1.0
│   │   │   └── crossbeam-utils v0.8.7 (*)
│   │   ├── either v1.6.1
│   │   └── rayon-core v1.9.1
│   │       ├── crossbeam-channel v0.5.2
│   │       │   ├── cfg-if v1.0.0
│   │       │   └── crossbeam-utils v0.8.7 (*)
│   │       ├── crossbeam-deque v0.8.1 (*)
│   │       ├── crossbeam-utils v0.8.7 (*)
│   │       ├── lazy_static v1.4.0
│   │       └── num_cpus v1.13.1
│   │           └── libc v0.2.119
│   │   [build-dependencies]
│   │   └── autocfg v1.1.0
│   ├── regex v1.5.4
│   │   └── regex-syntax v0.6.25
│   ├── serde v1.0.136
│   ├── serde_cbor v0.11.2
│   │   ├── half v1.8.2
│   │   └── serde v1.0.136
│   ├── serde_derive v1.0.136 (proc-macro)
│   │   ├── proc-macro2 v1.0.36
│   │   │   └── unicode-xid v0.2.2
│   │   ├── quote v1.0.15
│   │   │   └── proc-macro2 v1.0.36 (*)
│   │   └── syn v1.0.86
│   │       ├── proc-macro2 v1.0.36 (*)
│   │       ├── quote v1.0.15 (*)
│   │       └── unicode-xid v0.2.2
│   ├── serde_json v1.0.79
│   │   ├── itoa v1.0.1
│   │   ├── ryu v1.0.9
│   │   └── serde v1.0.136
│   ├── tinytemplate v1.2.1
│   │   ├── serde v1.0.136
│   │   └── serde_json v1.0.79 (*)
│   └── walkdir v2.3.2
│       └── same-file v1.0.6
├── rand v0.6.5
│   ├── libc v0.2.119
│   ├── rand_chacha v0.1.1
│   │   └── rand_core v0.3.1
│   │       └── rand_core v0.4.2
│   │   [build-dependencies]
│   │   └── autocfg v0.1.8
│   │       └── autocfg v1.1.0
│   ├── rand_core v0.4.2
│   ├── rand_hc v0.1.0
│   │   └── rand_core v0.3.1 (*)
│   ├── rand_isaac v0.1.1
│   │   └── rand_core v0.3.1 (*)
│   ├── rand_jitter v0.1.4
│   │   └── rand_core v0.4.2
│   ├── rand_os v0.1.3
│   │   ├── libc v0.2.119
│   │   └── rand_core v0.4.2
│   ├── rand_pcg v0.1.2
│   │   └── rand_core v0.4.2
│   │   [build-dependencies]
│   │   └── autocfg v0.1.8 (*)
│   └── rand_xorshift v0.1.1
│       └── rand_core v0.3.1 (*)
│   [build-dependencies]
│   └── autocfg v0.1.8 (*)
├── rstest v0.11.0 (proc-macro)
│   ├── cfg-if v1.0.0
│   ├── proc-macro2 v1.0.36 (*)
│   ├── quote v1.0.15 (*)
│   └── syn v1.0.86 (*)
│   [build-dependencies]
│   └── rustc_version v0.4.0 (*)
├── rstest_reuse v0.1.3 (proc-macro)
│   ├── quote v1.0.15 (*)
│   └── syn v1.0.86 (*)
│   [build-dependencies]
│   └── rustc_version v0.3.3
│       └── semver v0.11.0
│           └── semver-parser v0.10.2
│               └── pest v2.1.3
│                   └── ucd-trie v0.1.3
└── structopt v0.3.26
    ├── clap v2.34.0 (*)
    ├── lazy_static v1.4.0
    └── structopt-derive v0.4.18 (proc-macro)
        ├── heck v0.3.3
        │   └── unicode-segmentation v1.9.0
        ├── proc-macro-error v1.0.4
        │   ├── proc-macro-error-attr v1.0.4 (proc-macro)
        │   │   ├── proc-macro2 v1.0.36 (*)
        │   │   └── quote v1.0.15 (*)
        │   │   [build-dependencies]
        │   │   └── version_check v0.9.4
        │   ├── proc-macro2 v1.0.36 (*)
        │   ├── quote v1.0.15 (*)
        │   └── syn v1.0.86 (*)
        │   [build-dependencies]
        │   └── version_check v0.9.4
        ├── proc-macro2 v1.0.36 (*)
        ├── quote v1.0.15 (*)
        └── syn v1.0.86 (*)
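
The comment above describes Cargo's default ("caret") requirement rule and what cargo update does with it. The following is an added, stand-alone model of that rule, not code from criterion, rayon or cargo (cargo itself uses the semver crate, whose behaviour this reproduces for plain numeric versions; pre-release tags are not handled). The list of rayon releases and the crossbeam-deque requirement string "0.7.3" are constructed for the illustration.

```rust
// Added example: a minimal model of Cargo's default "caret" requirement and of
// what `cargo update` does with it. Not criterion's, rayon's or cargo's code;
// cargo uses the `semver` crate, whose rules this reproduces for plain numeric
// versions only (pre-release tags and build metadata are not handled).

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    pub fn new(major: u64, minor: u64, patch: u64) -> Version {
        Version { major, minor, patch }
    }

    /// Parse a full "x.y.z" version; anything else is rejected.
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let v = Version::new(it.next()??, it.next()??, it.next()??);
        if it.next().is_some() {
            return None;
        }
        Some(v)
    }
}

/// The half-open range `[lower, upper)` that a caret requirement selects.
#[derive(Debug, PartialEq, Eq)]
pub struct CaretReq {
    pub lower: Version,
    pub upper: Version,
}

impl CaretReq {
    /// Parse a Cargo.toml requirement such as "1.3", "^1.3", "0.7.3" or "0".
    /// Missing components count as 0 for the lower bound; the upper bound is
    /// the next "breaking" version: the leftmost non-zero component may not change.
    pub fn parse(req: &str) -> Option<CaretReq> {
        let mut parts = req.trim().trim_start_matches('^').split('.');
        let major: u64 = parts.next()?.parse().ok()?;
        let minor: Option<u64> = match parts.next() {
            None => None,
            Some(p) => Some(p.parse().ok()?),
        };
        let patch: Option<u64> = match parts.next() {
            None => None,
            Some(p) => Some(p.parse().ok()?),
        };
        if parts.next().is_some() {
            return None;
        }
        let lower = Version::new(major, minor.unwrap_or(0), patch.unwrap_or(0));
        let upper = if major > 0 {
            Version::new(major + 1, 0, 0) // "1.3" -> < 2.0.0
        } else {
            match (minor, patch) {
                (None, _) => Version::new(1, 0, 0),                 // "0"     -> < 1.0.0
                (Some(n), _) if n > 0 => Version::new(0, n + 1, 0), // "0.7.3" -> < 0.8.0
                (Some(_), None) => Version::new(0, 1, 0),           // "0.0"   -> < 0.1.0
                (Some(_), Some(p)) => Version::new(0, 0, p + 1),    // "0.0.5" -> < 0.0.6
            }
        };
        Some(CaretReq { lower, upper })
    }

    pub fn matches(&self, v: Version) -> bool {
        self.lower <= v && v < self.upper
    }
}

/// What `cargo update` does for one dependency: of the versions that exist in
/// the index, pick the newest one the requirement allows, regardless of what
/// Cargo.lock currently holds.
pub fn resolve_newest(req: &str, available: &[Version]) -> Option<Version> {
    let req = CaretReq::parse(req)?;
    available.iter().copied().filter(|ver| req.matches(*ver)).max()
}

fn v(s: &str) -> Version {
    Version::parse(s).expect("valid version")
}

fn main() {
    // criterion's `rayon = "1.3"` admits any 1.x release from 1.3.0 on.
    let rayon_req = CaretReq::parse("1.3").unwrap();
    for &s in &["1.2.9", "1.3.0", "1.5.1", "2.0.0"] {
        println!("rayon = \"1.3\" accepts {}: {}", s, rayon_req.matches(v(s)));
    }
    // Constructed index: the rayon releases we pretend exist on crates.io.
    let rayon_index = [v("1.3.0"), v("1.4.0"), v("1.5.0"), v("1.5.1"), v("2.0.0")];
    println!("cargo update picks rayon {:?}", resolve_newest("1.3", &rayon_index));
    // A 0.x requirement is narrower: a crossbeam-deque "0.7.3" requirement
    // (string assumed for rayon 1.3) can never reach the patched 0.8.x by
    // `cargo update`; only moving to rayon 1.5, which requires 0.8, gets it,
    // and that move is already allowed by criterion's "1.3".
    let deque_req = CaretReq::parse("0.7.3").unwrap();
    println!("crossbeam-deque = \"0.7.3\" accepts 0.8.0: {}", deque_req.matches(v("0.8.0")));
}
```

The 0.x branch is the part worth noting for this issue: rayon 1.3 could not have been moved to the patched crossbeam-deque line by cargo update alone, because "0.7.3" stops at 0.8.0, whereas criterion's "1.3" already admits rayon 1.5.x, which is what the cargo tree output above shows being selected. In a real checkout the equivalent check is cargo tree -i crossbeam-deque before and after cargo update -p rayon.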

cHiv0rz commented 2 years ago

Thanks for the explanation @rukai, and sorry for the noise. I'm not sure if I can follow your suggestion, since I'm installing cryptography from the binary, not compiling it.