bitcoindevkit / bdk-cli

A CLI wallet library and REPL tool to demo and test the BDK library

AUDIT failure due to bdk + cbf dependency `rocksdb` #119

Closed rajarshimaitra closed 1 year ago

rajarshimaitra commented 2 years ago

This is to document the recent cargo-audit failures happening in CI.

$ cargo-audit audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 456 security advisories (from /home/raj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (280 crate dependencies)
Crate:         rocksdb
Version:       0.14.0
Title:         Out-of-bounds read when opening multiple column families with TTL
Date:          2022-05-11
ID:            RUSTSEC-2022-0046
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0046
Solution:      Upgrade to >=0.19.0
Dependency tree: 
rocksdb 0.14.0
└── bdk 0.22.0
    ├── bdk-reserves 0.22.0
    │   └── bdk-cli 0.5.0
    └── bdk-cli 0.5.0

Crate:         ansi_term
Version:       0.12.1
Warning:       unmaintained
Title:         ansi_term is Unmaintained
Date:          2021-08-18
ID:            RUSTSEC-2021-0139
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree: 
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        └── bdk-cli 0.5.0

Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree: 
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

error: 1 vulnerability found!
warning: 2 allowed warnings found

There is a vulnerability in rocksdb which was originally reported by @afilini here: https://github.com/bitcoindevkit/bdk/pull/724.

Depending on the outcome of experimentation with nakamoto for cbf, we might be able to get rid of rocksdb fully from our dep tree.

Until then, I guess we have to live with this audit failure?

Or we can disable compact_filters temporarily in bdk-cli.

notmandatory commented 1 year ago

I support temporarily removing compact_filters support to resolve this audit issue.
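The thread leaves open how to "live with" a known advisory until the dependency is dropped. Below is an added example, not bdk-cli's own code, of a CI gate over `cargo audit --json` output that only accepts a waiver while its expiry date has not passed (cargo-audit's built-in `--ignore` has no expiry). The sample report is constructed to mirror the rocksdb and ansi_term findings above; the JSON field layout is an assumption about cargo-audit's report format, and the waiver date is hypothetical.

```python
"""Gate CI on `cargo audit --json` with time-boxed advisory waivers.

Hypothetical helper, not part of bdk-cli. The report below is a constructed
sample mirroring the issue's findings; the field layout follows cargo-audit's
JSON report as I recall it (assumption), so check it against real output.
"""
import json
from datetime import date

# Constructed sample: one vulnerability (rocksdb) and one unmaintained warning.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": True, "count": 1, "list": [
        {"advisory": {"id": "RUSTSEC-2022-0046", "package": "rocksdb",
                      "title": "Out-of-bounds read when opening multiple "
                               "column families with TTL"},
         "versions": {"patched": [">=0.19.0"]},
         "package": {"name": "rocksdb", "version": "0.14.0"}}]},
    "warnings": {"unmaintained": [
        {"kind": "unmaintained",
         "advisory": {"id": "RUSTSEC-2021-0139", "package": "ansi_term"},
         "package": {"name": "ansi_term", "version": "0.12.1"}}]},
})

# Waivers: advisory id -> (ISO expiry date, tracking reference). Once the
# expiry passes the build fails again, so a "temporary" ignore cannot
# silently become permanent. The date here is a hypothetical placeholder.
WAIVERS = {"RUSTSEC-2022-0046": ("2022-09-01", "bdk-cli#119")}

def evaluate(report_json, waivers, today):
    """Return (blocking, waived, warnings): advisory ids that fail the build,
    ids suppressed by an unexpired waiver, and non-blocking warning ids.
    `today` is an ISO date string; ISO dates compare correctly as strings."""
    report = json.loads(report_json)
    blocking, waived = [], []
    for vuln in report["vulnerabilities"]["list"]:
        adv_id = vuln["advisory"]["id"]
        waiver = waivers.get(adv_id)
        if waiver and today <= waiver[0]:
            waived.append(adv_id)
        else:
            blocking.append(adv_id)
    # Warnings (e.g. unmaintained crates) are reported but never block,
    # matching cargo-audit's own "allowed warnings" behaviour.
    warnings = [w["advisory"]["id"]
                for kind in report["warnings"].values() for w in kind]
    return blocking, waived, warnings

if __name__ == "__main__":
    import sys
    blocking, waived, warnings = evaluate(SAMPLE_REPORT, WAIVERS,
                                          date.today().isoformat())
    print("blocking:", blocking, "waived:", waived, "warnings:", warnings)
    sys.exit(1 if blocking else 0)
```

In CI, pipe real output in with `cargo audit --json | python gate.py` after replacing `SAMPLE_REPORT` with `sys.stdin.read()`.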