Closed rajarshimaitra closed 1 year ago
This is to document the recent cargo-audit failures happening in CI.
```
$ cargo-audit audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 456 security advisories (from /home/raj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (280 crate dependencies)
Crate:     rocksdb
Version:   0.14.0
Title:     Out-of-bounds read when opening multiple column families with TTL
Date:      2022-05-11
ID:        RUSTSEC-2022-0046
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0046
Solution:  Upgrade to >=0.19.0
Dependency tree:
rocksdb 0.14.0
└── bdk 0.22.0
    ├── bdk-reserves 0.22.0
    │   └── bdk-cli 0.5.0
    └── bdk-cli 0.5.0

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        └── bdk-cli 0.5.0

Crate:     stdweb
Version:   0.4.20
Warning:   unmaintained
Title:     stdweb is unmaintained
Date:      2020-05-04
ID:        RUSTSEC-2020-0056
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

error: 1 vulnerability found!
warning: 2 allowed warnings found
```
There is a vulnerability in rocksdb which was originally reported by @afilini here https://github.com/bitcoindevkit/bdk/pull/724.
Depending on the outcome of experimentation with nakamoto for cbf, we might be able to get rid of rocksdb fully from our dep tree.
Till then I guess we have to live with this audit failure?
Or we can disable compact_filters temporarily in bdk-cli.
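A small parser for the report format above, added here as an example and not bdk-cli's own code. It assumes the report keeps the layout shown (a key/value block per advisory followed by cargo-audit's inverted dependency tree, four characters per level) and runs on a constructed sample trimmed from that output; it separates the hard failure from the allowed warnings and names which direct dependencies of bdk-cli pull in each advisory's crate, which is what the compact_filters question turns on.

```python
# Added example (not bdk-cli's own code); assumes the report layout shown above.
SAMPLE_REPORT = """\
Crate:     rocksdb
ID:        RUSTSEC-2022-0046
Dependency tree:
rocksdb 0.14.0
└── bdk 0.22.0
    ├── bdk-reserves 0.22.0
    │   └── bdk-cli 0.5.0
    └── bdk-cli 0.5.0
Crate:     ansi_term
Warning:   unmaintained
ID:        RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        └── bdk-cli 0.5.0
error: 1 vulnerability found!
"""
def parse_report(text):
    advisories, in_tree = [], False  # one {"fields", "tree": [(depth, crate)]} each
    for line in text.splitlines():
        if line.startswith("Crate:"):
            advisories.append({"fields": {}, "tree": []}); in_tree = False
        if not advisories or not line.strip():
            continue  # preamble before the first advisory, or a blank separator
        if line.startswith("Dependency tree:"):
            in_tree = True
        elif in_tree and ":" in line:
            break  # tree nodes never contain ':', so this is the final summary line
        elif in_tree:
            node = line.lstrip("│├└─ ")  # inverted tree, four glyph chars per level
            advisories[-1]["tree"].append(((len(line) - len(node)) // 4, node.split()[0]))
        else:
            key, _, value = line.partition(":")
            advisories[-1]["fields"][key.strip()] = value.strip()
    return advisories

def is_vulnerability(adv):
    # "Warning:" marks unmaintained/yanked entries (allowed warnings); without it the
    # entry is a vulnerability and cargo-audit exits non-zero.
    return "Warning" not in adv["fields"]

def direct_deps_to_fix(adv, root):
    # Direct dependencies of `root` that reach the advisory's crate: the parent of
    # each occurrence of `root` in the inverted tree.
    parent_at, out = {}, set()
    for depth, name in adv["tree"]:
        parent_at[depth] = name
        if name == root and depth > 0:
            out.add(parent_at[depth - 1])
    return out
```

Running it on the sample gives {'bdk', 'bdk-reserves'} for RUSTSEC-2022-0046, i.e. both direct bdk-cli dependencies that carry rocksdb, and only {'structopt'} for the ansi_term warning.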
I support temporarily removing compact_filters support to resolve this audit issue.