containerd / ttrpc-rust

Rust implementation of ttrpc (GRPC for low-memory environments)
Apache License 2.0

Add cargo deny to CI #109

Closed mxpv closed 2 years ago

mxpv commented 2 years ago

cargo-deny is a popular Rust tool to lint a project's dependencies and make sure they meet expectations. It can track dependencies without a license, with vulnerabilities, deprecated, yanked, etc.

Links:

Example:

```
  ┌─ /Users/mxpv/Github/ttrpc-rust/Cargo.lock:8:1
  │
8 │ nix 0.16.1 registry+https://github.com/rust-lang/crates.io-index
  │ ---------------------------------------------------------------- security vulnerability detected
  │
  = ID: RUSTSEC-2021-0119
  = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0119
  = On certain platforms, if a user has more than 16 groups, the
    `nix::unistd::getgrouplist` function will call the libc `getgrouplist`
    function with a length parameter greater than the size of the buffer it
    provides, resulting in an out-of-bounds write and memory corruption.

    The libc `getgrouplist` function takes an in/out parameter `ngroups`
    specifying the size of the group buffer. When the buffer is too small to
    hold all of the reqested user's group memberships, some libc
    implementations, including glibc and Solaris libc, will modify `ngroups`
    to indicate the actual number of groups for the user, in addition to
    returning an error. The version of `nix::unistd::getgrouplist` in nix
    0.16.0 and up will resize the buffer to twice its size, but will not
    read or modify the `ngroups` variable. Thus, if the user has more than
    twice as many groups as the initial buffer size of 8, the next call to
    `getgrouplist` will then write past the end of the buffer.

    The issue would require editing /etc/groups to exploit, which is usually
    only editable by the root user.
  = Announcement: https://github.com/nix-rust/nix/issues/1541
  = Solution: Upgrade to >=0.20.2, <0.21.0 OR >=0.21.2, <0.22.0 OR >=0.22.2, <0.23.0 OR >=0.23.0
  = nix v0.16.1
    └── ttrpc v0.5.1

advisories FAILED, bans ok, licenses ok, sources ok
```

Signed-off-by: Maksym Pavlenko pavlenko.maksym@gmail.com

mxpv commented 2 years ago

(vsock needs a release on crates.io that includes latest version of nix crate)

Tim-Zhang commented 2 years ago

> (vsock needs a release on crates.io that includes latest version of nix crate)

https://github.com/rust-vsock/vsock-rs/pull/20

Tim-Zhang commented 2 years ago

@mxpv The new version 0.2.5 of vsock has just been released.

mxpv commented 2 years ago

ttrpc-rust uses vsock crate via tokio-vsock (the example in the PR's title is from master branch earlier today).

```
   = nix v0.19.1
     └── vsock v0.2.4
         └── tokio-vsock v0.3.1
             └── ttrpc v0.5.1
```

~I've opened a PR against tokio-vsock: https://github.com/rust-vsock/tokio-vsock/pull/16 @Tim-Zhang can we pls bump its version and publish on crates.io? I'll then update this PR to include latest tokio-vsock, so it'll pass CI.~

See the comment below.

Tim-Zhang commented 2 years ago

@mxpv How about increasing the tokio-vsock version directly in your PR?

mxpv commented 2 years ago

@Tim-Zhang actually ignore me, we don't need to update anything. Cargo will use 0.2.5.

```
^1.2.3 := >=1.2.3, <2.0.0
^1.2   := >=1.2.0, <2.0.0
^1     := >=1.0.0, <2.0.0
^0.2.3 := >=0.2.3, <0.3.0   <--- this will bump from 0.2.4 to 0.2.5 automatically
^0.2   := >=0.2.0, <0.3.0
^0.0.3 := >=0.0.3, <0.0.4
^0.0   := >=0.0.0, <0.1.0
^0     := >=0.0.0, <1.0.0
```

https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
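The two version-range questions in this thread, whether a caret requirement such as `^0.2.3` lets Cargo pick up vsock 0.2.5 on its own, and whether a locked nix version falls inside the patched ranges that cargo-deny prints as the advisory's "Solution:", are the same operation: testing a version against half-open ranges. The following is an added example, not code from ttrpc-rust, cargo, or cargo-deny; it implements just enough of Cargo's caret rule (the table above) and a parser for the `>=lo, <hi OR ...` solution format to check both cases. The crate versions in `main` are constructed sample data; the nix ranges are the ones quoted from RUSTSEC-2021-0119 above.

```rust
// Added example: minimal semver range matching, no external crates.
use std::cmp::Ordering;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; missing trailing components default to 0.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major: u64 = parts.next()?.parse().ok()?;
        let minor: u64 = parts.next().map_or(Some(0), |p| p.parse().ok())?;
        let patch: u64 = parts.next().map_or(Some(0), |p| p.parse().ok())?;
        Some(Version { major, minor, patch })
    }
}

/// Half-open range: `lo` inclusive, `hi` exclusive (`None` = no upper bound).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Range {
    pub lo: Version,
    pub hi: Option<Version>,
}

impl Range {
    pub fn contains(&self, v: Version) -> bool {
        v.cmp(&self.lo) != Ordering::Less && self.hi.map_or(true, |hi| v < hi)
    }
}

/// Caret requirement -> range, per the Cargo reference table: the left-most
/// non-zero component may not change; if every written component is zero,
/// the last written one is the one that is locked.
pub fn caret_range(req: &str) -> Option<Range> {
    let body = req.trim().trim_start_matches('^');
    let written = body.split('.').count();
    let lo = Version::parse(body)?;
    let hi = if lo.major > 0 {
        Version { major: lo.major + 1, minor: 0, patch: 0 }
    } else if lo.minor > 0 {
        Version { major: 0, minor: lo.minor + 1, patch: 0 } // ^0.2.3 -> <0.3.0
    } else if written == 3 {
        Version { major: 0, minor: 0, patch: lo.patch + 1 } // ^0.0.3 -> <0.0.4
    } else if written == 2 {
        Version { major: 0, minor: 1, patch: 0 } // ^0.0 -> <0.1.0
    } else {
        Version { major: 1, minor: 0, patch: 0 } // ^0 -> <1.0.0
    };
    Some(Range { lo, hi: Some(hi) })
}

/// Highest available version satisfying the requirement, which is what
/// Cargo selects when nothing else pins the dependency.
pub fn resolve(req: &str, available: &[&str]) -> Option<Version> {
    let range = caret_range(req)?;
    available
        .iter()
        .filter_map(|s| Version::parse(s))
        .filter(|v| range.contains(*v))
        .max()
}

/// Parse a cargo-deny "Solution:" line: ">=lo, <hi" clauses joined by OR,
/// where the last clause may have no upper bound.
pub fn parse_solution(line: &str) -> Option<Vec<Range>> {
    let mut ranges = Vec::new();
    for clause in line.split(" OR ") {
        let (mut lo, mut hi) = (None, None);
        for cmp in clause.split(',') {
            let cmp = cmp.trim();
            if let Some(v) = cmp.strip_prefix(">=") {
                lo = Some(Version::parse(v)?);
            } else if let Some(v) = cmp.strip_prefix('<') {
                hi = Some(Version::parse(v)?);
            } else {
                return None; // unsupported operator in this toy parser
            }
        }
        ranges.push(Range { lo: lo?, hi });
    }
    Some(ranges)
}

/// True when the locked version sits inside one of the patched ranges,
/// i.e. the advisory no longer applies to it.
pub fn is_patched(locked: &str, solution: &str) -> bool {
    match (Version::parse(locked), parse_solution(solution)) {
        (Some(v), Some(ranges)) => ranges.iter().any(|r| r.contains(v)),
        _ => false,
    }
}

fn main() {
    // Constructed sample of vsock releases; ^0.2.3 must not reach 0.3.0.
    let picked = resolve("^0.2.3", &["0.2.3", "0.2.4", "0.2.5", "0.3.0"]);
    println!("^0.2.3 resolves to {:?}", picked);

    // Solution line quoted from the RUSTSEC-2021-0119 report above.
    let nix_fix = ">=0.20.2, <0.21.0 OR >=0.21.2, <0.22.0 OR >=0.22.2, <0.23.0 OR >=0.23.0";
    for v in ["0.16.1", "0.19.1", "0.20.2", "0.21.0", "0.23.0"].iter() {
        println!("nix {}: patched = {}", v, is_patched(v, nix_fix));
    }
}
```

Running it shows `^0.2.3` resolving to 0.2.5 (so a plain `cargo update` gets the fixed vsock without touching `Cargo.toml`) and that both nix 0.16.1 and the 0.19.1 pulled in through tokio-vsock lie outside every patched range, which is exactly why the advisory check fails until the transitive dependency moves.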