davidB / kubectl-view-allocations

kubectl plugin to list allocations (cpu, memory, gpu,... X utilization, requested, limit, allocatable,...)
https://crates.io/crates/kubectl-view-allocations
Creative Commons Zero v1.0 Universal

possible vulnerability in rustc-serialize? #228

Closed johanneskastl closed 11 months ago

johanneskastl commented 1 year ago

I just stumbled upon this and wanted to package it for openSUSE.

The preparation spits out a warning regarding a vulnerability in rustc-serialize. I have too little knowledge of rust to say anything about this, so I wanted to report and make you aware of this just in case.

2023-11-10T09:24:37.795201Z  INFO cargo_vendor: 🎢 Starting OBS Service Cargo Vendor.
2023-11-10T09:24:37.795314Z  INFO obs_service_cargo::utils: 🍿 Vendoring for src 'kubectl-view-allocations'
2023-11-10T09:24:37.799178Z  INFO obs_service_cargo::utils: 📗 Project does not use a workspace!
2023-11-10T09:24:37.799294Z  INFO obs_service_cargo::vendor: ⏫ Updating dependencies before vendor
2023-11-10T09:24:39.998346Z  INFO obs_service_cargo::vendor: ⏫ Successfully ran cargo update
2023-11-10T09:24:40.032242Z  WARN obs_service_cargo::audit: ⚠  1 vulnerability found.
2023-11-10T09:24:40.032258Z  WARN obs_service_cargo::audit: - RUSTSEC-2022-0004 rustc-serialize 0.3.24 - categories denial-of-service - cvss unset
2023-11-10T09:24:40.032271Z ERROR obs_service_cargo::audit: ⚠  You must action these before submitting this package.
2023-11-10T09:24:40.032278Z ERROR obs_service_cargo::audit: 🛑 Vulnerabilities found in application dependencies. These must be actioned to proceed with vendoring.
2023-11-10T09:24:40.032287Z ERROR obs_service_cargo::cli: err=kind: security audit is actionable

davidB commented 11 months ago

The transitive dependency rustc-serialize comes from a test library (spectral). I removed spectral in version 0.18.1.

Thanks for the report and for creating the package for openSUSE.
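The triage above (find which direct dependency pulls in the flagged crate, then check whether that dependency is only used for tests) is what `cargo tree -i rustc-serialize` answers interactively. The following script is an added example, not code from this thread or from the kubectl-view-allocations project: it parses a Cargo.lock, walks every path from the root crate to the flagged crate, and reports whether all of those paths enter through a `[dev-dependencies]` entry. The lockfile and dev-dependency set in it are constructed and simplified; the real project's dependency graph is not reproduced, and Cargo.lock itself does not mark dev-dependencies, which is why that list has to come from Cargo.toml.

```python
"""Triage an advisory-flagged transitive crate using Cargo.lock.

Added example, not part of the kubectl-view-allocations project or this issue.
Answers two questions a maintainer asks after `cargo audit` flags a crate:
which direct dependency pulls it in, and is that dependency test-only?
"""
import re

# CONSTRUCTED, simplified Cargo.lock: root -> spectral -> rustc-serialize.
SAMPLE_CARGO_LOCK = '''
[[package]]
name = "kubectl-view-allocations"
version = "0.0.0"
dependencies = [
 "clap",
 "spectral",
]

[[package]]
name = "clap"
version = "4.0.0"

[[package]]
name = "spectral"
version = "0.6.0"
dependencies = [
 "rustc-serialize",
]

[[package]]
name = "rustc-serialize"
version = "0.3.24"
'''

# CONSTRUCTED: crate names listed under [dev-dependencies] in the root Cargo.toml.
SAMPLE_DEV_DEPENDENCIES = {"spectral"}


def parse_cargo_lock(text):
    """Return {crate_name: [dependency_name, ...]} from the [[package]] tables."""
    graph = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        deps_match = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        deps = []
        if deps_match:
            # Entries look like "name", "name 1.2.3" or "name 1.2.3 (source)";
            # only the crate name matters for the graph.
            deps = [d.split()[0] for d in re.findall(r'"([^"]+)"', deps_match.group(1))]
        graph[name] = deps
    return graph


def dependency_paths(graph, root, target):
    """Every path root -> ... -> target, as lists of crate names."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:  # guard against cycles in a malformed lockfile
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def dev_only(paths, dev_deps):
    """True when the target is reachable only through a dev-dependency of the root,
    i.e. the flagged crate is never linked into the shipped binary."""
    return bool(paths) and all(path[1] in dev_deps for path in paths)


def triage(lock_text, dev_deps, root, target):
    """Combine parsing, path search and the dev-only check into one report."""
    graph = parse_cargo_lock(lock_text)
    paths = dependency_paths(graph, root, target)
    return {"paths": paths, "dev_only": dev_only(paths, dev_deps)}


if __name__ == "__main__":
    report = triage(SAMPLE_CARGO_LOCK, SAMPLE_DEV_DEPENDENCIES,
                    "kubectl-view-allocations", "rustc-serialize")
    for path in report["paths"]:
        print(" -> ".join(path))
    print("reachable only via dev-dependencies:", report["dev_only"])
```

A `dev_only` result of true means the advisory does not affect the released binary, but it still blocks tooling such as obs_service_cargo::audit, so dropping or replacing the test dependency (as done here) is the clean fix; a false result means the crate ships in the binary and needs an upgrade or replacement.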

johanneskastl commented 11 months ago

Thanks! I could successfully create the required packages and obs_service_cargo::audit no longer complains!

I'll see if the package builds properly later.