dylanhart / ulid-rs

This is a Rust implementation of the ulid project
https://crates.io/crates/ulid
MIT License
381 stars 36 forks

CVEs in CLI #76

Open jayvdb opened 6 months ago

jayvdb commented 6 months ago

Using https://github.com/google/osv-scanner

ulid-rs> osv-scanner --lockfile Cargo.lock 
Scanned /home/jayvdb/rust/ulid-rs/Cargo.lock file and found 83 packages
╭─────────────────────────────────────┬──────┬───────────┬───────────┬─────────┬────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE   │ VERSION │ SOURCE     │
├─────────────────────────────────────┼──────┼───────────┼───────────┼─────────┼────────────┤
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term │ 0.12.1  │ Cargo.lock │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │ crates.io │ atty      │ 0.2.14  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0145   │      │           │           │         │            │
╰─────────────────────────────────────┴──────┴───────────┴───────────┴─────────┴────────────╯

https://osv.dev/RUSTSEC-2021-0145 is a different identifier for https://osv.dev/GHSA-g98v-hv3f-hcfr

jayvdb commented 6 months ago

The ansi_term and atty CVEs are coming in via the CLI structopt = "0.2". Upgrading to 0.3 has no effect as it still only uses clap 2 where these CVEs come from. cf. https://crates.io/crates/structopt
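The comment above traces the flagged crates back to a direct dependency by hand. The script below is an added example, not code from ulid-rs or from the issue author, that does the same triage mechanically: it parses a Cargo.lock, finds the workspace root, and prints every dependency chain from the root down to each crate that a scanner flagged. The lockfile embedded in it is a constructed, trimmed-down stand-in (the `ulid`, `rand`, `structopt`, `clap` and `libc` versions in it are illustrative; only the `ansi_term 0.12.1` and `atty 0.2.14` versions come from the scanner output in the issue).

```python
"""Trace how scanner-flagged crates enter a Cargo.lock dependency graph.

Added example, not ulid-rs project code.  Parses the [[package]] tables of a
Cargo.lock and reports, for each flagged crate, which chain of dependencies
pulls it in (here the answer is root -> structopt -> clap -> atty/ansi_term).
"""
import re

# Constructed sample in Cargo.lock v3 layout; NOT the project's real lockfile.
# Only the ansi_term and atty versions are taken from the issue's scan output.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "ulid"
version = "0.0.0"
dependencies = [
 "rand",
 "structopt",
]

[[package]]
name = "rand"
version = "0.8.5"

[[package]]
name = "structopt"
version = "0.3.26"
dependencies = ["clap"]

[[package]]
name = "clap"
version = "2.34.0"
dependencies = [
 "ansi_term",
 "atty",
]

[[package]]
name = "ansi_term"
version = "0.12.1"

[[package]]
name = "atty"
version = "0.2.14"
dependencies = [
 "libc 0.2.150 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "libc"
version = "0.2.150"
"""

# Crate names reported by the osv-scanner run quoted in the issue.
FLAGGED = {"ansi_term", "atty"}


def parse_cargo_lock(text):
    """Return {name: (version, [dependency names])} from Cargo.lock text.

    Handles inline and multi-line `dependencies = [...]` arrays and reduces
    entries of the form "name version (source)" to the bare crate name.  This
    minimal parser keys by name only, so a lockfile that pins the same crate
    at two versions would need the version folded into the key.
    """
    packages = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M).group(1)
        deps = []
        m = re.search(r"^dependencies\s*=\s*\[(.*?)\]", block, re.M | re.S)
        if m:
            deps = [item.split()[0] for item in re.findall(r'"([^"]+)"', m.group(1))]
        packages[name] = (version, deps)
    return packages


def find_roots(packages):
    """Packages nobody depends on, i.e. the workspace crates themselves."""
    depended_on = {d for _, deps in packages.values() for d in deps}
    return sorted(n for n in packages if n not in depended_on)


def paths_to(packages, target, root):
    """All dependency chains root -> ... -> target, as lists of crate names."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in packages.get(node, ("", []))[1]:
            if dep not in path:  # guard against cycles in malformed input
                walk(dep, path + [dep])

    walk(root, [root])
    return found


def explain(lock_text, flagged):
    """Map each flagged crate present in the lockfile to (version, chains)."""
    packages = parse_cargo_lock(lock_text)
    report = {}
    for name in sorted(flagged & set(packages)):
        chains = [c for root in find_roots(packages) for c in paths_to(packages, name, root)]
        report[name] = (packages[name][0], chains)
    return report


if __name__ == "__main__":
    for name, (version, chains) in explain(SAMPLE_LOCK, FLAGGED).items():
        print(f"{name} {version}")
        for chain in chains:
            print("  " + " -> ".join(chain))
```

Run against a real lockfile by reading it into `explain()` in place of `SAMPLE_LOCK` and passing the package names from the scanner table; the second path element is the direct dependency to replace or upgrade, which is the information needed to act on an advisory that arrives transitively.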