massalabs / massa

The Decentralized and Scaled Blockchain
https://massa.net

cargo audit reports few issues #4396

Open sydhds opened 1 year ago

sydhds commented 1 year ago

Running cargo-audit 0.18.1 on massa code testnet 26 reports a few issues that might be interesting to fix...

setup

cargo install cargo-audit && cargo audit

AurelienFT commented 1 year ago

Report for each issue:

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        ├── massa-node 0.26.1
        └── massa-client 0.26.1

By looking at the readme of structopt, they say that everything is in clap now, and so we should make the transition.

Crate:     mach
Version:   0.3.2
Warning:   unmaintained
Title:     mach is unmaintained
Date:      2020-07-14
ID:        RUSTSEC-2020-0168
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0168
Dependency tree:
mach 0.3.2
├── wasmer-vm 4.2.0
│   ├── wasmer-middlewares 4.2.0
│   │   └── massa-sc-runtime 0.10.0

RustSec proposes mach2 instead, so I will open an issue in wasmer (EDIT: https://github.com/wasmerio/wasmer/issues/4222)

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── massa-client 0.26.1
└── clap 2.34.0
    └── structopt 0.3.26
        ├── massa-node 0.26.1
        └── massa-client 0.26.1

Should be fixed by using clap 4; otherwise RustSec proposes other alternative crates.

Crate:     borsh
Version:   0.10.3
Warning:   unsound
Title:     Parsing borsh messages with ZST which are not-copy/clone is unsound
Date:      2023-04-12
ID:        RUSTSEC-2023-0033
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0033
Dependency tree:
borsh 0.10.3
└── rust_decimal 1.32.0

Blocked: https://github.com/paupino/rust-decimal/issues/595#issuecomment-1671984639

sydhds commented 1 year ago

Would be nice to include this in the CI as well :)

AurelienFT commented 1 year ago

Would be nice to include this in the CI as well :)

I'm not a big fan of this, as some warnings depend on other projects like wasmer, and so it would block our CI for something that we don't control.

sydhds commented 1 year ago

Would be nice to include this in the CI as well :)

I'm not a big fan of this, as some warnings depend on other projects like wasmer, and so it would block our CI for something that we don't control.

Would it be possible to add it as warnings?
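As an added example (not code from the massa repository or from anyone in this thread), one way to run cargo audit in CI so that real vulnerabilities fail the job while unmaintained/unsound advisories only surface as warnings, with an ignore list for advisories blocked upstream such as the `mach` one. It assumes the JSON layout of `cargo audit --json` (`vulnerabilities.list[]` and `warnings.<kind>[]`) and a hypothetical `IGNORED` set; the sample report is constructed from the advisories quoted above plus a placeholder vulnerability.

```python
import json

# Hypothetical allow-list of advisories acknowledged but not fixable on our
# side yet: RUSTSEC-2020-0168 (`mach`) comes in through wasmer-vm, see thread.
IGNORED = {"RUSTSEC-2020-0168"}

def classify(report_json, ignored=IGNORED):
    """Split a `cargo audit --json` report (assumed layout: vulnerabilities.list[]
    and warnings.<kind>[], each with advisory.{id,title} and package.{name,version})
    into (failures, warnings): failures are vulnerabilities not on the ignore
    list; warnings are unmaintained/unsound/yanked advisories plus ignored
    vulnerabilities, reported but non-blocking."""
    report = json.loads(report_json)
    failures, warnings = [], []

    def fmt(kind, item):
        adv, pkg = item["advisory"], item["package"]
        return f'{kind}: {adv["id"]} {pkg["name"]} {pkg["version"]} - {adv["title"]}'

    for vuln in report.get("vulnerabilities", {}).get("list", []):
        target = warnings if vuln["advisory"]["id"] in ignored else failures
        target.append(fmt("vulnerability", vuln))
    for kind, items in report.get("warnings", {}).items():
        warnings += [fmt(kind, i) for i in items if i["advisory"]["id"] not in ignored]
    return failures, warnings

def gate(report_json):
    """Print findings as GitHub Actions annotations; return the CI exit code."""
    failures, warnings = classify(report_json)
    for line in warnings:
        print("::warning::" + line)  # visible in the job log, does not fail it
    for line in failures:
        print("::error::" + line)
    return 1 if failures else 0

# Constructed sample: two advisories from this thread plus a placeholder
# vulnerability. In CI, pass the output of `cargo audit --json` to gate().
SAMPLE = json.dumps({
    "vulnerabilities": {"list": [
        {"advisory": {"id": "RUSTSEC-XXXX-PLACEHOLDER", "title": "constructed example"},
         "package": {"name": "example-crate", "version": "0.0.0"}}]},
    "warnings": {
        "unmaintained": [{"advisory": {"id": "RUSTSEC-2020-0168", "title": "mach is unmaintained"},
                          "package": {"name": "mach", "version": "0.3.2"}}],
        "unsound": [{"advisory": {"id": "RUSTSEC-2021-0145", "title": "Potential unaligned read"},
                     "package": {"name": "atty", "version": "0.2.14"}}]}})

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE))
```

With the sample input the job exits 1 because of the placeholder vulnerability, while the atty advisory is only annotated and the ignored mach advisory is dropped.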

sydhds commented 1 year ago

Note: the only remaining warning with cargo audit is the one with mach (dependency of wasmer), issue is here: https://github.com/wasmerio/wasmer/issues/4222