mrl5 / vulner

Discover CVEs for packages installed by the portage
Mozilla Public License 2.0

RUSTSEC-2021-0139: ansi_term is Unmaintained #59

Closed github-actions[bot] closed 2 years ago

github-actions[bot] commented 2 years ago

ansi_term is Unmaintained

Details
Status unmaintained
Package ansi_term
Version 0.12.1
URL https://github.com/ogham/rust-ansi-term/issues/72
Date 2021-08-18

The maintainer has advised this crate is deprecated and will not receive any maintenance.

The crate does not seem to have many dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

See advisory page for additional details.

mrl5 commented 2 years ago

dependency chain for ansi_term is:

structopt is used here: https://github.com/mrl5/vulner/blob/5beafc06d3e4867370939a6a2823a81930580390/crates/cli/src/main.rs#L10 - introduced in commit https://github.com/mrl5/vulner/commit/78b0d8d7790073080eb10616dcbdc81b23e4d07e

clap stopped using ansi_term in version 3, but structopt-0.3.26 explicitly wants version 2.34.0 of clap
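The chain described in this comment (CLI crate -> structopt 0.3.26 -> clap 2.34.0 -> ansi_term 0.12.1) is the kind of thing `cargo tree -i` prints, but it is worth seeing how to recover it from `Cargo.lock` alone, e.g. in CI where only the lock file is at hand. The script below is an added example, not code from the vulner project; the lock-file excerpt and the crate name `my-cli` are constructed to mirror the chain above, and the second `clap` entry is there to show how Cargo disambiguates a dependency with a `name version` spec when two versions of one crate are locked.

```python
"""Walk a Cargo.lock to explain why a flagged crate is in the build.

Added example (not the vulner project's own code). The lock-file excerpt
below is constructed to mirror the chain discussed in the issue:
my-cli -> structopt 0.3.26 -> clap 2.34.0 -> ansi_term 0.12.1.
"""
import re

# Constructed Cargo.lock excerpt; crate "my-cli" is a placeholder root.
CARGO_LOCK = """
[[package]]
name = "ansi_term"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "winapi",
]

[[package]]
name = "clap"
version = "2.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "ansi_term",
 "atty",
 "bitflags",
]

[[package]]
name = "clap"
version = "3.2.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "atty",
 "bitflags",
]

[[package]]
name = "structopt"
version = "0.3.26"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "clap 2.34.0",
 "structopt-derive",
]

[[package]]
name = "my-cli"
version = "0.1.0"
dependencies = [
 "structopt",
]
"""


def parse_cargo_lock(text):
    """Return {(name, version): [dependency specs]} for every [[package]] block."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps_match = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        deps = re.findall(r'"([^"]+)"', deps_match.group(1)) if deps_match else []
        packages[(name, version)] = deps
    return packages


def resolve(packages, spec):
    """Map a dependency spec to locked (name, version) keys.

    Cargo writes a bare "clap" when one version is locked and "clap 2.34.0"
    (older formats also append the source in parentheses) when several are.
    Crates absent from the excerpt resolve to nothing.
    """
    parts = spec.split()
    name = parts[0]
    if len(parts) > 1:
        key = (name, parts[1])
        return [key] if key in packages else []
    return [key for key in packages if key[0] == name]


def dependency_chains(packages, root, target_name):
    """All acyclic paths from root to any locked version of target_name."""
    chains = []

    def walk(node, path):
        if node[0] == target_name:
            chains.append(path)
            return
        for spec in packages.get(node, []):
            for dep in resolve(packages, spec):
                if dep not in path:  # guard against cyclic dev-dependencies
                    walk(dep, path + [dep])

    walk(root, [root])
    return chains


def format_chain(chain):
    """Render a chain the way `cargo tree -i` style output reads."""
    return " -> ".join(f"{name} {version}" for name, version in chain)


if __name__ == "__main__":
    pkgs = parse_cargo_lock(CARGO_LOCK)
    for chain in dependency_chains(pkgs, ("my-cli", "0.1.0"), "ansi_term"):
        print(format_chain(chain))
```

Running it prints one chain, `my-cli 0.1.0 -> structopt 0.3.26 -> clap 2.34.0 -> ansi_term 0.12.1`; the `clap 3.2.25` entry never appears because nothing in the excerpt depends on it, which is exactly the situation the comment describes: the flagged crate is only reachable through structopt's pin on clap 2.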

mrl5 commented 2 years ago

this is blocked until structopt switches to clap-3 (because ansi_term is not used since clap-3)

if ansi_term ever has a vulnerability, the periodic cargo security audit should detect it

mrl5 commented 2 years ago

based on this answer: https://github.com/TeXitoi/structopt/issues/528#issuecomment-1221293811

and this post: https://www.reddit.com/r/rust/comments/pkzde6/comment/hc7x5s7/

I guess in order to fix this issue structopt dependency should be replaced with clap-3

epage commented 2 years ago

We've tried to raise awareness of clap superseding `structopt`

Technically, it is still somewhat maintained to a degree, so classifying it as unmaintained in rustsec probably isn't appropriate to raise visibility.

In general, I wish there was a way for a crate like structopt to communicate that the upgrade path is a different crate.

mrl5 commented 2 years ago

thanks for the clarification @epage - I appreciate it :) I guess eventually I will migrate from structopt to clap-3

mrl5 commented 2 years ago

as per https://github.com/advisories/GHSA-74w3-p89x-ffgh

This advisory has been withdrawn because it does not discuss a particular vulnerability in the code of ansi_term.