Closed RockyGitHub closed 1 year ago
Why would cargo-audit care about a dev dependency of one of your dependencies?
I was wondering why it cared about a dev dependency too, but for example, this comes up now when running `cargo audit` on my project:

```
Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.5.3
└── tempfile 3.3.0
    └── native-tls 0.2.11
        ├── tokio-native-tls 0.3.0
        │   └── hyper-tls 0.5.0
        │       └── reqwest 0.11.14
        ├── reqwest 0.11.14
        └── hyper-tls 0.5.0
```
That tree doesn't contain test-cert-gen. Run `cargo update`.
It just skipped that level of the printout, it seems. If you run `cargo audit` from the rust-native-tls directory, this is the output:

```
Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.5.3
└── tempdir 0.3.7
    └── test-cert-gen 0.7.0
        └── native-tls 0.2.11
```
I did try `cargo update`; that had no effect. Updating test-cert-gen in the Cargo.toml seems to resolve the issue.

I added updating tempfile to 3.4.0. < 3.3.0 used remove_dir_all, which is where the original vuln came from. 3.4.0 removes that dependency. This should eliminate all `cargo audit` errors.
I cannot reproduce these audit failures:

```toml
[package]
name = "foo"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
reqwest = "0.11"
```

```
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 516 security advisories (from /Users/sfackler/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (108 crate dependencies)
$ cargo tree -i -p tempfile
tempfile v3.4.0
└── native-tls v0.2.11
    ├── hyper-tls v0.5.0
    │   └── reqwest v0.11.14
    │       └── foo v0.1.0 (/Users/sfackler/foo)
    ├── reqwest v0.11.14 (*)
    └── tokio-native-tls v0.3.1
        ├── hyper-tls v0.5.0 (*)
        └── reqwest v0.11.14 (*)
```

Please provide a self-contained example of a project with a fully updated lockfile that encounters these errors.
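The `cargo tree -i` check above answers the question by walking Cargo.lock backwards from the flagged crate to whatever pulls it in. The script below is an added example (not part of this thread or of rust-native-tls) that does the same reverse walk over a small, constructed Cargo.lock modelled on the chain reported from the repository's own stale lockfile; `parse_lock` and `paths_to_roots` are assumed names.

```python
import re

# Constructed, abbreviated Cargo.lock reproducing the thread's chain
# native-tls -> test-cert-gen -> tempdir -> remove_dir_all (no sources/checksums).
SAMPLE_LOCK = """\
[[package]]
name = "native-tls"
version = "0.2.11"
dependencies = ["test-cert-gen"]
[[package]]
name = "remove_dir_all"
version = "0.5.3"
[[package]]
name = "tempdir"
version = "0.3.7"
dependencies = ["remove_dir_all"]
[[package]]
name = "test-cert-gen"
version = "0.7.0"
dependencies = ["tempdir"]
"""

def parse_lock(text):
    """Return {crate: (version, [dependency names])} from the [[package]] sections."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps_block = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # An entry is "tempfile" or "tempfile 3.3.0" (several versions locked); keep the name.
        entries = re.findall(r'"([^"]+)"', deps_block.group(1)) if deps_block else []
        packages[name] = (version, [e.split()[0] for e in entries])
    return packages

def paths_to_roots(packages, target):
    """Reverse chains target <- dependant <- ... <- root, as `cargo tree -i` prints them."""
    rdeps = {}
    for name, (_, deps) in packages.items():
        for dep in deps:
            rdeps.setdefault(dep, []).append(name)
    def walk(crate, seen):
        parents = [p for p in rdeps.get(crate, []) if p not in seen]
        if not parents:  # nothing depends on it: a root (your package or a dev-only leaf)
            return [[crate]]
        return [[crate] + rest for p in parents for rest in walk(p, seen | {p})]
    return walk(target, {target})

if __name__ == "__main__":
    print(paths_to_roots(parse_lock(SAMPLE_LOCK), "remove_dir_all"))
```

Point it at a real Cargo.lock and the last crate in each chain is what actually requests the flagged version, which is why `cargo update` (or deleting the stale lockfile) rather than the manifest is the place to look first.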
I did as such and I came to a similar conclusion... no `cargo audit` issues.

I `rm Cargo.lock` and re-ran the audit. No issues.
I feel bad for the fuss now, my apologies. I have learned something new today
This deals with the `cargo audit` issue where a critical vuln, RUSTSEC-2023-0018, comes up. Updating the test-cert-gen issue fixes it :)

This vulnerability causes other libraries to fail the audit, such as reqwest.