sfackler / rust-native-tls

Apache License 2.0

Clear cargo audit critical vuln. Update test-cert-gen version #253

Closed RockyGitHub closed 1 year ago

RockyGitHub commented 1 year ago

This deals with the cargo audit issue where a critical vuln, RUSTSEC-2023-0018, comes up.

Updating the test-cert-gen issue fixes it :)

This vulnerability causes other libraries to fail the audit, such as reqwest.

sfackler commented 1 year ago

Why would cargo-audit care about a dev dependency of one of your dependencies?

RockyGitHub commented 1 year ago

I was wondering why it cared about a dev dependency too. But for example, this comes up now when running cargo audit on my project:

Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.5.3
└── tempfile 3.3.0
    └── native-tls 0.2.11
        ├── tokio-native-tls 0.3.0
        │   └── hyper-tls 0.5.0
        │       └── reqwest 0.11.14
        ├── reqwest 0.11.14
        └── hyper-tls 0.5.0
sfackler commented 1 year ago

That tree doesn't contain test-cert-gen.

Run cargo update.

RockyGitHub commented 1 year ago

It just skipped that level of the printout, it seems. If you run cargo audit from the rust-native-tls directory, this is the output:

Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.5.3
└── tempdir 0.3.7
    └── test-cert-gen 0.7.0
        └── native-tls 0.2.11

I did try cargo update; that had no effect. Updating test-cert-gen in the Cargo.toml seems to resolve the issue.

RockyGitHub commented 1 year ago

I added updating tempfile to 3.4.0. < 3.3.0 used remove_dir_all, which is where the original vuln came from. 3.4.0 removes that dependency. This should eliminate all cargo audit errors.

sfackler commented 1 year ago

I cannot reproduce these audit failures:

[package]
name = "foo"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
reqwest = "0.11"

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 516 security advisories (from /Users/sfackler/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (108 crate dependencies)
$ cargo tree -i -p tempfile
tempfile v3.4.0
└── native-tls v0.2.11
    ├── hyper-tls v0.5.0
    │   └── reqwest v0.11.14
    │       └── foo v0.1.0 (/Users/sfackler/foo)
    ├── reqwest v0.11.14 (*)
    └── tokio-native-tls v0.3.1
        ├── hyper-tls v0.5.0 (*)
        └── reqwest v0.11.14 (*)

Please provide a self-contained example of a project with a fully updated lockfile that encounters these errors.

RockyGitHub commented 1 year ago

I did as such and came to a similar conclusion... no cargo audit issues. I rm'd Cargo.lock and re-ran the audit. No issues. I feel bad for the fuss now, my apologies. I have learned something new today.
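To make sfackler's point concrete (Cargo never carries the dev-dependencies of a dependency into the consumer's Cargo.lock, so the test-cert-gen → tempdir → remove_dir_all chain only appears when auditing rust-native-tls's own checkout), here is an added example that is not part of this thread or of the rust-native-tls project: a small Python lockfile check in the spirit of what cargo audit does, run over two constructed Cargo.lock files, one modelled on the library's own lockfile with its dev-dependency chain and one modelled on the `foo` consumer project above. The `>=0.8.0` bound is the one from the RUSTSEC-2023-0018 entry quoted in the thread; the lockfile contents, the `lock_entry` helper and the `find_vulnerable` function are my own construction (checksums and `source` lines omitted), not cargo audit's code.

```python
import re

# Advisory data taken from the RUSTSEC-2023-0018 entry quoted in this thread;
# "Solution: Upgrade to >=0.8.0" is the first non-vulnerable version.
ADVISORY = {"id": "RUSTSEC-2023-0018", "crate": "remove_dir_all", "patched": "0.8.0"}


def parse_version(version):
    """Turn '0.5.3' (or '0.5.3-beta.1') into a comparable tuple of integers.
    Pre-release/build suffixes are dropped, which is enough for this check."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_lock(lock_text):
    """Return [(name, version), ...] for every [[package]] block in a Cargo.lock."""
    packages = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.MULTILINE)
        version = re.search(r'^version = "([^"]+)"', block, re.MULTILINE)
        if name and version:
            packages.append((name.group(1), version.group(1)))
    return packages


def find_vulnerable(lock_text, advisory=ADVISORY):
    """List pinned versions of the advisory's crate that are below the patched bound."""
    patched = parse_version(advisory["patched"])
    return [
        (name, version)
        for name, version in parse_lock(lock_text)
        if name == advisory["crate"] and parse_version(version) < patched
    ]


def lock_entry(name, version, deps=()):
    """Build one [[package]] block in Cargo.lock syntax (constructed; no checksum)."""
    dep_list = "".join(f' "{d}",\n' for d in deps)
    return (f'[[package]]\nname = "{name}"\nversion = "{version}"\n'
            f"dependencies = [\n{dep_list}]\n\n")


# Constructed lockfile modelled on rust-native-tls's own checkout: the crate's
# dev-dependency test-cert-gen pulls in tempdir, which pins remove_dir_all 0.5.3.
LIBRARY_LOCK = "version = 3\n\n" + "".join([
    lock_entry("native-tls", "0.2.11", ["tempfile", "test-cert-gen"]),
    lock_entry("tempfile", "3.3.0", ["remove_dir_all"]),
    lock_entry("test-cert-gen", "0.7.0", ["tempdir"]),
    lock_entry("tempdir", "0.3.7", ["remove_dir_all"]),
    lock_entry("remove_dir_all", "0.5.3"),
])

# Constructed lockfile modelled on sfackler's `foo` consumer project: native-tls
# arrives through reqwest with an up-to-date tempfile, and test-cert-gen is absent
# because a dependency's dev-dependencies are never resolved into the consumer's lock.
CONSUMER_LOCK = "version = 3\n\n" + "".join([
    lock_entry("foo", "0.1.0", ["reqwest"]),
    lock_entry("reqwest", "0.11.14", ["native-tls"]),
    lock_entry("native-tls", "0.2.11", ["tempfile"]),
    lock_entry("tempfile", "3.4.0"),
])


if __name__ == "__main__":
    for label, lock in (("library checkout", LIBRARY_LOCK), ("consumer project", CONSUMER_LOCK)):
        hits = find_vulnerable(lock)
        status = "matches " + ADVISORY["id"] if hits else "clean"
        print(f"{label}: {status} {hits}")
```

The library checkout reports `remove_dir_all 0.5.3` while the consumer project reports nothing, which is exactly the difference between the two audit outputs pasted in this thread: the finding is real for a developer working inside rust-native-tls, but it cannot reach a downstream lockfile, so a consumer seeing it should regenerate Cargo.lock rather than wait on an upstream release.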