search

tag1consulting / goose

Load testing framework, inspired by Locust
https://tag1.com/goose
Apache License 2.0
813 stars 71 forks source link

cargo audit vulnerability report on goose > simplelog > chrono > time crate dependency #517

Closed ashokkjag closed 2 years ago

ashokkjag commented 2 years ago 
Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    ├── simplelog 0.10.2
    │   └── goose 0.16.4-dev
    │       └── loadtest 0.1.0
    └── goose 0.16.4-dev
jeremyandrews commented 2 years ago

See https://github.com/chronotope/chrono/issues/602#issuecomment-1075915577

This is a non-issue, as chrono does not use the problematic function in the time crate. This false-positive will go away when chrono 0.5 is released (as then the time crate will not be used at all).