zcash / librustzcash

Rust-language assets for Zcash

Address `cargo audit` vulns and warnings. #816

Open nathan-at-least opened 1 year ago

nathan-at-least commented 1 year ago

Problem

The cargo audit tool shows vulnerabilities and warnings.

2023-06-17 Update: As dependencies and audit reports evolve, I've updated the content here for commit d2f105efe9e4a9aa3cb71010a090a5661a748a62.

Vulnerabilities

Warnings:

Proposed Solution

  1. If possible resolve all vulnerabilities & warnings by dependency upgrades.
  2. If not possible, analyze each report to determine the attack surface for our crates. If we can prove the dependency attack surface is not exposed by any usage of our crates, we can suppress the audit report for the specific advisory tag (see Ignoring advisories; I suggest we always add a rationale doc in audit.toml as a policy).

Preventative Solution

As soon as we get to a state of cargo audit passing, we should institute CI on cargo audit.

Reproduction

  1. run cargo install cargo-audit (if not previously done)
  2. run cargo audit
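The two process proposals above (suppress an advisory only by its specific ID with a written rationale in audit.toml, then gate CI on cargo audit) can be enforced mechanically. The following is an added example, not code from librustzcash or from the issue author: a small POSIX shell lint, meant to run in the same CI job as cargo audit, that rejects an ignore list in `.cargo/audit.toml` unless every entry is a single `RUSTSEC-YYYY-NNNN` ID on its own line followed by a `#` rationale comment. The config file path, the `lint_audit_ignores` function name, the `RUSTSEC-0000-000x` placeholder IDs and the two sample config files written below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not librustzcash's code): lint for the "rationale per
# ignored advisory" policy proposed in this issue.  Reads a cargo-audit
# config file (assumed path: .cargo/audit.toml) and checks the
# [advisories] ignore list:
#   * every entry is a "RUSTSEC-YYYY-NNNN" ID (no suppression by crate name);
#   * every entry sits on its own line and ends with a non-empty "# ..."
#     comment explaining why the affected code is unreachable from our crates.
# Returns 0 when the file complies, 1 otherwise; violations go to stderr.
lint_audit_ignores() {
    file="$1"
    status=0
    in_ignore=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            *ignore*=*"["*"]"*)
                # Whole list on one line: only an empty list can comply,
                # because per-entry rationale needs one entry per line.
                case "$line" in
                    *"["*RUSTSEC*|*"["*\"*)
                        echo "$file:$lineno: put each ignored advisory on its own line with a rationale" >&2
                        status=1 ;;
                esac
                continue ;;
            *ignore*=*"["*) in_ignore=1; continue ;;   # start of multi-line list
        esac
        [ "$in_ignore" -eq 1 ] || continue
        case "$line" in
            *"]"*) in_ignore=0; continue ;;            # end of the list
        esac
        # Blank and comment-only lines inside the list are fine.
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$stripped" in
            ''|'#'*) continue ;;
        esac
        # Entry must be "RUSTSEC-YYYY-NNNN"[,] followed by "# <rationale>".
        if ! printf '%s' "$stripped" | grep -Eq '^"RUSTSEC-[0-9]{4}-[0-9]{4}",?[[:space:]]+#[[:space:]]*[^[:space:]]'; then
            echo "$file:$lineno: ignored advisory without RUSTSEC id or rationale: $stripped" >&2
            status=1
        fi
    done < "$file"
    return "$status"
}

# Constructed sample configs (not the project's real audit.toml).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

GOOD_CFG="$TMP/audit.good.toml"
cat > "$GOOD_CFG" <<'EOF'
# Constructed sample of .cargo/audit.toml.
[advisories]
ignore = [
    # One entry per line, each with the reason the report does not apply.
    "RUSTSEC-0000-0000", # placeholder rationale: affected API is not called from any workspace crate
]
informational_warnings = ["unmaintained", "unsound", "yanked"]
EOF

BAD_CFG="$TMP/audit.bad.toml"
cat > "$BAD_CFG" <<'EOF'
[advisories]
ignore = [
    "RUSTSEC-0000-0001",
    "tonic",
]
EOF

for cfg in "$GOOD_CFG" "$BAD_CFG"; do
    if lint_audit_ignores "$cfg"; then
        echo "$cfg: ok"
    else
        echo "$cfg: policy violations found"
    fi
done
```

In CI this would run next to `cargo install cargo-audit --locked` and `cargo audit --deny warnings`, so that a suppression without a recorded rationale fails the job the same way an unhandled advisory does.
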

nathan-at-least commented 1 year ago

Note: GitHub has a distinct advisory system that automatically notifies projects, whereas cargo audit tracks a rust-lang-specific advisory database. This comment explains the distinction. We should rely on both.

nathan-at-least commented 1 year ago

I started digging in on resolving the vulnerabilities. First blocker: schemer-rusqlite does not have a release which mitigates this. I submitted https://github.com/aschampion/schemer/pull/20 to move that along.

nathan-at-least commented 1 year ago

Just submitted #818 which is the "easy one" of the three failures: a simple version upgrade on a dev-dependency.

nathan-at-least commented 1 year ago

Next blocker on RUSTSEC-2023-0001:

The vulnerability is present in tonic v0.9.1, but that's the latest release, so mitigating this requires tonic to upgrade.

Unlike schemer-rusqlite which was easy to patch, I'm out of time today and I assume upgrading tokio within tonic will be a heftier project.

I filed https://github.com/hyperium/tonic/issues/1355 for good measure.

nathan-at-least commented 1 year ago

Looks like the rusqlite dependency upgrade has been released (PR discussion link: https://github.com/aschampion/schemer/pull/20#issuecomment-1512835049), so at least 1 error out of 3 is a simple cargo dependency requirements upgrade.