Open nathan-at-least opened 1 year ago
Note: GitHub has a distinct advisory system that automatically notifies projects, whereas cargo audit tracks a rust-lang-specific advisory database. This comment explains the distinction. We should rely on both.
I started digging in on resolving the vulnerabilities. First blocker: schemer-rusqlite does not have a release which mitigates this. I submitted https://github.com/aschampion/schemer/pull/20 to move that along.
Just submitted #818 which is the "easy one" of the three failures: a simple version upgrade on a dev-dependency.
Next blocker on RUSTSEC-2023-0001:

The vulnerability is present in tonic v0.9.1, but that's the latest release, so mitigating this requires tonic to upgrade.

Unlike schemer-rusqlite, which was easy to patch, I'm out of time today and I assume upgrading tokio within tonic will be a heftier project.

I filed https://github.com/hyperium/tonic/issues/1355 for good measure.

Looks like the rusqlite dependency upgrade has been released (PR discussion link: https://github.com/aschampion/schemer/pull/20#issuecomment-1512835049), so at least 1 error out of 3 is a simple cargo dependency requirements upgrade.
Problem

The cargo audit tool shows vulnerabilities and warnings.

2023-06-17 Update: As dependencies and audit reports evolve, I've updated the content here for commit d2f105efe9e4a9aa3cb71010a090a5661a748a62.

Vulnerabilities:

- libsqlite3-sys: RUSTSEC-2022-0090
- tokio: RUSTSEC-2023-0001

Warnings:

- stdweb: unmaintained, RUSTSEC-2020-0056
- crossbeam-channel: yanked
- h2: yanked

Proposed Solution

audit.toml as a policy.)

Preventative Solution

As soon as we get to a state of cargo audit passing, we should institute CI on cargo audit.

Reproduction

1. cargo install cargo-audit (if not previously done)
2. cargo audit