
Handling of pre-release versions #30

Closed
hatzel opened this issue Jul 23, 2018 · 2 comments

Comments

@hatzel

hatzel commented Jul 23, 2018

I have the master version of cookies-rs as a dependency. Unfortunately cargo-audit lists '0.11.0-dev' as vulnerable even though it seems clearly >= 0.7.6.

Output

ID:	 RUSTSEC-2017-0005
Crate:	 cookie
Version: 0.11.0-dev
Date:	 2017-05-06
URL:	 https://github.com/alexcrichton/cookie-rs/pull/86
Title:	 Large cookie Max-Age values can cause a denial of service
Solution: upgrade to: < 0.6.0 OR ^0.6.2 OR >= 0.7.6

Desired Output

I am not sure. In this case the version is clearly not vulnerable but for the general case I am not too sure.

Take this example:

  • Version 0.6 of my-cool-crate is vulnerable.
  • The vulnerability is noticed while 0.7-dev is out there.
  • A security advisory gets issued for 0.6; the dev version gets silently fixed.

In the end the user would not be warned, although you could argue a wrong advisory is at fault.

This matter probably needs some careful consideration.

Steps to reproduce

  1. Add cookie = { git = "https://github.com/alexcrichton/cookie-rs.git" } to dependencies in Cargo.toml
  2. Run cargo build and cargo audit

Or alternatively, in case cookies-rs changes its version, just pull this repo and run cargo audit.
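As an added illustration of the pre-release matching problem this issue describes (example code, not cargo-audit's or the semver crate's own): a minimal SemVer parser with spec-compliant precedence, plus the patched ranges of RUSTSEC-2017-0005 hard-coded from the output above, showing that `0.11.0-dev` is patched under strict precedence but reported as unpatched when pre-releases are excluded from range matching (a simplified model of Cargo-style matching; build metadata is not handled).

```rust
use std::cmp::Ordering;
#[derive(Debug, PartialEq, Eq)]
pub struct Version { core: [u64; 3], pre: Vec<String> }

// Parse MAJOR.MINOR.PATCH[-pre.release.ids]; build metadata is not handled.
pub fn parse(s: &str) -> Option<Version> {
    let (core, pre) = match s.split_once('-') {
        Some((c, p)) => (c, p.split('.').map(String::from).collect()),
        None => (s, Vec::new()),
    };
    let nums: Vec<u64> = core.split('.').map(|n| n.parse::<u64>().ok()).collect::<Option<_>>()?;
    if nums.len() != 3 { return None; }
    Some(Version { core: [nums[0], nums[1], nums[2]], pre })
}

// SemVer spec section 11 precedence: a pre-release sorts below the release
// with the same core; identifiers compare numerically when both are numeric,
// otherwise lexically; a shorter identifier list sorts lower.
impl Ord for Version {
    fn cmp(&self, other: &Self) -> Ordering {
        self.core.cmp(&other.core).then_with(|| match (self.pre.is_empty(), other.pre.is_empty()) {
            (true, true) => Ordering::Equal,
            (true, false) => Ordering::Greater,
            (false, true) => Ordering::Less,
            (false, false) => {
                for (a, b) in self.pre.iter().zip(&other.pre) {
                    let ord = match (a.parse::<u64>(), b.parse::<u64>()) {
                        (Ok(x), Ok(y)) => x.cmp(&y),
                        (Ok(_), Err(_)) => Ordering::Less, // numeric < alphanumeric
                        (Err(_), Ok(_)) => Ordering::Greater,
                        _ => a.cmp(b),
                    };
                    if ord != Ordering::Equal { return ord; }
                }
                self.pre.len().cmp(&other.pre.len())
            }
        })
    }
}
impl PartialOrd for Version { fn partial_cmp(&self, o: &Self) -> Option<Ordering> { Some(self.cmp(o)) } }

// Patched ranges of RUSTSEC-2017-0005 as quoted in the issue:
// "< 0.6.0 OR ^0.6.2 OR >= 0.7.6" (^0.6.2 covers >= 0.6.2, < 0.7.0).
pub fn is_patched(v: &Version, exclude_prerelease: bool) -> bool {
    // Simplified Cargo-style matching: a pre-release never satisfies a
    // comparator that carries no pre-release tag, so it falls outside every range.
    if exclude_prerelease && !v.pre.is_empty() { return false; }
    let p = |s: &str| parse(s).unwrap();
    *v < p("0.6.0") || (*v >= p("0.6.2") && *v < p("0.7.0")) || *v >= p("0.7.6")
}
```

Under the second policy the scanner cannot distinguish a fixed pre-release from an unfixed one, which is exactly the ambiguity the example above with 0.6 and 0.7-dev points at.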

@tarcieri
Member

Other relevant issues for this:

dtolnay/semver#172
#17

@tarcieri
Member

This was fixed upstream in the RustSec crate in https://github.com/RustSec/rustsec-crate/pull/69; however, to be fixed in cargo-audit, that crate needs another release, and cargo-audit needs to be updated.

tarcieri added a commit that referenced this issue May 7, 2021
This commit should bring parity between Cargo's `EncodableResolve` type
(i.e. serialization type for Cargo.lock) and our `Lockfile` type.

It adds support for the legacy `root` dependency, along with the
`[[patch.unused]]` section.
tarcieri added a commit that referenced this issue May 7, 2021
Add support for Cargo.lock `patch` and `root` (fixes #30)
tarcieri pushed a commit that referenced this issue May 7, 2021