cargo audit reports few issues #4396

sydhds · 2023-09-07T12:34:22Z

Running cargo-audit 0.18.1 on massa code testnet 26 reports a few issue that might be interested to fix...

setup

cargo install cargo-audit && cargo audit

AurelienFT · 2023-09-20T10:08:37Z

Report for each issue :

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        ├── massa-node 0.26.1
        └── massa-client 0.26.1

By looking in the readme of structopt they say that everything is in clap now and so we should make the transition

Crate:     mach
Version:   0.3.2
Warning:   unmaintained
Title:     mach is unmaintained
Date:      2020-07-14
ID:        RUSTSEC-2020-0168
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0168
Dependency tree:
mach 0.3.2
├── wasmer-vm 4.2.0
│   ├── wasmer-middlewares 4.2.0
│   │   └── massa-sc-runtime 0.10.0

Rust sec propose mach2 instead so I will open an issue in wasmer (EDIT: wasmerio/wasmer#4222)

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── massa-client 0.26.1
└── clap 2.34.0
    └── structopt 0.3.26
        ├── massa-node 0.26.1
        └── massa-client 0.26.1

Should be fixed by using clap 4 otherwise rustsec propose other alternative crates

Crate:     borsh
Version:   0.10.3
Warning:   unsound
Title:     Parsing borsh messages with ZST which are not-copy/clone is unsound
Date:      2023-04-12
ID:        RUSTSEC-2023-0033
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0033
Dependency tree:
borsh 0.10.3
└── rust_decimal 1.32.0

Blocked : paupino/rust-decimal#595 (comment)

sydhds · 2023-09-20T12:20:21Z

Would be nice to include this in the CI as well :)

AurelienFT · 2023-09-20T12:30:58Z

Would be nice to include this in the CI as well :)

I'm not a big fan of this as some warnings dependents on other project like wasmer and so it will block our CI for something that we don't control

sydhds · 2023-09-20T13:03:07Z

Would be nice to include this in the CI as well :)

I'm not a big fan of this as some warnings dependents on other project like wasmer and so it will block our CI for something that we don't control

Would it be possible to add it as warnings?

sydhds · 2023-10-10T12:34:42Z

Note: the only remaining warning with cargo audit is the one with mach (dependency of wasmer), issue is here: wasmerio/wasmer#4222

AurelienFT mentioned this issue Sep 20, 2023

Node security meta-issue #4415

Open

45 tasks

AurelienFT mentioned this issue Sep 28, 2023

Review of Codebase Security #4431

Closed

sydhds self-assigned this Sep 29, 2023

sydhds linked a pull request Sep 29, 2023 that will close this issue

Use is_terminal instead of atty crate + update rust_decimal to 1.32 (… #4436

Merged

8 tasks

sydhds closed this as completed in #4436 Oct 2, 2023

AurelienFT reopened this Oct 10, 2023

AurelienFT added bug Something isn't working global Issue that concern the whole codebase labels Mar 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cargo audit reports few issues #4396

cargo audit reports few issues #4396

sydhds commented Sep 7, 2023

AurelienFT commented Sep 20, 2023 •

edited

sydhds commented Sep 20, 2023

AurelienFT commented Sep 20, 2023

sydhds commented Sep 20, 2023

sydhds commented Oct 10, 2023

cargo audit reports few issues #4396

cargo audit reports few issues #4396

Comments

sydhds commented Sep 7, 2023

setup

AurelienFT commented Sep 20, 2023 • edited

sydhds commented Sep 20, 2023

AurelienFT commented Sep 20, 2023

sydhds commented Sep 20, 2023

sydhds commented Oct 10, 2023

AurelienFT commented Sep 20, 2023 •

edited