Summary
The OSSF Scorecard Vulnerabilities check reports 13 outstanding advisories across Rust and Go dependencies (1 critical, 1 high, 11 low). Remediating these will lift the Vulnerabilities sub-score and reduce known-CVE supply-chain exposure.
Advisories
| # | Advisory | Severity | Ecosystem |
| --- | --- | --- | --- |
| 1 | RUSTSEC-2024-0384 | Low | Rust (unmaintained) |
| 2 | RUSTSEC-2024-0436 | Low | Rust (unmaintained) |
| 3 | RUSTSEC-2025-0134 | Low | Rust |
| 4 | RUSTSEC-2026-0097 | Low | Rust |
| 5 | RUSTSEC-2026-0098 | Low | Rust |
| 6 | RUSTSEC-2026-0099 | Low | Rust |
| 7-12 | (additional low-severity Rust advisories surfaced by Scorecard) | Low | Rust |
| 13 | GO-2025-3922 | Critical/High | Go modules |
Final per-advisory severity, affected crate/module, and fixed version should be confirmed by re-running cargo audit and govulncheck (or letting the Scorecard workflow re-emit results) before opening remediation PRs.
Suggested Approach
- Re-run advisory scanners to refresh the list and capture exact crate/module + version pairs:
  - `cargo audit` over the workspace `Cargo.toml`
  - `govulncheck ./...` in `blueprints/full-single-node-cluster/tests` and any other Go modules
- Group remediations by ecosystem and crate to minimize PR churn (one PR per crate family where possible).
- Prioritize the Go critical/high advisory (GO-2025-3922) first, then Rust advisories with available fixed versions, then unmaintained-crate replacements.
- For unmaintained crates (e.g., RUSTSEC-2024-0384, RUSTSEC-2024-0436): evaluate maintained alternatives or document an accepted-risk exception with `cargo audit ignore`.
- Update lockfiles (`Cargo.lock`, `go.sum`) and re-run the Scorecard workflow to confirm the Vulnerabilities count drops.
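A worked example of the grouping and prioritization steps above, added here and not part of this issue or the project's own tooling: it parses a constructed sample in the shape of `cargo audit --json` output (the key layout is an assumption), buckets advisories per crate so that fixable ones come first, and renders the `.cargo/audit.toml` ignore stanza used for an accepted-risk exception. Advisory IDs are the ones listed in this issue; crate names and versions are made up.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `cargo audit --json` output. Assumption:
# the real report uses these keys (vulnerabilities.list[], warnings.<kind>[]).
# Advisory IDs come from the issue; crate names and versions are made up.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"list": [
        {"advisory": {"id": "RUSTSEC-2025-0134", "package": "crate-a"},
         "versions": {"patched": [">=1.2.3"]},
         "package": {"name": "crate-a", "version": "1.2.0"}},
        {"advisory": {"id": "RUSTSEC-2026-0097", "package": "crate-a"},
         "versions": {"patched": [">=1.2.4"]},
         "package": {"name": "crate-a", "version": "1.2.0"}},
        {"advisory": {"id": "RUSTSEC-2026-0098", "package": "crate-b"},
         "versions": {"patched": []},
         "package": {"name": "crate-b", "version": "0.9.1"}},
    ]},
    "warnings": {"unmaintained": [
        {"kind": "unmaintained",
         "advisory": {"id": "RUSTSEC-2024-0384", "package": "crate-c"},
         "package": {"name": "crate-c", "version": "0.3.1"}},
    ]},
})

def plan_remediation(report_json):
    """Bucket findings per crate: fixable first, then no-fix, then unmaintained."""
    report = json.loads(report_json)
    plan = {"fix_available": defaultdict(list), "no_fix": defaultdict(list),
            "unmaintained": defaultdict(list)}
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        patched = vuln.get("versions", {}).get("patched", [])
        bucket = "fix_available" if patched else "no_fix"  # fixed version known?
        plan[bucket][vuln["package"]["name"]].append(
            {"id": vuln["advisory"]["id"], "installed": vuln["package"]["version"],
             "patched": patched})
    for warning in report.get("warnings", {}).get("unmaintained", []):
        plan["unmaintained"][warning["package"]["name"]].append(
            {"id": warning["advisory"]["id"], "installed": warning["package"]["version"]})
    return {bucket: dict(crates) for bucket, crates in plan.items()}  # one PR per crate

def audit_toml_ignore(advisory_ids):
    """Render an accepted-risk exception stanza for .cargo/audit.toml (read by cargo-audit)."""
    quoted = ", ".join(f'"{adv}"' for adv in sorted(advisory_ids))
    return f"[advisories]\nignore = [{quoted}]\n"

if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_REPORT)
    print(json.dumps(plan, indent=2))
    print(audit_toml_ignore(f["id"] for f in plan["unmaintained"]["crate-c"]))
```

Feeding the real report in (`cargo audit --json > report.json`) in place of the constructed sample gives the per-crate PR list directly; unmaintained crates with no replacement are the only ones that should end up in the ignore stanza.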
Related
Acceptance Criteria
- Vulnerabilities check shows 0 known advisories on next run