
Use a released version of cargo-audit. #8148

Merged
merged 2 commits into from Aug 10, 2019

Conversation

@jsirois
Member

commented Aug 7, 2019

The latest release includes the --ignore feature we use, so upgrade to
0.7.0.

Testing this locally revealed a new vulnerability:

```
$ ./build-support/bin/ci.py --cargo-audit
...
    Finished release [optimized] target(s) in 6m 11s
   Replacing /home/jsirois/.cache/pants/rust/cargo/bin/cargo-audit
    Replaced package `cargo-audit v0.7.0` with `cargo-audit v0.6.1 (https://github.com/RustSec/cargo-audit?rev=1c298bcda2c74f4a1bd8f0d8482b3577ee94fbb3#1c298bcd)` (executable `cargo-audit`)
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 33 security advisories (from /home/jsirois/.cache/pants/rust/cargo/advisory-db)
    Scanning src/rust/engine/Cargo.lock for vulnerabilities (334 crate dependencies)
error: Vulnerable crates found!

ID:	 RUSTSEC-2019-0011
Crate:	 memoffset
Version: 0.2.1
Date:	 2019-07-16
URL:	 https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
Title:	 Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code
Solution: upgrade to: >= 0.5.0

error: 1 vulnerability found!
Cargo audit failure
```

We don't directly depend on `memoffset`; our root direct dep here is
`tokio-threadpool`:

```
$ cd src/rust/engine && ./../../build-support/bin/native/cargo tree -p memoffset -i
memoffset v0.2.1
└── crossbeam-epoch v0.7.1
    └── crossbeam-deque v0.7.1
        └── tokio-threadpool v0.1.15
            ...
            ├── store v0.1.0 (/home/jsirois/dev/pantsbuild/pants/src/rust/engine/fs/store)
            ...
```

There is no newer version of `tokio-threadpool`, but a targeted update
solves the issue and gets us to `memoffset` 0.5.11:

```
$ ./build-support/bin/native/cargo update --manifest-path src/rust/engine/Cargo.toml -p tokio-threadpool --aggressive
    Updating crates.io index
    Updating arrayvec v0.4.10 -> v0.4.11
    Updating autocfg v0.1.4 -> v0.1.5
    Updating crossbeam-epoch v0.7.1 -> v0.7.2
    Updating crossbeam-utils v0.6.5 -> v0.6.6
    Updating libc v0.2.59 -> v0.2.60
    Updating log v0.4.6 -> v0.4.8
    Updating memoffset v0.2.1 -> v0.5.1
    Updating rand_core v0.4.0 -> v0.4.2
      Adding scopeguard v1.0.0
    Updating spin v0.5.0 -> v0.5.1
```
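
As an added example (not code from the PR or from the pants repository): the triage the description walks through, reimplemented offline in Python over a constructed `Cargo.lock` excerpt. It parses the `[[package]]` blocks, checks the locked `memoffset` version against the advisory's patched bound (`>= 0.5.0`), and walks the reverse-dependency graph the way `cargo tree -i` does, so the entry just below the workspace root is the crate to hand to `cargo update -p`. The function names and the sample lockfile are assumptions made for this example.

```python
import re
SAMPLE_LOCK = """# constructed Cargo.lock excerpt mirroring the PR's chain, not the real pants lockfile
[[package]]
name = "memoffset"
version = "0.2.1"
[[package]]
name = "crossbeam-epoch"
version = "0.7.1"
dependencies = ["memoffset 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)"]
[[package]]
name = "crossbeam-deque"
version = "0.7.1"
dependencies = ["crossbeam-epoch 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)"]
[[package]]
name = "tokio-threadpool"
version = "0.1.15"
dependencies = ["crossbeam-deque 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)"]
[[package]]
name = "store"
version = "0.1.0"
dependencies = ["tokio-threadpool 0.1.15 (registry+https://github.com/rust-lang/crates.io-index)"]
"""

def parse_lock(text):
    """Map package name -> (version, [dependency names]) from [[package]] blocks."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'name = "([^"]+)"', block).group(1)
        version = re.search(r'version = "([^"]+)"', block).group(1)
        deps = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # entries are "name version (source)" (lock v1) or just "name" (v2+); keep the name
        pkgs[name] = (version, re.findall(r'"([^"\s]+)', deps.group(1)) if deps else [])
    return pkgs

def is_vulnerable(pkgs, crate, patched_min):
    """True when the locked version of `crate` is below the advisory's patched bound."""
    ver = lambda v: tuple(int(x) for x in v.split("."))
    return crate in pkgs and ver(pkgs[crate][0]) < ver(patched_min)

def chains_to_roots(pkgs, crate):
    """Reverse-dependency chains from `crate` up to packages nobody depends on (`cargo tree -i`)."""
    rdeps = {}
    for name, (_, deps) in pkgs.items():
        for d in deps:
            rdeps.setdefault(d, []).append(name)
    def walk(node, chain):
        if not rdeps.get(node):  # no reverse deps: a workspace root; chain[-2] is what to update
            return [chain]
        return [c for p in rdeps[node] if p not in chain for c in walk(p, chain + [p])]
    return walk(crate, [crate])
```

Running it against the sample yields the single chain memoffset -> crossbeam-epoch -> crossbeam-deque -> tokio-threadpool -> store, matching the `cargo tree -i` output above.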

@jsirois jsirois requested a review from stuhood Aug 7, 2019

@stuhood
stuhood approved these changes Aug 7, 2019
Member

left a comment

Thank you!

@jsirois jsirois force-pushed the jsirois:cargo-audit/upgrade branch from 9ffaf35 to d100212 Aug 9, 2019

jsirois added 2 commits Aug 7, 2019
Use a released version of cargo-audit.

@jsirois jsirois force-pushed the jsirois:cargo-audit/upgrade branch from d100212 to 3e23b2d Aug 10, 2019

@jsirois jsirois merged commit dafd168 into pantsbuild:master Aug 10, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@jsirois jsirois deleted the jsirois:cargo-audit/upgrade branch Aug 10, 2019
