tungstenite 0.17.x has an open RUSTSEC advisory #5198

eric-seppanen opened this issue Feb 15, 2024 · 0 comments · Fixed by #5200
Describe the bug
The tungstenite dependency has an open RUSTSEC advisory.

To Reproduce
Running `cargo deny show advisories` on a crate including rerun will display:

```text
     = ID: RUSTSEC-2023-0065
     = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0065
     = The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
       a denial of service (minutes of CPU consumption) via an excessive length of an
       HTTP header in a client handshake. The length affects both how many times a parse
       is attempted (e.g., thousands of times) and the average amount of data for each
       parse attempt (e.g., millions of bytes).
     = Announcement: https://github.com/snapview/tungstenite-rs/issues/376
     = Solution: Upgrade to >=0.20.1 (try `cargo update -p tungstenite`)
     = tungstenite v0.17.3
       ├── re_ws_comms v0.12.1
       │   ├── re_data_source v0.12.1
       │   │   └── rerun v0.12.1
       │   │       └── my_crate v0.1.0
       │   ├── re_sdk v0.12.1
       │   │   └── rerun v0.12.1 (*)
       │   └── rerun v0.12.1 (*)
       └── tokio-tungstenite v0.17.2
           └── re_ws_comms v0.12.1 (*)
```

Expected behavior
Dependencies should be clean of open advisories. Even if it's unlikely for the tungstenite issue to cause problems with rerun, it's still a time-consuming issue for downstream users that run automated advisory checks.
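As an added example, not code from this issue or from the rerun project: a std-only Rust check that reads a `Cargo.lock`, flags a locked `tungstenite` below 0.20.1 (the fix version named in the advisory) and lists the crates that pull it in directly, which is the same question the cargo-deny tree above answers. The lock excerpt is constructed, and `parse_lock`, `ver` and `affected_dependents` are hypothetical helper names.

```rust
// Added example (not from the rerun issue or PR #5200): scan a Cargo.lock with std only
// for a tungstenite version affected by RUSTSEC-2023-0065 and list its direct dependents.
use std::collections::HashMap;

// Constructed Cargo.lock excerpt mirroring the tokio-tungstenite -> tungstenite chain above.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "tokio-tungstenite"
version = "0.17.2"
dependencies = [
 "tungstenite 0.17.3",
]
[[package]]
name = "tungstenite"
version = "0.17.3"
"#;

/// "major.minor.patch" -> comparable tuple; missing or non-numeric parts read as 0.
fn ver(v: &str) -> (u64, u64, u64) {
    let mut p = v.split('.').map(|s| s.parse::<u64>().unwrap_or(0));
    (p.next().unwrap_or(0), p.next().unwrap_or(0), p.next().unwrap_or(0))
}

/// Minimal Cargo.lock reader: crate name -> (locked version, direct dependency names).
fn parse_lock(text: &str) -> HashMap<String, (String, Vec<String>)> {
    let mut pkgs = HashMap::new();
    for block in text.split("[[package]]").skip(1) {
        let field = |k: &str| block.lines().find_map(|l| l.trim().strip_prefix(k)).map(|v| v.trim_matches('"').to_string());
        // Dependency entries may carry a version ("tungstenite 0.17.3"); keep the crate name only.
        let deps: Vec<String> = block.lines().map(str::trim)
            .skip_while(|l| *l != "dependencies = [").skip(1).take_while(|l| *l != "]")
            .map(|l| l.trim_matches(|c: char| c == '"' || c == ',').split(' ').next().unwrap_or("").to_string())
            .collect();
        if let (Some(name), Some(version)) = (field("name = "), field("version = ")) {
            pkgs.insert(name, (version, deps));
        }
    }
    pkgs
}

/// RUSTSEC-2023-0065 affects tungstenite < 0.20.1: return the sorted direct dependents if the locked version is affected, else None.
fn affected_dependents(lock: &str) -> Option<Vec<String>> {
    let pkgs = parse_lock(lock);
    if ver(&pkgs.get("tungstenite")?.0) >= (0, 20, 1) { return None; }
    let mut hits: Vec<String> = pkgs.iter().filter(|(_, (_, deps))| deps.iter().any(|d| d == "tungstenite"))
        .map(|(n, _)| n.clone()).collect();
    hits.sort();
    Some(hits)
}
```

Pointing `parse_lock` at a real `Cargo.lock` (read with `std::fs::read_to_string`) gives the same answer as the advisory tree without needing cargo-deny installed in the CI image.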

@eric-seppanen eric-seppanen added 👀 needs triage This issue needs to be triaged by the Rerun team 🪳 bug Something isn't working labels Feb 15, 2024
@emilk emilk self-assigned this Feb 15, 2024
emilk added a commit that referenced this issue Feb 15, 2024
### What
* Closes #5198

### Checklist
* [x] I have read and agree to [Contributor Guide](https://github.com/rerun-io/rerun/blob/main/CONTRIBUTING.md) and the [Code of Conduct](https://github.com/rerun-io/rerun/blob/main/CODE_OF_CONDUCT.md)
* [x] I've included a screenshot or gif (if applicable)
* [x] I have tested the web demo (if applicable):
  * Using newly built examples: [app.rerun.io](https://app.rerun.io/pr/5200/index.html)
  * Using examples from latest `main` build: [app.rerun.io](https://app.rerun.io/pr/5200/index.html?manifest_url=https://app.rerun.io/version/main/examples_manifest.json)
  * Using full set of examples from `nightly` build: [app.rerun.io](https://app.rerun.io/pr/5200/index.html?manifest_url=https://app.rerun.io/version/nightly/examples_manifest.json)
* [x] The PR title and labels are set such as to maximize their usefulness for the next release's CHANGELOG
* [x] If applicable, add a new check to the [release checklist](https://github.com/rerun-io/rerun/blob/main/tests/python/release_checklist)!
* [x] Test

- [PR Build Summary](https://build.rerun.io/pr/5200)
- [Docs preview](https://rerun.io/preview/029e67941c7494d4c4c1cfbd98c6bf8401e5892b/docs)
- [Examples preview](https://rerun.io/preview/029e67941c7494d4c4c1cfbd98c6bf8401e5892b/examples)
- [Recent benchmark results](https://build.rerun.io/graphs/crates.html)
- [Wasm size tracking](https://build.rerun.io/graphs/sizes.html)
Wumpf pushed a commit that referenced this issue Feb 21, 2024