From 0dc77f0cc22c667364afab4265da04d327369282 Mon Sep 17 00:00:00 2001
From: Denis Cornehl
Date: Sat, 22 Feb 2025 11:00:05 +0100
Subject: [PATCH 1/3] add `ring` unmaintained to audit ignores

---
 .cargo/audit.toml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 84ff4b30c..136881a20 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -17,6 +17,9 @@ ignore = [
 # We have plenty of places where user input ends up in sql, for example the inner doc path for doc pages, crate names etc.
 # But in all these places, the user content is part of the path of the URL.
 # Since URL length is limited by cloudfront, and also by nginx, to something much smaller than 4 GiB, I don't think this issue affects us.
+
+ "RUSTSEC-2025-0007", # `ring` is unmaintained. Not much we can do about it.
+ # https://github.com/rust-lang/docs.rs/issues/2741
 ]
 informational_warnings = ["unmaintained"] # warn for categories of informational advisories
 severity_threshold = "low" # CVSS severity ("none", "low", "medium", "high", "critical")
From 464692e91d3af34b5f37802468c15a11328150d9 Mon Sep 17 00:00:00 2001
From: Denis Cornehl
Date: Sat, 22 Feb 2025 11:05:13 +0100
Subject: [PATCH 2/3] add `proc-macro-error` to ignored audit warnings

---
 .cargo/audit.toml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 136881a20..88d3eb0c2 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -18,6 +18,9 @@ ignore = [
 # But in all these places, the user content is part of the path of the URL.
 # Since URL length is limited by cloudfront, and also by nginx, to something much smaller than 4 GiB, I don't think this issue affects us.
 
+ "RUSTSEC-2024-0370", # proc-macro-error is unmaintained
+ # https://github.com/rust-lang/docs.rs/issues/2595
+
 "RUSTSEC-2025-0007", # `ring` is unmaintained. Not much we can do about it.
 # https://github.com/rust-lang/docs.rs/issues/2741
 ]
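Review bot: The new RUSTSEC-2025-0007 entry records no risk assessment beyond `Not much we can do about it`, so a later reader cannot tell what was accepted or when the ignore should be dropped; the linked issue helps, but the comment itself should say that this advisory is an unmaintained notice rather than a known vulnerability, and which dependency pulls `ring` in (not visible in this hunk — `cargo tree -i ring` would show it). The context line `informational_warnings = ["unmaintained"]` shows such advisories are only warned about, so silencing this ID removes the one reminder to revisit a crypto primitive crate that will no longer receive fixes. I would write `"RUSTSEC-2025-0007", # ring is flagged unmaintained (no vulnerability); pulled in transitively — drop once the dependency chain moves to a maintained backend` and keep the issue link below it. It is also worth noting in the comment that the ignore is keyed to this single ID, so a future vulnerability advisory against ring would still be reported and nobody should widen it.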
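Review bot: The comment on the new RUSTSEC-2024-0370 line only restates the advisory title (`proc-macro-error is unmaintained`) and gives no reason why the unmaintained status is acceptable. Going by its name, proc-macro-error is presumably a compile-time helper reached only from procedural macros, which would mean none of its code ships in the built service — but the hunk cannot show that, and it should be confirmed with `cargo tree -i proc-macro-error` before being written down. I would expand the entry to `"RUSTSEC-2024-0370", # proc-macro-error is unmaintained; build-time-only proc-macro dependency (verify with cargo tree -i proc-macro-error)` and keep the issue link beneath it so the removal condition stays tracked.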
From 21a7cd53f304b1410b5e34b210b292e807b5b325 Mon Sep 17 00:00:00 2001
From: Denis Cornehl
Date: Sat, 22 Feb 2025 11:07:01 +0100
Subject: [PATCH 3/3] remove resolved audit ignores

---
 .cargo/audit.toml | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 88d3eb0c2..3abe27aab 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -1,23 +1,10 @@
 [advisories]
 ignore = [
- "RUSTSEC-2023-0018", # rustwide -> remove_dir_all,TOCTOU / Race Condition
- # https://github.com/rust-lang/docs.rs/issues/2074
-
- "RUSTSEC-2023-0071", # potential key recovery through timing sidechannels
-
- "RUSTSEC-2024-0013", # Memory corruption, denial of service, and arbitrary code execution in libgit2
- # https://github.com/rust-lang/docs.rs/issues/2414
+ "RUSTSEC-2023-0071", # rsa: potential key recovery through timing sidechannels
 
 "RUSTSEC-2024-0320", # yaml-rust is unmaintained.
 # https://github.com/rust-lang/docs.rs/issues/2469
 
- "RUSTSEC-2024-0363", # sqlx, Binary Protocol Misinterpretation caused by Truncating or Overflowing Cast
- # https://github.com/rust-lang/docs.rs/issues/2588
- # SECURITY:
- # We have plenty of places where user input ends up in sql, for example the inner doc path for doc pages, crate names etc.
- # But in all these places, the user content is part of the path of the URL.
- # Since URL length is limited by cloudfront, and also by nginx, to something much smaller than 4 GiB, I don't think this issue affects us.
-
 "RUSTSEC-2024-0370", # proc-macro-error is unmaintained
 # https://github.com/rust-lang/docs.rs/issues/2595
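Review bot: The rewritten RUSTSEC-2023-0071 line now names the crate (`rsa:`), but after this cleanup it is the only remaining ignore of an actual vulnerability (timing side-channel key recovery) and, unlike every other entry left in the list, it carries neither a justification nor a tracking issue. Whether the advisory matters depends on whether the service performs RSA private-key operations whose timing an attacker can observe, which this hunk cannot show; the accepted risk should be written next to the ignore rather than left implicit. I would follow the pattern of the surrounding entries, e.g. `"RUSTSEC-2023-0071", # rsa: potential key recovery through timing sidechannels` followed by `# <tracking issue>: <which dependency reaches rsa and why the timing channel is not exposed here>`. The hunk's trailing context and the closing `]` of the `ignore` array lie beyond the visible text.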