make audit is failing #2698

Closed
winksaville opened this issue Oct 10, 2021 · 1 comment

Comments

@winksaville (Contributor)

Description

When executing make audit it fails because of RUSTSEC-2021-0119.

Version

Unstable at commit 7c7ba77

```
$ git log -1 --pretty=oneline
7c7ba770decb3db6b36b4638f545694179b9f05c (HEAD -> unstable, upstream/unstable, origin/unstable) Update broken api links (#2665)
```

## Present Behaviour

Running `make audit` fails

```
$ make audit
cargo install --force cargo-audit
Updating crates.io index
Installing cargo-audit v0.15.2
Compiling proc-macro2 v1.0.29
Compiling unicode-xid v0.2.2
Compiling libc v0.2.103
...
Compiling rustsec v0.24.3
Compiling cargo-audit v0.15.2
Finished release [optimized] target(s) in 34.16s
Replacing /home/wink/.cargo/bin/cargo-audit
Replaced package cargo-audit v0.15.2 with cargo-audit v0.15.2 (executable cargo-audit)
cargo audit
Fetching advisory database from https://github.com/RustSec/advisory-db.git
Loaded 367 security advisories (from /home/wink/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (651 crate dependencies)
Crate: nix
Version: 0.17.0
Title: Out-of-bounds write in nix::unistd::getgrouplist
Date: 2021-09-27
ID: RUSTSEC-2021-0119
URL: https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.17.0

Crate: nix
Version: 0.22.0
Title: Out-of-bounds write in nix::unistd::getgrouplist
Date: 2021-09-27
ID: RUSTSEC-2021-0119
URL: https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.22.0

Crate: stdweb
Version: 0.4.20
Warning: unmaintained
Title: stdweb is unmaintained
Date: 2020-05-04
ID: RUSTSEC-2020-0056
URL: https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27

error: 2 vulnerabilities found!
warning: 1 allowed warning found
make: *** [Makefile:154: audit] Error 1
```


## Expected Behaviour

`make audit` should succeed

## Steps to resolve

Two known solutions:
1. Get rust-psutil to merge [PR 93](https://github.com/rust-psutil/rust-psutil/pull/93) and then change common/eth2/Cargo.toml to use the latest psutil.
2. Create a local change that fixes it, such as #2697
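The report above is what `cargo audit` prints in its human-readable mode. As an added example (not code from the Lighthouse repository or from cargo-audit itself), the following Rust program parses that text format, evaluates each finding's "Solution" alternatives with Cargo's caret semantics against the locked version, and picks the least disruptive upgrade. The `REPORT` constant is a constructed sample taken from the findings quoted in this issue; `Version`, `Req`, `Finding`, `parse_report`, `is_patched` and `upgrade_target` are names chosen here, not part of any library.

```rust
// Added example, not code from the Lighthouse repository: parse the plain-text
// report that `cargo audit` prints (the format quoted in this issue) and check
// each finding's "Solution" ranges against the locked crate version.

/// Constructed sample: the three findings from this issue, trimmed to the
/// fields the parser uses (Title/Date/URL lines would simply be skipped).
pub const REPORT: &str = "\
Crate: nix
Version: 0.17.0
ID: RUSTSEC-2021-0119
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0

Crate: nix
Version: 0.22.0
ID: RUSTSEC-2021-0119
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0

Crate: stdweb
Version: 0.4.20
Warning: unmaintained
ID: RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
";

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        Some(Version(it.next()??, it.next()??, it.next()??))
    }
}

/// One alternative from a "Solution: Upgrade to ..." line: `^x.y.z` or `>=x.y.z`.
#[derive(Debug, Clone, Copy)]
pub enum Req { Caret(Version), AtLeast(Version) }

impl Req {
    pub fn parse(s: &str) -> Option<Req> {
        let s = s.trim();
        if let Some(r) = s.strip_prefix(">=") { return Version::parse(r).map(Req::AtLeast); }
        s.strip_prefix('^').and_then(Version::parse).map(Req::Caret)
    }

    /// Lower bound of the range.
    pub fn floor(&self) -> Version {
        match *self { Req::Caret(v) | Req::AtLeast(v) => v }
    }

    /// Cargo caret semantics: the leftmost non-zero component must not change,
    /// so `^0.22.2` means `>=0.22.2, <0.23.0` and `^0.0.3` means exactly 0.0.3.
    pub fn matches(&self, v: Version) -> bool {
        let min = self.floor();
        let same_leading = if min.0 > 0 { v.0 == min.0 }
            else if min.1 > 0 { v.0 == 0 && v.1 == min.1 }
            else { v.0 == 0 && v.1 == 0 && v.2 == min.2 };
        match *self { Req::AtLeast(_) => v >= min, Req::Caret(_) => v >= min && same_leading }
    }
}

#[derive(Debug, Clone, PartialEq, Eq, Default)]
pub struct Finding {
    pub krate: String,
    pub version: String,
    pub id: String,
    pub solution: Vec<String>, // raw alternatives, e.g. "^0.22.2"
    pub warning: bool,         // a "Warning:" line was present (unmaintained, ...)
}

/// Each finding starts at a "Crate:" line; every other line is attached to the
/// most recent finding, and lines the parser does not need are skipped.
pub fn parse_report(text: &str) -> Vec<Finding> {
    let mut out: Vec<Finding> = Vec::new();
    for line in text.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("Crate:") {
            out.push(Finding { krate: v.trim().to_string(), ..Finding::default() });
        } else if let Some(f) = out.last_mut() {
            if let Some(v) = line.strip_prefix("Version:") { f.version = v.trim().to_string(); }
            else if let Some(v) = line.strip_prefix("ID:") { f.id = v.trim().to_string(); }
            else if line.starts_with("Warning:") { f.warning = true; }
            else if let Some(v) = line.strip_prefix("Solution:") {
                let v = v.trim().trim_start_matches("Upgrade to");
                f.solution = v.split(" OR ").map(|s| s.trim().to_string()).collect();
            }
        }
    }
    out
}

/// Some(true): locked version lies inside a patched range; Some(false): still
/// vulnerable; None: no Solution line (warnings) or an unparsable version.
pub fn is_patched(f: &Finding) -> Option<bool> {
    if f.solution.is_empty() { return None; }
    let v = Version::parse(&f.version)?;
    Some(f.solution.iter().filter_map(|s| Req::parse(s)).any(|r| r.matches(v)))
}

/// For a vulnerable finding, the smallest listed patched version not below the
/// locked one (the least disruptive bump); None when there is nothing to do.
pub fn upgrade_target(f: &Finding) -> Option<Version> {
    if is_patched(f) != Some(false) { return None; }
    let v = Version::parse(&f.version)?;
    f.solution.iter().filter_map(|s| Req::parse(s)).map(|r| r.floor()).filter(|m| *m >= v).min()
}

fn main() {
    for f in parse_report(REPORT) {
        match upgrade_target(&f) {
            Some(t) => println!("{} {} ({}): vulnerable, bump to {}.{}.{}", f.krate, f.version, f.id, t.0, t.1, t.2),
            None => println!("{} {} ({}): {}", f.krate, f.version, f.id, if f.warning { "warning only" } else { "patched" }),
        }
    }
}
```

Run against the sample, this reports that `nix 0.17.0` needs at least 0.20.2 and `nix 0.22.0` needs at least 0.22.2, while the `stdweb` entry is an unmaintained warning with no patched range, which matches the two vulnerabilities and one allowed warning in the `make audit` output above. In practice `cargo audit --json` is the stable interface for tooling; the text parser is here to make the range logic behind the "Solution" line explicit.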

bors bot pushed a commit that referenced this issue Oct 11, 2021
## Issue Addressed

Fix `cargo audit` failures on `unstable`

Closes #2698

## Proposed Changes

The main culprit is `nix`, which is vulnerable for versions below v0.23.0. We can't get by with a straight-forward `cargo update` because `psutil` depends on an old version of `nix` (cf. rust-psutil/rust-psutil#93). Hence I've temporarily forked `psutil` under the `sigp` org, where I've included the update to `nix` v0.23.0.

Additionally, I took the chance to update the `time` dependency to v0.3, which removed a bunch of stale deps including `stdweb` which is no longer maintained. Lighthouse only uses the `time` crate in the notifier to do some pretty printing, and so wasn't affected by any of the breaking changes in v0.3 ([changelog here](https://github.com/time-rs/time/blob/main/CHANGELOG.md#030-2021-07-30)).
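To make the "fork the blocking dependency" step concrete, here is an added illustration of how a forked crate is wired into a Cargo project. It is not the actual diff from the fix, which the commit message does not reproduce; the fork URL and revision are placeholders, and `[dependencies]` stands for whichever table in common/eth2/Cargo.toml currently pulls in `psutil`.

```toml
# Added illustration, not Lighthouse's actual change: point psutil at a fork whose
# Cargo.toml already requires a patched nix. URL and rev are placeholders.

# Option A: in common/eth2/Cargo.toml (the file named in the issue), replace the
# crates.io requirement with a git source pinned to a specific commit.
[dependencies]
psutil = { git = "https://github.com/<org>/rust-psutil", rev = "<commit that bumps nix to 0.23>" }

# Option B: in the workspace root Cargo.toml, override the crates.io package for
# the whole dependency graph, so any other crate depending on psutil is covered
# too and no per-crate manifest has to change.
[patch.crates-io]
psutil = { git = "https://github.com/<org>/rust-psutil", rev = "<commit that bumps nix to 0.23>" }
```

Pinning `rev` rather than a branch keeps the build reproducible and keeps the lockfile from silently moving to new fork commits. After the change, `cargo tree -i nix@0.17.0` (inverted tree) shows which crates still pull in the old version, and rerunning `cargo audit` confirms that RUSTSEC-2021-0119 no longer matches the lockfile.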
@michaelsproul (Member)

Fixed by #2699
