Workaround make audit failure for rust-nix #2697
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The workaround is to add common/rust-psutil and change it's Cargo.toml
to use v0.22.2. And then change common/eth2/Cargo.toml to point to
../common/rust-psutil.
Also updated Makefile:
- lint: target to Allow needless_borrow to
pass the `cargo lint` action.
- test-release, test-debug: addded --exclude psutil if Windows_NT
The failure is:
Compiling cargo-audit v0.15.2
Finished release [optimized] target(s) in 3m 34s
Replacing /home/runner/.cargo/bin/cargo-audit
Replaced package `cargo-audit v0.15.2` with `cargo-audit v0.15.2` (executable `cargo-audit`)
cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 367 security advisories (from /home/runner/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (652 crate dependencies)
Crate: nix
error: 2 vulnerabilities found!
Version: 0.17.0
Title: Out-of-bounds write in nix::unistd::getgrouplist
Date: 2021-09-27
ID: RUSTSEC-2021-0119
URL: https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.17.0
Crate: nix
Version: 0.22.0
Title: Out-of-bounds write in nix::unistd::getgrouplist
Date: 2021-09-27
ID: RUSTSEC-2021-0119
URL: https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.22.0
Crate: stdweb
Version: 0.4.20
Warning: unmaintained
Title: stdweb is unmaintained
Date: 2020-05-04
ID: RUSTSEC-2020-0056
URL: https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
warning: 1 allowed warning found
make: *** [Makefile:154: audit] Error 1
Error: Process completed with exit code 2.
winksaville
changed the title
|
One way to fix #2698 |
|
Thanks for the report and digging into the root cause! Rather than vendoring |
|
SG, I figured there was a better way :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The workaround is to add common/rust-psutil and change it's Cargo.toml
to use v0.22.2. And then change common/eth2/Cargo.toml to point to
../common/rust-psutil.
Also updated Makefile:
pass the
cargo lintaction.The failure is: