Enable cargo audit in the GHA pipelines #357

Open
surajssd opened this issue Sep 12, 2023 · 0 comments

Comments

@surajssd
Member

Running a basic cargo audit on the project root shows that a bunch of deps are vulnerable.

Complete Output
$ cargo audit -c never
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 567 security advisories (from /home/suraj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (626 crate dependencies)
Crate:     ed25519-dalek
Version:   1.0.1
Title:     Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
Date:      2022-06-11
ID:        RUSTSEC-2022-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0093
Solution:  Upgrade to >=2
Dependency tree:
ed25519-dalek 1.0.1
└── sequoia-openpgp 1.16.0
    └── image-rs 0.1.0

Crate:     ed25519-dalek
Version:   2.0.0-pre.0
Title:     Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
Date:      2022-06-11
ID:        RUSTSEC-2022-0093
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0093
Solution:  Upgrade to >=2
Dependency tree:
ed25519-dalek 2.0.0-pre.0
└── sigstore 0.6.0
    └── image-rs 0.1.0

Crate:     rustls-webpki
Version:   0.101.2
Title:     rustls-webpki: CPU denial of service in certificate path building
Date:      2023-08-22
ID:        RUSTSEC-2023-0053
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0053
Severity:  7.5 (high)
Solution:  Upgrade to >=0.100.2, <0.101.0 OR >=0.101.4
Dependency tree:
rustls-webpki 0.101.2
└── rustls 0.21.5
    ├── tokio-rustls 0.24.1
    │   ├── reqwest 0.11.18
    │   │   ├── oci-distribution 0.9.4
    │   │   │   ├── sigstore 0.6.0
    │   │   │   │   └── image-rs 0.1.0
    │   │   │   └── image-rs 0.1.0
    │   │   ├── nydus-storage 0.6.3
    │   │   │   ├── nydus-service 0.3.0
    │   │   │   │   └── image-rs 0.1.0
    │   │   │   └── nydus-rafs 0.3.1
    │   │   │       └── nydus-service 0.3.0
    │   │   ├── kms 0.1.0
    │   │   │   ├── secret 0.1.0
    │   │   │   │   └── confidential-data-hub 0.1.0
    │   │   │   └── confidential-data-hub 0.1.0
    │   │   ├── kbs_protocol 0.1.0
    │   │   │   ├── kms 0.1.0
    │   │   │   ├── kbc 0.1.0
    │   │   │   │   ├── ocicrypt-rs 0.1.0
    │   │   │   │   │   └── image-rs 0.1.0
    │   │   │   │   └── attestation_agent 0.1.0
    │   │   │   │       ├── ocicrypt-rs 0.1.0
    │   │   │   │       ├── image-rs 0.1.0
    │   │   │   │       └── attestation-agent 0.1.0
    │   │   │   └── attestation_agent 0.1.0
    │   │   └── coco_keyprovider 0.1.0
    │   └── hyper-rustls 0.24.1
    │       └── reqwest 0.11.18
    ├── reqwest 0.11.18
    └── hyper-rustls 0.24.1

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── chrono 0.4.26
    ├── sigstore 0.6.0
    │   └── image-rs 0.1.0
    ├── sequoia-openpgp 1.16.0
    │   └── image-rs 0.1.0
    ├── oci-distribution 0.9.4
    │   ├── sigstore 0.6.0
    │   └── image-rs 0.1.0
    ├── kms 0.1.0
    │   ├── secret 0.1.0
    │   │   └── confidential-data-hub 0.1.0
    │   └── confidential-data-hub 0.1.0
    └── bollard-stubs 1.41.0
        └── testcontainers 0.14.0
            └── kbs_protocol 0.1.0
                ├── kms 0.1.0
                ├── kbc 0.1.0
                │   ├── ocicrypt-rs 0.1.0
                │   │   └── image-rs 0.1.0
                │   └── attestation_agent 0.1.0
                │       ├── ocicrypt-rs 0.1.0
                │       ├── image-rs 0.1.0
                │       └── attestation-agent 0.1.0
                └── attestation_agent 0.1.0

Crate:     webpki
Version:   0.22.0
Title:     webpki: CPU denial of service in certificate path building
Date:      2023-08-22
ID:        RUSTSEC-2023-0052
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0052
Severity:  7.5 (high)
Solution:  Upgrade to >=0.22.1
Dependency tree:
webpki 0.22.0
└── webpki-roots 0.22.6
    └── reqwest 0.11.18
        ├── oci-distribution 0.9.4
        │   ├── sigstore 0.6.0
        │   │   └── image-rs 0.1.0
        │   └── image-rs 0.1.0
        ├── nydus-storage 0.6.3
        │   ├── nydus-service 0.3.0
        │   │   └── image-rs 0.1.0
        │   └── nydus-rafs 0.3.1
        │       └── nydus-service 0.3.0
        ├── kms 0.1.0
        │   ├── secret 0.1.0
        │   │   └── confidential-data-hub 0.1.0
        │   └── confidential-data-hub 0.1.0
        ├── kbs_protocol 0.1.0
        │   ├── kms 0.1.0
        │   ├── kbc 0.1.0
        │   │   ├── ocicrypt-rs 0.1.0
        │   │   │   └── image-rs 0.1.0
        │   │   └── attestation_agent 0.1.0
        │   │       ├── ocicrypt-rs 0.1.0
        │   │       ├── image-rs 0.1.0
        │   │       └── attestation-agent 0.1.0
        │   └── attestation_agent 0.1.0
        └── coco_keyprovider 0.1.0

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── bindgen 0.59.2
        └── tdx-attest-sys 0.1.0
            └── tdx-attest-rs 0.1.2
                └── attester 0.1.0
                    ├── test-binaries 0.1.0
                    ├── kbs_protocol 0.1.0
                    │   ├── kms 0.1.0
                    │   │   ├── secret 0.1.0
                    │   │   │   └── confidential-data-hub 0.1.0
                    │   │   └── confidential-data-hub 0.1.0
                    │   ├── kbc 0.1.0
                    │   │   ├── ocicrypt-rs 0.1.0
                    │   │   │   └── image-rs 0.1.0
                    │   │   └── attestation_agent 0.1.0
                    │   │       ├── ocicrypt-rs 0.1.0
                    │   │       ├── image-rs 0.1.0
                    │   │       └── attestation-agent 0.1.0
                    │   └── attestation_agent 0.1.0
                    └── attestation_agent 0.1.0

Crate:     xsalsa20poly1305
Version:   0.9.1
Warning:   unmaintained
Title:     crate has been renamed to `crypto_secretbox`
Date:      2023-05-16
ID:        RUSTSEC-2023-0037
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0037
Dependency tree:
xsalsa20poly1305 0.9.1
└── sigstore 0.6.0
    └── image-rs 0.1.0

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── env_logger 0.9.3
│   └── bindgen 0.59.2
│       └── tdx-attest-sys 0.1.0
│           └── tdx-attest-rs 0.1.2
│               └── attester 0.1.0
│                   ├── test-binaries 0.1.0
│                   ├── kbs_protocol 0.1.0
│                   │   ├── kms 0.1.0
│                   │   │   ├── secret 0.1.0
│                   │   │   │   └── confidential-data-hub 0.1.0
│                   │   │   └── confidential-data-hub 0.1.0
│                   │   ├── kbc 0.1.0
│                   │   │   ├── ocicrypt-rs 0.1.0
│                   │   │   │   └── image-rs 0.1.0
│                   │   │   └── attestation_agent 0.1.0
│                   │   │       ├── ocicrypt-rs 0.1.0
│                   │   │       ├── image-rs 0.1.0
│                   │   │       └── attestation-agent 0.1.0
│                   │   └── attestation_agent 0.1.0
│                   └── attestation_agent 0.1.0
└── clap 2.34.0
    └── bindgen 0.59.2

Crate:     vm-memory
Version:   0.9.0
Warning:   unsound
Title:     Default functions in VolatileMemory trait lack bounds checks, potentially leading to out-of-bounds memory accesses
Date:      2023-09-01
ID:        RUSTSEC-2023-0056
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0056
Severity:  2.5 (low)
Dependency tree:
vm-memory 0.9.0
├── nydus-storage 0.6.3
│   ├── nydus-service 0.3.0
│   │   └── image-rs 0.1.0
│   └── nydus-rafs 0.3.1
│       └── nydus-service 0.3.0
├── nydus-rafs 0.3.1
└── fuse-backend-rs 0.10.4
    ├── nydus-storage 0.6.3
    ├── nydus-service 0.3.0
    └── nydus-rafs 0.3.1

error: 5 vulnerabilities found!
warning: 4 allowed warnings found
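One way to turn a report like the one above into a pipeline gate, added here as an example and not code from the project: it parses the plain-text record format `cargo audit` prints (the `Crate:`, `Version:`, `Warning:`, `Severity:` and `Solution:` fields, plus the depth-1 rows of each dependency tree) and applies a policy that fails on vulnerabilities and `unsound` crates while allowing `unmaintained` ones, with an allow-list for advisory IDs that have been reviewed. `SAMPLE_REPORT` is a constructed, abbreviated sample built from records in this issue; `Finding`, `parse_report` and `evaluate` are names chosen for the example.

```python
"""Triage a plain-text `cargo audit` report against a CI gate policy.
Added example for this issue, not project code. SAMPLE_REPORT is a constructed,
abbreviated sample built from records in the issue body."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Finding:
    crate: str
    version: str
    advisory_id: str
    title: str
    kind: str               # "vulnerability" or the Warning: class (unsound, unmaintained, ...)
    severity: float | None  # CVSS score when the advisory carries one
    solution: str | None    # upgrade hint, or None when no fixed version exists
    dependants: list[str] = field(default_factory=list)  # direct users of the affected crate

FIELD_RE = re.compile(r"^(Crate|Version|Warning|Title|Date|ID|URL|Severity|Solution):\s+(.*)$")
DIRECT_DEP_RE = re.compile(r"^[├└]── (\S+) \S+$")  # depth-1 rows of the dependency tree

def parse_report(text: str) -> list[Finding]:
    """One Finding per record: records are blank-line separated and carry a tree."""
    findings: list[Finding] = []
    for block in re.split(r"\n[ \t]*\n", text):
        lines = block.splitlines()
        if "Dependency tree:" not in lines:
            continue  # fetch/scan header or the error/warning summary, not a record
        cut = lines.index("Dependency tree:")  # header lines glued to the first record are skipped
        fields = {m.group(1): m.group(2).strip()
                  for line in lines[:cut] if (m := FIELD_RE.match(line))}
        sev = fields.get("Severity")
        findings.append(Finding(
            crate=fields["Crate"], version=fields["Version"], advisory_id=fields["ID"],
            title=fields["Title"], kind=fields.get("Warning", "vulnerability"),
            severity=float(sev.split()[0]) if sev else None, solution=fields.get("Solution"),
            dependants=[m.group(1) for line in lines[cut + 1:] if (m := DIRECT_DEP_RE.match(line))],
        ))
    return findings

def evaluate(findings: list[Finding], fail_on=("vulnerability", "unsound"), ignore=()):
    """Return (passed, reasons). `ignore` lists advisory IDs accepted after review."""
    reasons = []
    for f in findings:
        if f.advisory_id in ignore or f.kind not in fail_on:
            continue
        fix = f.solution or "no fixed version; replace the crate or record an exception"
        reasons.append(f"{f.advisory_id}: {f.crate} {f.version} [{f.kind}] "
                       f"via {', '.join(f.dependants)} -> {fix}")
    return not reasons, reasons

# Constructed, abbreviated sample in the format cargo audit prints (records from this issue).
SAMPLE_REPORT = """\
Crate:     ed25519-dalek
Version:   1.0.1
Title:     Double Public Key Signing Function Oracle Attack on `ed25519-dalek`
ID:        RUSTSEC-2022-0093
Solution:  Upgrade to >=2
Dependency tree:
ed25519-dalek 1.0.1
└── sequoia-openpgp 1.16.0

Crate:     rustls-webpki
Version:   0.101.2
Title:     rustls-webpki: CPU denial of service in certificate path building
ID:        RUSTSEC-2023-0053
Severity:  7.5 (high)
Solution:  Upgrade to >=0.100.2, <0.101.0 OR >=0.101.4
Dependency tree:
rustls-webpki 0.101.2
└── rustls 0.21.5

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
ID:        RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── env_logger 0.9.3
└── clap 2.34.0

Crate:     vm-memory
Version:   0.9.0
Warning:   unsound
Title:     Default functions in VolatileMemory trait lack bounds checks
ID:        RUSTSEC-2023-0056
Severity:  2.5 (low)
Dependency tree:
vm-memory 0.9.0
└── nydus-storage 0.6.3

error: 2 vulnerabilities found!
"""

if __name__ == "__main__":
    ok, reasons = evaluate(parse_report(SAMPLE_REPORT), ignore=("RUSTSEC-2022-0093",))
    print("PASS" if ok else "FAIL")
    for r in reasons:
        print("  " + r)
```

Run stand-alone it prints FAIL with three reasons (the second vulnerability and both unsound crates), since the ed25519-dalek advisory is on the allow-list. In an actual workflow step the same policy can be expressed with the tool's own flags: `cargo audit` already exits non-zero on vulnerabilities, `--deny unsound` promotes that warning class to an error, and `--ignore RUSTSEC-...` suppresses an advisory that has been reviewed; for anything more than a quick gate, `cargo audit --json` is the stable input to parse rather than the text report.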