bdk-cli
AUDIT failure due to bdk + cbf dependency `rocksdb`
This is to document the recent cargo-audit failures happening in CI.
```
$ cargo-audit audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 456 security advisories (from /home/raj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (280 crate dependencies)
Crate:     rocksdb
Version:   0.14.0
Title:     Out-of-bounds read when opening multiple column families with TTL
Date:      2022-05-11
ID:        RUSTSEC-2022-0046
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0046
Solution:  Upgrade to >=0.19.0
Dependency tree:
rocksdb 0.14.0
└── bdk 0.22.0
    ├── bdk-reserves 0.22.0
    │   └── bdk-cli 0.5.0
    └── bdk-cli 0.5.0

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        └── bdk-cli 0.5.0

Crate:     stdweb
Version:   0.4.20
Warning:   unmaintained
Title:     stdweb is unmaintained
Date:      2020-05-04
ID:        RUSTSEC-2020-0056
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

error: 1 vulnerability found!
warning: 2 allowed warnings found
```
There is a vulnerability in rocksdb which was originally reported by @afilini here https://github.com/bitcoindevkit/bdk/pull/724.
Depending on the outcome of experimentation with nakamoto for cbf, we might be able to get rid of rocksdb fully from our dep tree.
Till then I guess we have to live with this audit failure?
Or we can disable compact_filters temporarily in bdk-cli.
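As an added illustration of the "disable compact_filters" option (this is an example fragment, not bdk-cli's actual Cargo.toml), the point is that `rocksdb` only reaches Cargo.lock through bdk's `compact_filters` feature, so keeping that feature out of the default set removes the vulnerable crate from the audited tree. The feature names `electrum` and `compact_filters` and the default set shown are assumptions about how bdk-cli forwards bdk's features; check the real manifest before copying.

```toml
# Example manifest fragment (not the project's own file).
# `rocksdb` is only pulled in when bdk's `compact_filters` feature is enabled,
# so leaving that feature out of `default` keeps it out of Cargo.lock.

[dependencies]
# Assumed: bdk is consumed with default features off so that only the
# features listed below are enabled.
bdk = { version = "0.22.0", default-features = false }

[features]
# Assumed default set: compact_filters is deliberately omitted so the
# default build (and the CI audit of its Cargo.lock) never resolves rocksdb.
default = ["electrum"]
electrum = ["bdk/electrum"]
# Opt-in only: enabling this re-introduces bdk -> rocksdb 0.14.0 and with it
# RUSTSEC-2022-0046 until bdk moves to a rocksdb release >= 0.19.0.
compact_filters = ["bdk/compact_filters"]
```

To confirm the change took effect, regenerate the lockfile and run `cargo tree -i rocksdb` (inverted tree); it should report that the package is not in the graph. A subsequent `cargo audit` should then drop to only the two `unmaintained` warnings (`ansi_term`, `stdweb`), which come in via `structopt`/`clap` and `ureq` rather than bdk and are unaffected by this feature change.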
I support temporarily removing compact_filters support to resolve this audit issue.