
RUSTSEC advisories

Open VaiTon opened this issue 5 months ago • 0 comments

While packaging for openSUSE Tumbleweed, I encountered some problems while cargo auditing the package.

Every package must have no unresolved RUSTSEC advisories to be submitted, otherwise I can decide to ignore some of them but it must be documented why it doesn't apply.

Has the project taken into consideration updating some of the dependencies to fix these advisories?

Thanks!


Versions

  • sn0int --version: 0.26.1

Vendoring log

2024-09-15T15:41:29.887418Z  INFO obs_service_cargo::utils: 🍿 Vendoring for src 'sn0int'
2024-09-15T15:41:29.910947Z  INFO obs_service_cargo::utils: 📚 Project uses a workspace!
2024-09-15T15:41:29.911050Z  INFO obs_service_cargo::vendor: ⏫ Updating dependencies before vendor
2024-09-15T15:41:31.802097Z  INFO obs_service_cargo::vendor: ⏫ Successfully ran cargo update
2024-09-15T15:41:31.848731Z  WARN obs_service_cargo::audit: ⚠️  15 vulnerabilities found.
2024-09-15T15:41:31.848766Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0365 diesel 1.4.8 - categories format-injection - cvss unset
2024-09-15T15:41:31.848778Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0034 h2 0.1.26 - categories denial-of-service - cvss unset
2024-09-15T15:41:31.848788Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0003 h2 0.1.26 - categories denial-of-service - cvss unset
2024-09-15T15:41:31.848798Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0332 h2 0.1.26 - categories denial-of-service - cvss unset
2024-09-15T15:41:31.849251Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0078 hyper 0.10.16 - categories - cvss 5.3
2024-09-15T15:41:31.849275Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0079 hyper 0.10.16 - categories - cvss 9.1
2024-09-15T15:41:31.849284Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0078 hyper 0.12.36 - categories - cvss 5.3
2024-09-15T15:41:31.849295Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0079 hyper 0.12.36 - categories - cvss 9.1
2024-09-15T15:41:31.849311Z  WARN obs_service_cargo::audit: - RUSTSEC-2022-0090 libsqlite3-sys 0.22.2 - categories denial-of-service code-execution - cvss 7.5
2024-09-15T15:41:31.849322Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0336 rustls 0.16.0 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849334Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0336 rustls 0.18.1 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849345Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0124 tokio 0.1.22 - categories memory-corruption thread-safety - cvss unset
2024-09-15T15:41:31.849358Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0080 transpose 0.1.0 - categories memory-corruption - cvss unset
2024-09-15T15:41:31.849373Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0065 tungstenite 0.13.0 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849387Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0052 webpki 0.21.4 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849433Z ERROR obs_service_cargo::audit: ⚠️  You must action these before submitting this package.
2024-09-15T15:41:31.849443Z ERROR obs_service_cargo::audit: 🛑 Vulnerabilities found in application dependencies. These must be actioned to proceed with vendoring.

VaiTon avatar Sep 15 '24 15:09 VaiTon
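The packaging requirement above (every advisory either fixed by a dependency update or ignored with a written justification) is easier to act on when the audit output is grouped per crate rather than read line by line. The following is an added example, not code from sn0int or from the issue: it parses the `obs_service_cargo::audit` lines of the vendoring log quoted in the report into structured findings and rolls them up per crate, showing distinct advisory ids, every vendored version that is hit, the worst CVSS score seen, and how many findings carry no score at all. `Finding`, `CrateSummary`, `parse_line`, `summarize` and `count_findings` are the example's own names; `SAMPLE_LOG` copies the advisory lines from the report, with one WARN summary line and one ERROR line kept so the parser's filtering is exercised.

```rust
// Added example (not part of sn0int or the issue): parse the
// obs_service_cargo::audit lines of the vendoring log into structured
// findings and roll them up per crate. All names here are the example's own.
use std::collections::BTreeMap;

/// The advisory lines quoted in the issue, plus two non-advisory lines
/// around them, so the parser's filtering is exercised.
pub const SAMPLE_LOG: &str = r"
2024-09-15T15:41:31.848731Z  WARN obs_service_cargo::audit: ⚠️  15 vulnerabilities found.
2024-09-15T15:41:31.848766Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0365 diesel 1.4.8 - categories format-injection - cvss unset
2024-09-15T15:41:31.848778Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0034 h2 0.1.26 - categories denial-of-service - cvss unset
2024-09-15T15:41:31.848788Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0003 h2 0.1.26 - categories denial-of-service - cvss unset
2024-09-15T15:41:31.848798Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0332 h2 0.1.26 - categories denial-of-service - cvss unset
2024-09-15T15:41:31.849251Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0078 hyper 0.10.16 - categories - cvss 5.3
2024-09-15T15:41:31.849275Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0079 hyper 0.10.16 - categories - cvss 9.1
2024-09-15T15:41:31.849284Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0078 hyper 0.12.36 - categories - cvss 5.3
2024-09-15T15:41:31.849295Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0079 hyper 0.12.36 - categories - cvss 9.1
2024-09-15T15:41:31.849311Z  WARN obs_service_cargo::audit: - RUSTSEC-2022-0090 libsqlite3-sys 0.22.2 - categories denial-of-service code-execution - cvss 7.5
2024-09-15T15:41:31.849322Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0336 rustls 0.16.0 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849334Z  WARN obs_service_cargo::audit: - RUSTSEC-2024-0336 rustls 0.18.1 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849345Z  WARN obs_service_cargo::audit: - RUSTSEC-2021-0124 tokio 0.1.22 - categories memory-corruption thread-safety - cvss unset
2024-09-15T15:41:31.849358Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0080 transpose 0.1.0 - categories memory-corruption - cvss unset
2024-09-15T15:41:31.849373Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0065 tungstenite 0.13.0 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849387Z  WARN obs_service_cargo::audit: - RUSTSEC-2023-0052 webpki 0.21.4 - categories denial-of-service - cvss 7.5
2024-09-15T15:41:31.849433Z ERROR obs_service_cargo::audit: ⚠️  You must action these before submitting this package.
";

/// One advisory line from the audit log.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub id: String,
    pub krate: String,
    pub version: String,
    pub categories: Vec<String>,
    pub cvss: Option<f32>, // None when the log says "cvss unset"
}

/// Per-crate rollup used to decide what to update or what to document.
#[derive(Debug, Default, PartialEq)]
pub struct CrateSummary {
    pub advisories: Vec<String>, // distinct RUSTSEC ids
    pub versions: Vec<String>,   // distinct vendored versions hit
    pub max_cvss: Option<f32>,   // worst score seen, None if all unset
    pub unscored: usize,         // findings with no CVSS score
}

/// Parse one line; None for INFO/ERROR lines and the "N vulnerabilities found" summary.
pub fn parse_line(line: &str) -> Option<Finding> {
    let marker = "audit: - ";
    let body = &line[line.find(marker)? + marker.len()..];
    // "<id> <crate> <version> - categories <c>... - cvss <score|unset>"
    let parts: Vec<&str> = body.split(" - ").collect();
    if parts.len() != 3 {
        return None;
    }
    let mut head = parts[0].split_whitespace();
    let (id, krate, version) = (head.next()?, head.next()?, head.next()?);
    if !id.starts_with("RUSTSEC-") {
        return None;
    }
    let categories = parts[1].strip_prefix("categories")?.split_whitespace().map(String::from).collect();
    let cvss = match parts[2].strip_prefix("cvss ")? {
        "unset" => None,
        s => Some(s.parse::<f32>().ok()?), // malformed score: reject the line
    };
    Some(Finding { id: id.into(), krate: krate.into(), version: version.into(), categories, cvss })
}

/// Roll findings up by crate (BTreeMap keeps the output sorted by crate name).
pub fn summarize(log: &str) -> BTreeMap<String, CrateSummary> {
    let mut map: BTreeMap<String, CrateSummary> = BTreeMap::new();
    for f in log.lines().filter_map(parse_line) {
        let e = map.entry(f.krate.clone()).or_default();
        if !e.advisories.contains(&f.id) {
            e.advisories.push(f.id.clone());
        }
        if !e.versions.contains(&f.version) {
            e.versions.push(f.version.clone());
        }
        match f.cvss {
            Some(s) => e.max_cvss = Some(e.max_cvss.map_or(s, |m| m.max(s))),
            None => e.unscored += 1,
        }
    }
    map
}

/// Total advisory lines; should equal the count in the WARN summary line.
pub fn count_findings(log: &str) -> usize {
    log.lines().filter_map(parse_line).count()
}

fn main() {
    println!("{} findings", count_findings(SAMPLE_LOG));
    for (krate, s) in summarize(SAMPLE_LOG) {
        println!("{krate:<16} {:?} max_cvss={:?} unscored={} advisories={:?}",
                 s.versions, s.max_cvss, s.unscored, s.advisories);
    }
}
```

Run with `cargo run` (no external crates are needed). The per-crate view makes two things visible that the flat log hides: the same advisory against two vendored versions of one crate (hyper, rustls) is one dependency-tree problem, not two, and the findings with `cvss unset` still count against the packaging requirement and need a written justification if they are not fixed by an update.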