
Fix cargo audit errors

Open Arqu opened this issue 3 years ago • 0 comments

Is this ticket stale? The `cargo-audit` invocation itself works fine but we're currently failing audit due to two dependencies:
$ git rev-parse HEAD
5114380c98045067e5ffeb6875b280a0095bcc2b
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 462 security advisories (from /home/jmcph4/.cargo/advisory-db)
    Updating crates.io index
    Updating git repository `https://github.com/dignifiedquire/rust-libp2p`
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (613 crate dependencies)
Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
└── chrono 0.4.22
    ├── serde_with 2.0.1
    │   └── iroh-rpc-types 0.1.0
    │       ├── iroh-store 0.1.0
    │       │   ├── iroh-share 0.1.0
    │       │   ├── iroh-resolver 0.1.0
    │       │   │   ├── iroh-share 0.1.0
    │       │   │   ├── iroh-one 0.1.0
    │       │   │   ├── iroh-gateway 0.1.0
    │       │   │   │   └── iroh-one 0.1.0
    │       │   │   ├── iroh-examples 0.1.0
    │       │   │   └── iroh-api 0.1.0
    │       │   │       └── iroh 0.1.0
    │       │   │           ├── xtask 0.1.0
    │       │   │           └── iroh 0.1.0
    │       │   ├── iroh-one 0.1.0
    │       │   └── iroh-gateway 0.1.0
    │       ├── iroh-share 0.1.0
    │       ├── iroh-rpc-client 0.1.0
    │       │   ├── iroh-store 0.1.0
    │       │   ├── iroh-share 0.1.0
    │       │   ├── iroh-resolver 0.1.0
    │       │   ├── iroh-p2p 0.1.0
    │       │   │   ├── iroh-share 0.1.0
    │       │   │   └── iroh-one 0.1.0
    │       │   ├── iroh-one 0.1.0
    │       │   ├── iroh-gateway 0.1.0
    │       │   ├── iroh-examples 0.1.0
    │       │   └── iroh-api 0.1.0
    │       ├── iroh-resolver 0.1.0
    │       ├── iroh-p2p 0.1.0
    │       ├── iroh-one 0.1.0
    │       ├── iroh-gateway 0.1.0
    │       └── iroh-api 0.1.0
    └── caches 0.2.2
        ├── iroh-p2p 0.1.0
        └── iroh-bitswap 0.1.0
            └── iroh-p2p 0.1.0

Crate:     tempdir
Version:   0.3.7
Warning:   unmaintained
Title:     `tempdir` crate has been deprecated; use `tempfile` instead
Date:      2018-02-13
ID:        RUSTSEC-2018-0017
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0017
Dependency tree:
tempdir 0.3.7
├── iroh-one 0.1.0
└── iroh-api 0.1.0
    └── iroh 0.1.0
        ├── xtask 0.1.0
        └── iroh 0.1.0

error: 1 vulnerability found!
warning: 1 allowed warning found

The chrono one is notorious and is definitely solved. As for tempdir, the advisory seems pretty clear to use tempfile instead now.

At the moment, our use of tempdir seems both pretty straightforward and only in tests, which bodes well for the simplicity of a potential patch:

https://github.com/n0-computer/iroh/blob/5114380c98045067e5ffeb6875b280a0095bcc2b/iroh-api/src/api_ext.rs#L112

I guess this ticket is resolved by:

  • Fixing the upstream offenders
    • Fix chrono by using the correct feature guards
    • Use tempfile over tempdir in tests
  • Add cargo-audit invocation to CI

Originally posted by @jmcph4 in https://github.com/n0-computer/iroh/issues/8#issuecomment-1283415098

Arqu, Oct 20 '22 11:10
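A small CI gate over the report format quoted above, added here as an example (not iroh's code): it parses the `Crate:` blocks of a `cargo audit` text report and applies the tool's default policy, where a vulnerability fails the build while an `unmaintained` warning is allowed unless denied or explicitly ignored. The sample report is a trimmed, constructed copy of the one in the issue; `cargo audit` itself offers `--deny warnings` and `--ignore <ID>` for the same policy.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two findings from the issue above, trimmed.
SAMPLE_REPORT = """\
Crate:     time
Version:   0.1.43
Title:     Potential segfault in the time crate
ID:        RUSTSEC-2020-0071
Dependency tree:
time 0.1.43
└── chrono 0.4.22

Crate:     tempdir
Version:   0.3.7
Warning:   unmaintained
Title:     `tempdir` crate has been deprecated; use `tempfile` instead
ID:        RUSTSEC-2018-0017

error: 1 vulnerability found!
warning: 1 allowed warning found
"""

@dataclass
class Finding:
    crate: str
    version: str
    advisory: str
    kind: str  # "vulnerability", or the warning class such as "unmaintained"

def parse_report(text: str) -> list[Finding]:
    """Split the report into 'Crate:' blocks and read each block's 'Key:   value' fields."""
    findings = []
    for block in re.split(r"\n(?=Crate:)", text):
        fields = dict(re.findall(r"^(\w+):\s+(.+)$", block, re.MULTILINE))
        # Dependency-tree lines never match; the trailing summary only adds stray keys.
        if "Crate" in fields and "ID" in fields:
            findings.append(Finding(fields["Crate"], fields["Version"], fields["ID"],
                                    fields.get("Warning", "vulnerability")))
    return findings

def ci_should_fail(findings, ignore=frozenset(), deny_warnings=False) -> bool:
    """cargo audit's default policy: vulnerabilities fail the build, warnings only
    with --deny warnings, and advisory IDs in `ignore` are skipped (--ignore)."""
    for f in findings:
        if f.advisory in ignore:
            continue
        if f.kind == "vulnerability" or deny_warnings:
            return True
    return False
```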