
Add CI step that reports `cargo audit` vulns and warnings.

Open nathan-at-least opened this issue 1 year ago • 5 comments

Problem

The cargo audit tool shows vulnerabilities and warnings.

2023-06-17 Update: As dependencies and audit reports evolve, I've updated the content here for commit d2f105efe9e4a9aa3cb71010a090a5661a748a62.

Vulnerabilities:

Warnings:

Proposed Solution

  1. If possible, resolve all vulnerabilities and warnings by dependency upgrades.
  2. If not possible, analyze each report to determine the attack surface for our crates. If we can prove the dependency attack surface is not exposed by any usage of our crates, we can suppress the audit report for the specific advisory tag (see Ignoring advisories), and I suggest we always add a rationale doc in `audit.toml` as a policy.

Preventative Solution

As soon as we get to a state of cargo audit passing, we should institute CI on cargo audit.

Reproduction

  1. run `cargo install cargo-audit` (if not previously done)
  2. run `cargo audit`

nathan-at-least, Apr 14 '23 22:04
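One way to wire the proposed policy into CI, as an added example rather than code from the librustzcash project: run `cargo audit --json`, then have a small gate enforce that every vulnerability and warning is either absent or ignored, and that every entry in the `ignore` list of `audit.toml` carries a rationale comment. The report shape (top-level `vulnerabilities` with a `list`, and `warnings` keyed by kind) is my reading of cargo-audit's JSON output, and both the report and the `audit.toml` below are constructed samples; `evaluate` and `parse_ignores` are names invented for this script.

```python
"""CI gate for `cargo audit` results (added example, not project code).

Assumptions:
  * `cargo audit --json` output has top-level "vulnerabilities" (with a
    "list") and "warnings" (a map from kind to a list of findings). The
    report below is constructed by hand to that shape.
  * The project's audit.toml lists ignores one per line under
    `[advisories] ignore = [ ... ]`, and the policy from the issue is that
    each ignored advisory carries a `#` rationale on the same line.
"""
import json
import re

# Constructed sample of `cargo audit --json` output (not a real report).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [
            {"advisory": {"id": "RUSTSEC-0000-0001", "package": "examplecrate",
                          "title": "constructed vulnerability"},
             "package": {"name": "examplecrate", "version": "0.1.0"}},
        ],
    },
    "warnings": {
        "unmaintained": [
            {"kind": "unmaintained",
             "advisory": {"id": "RUSTSEC-0000-0002", "package": "oldcrate",
                          "title": "constructed unmaintained warning"},
             "package": {"name": "oldcrate", "version": "1.2.3"}},
        ],
        # Yanked-crate warnings carry no advisory ID, only the package.
        "yanked": [
            {"kind": "yanked",
             "package": {"name": "yankedcrate", "version": "2.0.0"}},
        ],
    },
})

# Constructed audit.toml: one ignore with a rationale, one without, and one
# that no longer matches any finding (stale).
SAMPLE_AUDIT_TOML = """\
[advisories]
ignore = [
    "RUSTSEC-0000-0002",  # oldcrate is only reached from test-only code
    "RUSTSEC-0000-0003",
]
"""

IGNORE_START = re.compile(r"^\s*ignore\s*=\s*\[")
IGNORE_ENTRY = re.compile(r'^\s*"(RUSTSEC-\d{4}-\d{4})"\s*,?\s*(?:#\s*(\S.*))?$')


def parse_ignores(audit_toml: str) -> dict:
    """Map each ignored advisory ID to its same-line rationale ('' if none).

    Comments are not preserved by TOML parsers, so the ignore block is
    scanned line by line (multi-line `ignore = [` form only).
    """
    ignores, in_block = {}, False
    for line in audit_toml.splitlines():
        if IGNORE_START.match(line):
            in_block = True
            continue
        if in_block and line.strip().startswith("]"):
            in_block = False
            continue
        if in_block:
            m = IGNORE_ENTRY.match(line)
            if m:
                ignores[m.group(1)] = (m.group(2) or "").strip()
    return ignores


def evaluate(report_json: str, audit_toml: str, deny_warnings: bool = True) -> dict:
    """Decide whether CI should pass, and explain why not.

    A finding is identified by its advisory ID, or by "<kind>:<package>"
    when the warning carries no advisory (e.g. yanked crates).
    """
    report = json.loads(report_json)
    ignores = parse_ignores(audit_toml)

    findings = []  # (finding_id, kind)
    for v in report["vulnerabilities"]["list"]:
        findings.append((v["advisory"]["id"], "vulnerability"))
    for kind, items in report["warnings"].items():
        for w in items:
            adv = w.get("advisory")
            fid = adv["id"] if adv else f"{kind}:{w['package']['name']}"
            findings.append((fid, kind))

    blocking, suppressed = [], []
    for fid, kind in findings:
        if fid in ignores:
            suppressed.append(fid)
        elif kind == "vulnerability" or deny_warnings:
            blocking.append(fid)

    missing_rationale = sorted(i for i, why in ignores.items() if not why)
    seen = {fid for fid, _ in findings}
    stale = sorted(i for i in ignores if i not in seen)  # candidates for removal
    return {
        "ok": not blocking and not missing_rationale,
        "blocking": blocking,
        "suppressed": suppressed,
        "missing_rationale": missing_rationale,
        "stale": stale,
    }


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT, SAMPLE_AUDIT_TOML)
    for key, value in verdict.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if verdict["ok"] else 1)
```

In a pipeline this would read `cargo audit --json > audit.json` and the repository's `.cargo/audit.toml` instead of the embedded samples. `cargo audit --deny warnings` on its own already fails the build on unsuppressed warnings; the extra script is only for the rationale-comment policy and for surfacing stale ignores that should be deleted once an upgrade lands.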