Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix cargo audit issues and add non-blocking CI action for cargo audit #2548

Closed
ysaito1001 opened this issue Apr 5, 2023 · 1 comment
Closed

Fix cargo audit issues and add non-blocking CI action for cargo audit #2548

ysaito1001 opened this issue Apr 5, 2023 · 1 comment
Assignees
@ysaito1001
Labels
ops Improves our operations and release process

Comments

@ysaito1001
Copy link
Contributor

cargo audit has reported the following vulnerabilities in smithy-rs:
(from aws/rust-runtime)

Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.5.3
└── tempfile 3.3.0
    ├── rusty-fork 0.3.0
    │   └── proptest 1.0.0
    │       ├── aws-sigv4 0.0.0-smithy-rs-head
    │       │   └── aws-sig-auth 0.0.0-smithy-rs-head
    │       │       └── aws-inlineable 0.0.0-smithy-rs-head
    │       └── aws-http 0.0.0-smithy-rs-head
    │           └── aws-inlineable 0.0.0-smithy-rs-head
    ├── proptest 1.0.0
    └── aws-inlineable 0.0.0-smithy-rs-head

error: 1 vulnerability found!

(from rust-runtime)

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read
Date:      2023-03-24
ID:        RUSTSEC-2023-0023
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0023
Solution:  Upgrade to >=0.10.48
Dependency tree:
openssl 0.10.45
└── native-tls 0.2.11
    ├── tokio-native-tls 0.3.0
    │   └── hyper-tls 0.5.0
    │       └── aws-smithy-client 0.0.0-smithy-rs-head
    └── hyper-tls 0.5.0

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509NameBuilder::build` returned object is not thread safe
Date:      2023-03-24
ID:        RUSTSEC-2023-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0022
Solution:  Upgrade to >=0.10.48

Crate:     openssl
Version:   0.10.45
Title:     `openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference
Date:      2023-03-24
ID:        RUSTSEC-2023-0024
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0024
Solution:  Upgrade to >=0.10.48

Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:

error: 4 vulnerabilities found!

These need to be fixed.

On top of that, we need to add a non-blocking CI action to check for vulnerabilities (the check only runs in aws-sdk-rust today so vulnerabilities won't get caught until later).
@ysaito1001 ysaito1001 added the ops Improves our operations and release process label Apr 5, 2023
@ysaito1001 ysaito1001 self-assigned this Apr 5, 2023
This was referenced Apr 5, 2023
Closed
Closed
@jdisanti
Copy link
Collaborator

jdisanti commented Apr 5, 2024

I believe this was fixed.

@jdisanti jdisanti closed this as completed Apr 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ysaito1001 ysaito1001

Labels
ops Improves our operations and release process
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jdisanti @ysaito1001