Ignore clap yaml-rust advisory (#4611)

* Ignore clap yaml-rust advisory * Fix nom moved into a main branch * Regens dependency summaries
mozilla · Nov 2, 2021 · a3d0f9e · a3d0f9e
1 parent 5eea186
commit a3d0f9e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -177,7 +177,11 @@ commands:
             #                       fix this: https://github.com/chronotope/chrono/pull/578
             #                       note that both the Nimbus-SDK and glean use chrono, so if we would like to move away from it, both projects
             #                       need to do that before we can remove the ignores (assuming `chrono` doesn't release a fixed version)
-            cargo audit --ignore RUSTSEC-2021-0019 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2020-0071
+            #  * RUSTSEC-2018-0006: Uncontrolled recursion in `yaml-rust`, which is included by `clap` v2. `clap` itself already updated to a safe
+            #                       version of `yaml-rust`, which will be released in `v3` and additionally, 
+            #                       reading https://github.com/rustsec/advisory-db/issues/288, this is a false
+            #                       positive for clap and based on our dependency tree, we only use `yaml-rust` in `clap`.
+            cargo audit --ignore RUSTSEC-2021-0019 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2018-0006
       - run:
           name: Check for any unrecorded changes in our dependency trees
           command: |

diff --git a/megazords/full/android/dependency-licenses.xml b/megazords/full/android/dependency-licenses.xml
@@ -102,7 +102,7 @@ the details of which are reproduced below.
   </license>
   <license>
     <name>Apache License 2.0: cc</name>
-    <url>https://github.com/alexcrichton/cc-rs/blob/master/LICENSE-APACHE</url>
+    <url>https://github.com/alexcrichton/cc-rs/blob/main/LICENSE-APACHE</url>
   </license>
   <license>
     <name>Apache License 2.0: cfg-if</name>
@@ -506,11 +506,11 @@ the details of which are reproduced below.
   </license>
   <license>
     <name>MIT License: nom</name>
-    <url>https://github.com/Geal/nom/blob/master/LICENSE</url>
+    <url>https://github.com/Geal/nom/blob/main/LICENSE</url>
   </license>
   <license>
     <name>MIT License: nom</name>
-    <url>https://github.com/Geal/nom/blob/master/LICENSE</url>
+    <url>https://github.com/Geal/nom/blob/main/LICENSE</url>
   </license>
   <license>
     <name>MIT License: ordered-float</name>