From a3d0f9e0e3d3be67bb58a712f4dc1803a22da23e Mon Sep 17 00:00:00 2001
From: Tarik Eshaq
Date: Tue, 2 Nov 2021 08:51:59 -0700
Subject: [PATCH] Ignore clap yaml-rust advisory (#4611)
* Ignore clap yaml-rust advisory
* Fix nom moved into a main branch
* Regens dependency summaries
---
 .circleci/config.yml | 6 +++++-
 megazords/full/android/dependency-licenses.xml | 6 +++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 7d17f78e67..2dfa762e5c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -177,7 +177,11 @@ commands:
 # fix this: https://github.com/chronotope/chrono/pull/578
 # note that both the Nimbus-SDK and glean use chrono, so if we would like to move away from it, both projects
 # need to do that before we can remove the ignores (assuming `chrono` doesn't release a fixed version)
- cargo audit --ignore RUSTSEC-2021-0019 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2020-0071
+ # * RUSTSEC-2018-0006: Uncontrolled recursion in `yaml-rust`, which is included by `clap` v2. `clap` itself already updated to a safe
+ # version of `yaml-rust`, which will be released in `v3` and additionally,
+ # reading https://github.com/rustsec/advisory-db/issues/288, this is a false
+ # positive for clap and based on our dependency tree, we only use `yaml-rust` in `clap`.
+ cargo audit --ignore RUSTSEC-2021-0019 --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2018-0006
 - run:
 name: Check for any unrecorded changes in our dependency trees
 command: |
diff --git a/megazords/full/android/dependency-licenses.xml b/megazords/full/android/dependency-licenses.xml
index e76ccd73de..1d2e419cb8 100644
--- a/megazords/full/android/dependency-licenses.xml
+++ b/megazords/full/android/dependency-licenses.xml
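Review bot: The new `--ignore RUSTSEC-2018-0006` on the `cargo audit` line is unconditional, while the comment justifying it rests on two point-in-time facts — that `clap` v3 is not yet adopted and that `yaml-rust` reaches the tree only through `clap` — and nothing in the hunk re-checks either, so the ignore will silently outlive its rationale if another crate later pulls in `yaml-rust`. I would end the new comment block with `# TODO: drop this ignore once clap v3 is in use, and re-verify that clap is still the only path to yaml-rust before keeping it` so the next reader knows when it expires. As a style point, the ignore list is now four advisories on one command line with its reasoning spread across comments; `cargo audit` also reads `.cargo/audit.toml` with an `[advisories]` `ignore = [...]` list, which keeps each ignore next to its justification in a file reviewable on its own. The `run` step that owns this `cargo audit` command starts above the hunk, so its name is not visible here.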
@@ -102,7 +102,7 @@ the details of which are reproduced below. Apache License 2.0: cc - https://github.com/alexcrichton/cc-rs/blob/master/LICENSE-APACHE + https://github.com/alexcrichton/cc-rs/blob/main/LICENSE-APACHE Apache License 2.0: cfg-if @@ -506,11 +506,11 @@ the details of which are reproduced below. MIT License: nom - https://github.com/Geal/nom/blob/master/LICENSE + https://github.com/Geal/nom/blob/main/LICENSE MIT License: nom - https://github.com/Geal/nom/blob/master/LICENSE + https://github.com/Geal/nom/blob/main/LICENSE MIT License: ordered-float