Merge #2266

2266: fix: use forked metrics and forked sentry to fix RUSTSEC-2020-0041 temporarily r=yangby-cryptape a=yangby-cryptape

### Commits

- [chore(deps): bump crossbeam-channel from 0.4.3 to 0.4.4](728f5c3)
- [chore: remove direct dependencies of metrics exporters and observers](de3173a)
- [chore(deps): bump sentry from 0.16.0 to 0.19.1](e6b00c5)
  - [The module `sentry::internals` was deprecated.](https://github.com/getsentry/sentry-rust/blob/0.19.1/sentry/src/lib.rs#L133)
  - [`Sentry` will set itself as the panic handler automatically on setup, so no need to do that manually](../../../../getsentry/sentry-rust/issues/235#issuecomment-654832365)
- [chore: replace several dependencies sentry by sentry-core and sentry-log](80af819)
- [fix: use patched versions of metrics and sentry to fix RUSTSEC-2020-0041 temporarily](1eb9e0b)
  - [Changes of forked `metrics`](nervosnetwork/sentry-rust@1cdb9ff)
  - [Changes of forked `sentry`](nervosnetwork/metrics-rs@4fd13f6)

### References

- [RUSTSEC-2020-0041](../../../../rustsec/advisory-db/pull/381)

Co-authored-by: Boyu Yang <[email protected]>

Cargo.toml

@@ -81,3 +81,11 @@ jemallocator = { version = "0.3.0", features = ["unprefixed_malloc_on_supported_
 default = []
 deadlock_detection = ["ckb-bin/deadlock_detection"]
 profiling = ["jemallocator/profiling", "ckb-bin/profiling"]
+
+[patch.crates-io]
+# Interim patch to fix RUSTSEC-2020-0041.
+metrics         = { git = "https://github.com/nervosnetwork/metrics-rs", tag = "metrics-runtime-v0.13.1-patch.1" }
+metrics-runtime = { git = "https://github.com/nervosnetwork/metrics-rs", tag = "metrics-runtime-v0.13.1-patch.1" }
+metrics-core    = { git = "https://github.com/nervosnetwork/metrics-rs", tag = "metrics-runtime-v0.13.1-patch.1" }
+sentry      = { git = "https://github.com/nervosnetwork/sentry-rust", tag = "sentry-v0.19.1-patch.1" }
+sentry-core = { git = "https://github.com/nervosnetwork/sentry-rust", tag = "sentry-v0.19.1-patch.1" }

ckb-bin/Cargo.toml

@@ -37,7 +37,7 @@ ckb-verification = { path = "../verification" }
 base64 = "0.10.1"
 tempfile = "3.0"
 rayon = "1.0"
-sentry = "0.16.0"
+sentry = "0.19.1"
 
 [features]
 deadlock_detection = ["ckb-util/deadlock_detection"]

ckb-bin/src/setup_guard.rs

@@ -6,7 +6,7 @@ use ckb_metrics_service::{self, Guard as MetricsInitGuard};
 
 pub struct SetupGuard {
     _logger_guard: LoggerInitGuard,
-    _sentry_guard: Option<sentry::internals::ClientInitGuard>,
+    _sentry_guard: Option<sentry::ClientInitGuard>,
     _metrics_guard: MetricsInitGuard,
 }
 

network/Cargo.toml

@@ -19,7 +19,7 @@ p2p = { version="0.3.0", package="tentacle", features = ["molc"] }
 faketime = "0.2.0"
 lazy_static = "1.3.0"
 bs58 = "0.3.0"
-sentry = "0.16.0"
+sentry-core = "0.19.1"
 faster-hex = "0.4"
 ckb-hash = {path = "../util/hash"}
 secp256k1 = {version = "0.17", features = ["recovery"] }

network/src/network.rs

@@ -375,7 +375,7 @@ impl NetworkState {
                 addr
             );
             if dial_started.elapsed() > DIAL_HANG_TIMEOUT {
-                use sentry::{capture_message, with_scope, Level};
+                use sentry_core::{capture_message, with_scope, Level};
                 with_scope(
                     |scope| scope.set_fingerprint(Some(&["ckb-network", "dialing-timeout"])),
                     || {
@@ -640,7 +640,7 @@ impl<T: ExitHandler> ServiceHandle for EventHandler<T> {
             }
             ServiceError::ProtocolHandleError { proto_id, error } => {
                 debug!("ProtocolHandleError: {:?}, proto_id: {}", error, proto_id);
-                use sentry::{capture_message, with_scope, Level};
+                use sentry_core::{capture_message, with_scope, Level};
                 with_scope(
                     |scope| scope.set_fingerprint(Some(&["ckb-network", "p2p-service-error"])),
                     || {

sync/Cargo.toml

@@ -24,7 +24,7 @@ ckb-channel = { path = "../util/channel" }
 ckb-traits = { path = "../traits" }
 failure = "0.1.5"
 lru-cache = { git = "https://github.com/nervosnetwork/lru-cache", rev = "a35fdb8" }
-sentry = "0.16.0"
+sentry-core = "0.19.1"
 futures = "0.3"
 ckb-error = {path = "../error"}
 ckb-tx-pool = { path = "../tx-pool" }

sync/src/relayer/mod.rs

@@ -664,7 +664,7 @@ impl CKBProtocolHandler for Relayer {
             msg.item_name(),
             peer_index
         );
-        let sentry_hub = sentry::Hub::current();
+        let sentry_hub = sentry_core::Hub::current();
         let _scope_guard = sentry_hub.push_scope();
         sentry_hub.configure_scope(|scope| {
             scope.set_tag("p2p.protocol", "relayer");

sync/src/relayer/transactions_process.rs

@@ -11,7 +11,7 @@ use ckb_types::{
 use ckb_util::LinkedHashSet;
 use ckb_verification::cache::CacheEntry;
 use ckb_verification::TransactionError;
-use sentry::{capture_message, with_scope, Level};
+use sentry_core::{capture_message, with_scope, Level};
 use std::sync::Arc;
 use std::time::Duration;
 

sync/src/synchronizer/mod.rs

@@ -557,7 +557,7 @@ impl CKBProtocolHandler for Synchronizer {
         };
 
         debug!("received msg {} from {}", msg.item_name(), peer_index);
-        let sentry_hub = sentry::Hub::current();
+        let sentry_hub = sentry_core::Hub::current();
         let _scope_guard = sentry_hub.push_scope();
         sentry_hub.configure_scope(|scope| {
             scope.set_tag("p2p.protocol", "synchronizer");

util/app-config/Cargo.toml

@@ -14,7 +14,7 @@ path-clean = "0.1.0"
 ckb-logger = { path = "../../util/logger" }
 ckb-logger-config = { path = "../../util/logger-config" }
 ckb-metrics-config = { path = "../../util/metrics-config" }
-sentry = "0.16.0"
+sentry = "0.19.1"
 ckb-chain-spec = {path = "../../spec"}
 ckb-jsonrpc-types = {path = "../jsonrpc-types"}
 ckb-pow = { path = "../../pow" }

util/app-config/src/sentry_config.rs

@@ -1,10 +1,6 @@
 use ckb_build_info::Version;
 use sentry::{
-    configure_scope, init,
-    integrations::panic::register_panic_handler,
-    internals::{ClientInitGuard, Dsn},
-    protocol::Event,
-    ClientOptions, Level,
+    configure_scope, init, protocol::Event, types::Dsn, ClientInitGuard, ClientOptions, Level,
 };
 use serde::{Deserialize, Serialize};
 use std::borrow::Cow;
@@ -31,8 +27,6 @@ impl SentryConfig {
                     scope.set_extra("org_contact", org_contact.clone().into());
                 }
             });
-
-            register_panic_handler();
         }
 
         guard

util/logger-service/Cargo.toml

@@ -16,4 +16,5 @@ once_cell = "1.3.1"
 regex = "1.1.6"
 chrono = "0.4"
 backtrace = "0.3"
-sentry = "0.16.0"
+sentry-core = "0.19.1"
+sentry-log = "0.19.1"

util/logger-service/src/lib.rs

@@ -406,7 +406,8 @@ impl Log for Logger {
             .collect::<Vec<_>>();
         if is_match || !extras.is_empty() {
             if self.emit_sentry_breadcrumbs {
-                use sentry::{add_breadcrumb, integrations::log::breadcrumb_from_record};
+                use sentry_core::add_breadcrumb;
+                use sentry_log::breadcrumb_from_record;
                 add_breadcrumb(|| breadcrumb_from_record(record));
             }
 

util/metrics-service/Cargo.toml

@@ -12,10 +12,5 @@ ckb-stop-handler = { path = "../stop-handler" }
 ckb-util = { path = ".." }
 metrics-runtime = "~0.13.1"
 metrics-core = "~0.5.2"
-metrics-exporter-log = "~0.4.0"
-metrics-exporter-http = "~0.3.0"
-metrics-observer-json = "~0.1.1"
-metrics-observer-yaml = "~0.1.1"
-metrics-observer-prometheus = "~0.1.4"
 log = "0.4"
 tokio = { version = "0.2", features = ["sync", "blocking", "rt-threaded", "time", "io-driver"] }

util/metrics-service/src/lib.rs

@@ -1,12 +1,11 @@
 use std::{net::SocketAddr, time::Duration};
 
 use metrics_core::Observe;
-use metrics_exporter_http::HttpExporter;
-use metrics_exporter_log::LogExporter;
-use metrics_observer_json::JsonBuilder;
-use metrics_observer_prometheus::PrometheusBuilder;
-use metrics_observer_yaml::YamlBuilder;
-use metrics_runtime::Receiver;
+use metrics_runtime::{
+    exporters::{HttpExporter, LogExporter},
+    observers::{JsonBuilder, PrometheusBuilder, YamlBuilder},
+    Receiver,
+};
 use tokio::sync::oneshot;
 
 use ckb_async_runtime::{new_runtime, Builder, Handle};