cargo audit fails due to RUSTSEC-2020-0159

[romanz]

chronotope/chrono#499

[romanz]

https://github.com/romanz/electrs/runs/3933536627

[romanz]

https://www.reddit.com/r/rust/comments/qamgyh/is_the_chrono_crate_unmaintained

[Kixunil]

Hmm, not a huge issue since we don't call setenv. We only need chrono for formatting logs, right?

[Kixunil]

Maybe worth looking into removing time like they did here: rusqlite/rusqlite#1031
IDK if we need it or not.

[romanz]

IIUC, it is used by tiny_http:

electrs/Cargo.lock

Line 1154 in e3ea373

"chrono",

[Kixunil]

Looks like the fix is in 0.9 tiny-http/tiny-http@a8260ff

[romanz]

It still doesn't work, since latest tiny-http doesn't pass cargo audio 😞

$ git lg -1
* 9a2566c Richard Bradfield:  (HEAD -> master, tag: 0.9.0, origin/master, origin/HEAD) Prepare for 0.9.0 release (5 days ago)

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 370 security advisories (from /home/roman/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (34 crate dependencies)
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
└── tiny_http 0.9.0

error: 1 vulnerability found!

[romanz]

Hmm, not a huge issue since we don't call setenv. We only need chrono for formatting logs, right?

Agree - @tiny-http doesn't seem to be vulnerable (CC: @bradfier).

[romanz]

for a new chrono release :)

[bradfier]

Hmm, not a huge issue since we don't call setenv. We only need chrono for formatting logs, right?

Agree - @tiny-http doesn't seem to be vulnerable (CC: @bradfier).

Indeed, thanks for the @ but you're correct, we only use chrono types in one place, where we use it to store a UTC date-time and then print it out in RFC 1123 format: https://github.com/tiny-http/tiny-http/blob/9a2566c15ea0295e85ceab5eeb74cc744adefbfc/src/common.rs#L398-L414

Is there a way in the RUSTSEC database I can mark tiny-http as not vulnerable due to exactly how we use the library?

[romanz]

... but you're correct, we only use chrono types in one place, where we use it to store a UTC date-time and then print it out in RFC 1123 format: https://github.com/tiny-http/tiny-http/blob/9a2566c15ea0295e85ceab5eeb74cc744adefbfc/src/common.rs#L398-L414

Cool, many thanks for the update!

[romanz]

Is there a way in the RUSTSEC database I can mark tiny-http as not vulnerable due to exactly how we use the library?

Not sure, maybe it's possible to ask here (following rustsec/advisory-db#1082).

[romanz]

Maybe chronotope/chrono#602 (comment) can help here...