Fix cargo audit issue on chrono #1907
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
October 25, 2022 15:59
This commit is in response to RUSTSEC-2020-0071 where there is a potential segfault in the time crate. The aws-smithy-types-convert crate now disables the default features of the chrono crate so that it will not depend on the time crate.
This commit updates the version of lambda_http used by aws-smithy-http-server and aws-smithy-http-server-python to 0.7.0. The prior version 0.6.0 of lambda_http used the chrono crate in a way that exposed a security issue described in RUSTSEC-2020-0071. By switching to 0.7.0 of lambda_http, those two crates do not exhibit vulnerabilities as reported by cargo audit.
ysaito1001
pushed a commit
to awslabs/aws-sdk-rust
that referenced
this pull request
Oct 25, 2022
This commit removes --ignore flags for cargo audit related to the chrono crate. It is an accompanying PR for smithy-lang/smithy-rs#1907
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
This commit updates the version of `lambda_http` used by `pokemon-service` from 0.6.0 to 0.7.0. This is in sync with the fact that both `aws-smithy-http-server` and `aws-smithy-http-server-python` now depend on 0.7.0 of `lambda_http`. Failing to do so would cause `pokemon-service` to fail to compile due to an error at `lambda_http::run(handler)` in the main function of the `pokemon-service-lambda` binary: the trait `Service<lambda_http::http::Request<lambda_http::Body>>` is not implemented for `LambdaHandler<aws_smithy_http_server::routing::Router>`
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
2 tasks
added 2 commits
October 28, 2022 14:36
This commit updates the version of `lambda_http` from 0.7.0 to 0.7.1 in the crates within the top-level `rust-runtime` workspace. These updates are needed to solve the issue described in awslabs/aws-lambda-rust-runtime#556
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
jjant
approved these changes
Oct 31, 2022
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
aws-sdk-rust-ci
referenced
this pull request
in awslabs/aws-sdk-rust
Dec 14, 2022
* Avoid the chrono crate depending on the time crate This commit is in response to RUSTSEC-2020-0071 where there is a potential segfault in the time crate. The aws-smithy-types-convert crate now disables the default features of the chrono crate so that it will not depend on the time crate. * Depend on lambda_http without RUSTSEC-2020-0071 This commit updates the version of lambda_http used by aws-smithy-http-server and aws-smithy-http-server-python to 0.7.0. The prior version 0.6.0 of lambda_http used the chrono crate in a way that exposed a security issue described in RUSTSEC-2020-0071. By switching to 0.7.0 of lambda_http, those two crates do not exhibit vulnerabilities as reported by cargo audit. * Bump minor version of lambda_http in pokemon-service This commit updates the version of `lambda_http` used by `pokemon-service` from 0.6.0 to 0.7.0. This is in sync with the fact that both `aws-smithy-http-server` and `aws-smithy-http-server-python` now depend on 0.7.0 of `lambda_http`. Failing to do so would cause `pokemon-service` to fail to compile due to an error at `lambda_http::run(handler)` in the main function of the `pokemon-service-lambda` binary: the trait `Service<lambda_http::http::Request<lambda_http::Body>>` is not implemented for `LambdaHandler<aws_smithy_http_server::routing::Router>` * Depend on lambda-http 0.7.1 This commit updates the version of `lambda_http` from 0.7.0 to 0.7.1 in the crates within the top-level `rust-runtime` workspace. These updates are needed to solve the issue described in awslabs/aws-lambda-rust-runtime#556 * Update CHANGELOG.next.toml * Address https://github.com/awslabs/smithy-rs/pull/1907\#pullrequestreview-1161609833 Co-authored-by: Saito <[email protected]> Co-authored-by: Zelda Hessler <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
This PR addresses a cargo audit issue described in awslabs/aws-sdk-rust#643.
This will remain a draft until awslabs/aws-lambda-rust-runtime#556 is resolved.Description
Within the top-level rust-runtime workspace, we can see the following report generated when running
cargo audit:To work around the issue, we follow this to avoid bringing in the
timecrate via thechronocrate. To that goal, this PR edits fourCargo.tomlfiles.Cargo.tomlinaws-smithy-types-convertThis implements the said workaround.
Cargo.tomls inaws-smithy-http-server-pythonandaws-smithy-http-serverThese crates indirectly stepped on the RustSec vulnerability in question from
aws_lambda_events0.6.3 (throughlambda_http0.6.2).aws_lambda_eventsaddressed it as of 0.7.1 (PR) andlambda_http0.7.10.7.0, in turn, depended on a safe version ofaws_lambda_events(PR). Thus, bothaws-smithy-http-server-pythonandaws-smithy-http-servernow depend onlambda_http0.7.10.7.0.Cargo.tomlinpokemon-serviceThis is due to b1cb5fa.
Testing
Ran
cargo auditfrom within the top-levelrust-runtimeworkspace:This is the output as a result of running
cargo auditin this branch. We can see no vulnerabilities detected.Checklist
CHANGELOG.next.tomlif I made changes to the smithy-rs codegen or runtime cratesBy submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.