cargo audit flagging some known vulnerabilities #122

Open
iamasmith opened this issue Mar 29, 2024 · 1 comment

iamasmith commented Mar 29, 2024

Thanks for putting in the effort to create this, btw! I really appreciate it. I actually got a link to this when I was beginning to design my own exporter and was looking at comparative ways of naming and labelling the metrics to be most in keeping with other similar metrics. I saw this, and it had all the tests in place, and pretty much matched what I was going to do anyway. Plus I get another language to study, which is good 👍

The build does seem to work fine for me after a full cargo update for all packages, but I'm only using it on a very specific OS/arch, so a broad update probably needs full tests. Today, when I ran cargo audit prior to updating, I got...

prometheus_wireguard_exporter % cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /Users/andrews/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (121 crate dependencies)
Crate:     mio
Version:   0.8.5
Title:     Tokens for named pipes may be delivered after deregistration
Date:      2024-03-04
ID:        RUSTSEC-2024-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0019
Solution:  Upgrade to >=0.8.11
Dependency tree:
mio 0.8.5
└── tokio 1.22.0
    ├── tokio-rustls 0.23.4
    │   └── hyper-rustls 0.23.1
    │       └── prometheus_exporter_base 1.4.0
    │           └── prometheus_wireguard_exporter 3.6.6
    ├── prometheus_wireguard_exporter 3.6.6
    ├── hyper-rustls 0.23.1
    └── hyper 0.14.23
        ├── prometheus_wireguard_exporter 3.6.6
        ├── prometheus_exporter_base 1.4.0
        └── hyper-rustls 0.23.1

Crate:     tokio
Version:   1.22.0
Title:     reject_remote_clients Configuration corruption
Date:      2023-01-04
ID:        RUSTSEC-2023-0001
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0001
Solution:  Upgrade to >=1.18.4, <1.19.0 OR >=1.20.3, <1.21.0 OR >=1.23.1
Dependency tree:
tokio 1.22.0
├── tokio-rustls 0.23.4
│   └── hyper-rustls 0.23.1
│       └── prometheus_exporter_base 1.4.0
│           └── prometheus_wireguard_exporter 3.6.6
├── prometheus_wireguard_exporter 3.6.6
├── hyper-rustls 0.23.1
└── hyper 0.14.23
    ├── prometheus_wireguard_exporter 3.6.6
    ├── prometheus_exporter_base 1.4.0
    └── hyper-rustls 0.23.1

Crate:     webpki
Version:   0.22.0
Title:     webpki: CPU denial of service in certificate path building
Date:      2023-08-22
ID:        RUSTSEC-2023-0052
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0052
Severity:  7.5 (high)
Solution:  Upgrade to >=0.22.2
Dependency tree:
webpki 0.22.0
├── tokio-rustls 0.23.4
│   └── hyper-rustls 0.23.1
│       └── prometheus_exporter_base 1.4.0
│           └── prometheus_wireguard_exporter 3.6.6
└── rustls 0.20.7
    ├── tokio-rustls 0.23.4
    └── hyper-rustls 0.23.1

Crate:     term
Version:   0.5.2
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2
└── clippy 0.0.302
    └── prometheus_wireguard_exporter 3.6.6

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── env_logger 0.9.3
│   ├── prometheus_wireguard_exporter 3.6.6
│   └── prometheus_exporter_base 1.4.0
│       └── prometheus_wireguard_exporter 3.6.6
└── clap 4.0.26
    └── prometheus_wireguard_exporter 3.6.6

Crate:     tokio
Version:   1.22.0
Warning:   unsound
Title:     `tokio::io::ReadHalf<T>::unsplit` is Unsound
Date:      2023-01-11
ID:        RUSTSEC-2023-0005
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0005

Crate:     crossbeam-utils
Version:   0.8.13
Warning:   yanked
Dependency tree:
crossbeam-utils 0.8.13
└── rust-argon2 0.8.3
    └── redox_users 0.3.5
        └── dirs 1.0.5
            └── term 0.5.2
                └── clippy 0.0.302
                    └── prometheus_wireguard_exporter 3.6.6

error: 3 vulnerabilities found!
warning: 4 allowed warnings found
prometheus_wireguard_exporter % 
iamasmith (Author)

Following the update (which builds and runs fine for me), it just flags the two unmaintained deps.

prometheus_wireguard_exporter % cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /Users/andrews/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (145 crate dependencies)
Crate:     term
Version:   0.5.2
Warning:   unmaintained
Title:     term is looking for a new maintainer
Date:      2018-11-19
ID:        RUSTSEC-2018-0015
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2
└── clippy 0.0.302
    └── prometheus_wireguard_exporter 3.6.6

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.9.3
    ├── prometheus_wireguard_exporter 3.6.6
    └── prometheus_exporter_base 1.4.0
        └── prometheus_wireguard_exporter 3.6.6

warning: 2 allowed warnings found
prometheus_wireguard_exporter % 
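A small parser and CI gate for the text report format shown in the two runs above, added here as an example (it is not part of prometheus_wireguard_exporter or of cargo-audit): it separates real vulnerabilities, which fail the build, from the allowed warnings (unmaintained, unsound, yanked), with an option to deny warnings too. The sample report, the `Finding` type and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
# Constructed excerpt in the layout of the cargo audit report pasted above, not the full output.
SAMPLE_REPORT = """\
    Scanning Cargo.lock for vulnerabilities (121 crate dependencies)
Crate:     mio
Version:   0.8.5
ID:        RUSTSEC-2024-0019
Solution:  Upgrade to >=0.8.11
Dependency tree:
mio 0.8.5

Crate:     term
Version:   0.5.2
Warning:   unmaintained
ID:        RUSTSEC-2018-0015

error: 1 vulnerability found!
"""
FIELD = re.compile(r"^(Crate|Version|Warning|ID|Solution):\s+(.*)$")

@dataclass
class Finding:
    crate: str
    version: str
    advisory: str
    kind: str      # "vulnerability", or the Warning category: unmaintained, unsound, yanked
    solution: str  # empty when the report gives no "Solution:" line

def parse_audit_report(text: str) -> list[Finding]:
    """Each blank-line-separated chunk holds at most one Crate: record; tree lines are ignored."""
    findings = []
    for chunk in re.split(r"\n\s*\n", text):
        f = {m.group(1): m.group(2).strip() for m in map(FIELD.match, chunk.splitlines()) if m}
        if "Crate" in f:
            findings.append(Finding(f["Crate"], f.get("Version", ""), f.get("ID", ""),
                                    f.get("Warning", "vulnerability"), f.get("Solution", "")))
    return findings

def audit_gate(findings: list[Finding], deny_warnings: bool = False) -> tuple[int, list[str]]:
    """Exit status 1 if any vulnerability blocks the build (or any warning when
    deny_warnings is set, like cargo audit -D warnings), else 0, plus summary lines."""
    lines, failed = [], False
    for f in findings:
        blocking = f.kind == "vulnerability" or deny_warnings
        failed = failed or blocking
        fix = f" -> {f.solution}" if f.solution else ""
        lines.append(f"{'DENY' if blocking else 'WARN'} {f.crate} {f.version} {f.advisory} [{f.kind}]{fix}")
    return (1 if failed else 0), lines
```

For a real pipeline, `cargo audit --json` is the more robust input than the human-readable text; the parsing above is tied to the exact field layout seen in the pasted output.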
