Vulnerabilities found through cargo audit #901

Closed
uncomfyhalomacro opened this issue Mar 28, 2022 · 6 comments

@uncomfyhalomacro

Hello, I was planning to package this software for openSUSE and possibly push it to their Factory repository. Just notifying you that the openSUSE command-line tool for the openSUSE Build Service, osc, has detected some vulnerabilities.

INFO:obs-service-cargo_audit: Running OBS Source Service 🛒: obs-service-cargo_audit
ERROR:obs-service-cargo_audit: 🚨 possible vulnerabilties: 5
ERROR:obs-service-cargo_audit: /tmp/tmp47gf11ov/tokei/fuzz/Cargo.lock
ERROR:obs-service-cargo_audit: For more information you SHOULD inspect the output of cargo audit manually
ERROR:obs-service-cargo_audit: * RUSTSEC-2021-0093 -> crate: crossbeam-deque, cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: * RUSTSEC-2020-0151 -> crate: generator, cvss: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: * RUSTSEC-2020-0146 -> crate: generic-array, cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: * RUSTSEC-2022-0013 -> crate: regex, cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, class: ['denial-of-service']
ERROR:obs-service-cargo_audit: * RUSTSEC-2022-0006 -> crate: thread_local, cvss: None, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: ⚠️  Vulnerabilities may have been found. You must review these.

Maybe an update to the latest versions of the following crates will mitigate the issues.

@qtfkwk
Contributor

qtfkwk commented Aug 6, 2024

As of today:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 645 security advisories (from /home/qtfkwk/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (199 crate dependencies)
Crate:     libgit2-sys
Version:   0.15.2+1.6.4
Title:     Memory corruption, denial of service, and arbitrary code execution in libgit2
Date:      2024-02-06
ID:        RUSTSEC-2024-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0013
Severity:  8.6 (high)
Solution:  Upgrade to >=0.16.2
Dependency tree:
libgit2-sys 0.15.2+1.6.4
└── git2 0.17.2
    └── tokei 13.0.0-alpha.1

Crate:     serde_cbor
Version:   0.11.2
Warning:   unmaintained
Title:     serde_cbor is unmaintained
Date:      2021-08-15
ID:        RUSTSEC-2021-0127
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0127
Dependency tree:
serde_cbor 0.11.2
└── tokei 13.0.0-alpha.1

Crate:     term_size
Version:   0.3.2
Warning:   unmaintained
Title:     `term_size` is unmaintained; use `terminal_size` instead
Date:      2020-11-03
ID:        RUSTSEC-2020-0163
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0163
Dependency tree:
term_size 0.3.2
└── tokei 13.0.0-alpha.1

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── tokei 13.0.0-alpha.1

Crate:     unsafe-libyaml
Version:   0.2.9
Warning:   unsound
Title:     Unaligned write of u64 on 32-bit and 16-bit platforms
Date:      2023-12-20
ID:        RUSTSEC-2023-0075
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0075
Dependency tree:
unsafe-libyaml 0.2.9
└── serde_yaml 0.9.25
    └── tokei 13.0.0-alpha.1

error: 1 vulnerability found!
warning: 4 allowed warnings found

Following cargo upgrade -i && cargo update... still a couple of warnings:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 645 security advisories (from /home/qtfkwk/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (202 crate dependencies)
Crate:     serde_cbor
Version:   0.11.2
Warning:   unmaintained
Title:     serde_cbor is unmaintained
Date:      2021-08-15
ID:        RUSTSEC-2021-0127
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0127
Dependency tree:
serde_cbor 0.11.2
└── tokei 13.0.0-alpha.1

Crate:     term_size
Version:   0.3.2
Warning:   unmaintained
Title:     `term_size` is unmaintained; use `terminal_size` instead
Date:      2020-11-03
ID:        RUSTSEC-2020-0163
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0163
Dependency tree:
term_size 0.3.2
└── tokei 13.0.0-alpha.1

warning: 2 allowed warnings found

@XAMPPRocky
Owner

Thank you for your issue!

Unmaintained is not a security vulnerability. The code fulfils its purpose; unless and until there is an actual vulnerability in that code, it isn't considered a vulnerability.

@qtfkwk
Contributor

qtfkwk commented Aug 6, 2024

The others are warnings, but this is a vulnerability:

Crate:     libgit2-sys
Version:   0.15.2+1.6.4
Title:     Memory corruption, denial of service, and arbitrary code execution in libgit2
Date:      2024-02-06
ID:        RUSTSEC-2024-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0013
Severity:  8.6 (high)
Solution:  Upgrade to >=0.16.2
Dependency tree:
libgit2-sys 0.15.2+1.6.4
└── git2 0.17.2
    └── tokei 13.0.0-alpha.1

@uncomfyhalomacro
Author

Closing. CVE metrics are an exaggerated form of security paranoia.

@qtfkwk
Contributor

qtfkwk commented Aug 12, 2024

Hot take and poor security management honestly. You really could handle this much better.

Is there some reason tokei depends on old git2?

If not, update it.

If so, state it.

If the vulnerability does not affect tokei, state that (which is kind of what you did, but fairly dismissively).

Honestly I quite agree with the potential for excessive paranoia, but there's a reasonable way to manage your own dependencies.

@XAMPPRocky
Owner

I'm going to lock this issue; this is not the place for general security opinions. If you have specific improvements, feel free to create a PR or issue.

Repository owner locked and limited conversation to collaborators Aug 12, 2024