AUDIT failure due to bdk + cbf dependency `rocksdb` #119

rajarshimaitra · 2022-09-12T03:52:04Z

This is to document the recent cargo-audit failures happening in CI.

$ cargo-audit audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 456 security advisories (from /home/raj/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (280 crate dependencies)
Crate:         rocksdb
Version:       0.14.0
Title:         Out-of-bounds read when opening multiple column families with TTL
Date:          2022-05-11
ID:            RUSTSEC-2022-0046
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0046
Solution:      Upgrade to >=0.19.0
Dependency tree: 
rocksdb 0.14.0
└── bdk 0.22.0
    ├── bdk-reserves 0.22.0
    │   └── bdk-cli 0.5.0
    └── bdk-cli 0.5.0

Crate:         ansi_term
Version:       0.12.1
Warning:       unmaintained
Title:         ansi_term is Unmaintained
Date:          2021-08-18
ID:            RUSTSEC-2021-0139
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree: 
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        └── bdk-cli 0.5.0

Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree: 
stdweb 0.4.20
└── time 0.2.27
    ├── cookie_store 0.12.0
    │   └── ureq 1.5.5
    └── cookie 0.14.4
        ├── ureq 1.5.5
        └── cookie_store 0.12.0

error: 1 vulnerability found!
warning: 2 allowed warnings found

There is a vulnerability in rocksdb which was originally reported by @afilini here bitcoindevkit/bdk#724.

Depending on the outcome of experimentation with nakamoto for cbf, we might be able to get rid of rocksdb fully from our dep tree.

Till then I guess we have to live with this audit failure?

Or we can disable compact_filters temporarily in bdk-cli..

The text was updated successfully, but these errors were encountered:

notmandatory · 2022-09-28T21:03:46Z

I support temporarily removing compact_filters support to resolve this audit issue.

notmandatory added this to BDK-CLI Roadmap Sep 13, 2022

notmandatory moved this to Todo in BDK-CLI Roadmap Sep 13, 2022

notmandatory changed the title ~~AUDIT Failure~~ AUDIT Failure due to bdk + cbf dependency rocksdb Sep 13, 2022

notmandatory changed the title ~~AUDIT Failure due to bdk + cbf dependency rocksdb~~ AUDIT failure due to bdk + cbf dependency rocksdb Sep 13, 2022

notmandatory mentioned this issue Sep 13, 2022

W37 BDK Library Team Call bitcoindevkit/.github#22

Closed

26 tasks

notmandatory added this to the Release 0.7.0 milestone Sep 28, 2022

rajarshimaitra linked a pull request Oct 30, 2022 that will close this issue

Remove cbf #125

Merged

3 tasks

notmandatory modified the milestone: Release 0.7.0 Nov 11, 2022

rajarshimaitra self-assigned this Nov 22, 2022

rajarshimaitra moved this from Todo to In Progress in BDK-CLI Roadmap Nov 22, 2022

notmandatory modified the milestones: Release 0.25.0, Release 0.26.0 Jan 3, 2023

notmandatory closed this as completed in #125 Jan 9, 2023

github-project-automation bot moved this from In Progress to Done in BDK-CLI Roadmap Jan 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AUDIT failure due to bdk + cbf dependency `rocksdb` #119

AUDIT failure due to bdk + cbf dependency `rocksdb` #119

rajarshimaitra commented Sep 12, 2022

notmandatory commented Sep 28, 2022

AUDIT failure due to bdk + cbf dependency rocksdb #119

AUDIT failure due to bdk + cbf dependency rocksdb #119

Comments

rajarshimaitra commented Sep 12, 2022

notmandatory commented Sep 28, 2022

AUDIT failure due to bdk + cbf dependency `rocksdb` #119

AUDIT failure due to bdk + cbf dependency `rocksdb` #119