
Remove unused dev-dep cross #331

Closed
wants to merge 1 commit into from

Conversation


@jayvdb jayvdb commented Oct 24, 2024

afaics, cross is not needed as a dev dependency.
It adds a lot of unnecessary dependencies to the lock file, including several CVEs.

@jtmoon79
Owner

jtmoon79 commented Oct 27, 2024

> several CVEs.

How did you find the CVEs in cross? I'd like to review them.

@jtmoon79 jtmoon79 self-requested a review October 27, 2024 20:59
@jtmoon79
Owner

> How did you find the CVEs in cross? I'd like to review them.

@jayvdb do you recall how you ran into this?

@jayvdb
Author

jayvdb commented Nov 16, 2024

I use https://github.com/google/osv-scanner and https://github.com/EmbarkStudios/cargo-deny

cross-rs/cross#1578 is one of the CVEs

jtmoon79 added a commit that referenced this pull request Nov 24, 2024
@jtmoon79
Owner

jtmoon79 commented Nov 24, 2024

@jayvdb I ran osv-scanner with cross and without cross in Cargo.toml. There was no difference.

Using osv-scanner version 1.9.0 on Ubuntu 22.04 at 9bbc405

$ cargo --version
cargo 1.73.0 (9c4383fb5 2023-08-26)

$ cargo clean && cargo build

$ osv-scanner scan -r .
...
╭─────────────────────────────────────┬──────┬───────────┬──────────────────┬─────────┬────────────────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE          │ VERSION │ SOURCE                         │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼────────────────────────────────┤
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty             │ 0.2.14  │ Cargo.lock                     │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty             │ 0.2.14  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2021-0153   │      │ crates.io │ encoding         │ 0.2.33  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2024-0384   │      │ crates.io │ instant          │ 0.1.13  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2022-0081   │      │ crates.io │ json             │ 0.12.4  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2024-0019   │ 7.5  │ crates.io │ mio              │ 0.7.14  │ Cargo.lock                     │
│ https://osv.dev/GHSA-r8w9-5wcg-vfj7 │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2024-0370   │      │ crates.io │ proc-macro-error │ 1.0.4   │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2024-0336   │ 7.5  │ crates.io │ rustls           │ 0.19.1  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2023-0052   │ 7.5  │ crates.io │ webpki           │ 0.21.4  │ Cargo.lock                     │
│ https://osv.dev/GHSA-8qv2-5vq6-g2g7 │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term        │ 0.12.1  │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty             │ 0.2.14  │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty             │ 0.2.14  │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/RUSTSEC-2024-0006   │      │ crates.io │ shlex            │ 0.1.1   │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/GHSA-r7qv-8r2h-pg27 │      │           │                  │         │                                │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────┴─────────┴────────────────────────────────╯

# remove from `Cargo.toml` the line `cross = "0.2.5"`

$ cargo clean && cargo build

$ osv-scanner scan -r .
...
╭─────────────────────────────────────┬──────┬───────────┬──────────────────┬─────────┬────────────────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE          │ VERSION │ SOURCE                         │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼────────────────────────────────┤
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty             │ 0.2.14  │ Cargo.lock                     │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty             │ 0.2.14  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2021-0153   │      │ crates.io │ encoding         │ 0.2.33  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2024-0384   │      │ crates.io │ instant          │ 0.1.13  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2022-0081   │      │ crates.io │ json             │ 0.12.4  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2024-0019   │ 7.5  │ crates.io │ mio              │ 0.7.14  │ Cargo.lock                     │
│ https://osv.dev/GHSA-r8w9-5wcg-vfj7 │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2024-0370   │      │ crates.io │ proc-macro-error │ 1.0.4   │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2024-0336   │ 7.5  │ crates.io │ rustls           │ 0.19.1  │ Cargo.lock                     │
│ https://osv.dev/RUSTSEC-2023-0052   │ 7.5  │ crates.io │ webpki           │ 0.21.4  │ Cargo.lock                     │
│ https://osv.dev/GHSA-8qv2-5vq6-g2g7 │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term        │ 0.12.1  │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty             │ 0.2.14  │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │                  │         │                                │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty             │ 0.2.14  │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/RUSTSEC-2024-0006   │      │ crates.io │ shlex            │ 0.1.1   │ subprojects/bindgen/Cargo.lock │
│ https://osv.dev/GHSA-r7qv-8r2h-pg27 │      │           │                  │         │                                │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────┴─────────┴────────────────────────────────╯
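To check a claim like the one in this thread (that a dev-dependency adds or removes scanner findings), the following is an added example, not part of the PR or the project: it parses osv-scanner's table output from two runs and diffs the findings, folding the GHSA alias rows into the finding above them. The sample tables are constructed from rows quoted above, with the mio row dropped in the second run so that a difference is visible (the thread's own two runs were identical).

```python
from typing import Dict, Set, Tuple

Finding = Tuple[str, str, str]  # (package, version, source lockfile)

def parse_osv_table(text: str) -> Dict[Finding, Set[str]]:
    """Map each (package, version, source) row of osv-scanner's table output
    to the set of OSV ids reported for it.  A row whose PACKAGE cell is empty
    is a continuation row carrying an alias (e.g. a GHSA id) of the row above."""
    findings: Dict[Finding, Set[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("│"):
            continue                                   # box borders, prose
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) != 6 or cells[0] == "OSV URL":
            continue                                   # header row
        url, _cvss, _ecosystem, pkg, ver, src = cells
        osv_id = url.rsplit("/", 1)[-1]
        if pkg:                                        # start of a new finding
            current = (pkg, ver, src)
            findings.setdefault(current, set())
        if current is not None:                        # alias rows join it
            findings[current].add(osv_id)
    return findings

def diff_findings(before, after):
    """Return (gone, new): (package, version, source, osv_id) tuples present
    only in the first run / only in the second run."""
    def flat(f):
        return {(p, v, s, i) for (p, v, s), ids in f.items() for i in ids}
    b, a = flat(before), flat(after)
    return b - a, a - b

# Constructed sample: three findings trimmed from the osv-scanner output quoted
# in the thread; the "without" run drops the mio row and its GHSA alias row.
WITH_CROSS = """
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE                         │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty    │ 0.2.14  │ Cargo.lock                     │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │         │         │                                │
│ https://osv.dev/RUSTSEC-2024-0019   │ 7.5  │ crates.io │ mio     │ 0.7.14  │ Cargo.lock                     │
│ https://osv.dev/GHSA-r8w9-5wcg-vfj7 │      │           │         │         │                                │
│ https://osv.dev/RUSTSEC-2024-0006   │      │ crates.io │ shlex   │ 0.1.1   │ subprojects/bindgen/Cargo.lock │
"""
WITHOUT_CROSS = "\n".join(l for l in WITH_CROSS.splitlines()
                          if "mio" not in l and "GHSA-r8w9" not in l)

if __name__ == "__main__":
    gone, new = diff_findings(parse_osv_table(WITH_CROSS), parse_osv_table(WITHOUT_CROSS))
    print("gone:", sorted(gone), "\nnew:", sorted(new))
```

An empty diff, as in the thread, means the flagged crates are reachable through other dependencies and removing the one under discussion does not change the lock file's advisory set.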

jtmoon79 added a commit that referenced this pull request Nov 24, 2024
@jtmoon79
Owner

I get the same warnings with cargo-deny when run with cross = "0.2.5" and without it.

Run on Ubuntu 22.04

$ cargo --version
cargo 1.73.0 (9c4383fb5 2023-08-26)

$ cargo deny --version
cargo-deny 0.16.2

$ (cargo clean && cargo build) &> /dev/null

$ cargo deny check --show-stats advisories ban bans sources
...
 advisories FAILED: 9 errors, 0 warnings, 0 notes
           bans ok: 0 errors, 15 warnings, 0 notes
        sources ok: 0 errors, 0 warnings, 0 notes

# remove `cross` from `Cargo.toml`

$ (cargo clean && cargo build) &> /dev/null

$ cargo deny check --show-stats advisories ban bans sources
...
 advisories FAILED: 9 errors, 0 warnings, 0 notes
           bans ok: 0 errors, 15 warnings, 0 notes
        sources ok: 0 errors, 0 warnings, 0 notes

jtmoon79 added a commit that referenced this pull request Nov 24, 2024
@jtmoon79
Owner

Closing.

Comments above note no difference with or without cross = "0.2.5" in Cargo.toml, using tools osv-scanner and cargo-deny.

Thanks for reporting @jayvdb 😄 . Please re-open if you can provide steps demonstrating a difference.
