Update chrono to avoid RUSTSEC-2020-0159. Fixes mozilla#4590

.github/workflows/dependency-check.yaml

@@ -55,18 +55,13 @@ jobs:
         run: |
             cargo install cargo-audit
             # Explanation for ignored issues:
-            #  * RUSTSEC-2020-0159:  A possible Segfault in `chrono`'s `localtime_r' invocation, at the time of this
-            #                        patch, there is no fixed versions available, but an issue is filed on chrono: https://github.com/chronotope/chrono/issues/602
-            #  * RUSTSEC-2020-0071: Related to the one above, `chrono` pulls in a version of `time` that has the same problem, where invocations of
-            #                       `localtime_r` could segfault, our code base doesn't trigger this, there is a PR on chrono that should
-            #                       fix this: https://github.com/chronotope/chrono/pull/578
-            #                       note that both the Nimbus-SDK and glean use chrono, so if we would like to move away from it, both projects
-            #                       need to do that before we can remove the ignores (assuming `chrono` doesn't release a fixed version)
+            #  * RUSTSEC-2020-0071: `time` has a problem where invocations of `localtime_r` could segfault, our code base doesn't trigger this,
+            #                       but time is a transitive dependency for other crates so is difficult to update.
             #  * RUSTSEC-2018-0006: Uncontrolled recursion in `yaml-rust`, which is included by `clap` v2. `clap` itself already updated to a safe
             #                       version of `yaml-rust`, which will be released in `v3` and additionally, 
             #                       reading https://github.com/rustsec/advisory-db/issues/288, this is a false
             #                       positive for clap and based on our dependency tree, we only use `yaml-rust` in `clap`.
-            cargo audit --ignore RUSTSEC-2020-0159 --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2018-0006
+            cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2018-0006
       - name: Check for any unrecorded changes in our dependency trees
         run: |
             cargo metadata --locked > /dev/null

DEPENDENCIES.md

@@ -444,6 +444,7 @@ Exhibit B - "Incompatible With Secondary Licenses" Notice
 
 The following text applies to code linked from these dependencies:
 [ahash](https://github.com/tkaitchuck/ahash),
+[android_system_properties](https://github.com/nical/android_system_properties),
 [anyhow](https://github.com/dtolnay/anyhow),
 [askama](https://github.com/djc/askama),
 [askama_derive](https://github.com/djc/askama),
@@ -490,6 +491,7 @@ The following text applies to code linked from these dependencies:
 [httparse](https://github.com/seanmonstar/httparse),
 [httpdate](https://github.com/pyfisch/httpdate),
 [hyper-tls](https://github.com/hyperium/hyper-tls),
+[iana-time-zone](https://github.com/strawlab/iana-time-zone),
 [id-arena](https://github.com/fitzgen/id-arena),
 [idna](https://github.com/servo/rust-url/),
 [indexmap](https://github.com/bluss/indexmap),

components/nimbus/src/behavior.rs

@@ -5,7 +5,7 @@
 
 use crate::error::{BehaviorError, NimbusError, Result};
 use crate::persistence::{Database, StoreId};
-use chrono::{DateTime, Datelike, Duration, Utc};
+use chrono::{DateTime, Datelike, Duration, TimeZone, Utc};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use std::collections::vec_deque::Iter;
@@ -131,14 +131,17 @@ impl IntervalData {
         };
         data.buckets.push_front(0);
         // Set the starting instant to Jan 1 00:00:00 in order to sync rotations
-        data.starting_instant = data
-            .starting_instant
-            .with_month(1)
-            .unwrap()
-            .with_day(1)
-            .unwrap()
-            .date()
-            .and_hms(0, 0, 0);
+        data.starting_instant = Utc.from_utc_datetime(
+            &data
+                .starting_instant
+                .with_month(1)
+                .unwrap()
+                .with_day(1)
+                .unwrap()
+                .date_naive()
+                .and_hms_opt(0, 0, 0)
+                .unwrap(),
+        );
         data
     }
 
@@ -233,8 +236,7 @@ impl SingleIntervalCounter {
             .interval
             .num_rotations(self.data.starting_instant, now)?;
         if rotations > 0 {
-            self.data.starting_instant =
-                self.data.starting_instant + self.config.interval.to_duration(rotations.into());
+            self.data.starting_instant += self.config.interval.to_duration(rotations.into());
             return self.data.rotate(rotations);
         }
         Ok(())

components/nimbus/src/lib.rs

@@ -372,7 +372,7 @@ impl NimbusClient {
         // we first check our context
         if let Some(context_installation_date) = self.app_context.installation_date {
             let res = DateTime::<Utc>::from_utc(
-                NaiveDateTime::from_timestamp(context_installation_date / 1_000, 0),
+                NaiveDateTime::from_timestamp_opt(context_installation_date / 1_000, 0).unwrap(),
                 Utc,
             );
             log::info!("[Nimbus] Retrieved date from Context: {}", res);

components/nimbus/src/tests/test_behavior.rs

@@ -1407,7 +1407,7 @@ mod event_store_tests {
                 then.weekday(),
                 same_week(now, then)
             );
-            now = now + one_day;
+            now += one_day;
         }
 
         Ok(())

megazords/full/DEPENDENCIES.md

@@ -428,6 +428,7 @@ Exhibit B - "Incompatible With Secondary Licenses" Notice
 
 The following text applies to code linked from these dependencies:
 [ahash](https://github.com/tkaitchuck/ahash),
+[android_system_properties](https://github.com/nical/android_system_properties),
 [anyhow](https://github.com/dtolnay/anyhow),
 [askama](https://github.com/djc/askama),
 [askama_derive](https://github.com/djc/askama),
@@ -442,6 +443,7 @@ The following text applies to code linked from these dependencies:
 [cc](https://github.com/alexcrichton/cc-rs),
 [cfg-if](https://github.com/alexcrichton/cfg-if),
 [chrono](https://github.com/chronotope/chrono),
+[core-foundation-sys](https://github.com/servo/core-foundation-rs),
 [cpufeatures](https://github.com/RustCrypto/utils),
 [digest](https://github.com/RustCrypto/traits),
 [dogear](https://github.com/mozilla/dogear),
@@ -459,6 +461,7 @@ The following text applies to code linked from these dependencies:
 [hashlink](https://github.com/kyren/hashlink),
 [heck](https://github.com/withoutboats/heck),
 [hex](https://github.com/KokaKiwi/rust-hex),
+[iana-time-zone](https://github.com/strawlab/iana-time-zone),
 [id-arena](https://github.com/fitzgen/id-arena),
 [idna](https://github.com/servo/rust-url/),
 [io-lifetimes](https://github.com/sunfishcode/io-lifetimes),

megazords/full/android/dependency-licenses.xml

@@ -64,6 +64,10 @@ the details of which are reproduced below.
     <name>Apache License 2.0: ahash</name>
     <url>https://github.com/tkaitchuck/ahash/blob/master/LICENSE-APACHE</url>
   </license>
+  <license>
+    <name>Apache License 2.0: android_system_properties</name>
+    <url>https://github.com/nical/android_system_properties/blob/main/LICENSE-APACHE</url>
+  </license>
   <license>
     <name>Apache License 2.0: anyhow</name>
     <url>https://github.com/dtolnay/anyhow/blob/master/LICENSE-APACHE</url>
@@ -128,6 +132,10 @@ the details of which are reproduced below.
     <name>Apache License 2.0: chrono</name>
     <url>https://github.com/chronotope/chrono/blob/main/LICENSE.txt</url>
   </license>
+  <license>
+    <name>Apache License 2.0: core-foundation-sys</name>
+    <url>https://github.com/servo/core-foundation-rs/blob/master/LICENSE-APACHE</url>
+  </license>
   <license>
     <name>Apache License 2.0: cpufeatures</name>
     <url>https://github.com/RustCrypto/utils/blob/master/cpufeatures/LICENSE-APACHE</url>
@@ -196,6 +204,10 @@ the details of which are reproduced below.
     <name>Apache License 2.0: hex</name>
     <url>https://github.com/KokaKiwi/rust-hex/blob/main/LICENSE-APACHE</url>
   </license>
+  <license>
+    <name>Apache License 2.0: iana-time-zone</name>
+    <url>https://github.com/strawlab/iana-time-zone/blob/main/LICENSE-APACHE</url>
+  </license>
   <license>
     <name>Apache License 2.0: id-arena</name>
     <url>https://github.com/fitzgen/id-arena/blob/master/LICENSE-APACHE</url>