
NOTICE: Converting advisories to V2 format on March 1st, 2020 #228

Closed
tarcieri opened this issue Jan 24, 2020 · 1 comment · Fixed by dfinity/sdk#424

Comments


tarcieri commented Jan 24, 2020

The "Refactor advisory types: add [affected] and [versions] sections" PR to the rustsec crate from August 2019 performed some refactoring of the internal data structures used to store advisories, splitting out separate [affected] and [versions] sections:

Advisory V1 Format

https://github.com/RustSec/rustsec-crate/blob/af751d912/tests/support/example_advisory_v1.toml

```toml
# Example of a V1 RustSec advisory
# This uses the legacy `patched_versions` field, which we need to support until
# all users have upgraded to parsers which understand the V2 format

[advisory]
id = "RUSTSEC-2001-2101"
package = "base"
title = "All your base are belong to us"
description = "You have no chance to survive. Make your time."
date = "2001-02-03"
url = "https://www.youtube.com/watch?v=jQE66WA2s-A"
keywords = ["how", "are", "you", "gentlemen"]
aliases = ["CVE-2001-2101"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
patched_versions = [">= 1.2.3"]

[affected]
arch = ["x86"]
os = ["windows"]
functions = { "base::belongs::All" = ["< 1.2.3"] }
```

Advisory V2 Format

https://github.com/RustSec/rustsec-crate/blob/af751d912/tests/support/example_advisory_v2.toml

```toml
# Example of a V2 RustSec advisory
# This uses the new `[versions]` subsection, which we'd eventually like to
# switch to, but we need to make sure all users have a `cargo-audit` which
# supports the new format first.

[advisory]
id = "RUSTSEC-2001-2101"
package = "base"
title = "All your base are belong to us"
description = "You have no chance to survive. Make your time."
date = "2001-02-03"
url = "https://www.youtube.com/watch?v=jQE66WA2s-A"
keywords = ["how", "are", "you", "gentlemen"]
aliases = ["CVE-2001-2101"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"

[versions]
patched = [">= 1.2.3"]

[affected]
arch = ["x86"]
os = ["windows"]
functions = { "base::belongs::All" = ["< 1.2.3"] }
```

Support

The V2 advisory format shipped on September 23rd, 2019 and is supported by:

  • rustsec crate >= v0.13 (current release: 0.17)
  • cargo-audit >= 0.9 (current release: 0.11)

Transition Plan

The plan is to convert all advisories to the new V2 format on March 1st, 2020.

After transitioning to the V2 format, all versions of these crates (and third party tools directly parsing advisories) will cease to work due to parse errors for the latest_versions field.

Unfortunately, there was no way in these releases to signal that we are retiring earlier releases of cargo-audit and the rustsec crate (new versions check the RustSec Advisory DB for vulnerabilities filed against themselves and will allow us to display warning messages for obsolete versions), so this will be a breaking change that will force people to upgrade.

After making the change, support for the V1 format will be removed from future versions of the rustsec crate and Cargo audit.

Hopefully this is the only breaking change we'll make to the advisory format in the foreseeable future.

tarcieri added a commit that referenced this issue Mar 1, 2020
As announced in #228, this commit migrates all advisories to the new V2
format, which splits version information into a separate section, and
now has a structure which corresponds to the internal code structure of
the `rustsec` crate.

This is a breaking change for users of `cargo-audit` < 0.9, and anyone
who has written a 3rd party advisory format parser.
tarcieri added a commit that referenced this issue Mar 1, 2020
Migrate all advisories to V2 format (closes #228)

tarcieri commented Mar 1, 2020

All advisories were updated to the V2 format in #236.

We hope this doesn't have too much collateral damage, and also want to do an additional "V3" format change prior to a 1.0 release of the rustsec crate and cargo-audit, so if this did impact you, that would be good to know so we can coordinate that change.

dfinity-bot added a commit to dfinity/sdk that referenced this issue Mar 5, 2020
Commits: [rustsec/advisory-db@891a872b...19196c29](rustsec/advisory-db@891a872...19196c2)

* [`6da6344b`](rustsec/advisory-db@6da6344) Add advisory for deprecated/unmaintained quickersort
* [`36b8de69`](rustsec/advisory-db@36b8de6) hyperium/http/issues/352
* [`ba2df66b`](rustsec/advisory-db@ba2df66) hyperium/http/issues/354,355
* [`0e59ecb7`](rustsec/advisory-db@0e59ecb) Assign RUSTSEC-2019-0033 to http
* [`526892a1`](rustsec/advisory-db@526892a) Assign RUSTSEC-2019-0034 to http
* [`200651cf`](rustsec/advisory-db@200651c) Correct affected version range on RUSTSEC-2019-003[34] to patched at 0.1.20
* [`57f553ee`](rustsec/advisory-db@57f553e) Add advisory for prost stack overflow
* [`7a0d254b`](rustsec/advisory-db@7a0d254) fixup! Add advisory for prost stack overflow
* [`a5b6099b`](rustsec/advisory-db@a5b6099) Assign RUSTSEC-2020-0002 to prost
* [`8b072513`](rustsec/advisory-db@8b07251) Fix typo
* [`e30a06a6`](rustsec/advisory-db@e30a06a) RUSTSEC-2016-0005: add note about rust-crypto vs RustCrypto
* [`17e82e13`](rustsec/advisory-db@17e82e1) Assign RUSTSEC-2018-0016 to quickersort
* [`b300fa84`](rustsec/advisory-db@b300fa8) Add unmaintained crate informational advisory: rust_sodium
* [`f8ff9cfc`](rustsec/advisory-db@f8ff9cf) Add lucet-runtime-internals sigstack allocation vuln advisory
* [`3f1f71de`](rustsec/advisory-db@3f1f71d) Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
* [`0271003e`](rustsec/advisory-db@0271003) Update crates/lucet-runtime-internals/RUSTSEC-0000-0000.toml
* [`2b82281e`](rustsec/advisory-db@2b82281) Assign RUSTSEC-2020-0003 (informational) to rust_sodium
* [`d8e872fd`](rustsec/advisory-db@d8e872f) Assign RUSTSEC-2020-0004 to lucet-runtime-internals
* [`df7657d3`](rustsec/advisory-db@df7657d) Fix broken/malformatted outbound links
* [`64c17acf`](rustsec/advisory-db@64c17ac) Migrate all advisories to V2 format (closes rustsec/advisory-db#228)
* [`38626513`](rustsec/advisory-db@3862651) .github: cache installation of rustsec-admin
* [`ce781096`](rustsec/advisory-db@ce78109) .github: fix rustsec-admin install caching
* [`f0ee46e9`](rustsec/advisory-db@f0ee46e) Migrate `rust/` advisories to V2 format
mergify bot added a commit to dfinity/sdk that referenced this issue Mar 9, 2020
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>