Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qdrant/1.12.4-r0: cve remediation #35979

Closed
wants to merge 1 commit into from
Closed

qdrant/1.12.4-r0: cve remediation #35979

wants to merge 1 commit into from

Conversation

octo-sts[bot]
Copy link
Contributor

@octo-sts octo-sts bot commented Dec 6, 2024

@octo-sts Octo STS
Copy link
Contributor Author

octo-sts bot commented Dec 6, 2024

Gen AI suggestions to solve the build error:

• Detected Error:

Error: failed to parse the pom file: failed to run cargo update 'error: There are multiple `hashbrown` packages in your project, and the specification `hashbrown` is ambiguous.
Please re-run this command with one of the following specifications:
  hashbrown@0.12.3
  hashbrown@0.14.2
  hashbrown@0.15.0'

• Error Category: Dependency

• Failure Point: During rust/cargobump step

• Root Cause Analysis: The cargobump tool is failing because there are multiple versions of the hashbrown crate in the dependency tree, and it cannot automatically determine which version to use.

• Suggested Fix:
Create a file named cargobump-deps.yaml in the root directory with specific version constraints:

dependencies:
  hashbrown: "0.15.0"  # Use the latest version

Or modify the pipeline section to skip cargobump:

  - uses: rust/cargo
    with:
      command: build
      args: --release --bin qdrant

• Explanation:
The error occurs because the project has multiple versions of hashbrown as transitive dependencies. By either specifying the exact version in cargobump-deps.yaml or bypassing the cargobump step entirely, we can resolve the ambiguity.

• Additional Notes:

  • Using the latest hashbrown version (0.15.0) is recommended unless there are specific compatibility requirements
  • The cargo build step will still work without cargobump as Cargo.lock will manage dependencies
  • This is a common issue in Rust projects with complex dependency trees

• References:

@mamccorm
Copy link
Member

mamccorm commented Dec 8, 2024

Unfortunately we cannot remediate either of these three CVE's. The upstream project relies on multiple versions of each of the affected dependencies. Advisories created:

@mamccorm mamccorm self-assigned this Dec 8, 2024
@mamccorm
Copy link
Member

mamccorm commented Dec 8, 2024

Closing as advisory raised:

@mamccorm mamccorm closed this Dec 8, 2024
@mamccorm mamccorm deleted the cve-qdrant-e4317f56834a7b4ffb353620e6cedc77 branch December 8, 2024 16:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mamccorm mamccorm

Labels
automated pr GHSA-gw5w-5j7f-jmjj GHSA-qg5g-gv98-5ffh GHSA-wwq9-3cpr-mm53 P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. qdrant/1.12.4-r0 request-cve-remediation rust/cargobump
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mamccorm