
Workaround make audit failure for rust-nix #2697

Conversation

@winksaville winksaville commented Oct 10, 2021

The workaround is to add common/rust-psutil and change its Cargo.toml
to use v0.22.2. And then change common/eth2/Cargo.toml to point to
../common/rust-psutil.

Also updated Makefile:

  • lint: target to Allow needless_borrow to
    pass the cargo lint action.
  • test-release, test-debug: added --exclude psutil if Windows_NT

The failure is:

     Compiling cargo-audit v0.15.2
      Finished release [optimized] target(s) in 3m 34s
     Replacing /home/runner/.cargo/bin/cargo-audit
      Replaced package `cargo-audit v0.15.2` with `cargo-audit v0.15.2` (executable `cargo-audit`)
  cargo audit
      Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
        Loaded 367 security advisories (from /home/runner/.cargo/advisory-db)
      Updating crates.io index
      Scanning Cargo.lock for vulnerabilities (652 crate dependencies)
  Crate:         nix
  error: 2 vulnerabilities found!
  Version:       0.17.0
  Title:         Out-of-bounds write in nix::unistd::getgrouplist
  Date:          2021-09-27
  ID:            RUSTSEC-2021-0119
  URL:           https://rustsec.org/advisories/RUSTSEC-2021-0119
  Solution:      Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
  Dependency tree:
  nix 0.17.0

  Crate:         nix
  Version:       0.22.0
  Title:         Out-of-bounds write in nix::unistd::getgrouplist
  Date:          2021-09-27
  ID:            RUSTSEC-2021-0119
  URL:           https://rustsec.org/advisories/RUSTSEC-2021-0119
  Solution:      Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
  Dependency tree:
  nix 0.22.0

  Crate:         stdweb
  Version:       0.4.20
  Warning:       unmaintained
  Title:         stdweb is unmaintained
  Date:          2020-05-04
  ID:            RUSTSEC-2020-0056
  URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
  Dependency tree:
  stdweb 0.4.20
  └── time 0.2.27

  warning: 1 allowed warning found
  make: *** [Makefile:154: audit] Error 1
  Error: Process completed with exit code 2.
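As an added check (example code written here, not part of this PR or its repository), the patched ranges from the advisory's Solution line can be evaluated against the nix entries in a Cargo.lock; the Cargo.lock fragment below is constructed to mirror the two versions flagged in the audit output above.

```python
import re

# Patched ranges copied from the RUSTSEC-2021-0119 "Solution" line in the audit output.
RUSTSEC_2021_0119_PATCHED = ["^0.20.2", "^0.21.2", "^0.22.2", ">=0.23.0"]

def parse_version(s):
    """'0.22.2' -> (0, 22, 2); tuples compare lexicographically like semver."""
    major, minor, patch = (int(x) for x in s.strip().split(".")[:3])
    return major, minor, patch

def caret_upper(v):
    """Exclusive upper bound of Cargo's caret requirement ^v (0.x only bumps the minor)."""
    major, minor, patch = v
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)

def satisfies(version, req):
    """Check one requirement of the form ^a.b.c or >=a.b.c."""
    if req.startswith("^"):
        lo = parse_version(req[1:])
        return lo <= version < caret_upper(lo)
    if req.startswith(">="):
        return version >= parse_version(req[2:])
    raise ValueError(f"unsupported requirement: {req}")

def is_patched(version, patched=RUSTSEC_2021_0119_PATCHED):
    """True when a nix version falls in any patched range of the advisory."""
    return any(satisfies(parse_version(version), r) for r in patched)

# Cargo.lock entries begin with [[package]] followed by name and version lines.
PACKAGE_RE = re.compile(r'\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"')

def vulnerable_nix_versions(cargo_lock):
    """Return every nix version in a Cargo.lock that RUSTSEC-2021-0119 still affects."""
    return sorted(ver for name, ver in PACKAGE_RE.findall(cargo_lock)
                  if name == "nix" and not is_patched(ver))

# Constructed Cargo.lock fragment: the two vulnerable nix versions from the PR's audit output,
# plus a patched nix and an unrelated crate that must not be flagged.
SAMPLE_CARGO_LOCK = "".join(
    f'[[package]]\nname = "{n}"\nversion = "{v}"\n\n'
    for n, v in [("nix", "0.17.0"), ("nix", "0.22.0"), ("nix", "0.22.2"), ("time", "0.2.27")]
)

if __name__ == "__main__":
    print(vulnerable_nix_versions(SAMPLE_CARGO_LOCK))  # ['0.17.0', '0.22.0']
```

Note that 0.22.0 is rejected even though 0.22.2 is patched: the caret ranges pin the minor, so each vulnerable minor line needs its own patch release.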

@winksaville winksaville changed the title Workaround cargo audit failure for rust-nix Workaround make audit failure for rust-nix Oct 10, 2021
winksaville commented Oct 10, 2021

One way to fix #2698

@michaelsproul

Thanks for the report and digging into the root cause!

Rather than vendoring rust-psutil I've forked it and pointed our dependency at the fork in this PR: #2699. We try to avoid vendoring code as it destroys the original git history and creates a maintenance burden. I've opened an issue to track migrating back to upstream psutil or an alternative here: #2700

@winksaville winksaville deleted the Workaround-make-audit-failure-for-rust-nix branch October 11, 2021 00:26
@winksaville

SG, I figured there was a better way :)
