
add RSA rustsec warning to ignores, we don't use that dependency #2343

Merged: 1 commit merged into rust-lang:master on Nov 29, 2023

Conversation

@syphar (Member) commented Nov 28, 2023

fixes #2346

Interestingly there is no issue created.

Also I don't seem to find the reason why cargo audit warns here:

```
Crate:     rsa
Version:   0.9.4
Title:     Marvin Attack: potential key recovery through timing sidechannels
Date:      2023-11-22
ID:        RUSTSEC-2023-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity:  7.4 (high)
Solution:  No fixed upgrade is available!
Dependency tree:
rsa 0.9.4
└── sqlx-mysql 0.7.2
    ├── sqlx-macros-core 0.7.2
    │   └── sqlx-macros 0.7.2
    │       └── sqlx 0.7.2
    │           └── docs-rs 0.6.0
    └── sqlx 0.7.2
```

(while the mysql feature is not active from our side)

@syphar syphar requested a review from a team as a code owner November 28, 2023 16:14
@github-actions github-actions bot added S-waiting-on-review Status: This pull request has been implemented and needs to be reviewed labels Nov 28, 2023
@GuillaumeGomez (Member) commented:

Maybe it only checks for all features enabled by default?

@syphar (Member, Author) commented Nov 28, 2023

I tried `cargo tree -i rsa --target all --all-features` and the output was empty.

@Nemo157 (Member) commented Nov 28, 2023

cargo audit checks the lockfile, which lists all dependencies that might be activated if you activate (transitive) dependencies' features; it doesn't limit itself to checking just the dependencies which are used.

@Nemo157 (Member) commented Nov 28, 2023

rustsec/rustsec#681 seems to have the most relevant discussion.

@syphar syphar merged commit 19e343a into rust-lang:master Nov 29, 2023
13 checks passed
@syphar syphar deleted the audit-warning branch November 29, 2023 06:45
@github-actions github-actions bot added S-waiting-on-deploy This PR is ready to be merged, but is waiting for an admin to have time to deploy it and removed S-waiting-on-review Status: This pull request has been implemented and needs to be reviewed labels Nov 29, 2023
@syphar syphar removed the S-waiting-on-deploy This PR is ready to be merged, but is waiting for an admin to have time to deploy it label Nov 29, 2023
Linked issue that merging this pull request may close: RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels
3 participants