Fix cargo audit issue on chrono #1907
This commit is in response to RUSTSEC-2020-0071 where there is a potential segfault in the time crate. The aws-smithy-types-convert crate now disables the default features of the chrono crate so that it will not depend on the time crate.
This commit updates the version of lambda_http used by aws-smithy-http-server and aws-smithy-http-server-python to 0.7.0. The prior version 0.6.0 of lambda_http used the chrono crate in a way that exposed a security issue described in RUSTSEC-2020-0071. By switching to 0.7.0 of lambda_http, those two crates do not exhibit vulnerabilities as reported by cargo audit.
This commit removes --ignore flags for cargo audit related to the chrono crate. It is an accompanying PR for smithy-lang/smithy-rs#1907
A new generated diff is ready to view.
A new doc preview is ready to view. |
This commit updates the version of `lambda_http` used by `pokemon-service` from 0.6.0 to 0.7.0. This is in sync with the fact that both `aws-smithy-http-server` and `aws-smithy-http-server-python` now depend on 0.7.0 of `lambda_http`. Failing to do so would cause `pokemon-service` to fail to compile due to an error at `lambda_http::run(handler)` in the main function of the `pokemon-service-lambda` binary: the trait `Service<lambda_http::http::Request<lambda_http::Body>>` is not implemented for `LambdaHandler<aws_smithy_http_server::routing::Router>`
This commit updates the version of `lambda_http` from 0.7.0 to 0.7.1 in the crates within the top-level `rust-runtime` workspace. These updates are needed to solve the issue described in awslabs/aws-lambda-rust-runtime#556
Nice work on this!
* Avoid the chrono crate depending on the time crate

  This commit is in response to RUSTSEC-2020-0071 where there is a potential segfault in the time crate. The aws-smithy-types-convert crate now disables the default features of the chrono crate so that it will not depend on the time crate.

* Depend on lambda_http without RUSTSEC-2020-0071

  This commit updates the version of lambda_http used by aws-smithy-http-server and aws-smithy-http-server-python to 0.7.0. The prior version 0.6.0 of lambda_http used the chrono crate in a way that exposed a security issue described in RUSTSEC-2020-0071. By switching to 0.7.0 of lambda_http, those two crates do not exhibit vulnerabilities as reported by cargo audit.

* Bump minor version of lambda_http in pokemon-service

  This commit updates the version of `lambda_http` used by `pokemon-service` from 0.6.0 to 0.7.0. This is in sync with the fact that both `aws-smithy-http-server` and `aws-smithy-http-server-python` now depend on 0.7.0 of `lambda_http`. Failing to do so would cause `pokemon-service` to fail to compile due to an error at `lambda_http::run(handler)` in the main function of the `pokemon-service-lambda` binary: the trait `Service<lambda_http::http::Request<lambda_http::Body>>` is not implemented for `LambdaHandler<aws_smithy_http_server::routing::Router>`

* Depend on lambda-http 0.7.1

  This commit updates the version of `lambda_http` from 0.7.0 to 0.7.1 in the crates within the top-level `rust-runtime` workspace. These updates are needed to solve the issue described in awslabs/aws-lambda-rust-runtime#556

* Update CHANGELOG.next.toml

* Address https://github.com/awslabs/smithy-rs/pull/1907#pullrequestreview-1161609833

Co-authored-by: Saito <[email protected]>
Co-authored-by: Zelda Hessler <[email protected]>
Motivation and Context

This PR addresses a cargo audit issue described in awslabs/aws-sdk-rust#643.

This will remain a draft until awslabs/aws-lambda-rust-runtime#556 is resolved.

Description

Within the top-level `rust-runtime` workspace, we can see the following report generated when running `cargo audit`:

To work around the issue, we follow this to avoid bringing in the `time` crate via the `chrono` crate. To that goal, this PR edits four `Cargo.toml` files.

`Cargo.toml` in `aws-smithy-types-convert`

This implements the said workaround.

`Cargo.toml`s in `aws-smithy-http-server-python` and `aws-smithy-http-server`

These crates indirectly stepped on the RustSec vulnerability in question from `aws_lambda_events` 0.6.3 (through `lambda_http` 0.6.2). `aws_lambda_events` addressed it as of 0.7.1 (PR) and `lambda_http` 0.7.1 ~~0.7.0~~, in turn, depended on a safe version of `aws_lambda_events` (PR). Thus, both `aws-smithy-http-server-python` and `aws-smithy-http-server` now depend on `lambda_http` 0.7.1 ~~0.7.0~~.

`Cargo.toml` in `pokemon-service`

This is due to b1cb5fa.

Testing

Ran `cargo audit` from within the top-level `rust-runtime` workspace:

This is the output as a result of running `cargo audit` in this branch. We can see no vulnerabilities detected.

Checklist

- `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
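The workaround this PR applies in `aws-smithy-types-convert` (disable chrono's default features so it stops pulling in the time 0.1 crate flagged by RUSTSEC-2020-0071), shown as an added example of a `Cargo.toml` dependency stanza. This is illustrative, not the project's own manifest: the package name `example-crate` and the `chrono = "0.4"` version requirement are assumptions. At the time of this PR, chrono 0.4's default feature set included `oldtime`, which is the feature that depends on time 0.1.x.

```toml
[package]
name = "example-crate"   # assumed name; not a smithy-rs crate
version = "0.1.0"
edition = "2021"

[dependencies]
# Before (the audited state): the default feature set enables `oldtime`,
# which adds time 0.1.x to the dependency graph and trips cargo audit on
# RUSTSEC-2020-0071.
#
# chrono = "0.4"

# After (the workaround): opt out of all default features so the `oldtime`
# feature, and with it time 0.1.x, is never enabled, then turn back on only
# the chrono features this crate actually needs (`std` and `clock` here are
# assumed needs for an ordinary application).
chrono = { version = "0.4", default-features = false, features = ["std", "clock"] }
```

Two things to check after making this change: `cargo tree -i time` from the workspace root lists every path by which a `time` package still reaches the graph (it is the quickest way to spot another dependency re-enabling `oldtime` through feature unification, since Cargo unions features across all crates that depend on chrono), and `cargo audit` run without any `--ignore` flag confirms the advisory no longer fires, which is exactly what the last commit in this PR relies on.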