
Lots of CVEs #5077

Closed
jayvdb opened this issue Sep 9, 2024 · 2 comments · Fixed by #5181
Comments

@jayvdb

jayvdb commented Sep 9, 2024

Describe the bug

There are lots of CVEs in the lock file. Some of these might be dev-deps because osv-scanner isn't that smart, however some are in real deps.

#5076 is for using a smarter tool to detect CVEs only in dependencies.

Steps to reproduce

> osv-scanner --lockfile Cargo.lock
Scanned /home/jayvdb/rust/wasmer/Cargo.lock file and found 737 packages
╭─────────────────────────────────────┬──────┬───────────┬──────────────────┬─────────┬────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE          │ VERSION │ SOURCE     │
├─────────────────────────────────────┼──────┼───────────┼──────────────────┼─────────┼────────────┤
│ https://osv.dev/GHSA-qc84-gqf4-9926 │ 8.1  │ crates.io │ crossbeam-utils  │ 0.7.2   │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2022-0041   │      │           │                  │         │            │
│ https://osv.dev/GHSA-5wg8-7c9q-794v │ 5.5  │ crates.io │ lock_api         │ 0.3.4   │ Cargo.lock │
│ https://osv.dev/GHSA-gmv4-vmx3-x9f3 │      │           │                  │         │            │
│ https://osv.dev/GHSA-hj9h-wrgg-hgmx │      │           │                  │         │            │
│ https://osv.dev/GHSA-ppj3-7jw3-8vc4 │      │           │                  │         │            │
│ https://osv.dev/GHSA-vh4p-6j7g-f4j9 │      │           │                  │         │            │
│ https://osv.dev/RUSTSEC-2020-0070   │      │           │                  │         │            │
│ https://osv.dev/GHSA-wfg4-322g-9vqv │      │ crates.io │ memoffset        │ 0.5.6   │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2023-0045   │      │           │                  │         │            │
│ https://osv.dev/RUSTSEC-2020-0016   │      │ crates.io │ net2             │ 0.2.39  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2024-0370   │      │ crates.io │ proc-macro-error │ 1.0.4   │ Cargo.lock │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │ 8.7  │ crates.io │ quinn-proto      │ 0.11.3  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2024-0373   │      │           │                  │         │            │
│ https://osv.dev/GHSA-255r-3prx-mf99 │      │ crates.io │ rmp-serde        │ 0.15.5  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2022-0092   │      │           │                  │         │            │
│ https://osv.dev/RUSTSEC-2021-0127   │      │ crates.io │ serde_cbor       │ 0.11.2  │ Cargo.lock │
│ https://osv.dev/GHSA-wcg3-cvx6-7396 │ 6.2  │ crates.io │ time             │ 0.1.45  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2020-0071   │      │           │                  │         │            │
│ https://osv.dev/GHSA-fg7r-2g4j-5cgr │ 8.1  │ crates.io │ tokio            │ 0.1.22  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0124   │      │           │                  │         │            │
│ https://osv.dev/RUSTSEC-2024-0320   │      │ crates.io │ yaml-rust        │ 0.4.5   │ Cargo.lock │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────┴─────────┴────────────╯

Expected behavior

Actual behavior

Additional context
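
The scan above is lockfile-only, and Cargo.lock does not record whether a package is reached only through a [dev-dependencies] edge, which is why a lockfile scanner cannot tell dev-deps from real deps. `cargo metadata --format-version 1` does record the edge kind on every resolve-graph edge (a normal dependency has `"kind": null`, the others are `"build"` and `"dev"`), so walking that graph from the workspace members separates runtime, build-only and dev-only packages. The script below is an added example and is not code from this issue or from the wasmer project. It embeds a constructed, trimmed `cargo metadata` document whose dependency graph is invented for the example and does not describe wasmer's real tree; `example-app` is a hypothetical workspace member, and the `(name, version)` pairs are taken from the osv-scanner table above.

```python
"""Triage osv-scanner lockfile findings by dependency kind.

Cargo.lock lists every resolved package but not how it is reached, so a
lockfile-only scanner reports all of them.  The resolve graph emitted by
`cargo metadata --format-version 1` carries the edge kind (null = normal,
"build", "dev"), so a walk from the workspace members along normal edges
gives the runtime closure, and along normal+build edges the build closure.
Anything outside the build closure is reachable only via a dev edge.
"""
import json
from collections import deque

# Constructed sample in the shape of `cargo metadata --format-version 1`,
# reduced to the fields this script reads.  The graph is invented for the
# example; it does not describe wasmer's real dependency tree.
REG = "registry+https://github.com/rust-lang/crates.io-index#"
APP = "path+file:///work/example-app#0.1.0"  # hypothetical workspace member


def _pkg(pkg_id, name, version):
    return {"id": pkg_id, "name": name, "version": version}


def _edge(pkg_id, *kinds):
    """One resolve-graph edge; cargo reports a normal dependency as kind null."""
    return {"name": pkg_id.rsplit("#", 1)[-1].split("@")[0].replace("-", "_"),
            "pkg": pkg_id,
            "dep_kinds": [{"kind": k, "target": None} for k in kinds]}


SAMPLE_METADATA = json.dumps({
    "packages": [
        _pkg(APP, "example-app", "0.1.0"),
        _pkg(REG + "quinn-proto@0.11.3", "quinn-proto", "0.11.3"),
        _pkg(REG + "crossbeam-utils@0.7.2", "crossbeam-utils", "0.7.2"),
        _pkg(REG + "proc-macro-error@1.0.4", "proc-macro-error", "1.0.4"),
        _pkg(REG + "rmp-serde@0.15.5", "rmp-serde", "0.15.5"),
        _pkg(REG + "serde_cbor@0.11.2", "serde_cbor", "0.11.2"),
    ],
    "workspace_members": [APP],
    "resolve": {
        "root": APP,
        "nodes": [
            {"id": APP, "deps": [
                _edge(REG + "quinn-proto@0.11.3", None),         # [dependencies]
                _edge(REG + "proc-macro-error@1.0.4", "build"),  # [build-dependencies]
                _edge(REG + "rmp-serde@0.15.5", "dev"),          # [dev-dependencies]
            ]},
            {"id": REG + "quinn-proto@0.11.3",
             "deps": [_edge(REG + "crossbeam-utils@0.7.2", None)]},
            {"id": REG + "crossbeam-utils@0.7.2", "deps": []},
            {"id": REG + "proc-macro-error@1.0.4", "deps": []},
            {"id": REG + "rmp-serde@0.15.5",
             "deps": [_edge(REG + "serde_cbor@0.11.2", None)]},
            {"id": REG + "serde_cbor@0.11.2", "deps": []},
        ],
    },
})


def _reachable(metadata, allowed_kinds):
    """Package ids reachable from the workspace members along edges of the given kinds."""
    nodes = {n["id"]: n for n in metadata["resolve"]["nodes"]}
    seen = set(metadata["workspace_members"])
    queue = deque(seen)
    while queue:
        for dep in nodes[queue.popleft()]["deps"]:
            if dep["pkg"] in seen:
                continue
            if any(k["kind"] in allowed_kinds for k in dep["dep_kinds"]):
                seen.add(dep["pkg"])
                queue.append(dep["pkg"])
    return seen


def classify(metadata):
    """Map (name, version) -> "runtime" | "build" | "dev" for every resolved package."""
    runtime = _reachable(metadata, {None})            # shipped in the final artefact
    build = _reachable(metadata, {None, "build"})     # also runs at build time
    result = {}
    for pkg in metadata["packages"]:
        key = (pkg["name"], pkg["version"])
        if pkg["id"] in runtime:
            result[key] = "runtime"
        elif pkg["id"] in build:
            result[key] = "build"
        else:
            result[key] = "dev"
    return result


def triage(metadata_json, findings):
    """Label each (name, version) from the lockfile scan; 'unresolved' if not in the graph."""
    kinds = classify(json.loads(metadata_json))
    return {f: kinds.get(f, "unresolved") for f in findings}


FINDINGS = [  # (name, version) pairs from the osv-scanner table above
    ("quinn-proto", "0.11.3"), ("crossbeam-utils", "0.7.2"),
    ("proc-macro-error", "1.0.4"), ("rmp-serde", "0.15.5"),
    ("serde_cbor", "0.11.2"), ("tokio", "0.1.22"),
]

if __name__ == "__main__":
    for (name, version), kind in triage(SAMPLE_METADATA, FINDINGS).items():
        print(f"{name:<18} {version:<8} {kind}")
```

In a real workspace, replace `SAMPLE_METADATA` with the output of `cargo metadata --format-version 1 --locked` run in the checkout that produced the scanned Cargo.lock. Two caveats worth keeping in mind when reading the labels: a `build` package (build scripts, proc-macros) never ships in the binary but does execute on every developer and CI machine, so it is still a supply-chain exposure rather than something to ignore; and `unresolved` means the scanner and `cargo metadata` were not looking at the same lock, so the metadata should be regenerated before trusting any of the labels.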

@xdoardo
Contributor

xdoardo commented Sep 12, 2024

Thanks for the report! We will make sure to allocate the time to update the interested crates.

@xdoardo xdoardo self-assigned this Sep 12, 2024
@syrusakbary
Member

Related: #5081
