cargo audit vulnerability found on the time crate
endafarrell opened this issue
```text
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 457 security advisories (from /usr/local/cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (46 crate dependencies)
Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── pbr 1.0.4
    └── split-building-footprints 0.1.0 (my code)

error: 1 vulnerability found!
```
Hi. I've just started using `pbr`, and `cargo add pbr` gave me version 1.0.4, but a `cargo audit` has found a vulnerability on the version of `time` used.
I observe that `pbr` doesn't have a dependency on the time crate - so it ... might ... be a false positive.
Searching through the code shows that all uses of "time" are from `std::time`. Is it possible that line 8 of [examples/multi_bg.rs](https://github.com/endafarrell/pb/tree/master/examples/multi_bg.rs) might have a role to play in this?
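As an added example (not code from the issue, from pbr or from cargo-audit): cargo audit resolves the finding from `Cargo.lock`, not from `use` statements in the source, so the check for a suspected false positive is the lockfile's `dependencies` lists, which `cargo tree -i time` walks for you from the audited crate back to your own package. The Rust below does the same walk over a constructed `Cargo.lock` excerpt (its entries are assumed and trimmed to the crates in the report, with `libc` referenced but not listed) so that it runs without a project checkout.

```rust
use std::collections::HashMap;

/// One `[[package]]` entry from Cargo.lock, reduced to the fields we need.
#[derive(Debug, Default)]
struct Package { name: String, version: String, deps: Vec<String> }

/// Constructed Cargo.lock excerpt (not the reporter's real lockfile), trimmed to
/// the crates in the cargo-audit report; `libc` is referenced but its entry is omitted.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "pbr"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "libc",
 "time",
]

[[package]]
name = "split-building-footprints"
version = "0.1.0"
dependencies = [
 "pbr",
]

[[package]]
name = "time"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "libc",
]
"#;

/// Minimal reader for the TOML subset cargo writes to Cargo.lock: recovers
/// name, version and the `dependencies = [...]` list of every package.
fn parse_lock(lock: &str) -> Vec<Package> {
    let (mut pkgs, mut in_deps) = (Vec::<Package>::new(), false);
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            pkgs.push(Package::default());
            in_deps = false;
        } else if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let Some(p) = pkgs.last_mut() {
                // entries read "name", "name 1.2.3" or "name 1.2.3 (source)";
                // the crate name is always the first token
                let entry = line.trim_matches(|c: char| c == '"' || c == ',');
                if let Some(name) = entry.split_whitespace().next() {
                    p.deps.push(name.to_string());
                }
            }
        } else if let Some(p) = pkgs.last_mut() {
            if let Some(v) = line.strip_prefix("name = ") {
                p.name = v.trim_matches('"').to_string();
            } else if let Some(v) = line.strip_prefix("version = ") {
                p.version = v.trim_matches('"').to_string();
            } else if line.starts_with("dependencies = [") {
                in_deps = !line.ends_with(']');
            }
        }
    }
    pkgs
}

/// Every chain from `target` up to a crate nothing else depends on, the walk
/// `cargo tree -i <crate>` prints; each entry is "name version".
fn reverse_paths<'a>(pkgs: &'a [Package], target: &'a str) -> Vec<Vec<String>> {
    let by_name: HashMap<&str, &Package> = pkgs.iter().map(|p| (p.name.as_str(), p)).collect();
    let mut dependents: HashMap<&str, Vec<&str>> = HashMap::new();
    for p in pkgs {
        for d in &p.deps {
            dependents.entry(d.as_str()).or_default().push(p.name.as_str());
        }
    }
    let mut out = Vec::new();
    climb(target, &by_name, &dependents, &mut Vec::new(), &mut out);
    out
}

fn climb<'a>(name: &'a str, by_name: &HashMap<&'a str, &'a Package>,
             dependents: &HashMap<&'a str, Vec<&'a str>>,
             path: &mut Vec<String>, out: &mut Vec<Vec<String>>) {
    // a crate referenced but not listed (our trimmed `libc`) keeps its bare name
    let label = by_name.get(name).map_or(name.to_string(), |p| format!("{} {}", p.name, p.version));
    if path.contains(&label) { return; } // cycle guard (dev-dependency loops)
    path.push(label);
    match dependents.get(name) {
        Some(parents) if !parents.is_empty() => {
            let mut parents = parents.clone();
            parents.sort(); // deterministic output
            for parent in parents { climb(parent, by_name, dependents, path, out); }
        }
        _ => out.push(path.clone()), // reached a root: record the chain
    }
    path.pop();
}
```

Running `reverse_paths(&parse_lock(SAMPLE_LOCK), "time")` recovers exactly the chain cargo audit printed, `time 0.1.44 <- pbr 1.0.4 <- split-building-footprints 0.1.0`. Two points follow for triage: a grep for `time` in a crate's `.rs` files only finds its direct uses, while the lockfile records the resolved graph; and because 0.1 to 0.2 is a semver-incompatible bump, `cargo update` in the consuming project cannot move `time` to the fixed line, so the upgrade has to come from a release of the crate that declares the requirement.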
See: #113 (comment)
Thanks for raising it up.