davidB / kubectl-view-allocations

kubectl plugin to list allocations (cpu, memory, gpu,... X utilization, requested, limit, allocatable,...)

Home Page: https://crates.io/crates/kubectl-view-allocations


possible vulnerability in rustc-serialize?

johanneskastl opened this issue · comments

I just stumbled upon this and wanted to package it for openSUSE.

The preparation spits out a warning regarding a vulnerability in rustc-serialize. I have too little knowledge of rust to say anything about this, so I wanted to report and make you aware of this just in case.

2023-11-10T09:24:37.795201Z  INFO cargo_vendor: 🎒 Starting OBS Service Cargo Vendor.
2023-11-10T09:24:37.795314Z  INFO obs_service_cargo::utils: 🍿 Vendoring for src 'kubectl-view-allocations'
2023-11-10T09:24:37.799178Z  INFO obs_service_cargo::utils: 📗 Project does not use a workspace!
2023-11-10T09:24:37.799294Z  INFO obs_service_cargo::vendor: ⏫ Updating dependencies before vendor
2023-11-10T09:24:39.998346Z  INFO obs_service_cargo::vendor: ⏫ Successfully ran cargo update
2023-11-10T09:24:40.032242Z  WARN obs_service_cargo::audit: ⚠  1 vulnerability found.
2023-11-10T09:24:40.032258Z  WARN obs_service_cargo::audit: - RUSTSEC-2022-0004 rustc-serialize 0.3.24 - categories denial-of-service - cvss unset
2023-11-10T09:24:40.032271Z ERROR obs_service_cargo::audit: ⚠  You must action these before submitting this package.
2023-11-10T09:24:40.032278Z ERROR obs_service_cargo::audit: 🛑 Vulnerabilities found in application dependencies. These must be actioned to proceed with vendoring.
2023-11-10T09:24:40.032287Z ERROR obs_service_cargo::cli: err=kind: security audit is actionable

The transitive dependency rustc-serialize comes from a test library (spectral).
I removed spectral with version 0.18.1.

Thanks for the report and for creating the package for openSUSE.
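The maintainer's diagnosis above (a flagged crate that is only reachable through a test dependency) is the kind of check that, inside a checked-out project, `cargo tree -i rustc-serialize` and `cargo audit` answer directly. The following is an added example, not code from the kubectl-view-allocations project: it parses the `[[package]]` tables of a Cargo.lock, walks the reverse dependency graph from the flagged crate up to the root crate, names the direct dependency responsible, and models what dropping that dependency does to the lockfile. The lockfile fragment is constructed for the example and the intermediate crate `num` is assumed; it is not the project's real Cargo.lock.

```python
"""Trace which direct dependency drags a flagged crate into a Cargo.lock.

Added example (not part of the kubectl-view-allocations project).
"""
import re

# Constructed lockfile fragment, not the project's real Cargo.lock. It mirrors
# the situation in the issue: the flagged crate is reachable only through the
# test library spectral (the intermediate crate "num" is assumed here).
SAMPLE_LOCK = """\
[[package]]
name = "kubectl-view-allocations"
version = "0.17.0"
dependencies = [
 "serde",
 "spectral",
]

[[package]]
name = "num"
version = "0.1.42"
dependencies = [
 "rustc-serialize 0.3.24",
]

[[package]]
name = "rustc-serialize"
version = "0.3.24"

[[package]]
name = "serde"
version = "1.0.190"

[[package]]
name = "spectral"
version = "0.6.0"
dependencies = [
 "num",
]
"""

FIELD_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"')


def parse_cargo_lock(text):
    """Return (graph, versions); graph maps crate -> [direct dependency names].

    Only name, version and the dependencies list are read. If a lockfile holds
    two versions of one crate their edges are merged, which is enough for a
    reachability check (Cargo.lock does not say whether an edge is a dev-dependency;
    `cargo tree -e` is needed for that distinction).
    """
    graph, versions = {}, {}
    name, in_deps = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            name, in_deps = None, False
        elif in_deps:
            if line.startswith("]"):
                in_deps = False
            elif line:
                # entries look like "serde" or "num-traits 0.2.15 (source)":
                # the crate name is always the first token
                graph[name].append(line.strip('",').split()[0])
        elif line.startswith("dependencies = ["):
            in_deps = True
        else:
            m = FIELD_RE.match(line)
            if m and m.group(1) == "name":
                name = m.group(2)
                graph.setdefault(name, [])
            elif m and name is not None:
                versions[name] = m.group(2)
    return graph, versions


def reverse_chains(graph, target):
    """All chains root -> ... -> target, where a root is a crate nothing depends on."""
    dependents = {}
    for pkg, deps in graph.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(pkg)
    chains = []

    def climb(node, path, seen):
        if node in seen:  # guard against cycles (unexpected in a lockfile)
            return
        parents = dependents.get(node, set())
        if not parents:
            chains.append(path[::-1])
            return
        for parent in sorted(parents):
            climb(parent, path + [parent], seen | {node})

    if target in graph:
        climb(target, [target], frozenset())
    return chains


def direct_culprits(graph, root, target):
    """Direct dependencies of `root` through which `target` is reachable."""
    return sorted({c[1] for c in reverse_chains(graph, target) if c[0] == root and len(c) > 1})


def drop_dependency(graph, root, dep):
    """Model removing `dep` from `root`'s manifest: cut the edge, then prune every
    crate no longer reachable from `root`, as cargo would on the next update."""
    trimmed = {k: [d for d in v if not (k == root and d == dep)] for k, v in graph.items()}
    keep, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node not in keep:
            keep.add(node)
            stack.extend(trimmed.get(node, []))
    return {k: v for k, v in trimmed.items() if k in keep}


if __name__ == "__main__":
    g, versions = parse_cargo_lock(SAMPLE_LOCK)
    for chain in reverse_chains(g, "rustc-serialize"):
        print(" -> ".join(chain), f"(rustc-serialize {versions['rustc-serialize']})")
    print("direct culprits:", direct_culprits(g, "kubectl-view-allocations", "rustc-serialize"))
    fixed = drop_dependency(g, "kubectl-view-allocations", "spectral")
    print("rustc-serialize still present after dropping spectral:", "rustc-serialize" in fixed)
```

The chain printed for the sample is `kubectl-view-allocations -> spectral -> num -> rustc-serialize`, and after `drop_dependency` removes spectral the flagged crate disappears from the pruned graph, which is the effect the maintainer's fix has on the real lockfile. Because Cargo.lock does not record whether an edge is a dev-dependency, a crate that only appears in tests still trips `cargo audit` on the vendored tree, which is why removing the test library rather than arguing the finding away is the clean resolution.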

Thanks! I could successfully create the required packages and obs_service_cargo::audit no longer complains!

I'll see if the package builds properly later.