From: David Disseldorp <ddiss@suse.de>
To: linux-bcachefs@vger.kernel.org
Subject: Re: [PATCH] make-release-tarball.sh: run cargo audit
Date: Tue, 5 Mar 2024 11:49:09 +1100 [thread overview]
Message-ID: <20240305114909.537c6080@echidna> (raw)
In-Reply-To: <20240130070356.8174-1-ddiss@suse.de>
Any feedback on this change?
Thanks, David
On Tue, 30 Jan 2024 18:03:56 +1100, David Disseldorp wrote:
> cargo audit can be used to check bcachefs dependencies for
> vulnerabilities published in the advisory database at
> https://github.com/RustSec/advisory-db.git
>
> Given the significant size of dependency sources (currently ~292M),
> manual audit is mostly unviable, so rely on this for now.
>
> Audit failure will halt tarball generation with e.g. v1.4.1:
> Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
> Loaded 595 security advisories (from /home/david/.cargo/advisory-db)
> Updating crates.io index
> Scanning rust-src/Cargo.lock for vulnerabilities (98 crate dependencies)
> Crate: shlex
> Version: 1.2.0
> Title: Multiple issues involving quote API
> Date: 2024-01-21
> ID: RUSTSEC-2024-0006
> URL: https://rustsec.org/advisories/RUSTSEC-2024-0006
> Solution: Upgrade to >=1.3.0
> Dependency tree:
> shlex 1.2.0
> └── bindgen 0.64.0
> └── bch_bindgen 0.1.0
> └── bcachefs-rust 0.3.1
>
> Crate: atty
> Version: 0.2.14
> Warning: unsound
> Title: Potential unaligned read
> Date: 2021-07-04
> ID: RUSTSEC-2021-0145
> URL: https://rustsec.org/advisories/RUSTSEC-2021-0145
> Dependency tree:
> atty 0.2.14
> └── bcachefs-rust 0.3.1
>
> error: 1 vulnerability found!
> warning: 1 allowed warning found
>
> Signed-off-by: David Disseldorp <ddiss@suse.de>
> ---
> make-release-tarball.sh | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/make-release-tarball.sh b/make-release-tarball.sh
> index c468da7..51875b0 100755
> --- a/make-release-tarball.sh
> +++ b/make-release-tarball.sh
> @@ -7,6 +7,8 @@ version=$1
> git checkout v$version
> git clean -xfd
>
> +cargo audit
> +
> cargo license > COPYING.rust-dependencies
>
> git ls-files|
next prev parent reply other threads:[~2024-03-05 0:49 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-30 7:03 [PATCH] make-release-tarball.sh: run cargo audit David Disseldorp
2024-03-05 0:49 ` David Disseldorp [this message]
2024-03-08 2:16 ` Kent Overstreet
2024-03-08 3:59 ` David Disseldorp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240305114909.537c6080@echidna \
--to=ddiss@suse.de \
--cc=linux-bcachefs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox