
Update dependencies and use more specific versions for dependencies with known CVEs #2462

Merged
merged 10 commits into from
May 16, 2024

Conversation

jsdanielh
Contributor

@jsdanielh jsdanielh commented May 9, 2024

What's in this pull request?

  • Use a more specific version for the rand_core dependency than versions with known CVEs.
    This fixes rand_core in keys should use a more specific version greater than known CVE #2454.
  • Use a more specific version for the futures-util dependency than versions with known CVEs.
    This fixes futures-util in web-client should use a more specific version greater than known CVEs #2457.
  • Use a more specific version for the tracing dependency than versions with known CVEs.
    This fixes tracing in network-libp2p should use a more specific version greater than known CVE #2453.
  • Use a more specific version for the regex dependency than versions with known CVEs.
  • Update the itertools dependency to the latest version (0.12.1) as for some reason this hasn't been flagged by GH dependabot.
  • Update the hyper dependency to the latest version (1.3.1) for the metrics-server subcrate.
  • Updated the crossbeam-channel dependency from version 0.5.7 to 0.5.12 (latest) since the former version was already yanked as pointed out by cargo audit.
  • Switch to a maintained version of the dotenv dependency: dotenvy since the former is flagged by cargo audit as unmaintained.
  • Switch to a maintained version of the ansi-term dependency: ansiterm since the former was flagged by cargo audit as unmaintained.
  • Add GitHub workflow to check for security vulnerabilities using cargo audit.
    This workflow was set up to run every Wednesday at 2:00 UTC.

Pull request checklist

  • All tests pass. The project builds and runs.
  • I have resolved any merge conflicts.
  • I have resolved all clippy and rustfmt warnings.

@jsdanielh jsdanielh requested a review from hrxi May 9, 2024 18:45
@jsdanielh jsdanielh changed the title Update dependencis and use more specific versions for dependencies with known CVEs Update dependencies and use more specific versions for dependencies with known CVEs May 10, 2024
@hrxi
Contributor

hrxi commented May 13, 2024

Could we perhaps move these dependencies to the global Cargo.toml so that we don't have to update the version number in several places?

How do we notice that we specify a version in Cargo.toml that is lower than a CVE?

@Eligioo
Member

Eligioo commented May 13, 2024

@hrxi deps.rs is one effort I know of, though it doesn't actively notify you about versions lower than a CVE. But it's a badge in the README of this repo already.

futures-util doesn't show up there for example because it's already locked at 0.3.30.

https://github.com/rustsec/audit-check might be interesting

Use a more specific version for the `rand_core` dependency than
versions with known CVEs.
This fixes #2454.
@jsdanielh
Contributor Author

Could we perhaps move these dependencies to the global Cargo.toml so that we don't have to update the version number in several places?

Done. Only did it for futures and log since the rest only seemed to be used in a single crate.

How do we notice that we specify a version in Cargo.toml that is lower than a CVE?

Yeah, as @Eligioo mentioned we already have deps.rs and then there is also cargo audit which I can see if I can add it to GH actions.

Done. Just added a GH action that is going to be run periodically to check for cargo audit warnings.
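An added example, not the workflow file this PR actually merged: a GitHub Actions workflow of the shape described above, running cargo audit every Wednesday at 02:00 UTC. The file name .github/workflows/audit.yml, the extra push trigger on manifest changes and the -D warnings flag are assumptions on my part.

```yaml
# .github/workflows/audit.yml (assumed path, example only)
name: Security audit

on:
  schedule:
    # Weekly, Wednesday at 02:00 UTC (fields: minute hour day-of-month month day-of-week).
    - cron: "0 2 * * 3"
  # Also run whenever a manifest or lockfile changes (my addition, not part of the PR).
  push:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
  workflow_dispatch:

# Read-only token: the job only needs to check out the repository.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      # Advisories fail the job by default; -D warnings additionally fails it on
      # yanked and unmaintained crates, which is what flagged crossbeam-channel,
      # dotenv and ansi-term in this PR.
      - name: Audit Cargo.lock against the RustSec advisory database
        run: cargo audit -D warnings
```

The check reads the committed Cargo.lock, so a crate-level version requirement that still resolves to an advisory-affected release is caught on the next scheduled run rather than only when someone looks at deps.rs.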

Contributor

@hrxi hrxi left a comment


LGTM otherwise.

@jsdanielh jsdanielh force-pushed the jsdanielh/dependencies branch 2 times, most recently from 4518a7b to 76ffee6 Compare May 16, 2024 17:30
Use a more specific version for the `futures-util` dependency than
versions with known CVEs.
This fixes #2457.
Use a more specific version for the `tracing` dependency than
versions with known CVEs.
This fixes #2453.
Use a more specific version for the `regex` dependency than versions
with known CVEs.
Update the `itertools` dependency to the latest version (0.12.1) as
for some reason this hasn't been flagged by GH dependabot.
Update the `hyper` dependency to the latest version (1.3.1) for the
`metrics-server` subcrate.
Updated the `crossbeam-channel` dependency from version 0.5.7 to
0.5.12 (latest) since the former version was already yanked as
pointed out by `cargo audit`.
Switch to a maintained version of the `dotenv` dependency: `dotenvy`
since the former is flagged by `cargo audit` as unmaintained.
Switch to a maintained version of the `ansi-term` dependency:
`ansiterm` since the former was flagged by `cargo audit` as
unmaintained.
Add GitHub workflow to check for security vulnerabilities using
`cargo audit`.
This workflow was set up to run every Wednesday at 2:00 UTC.
@jsdanielh jsdanielh merged commit 7164eab into albatross May 16, 2024
6 checks passed
@jsdanielh jsdanielh deleted the jsdanielh/dependencies branch May 16, 2024 18:33
@jsdanielh jsdanielh added this to the Nimiq PoS Mainnet milestone May 16, 2024