Vulnerable to: RUSTSEC-2024-0370 #1421

Open
SchahinRohani opened this issue Oct 20, 2024 · 2 comments
Labels: dependencies (Pull requests that update a dependency file), help wanted (Extra attention is needed), security (Issues that have security implications)

Comments

@SchahinRohani
Contributor

SchahinRohani commented Oct 20, 2024

NativeLink uses the proc-macro-error crate, which has been unmaintained for longer than 2 years.

Observed in Vulnerabilities: https://securityscorecards.dev/viewer/?uri=github.com/TraceMachina/nativelink

RUSTSEC-2024-0370

@SchahinRohani SchahinRohani added the dependencies and security labels Oct 20, 2024
@aaronmondal
Member

This is pulled in by aws-smithy-protocol-test as a test-only dependency. As such, it's not pretty in the vuln logs but (currently) doesn't affect runtime code.

The fix here would be to bump/change these dependencies in the AWS Rust SDK upstream (which initially seems surprisingly straightforward) or to remove our dependence on the affected crate (which initially seems like a nontrivial effort).

@aaronmondal aaronmondal added the help wanted label Oct 25, 2024
@SchahinRohani
Contributor Author

SchahinRohani commented Oct 25, 2024

In aws-smithy-protocol-test, the dependency on assert-json-diff was originally set to ^1.1, which brought in extend as a dependency (^0.1.0). However, starting with assert-json-diff 2.0.2, extend is no longer required. Additionally, extend itself resolved this issue in version 1.2 by removing its dependency on proc-macro-error. So, updating either assert-json-diff to 2.0.2 or extend to 1.2+ will clear the vulnerability entirely.

I have tried to update it, but it seems I can't get rid of the proc-macro-error...

aaronmondal added a commit to aaronmondal/nativelink that referenced this issue Oct 25, 2024