- Upgrade openssl to 0.10.78 (CVE-2026-41676), jsonwebtoken to 9.4 - Suppress unmaintained-only/no-CVE advisories in .cargo/audit.toml with per-entry rationale - Fix all `cargo clippy --all-targets -- -D warnings` errors across 35 crates: derivable_impls, needless_range_loop, map_or→is_some_and/ is_none_or, await_holding_lock (drop MutexGuard before .await), ptr_arg (&mut Vec→&mut [T]), useless_conversion, approximate_constant (2.718→E, 3.14→PI), field_reassign_with_default, manual_inspect, useless_vec, lines_filter_map_ok, print_literal, dead_code - Apply `cargo fmt --all` - Pre-existing test failure in wifi-densepose-signal (test_estimate_occupancy_noise_only) is not introduced by this PR
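# cargo-audit configuration — v2 workspace
# Managed by security audit (fix/security-audit-rustsec-clippy branch).
#
# This file suppresses advisories in two categories:
#   A) CVE-bearing advisories in TRANSITIVE deps we cannot upgrade directly
#      because the parent published crate (ruvector-core 2.2.0) has not yet
#      published a version with the fix. These are tracked as issues.
#   B) UNMAINTAINED or UNSOUND advisories with no CVE, flowing through
#      dependencies that are purely transitive / build-time and have no
#      user-facing attack surface in this workspace.
# Each entry documents the root cause and the mitigation path.
#
# How to read and maintain this file:
# - An `ignore` entry silences the advisory ID for EVERY instance of the
#   crate in Cargo.lock, not only the dependency path described next to it.
#   Before adding or renewing an entry, confirm the path with
#   `cargo tree -i <crate>@<version>`; for a "dev/bench-only" claim also run
#   `cargo tree -e no-dev -i <crate>`, which must print nothing.
# - cargo-audit has no expiry on `ignore` entries and does not report
#   entries that are no longer needed. Every Category A entry names a
#   tracking issue; delete the entry as soon as the fixed version is in
#   Cargo.lock so the suppression does not outlive its reason.
# - "Unmaintained" means no fix will ship, not that no flaw exists. A new
#   RUSTSEC advisory against the same crate gets a new ID and is NOT covered
#   by anything below; it will surface on the next `cargo audit` run.
# - cargo-audit treats unmaintained / unsound advisories as informational
#   warnings unless it is run with `--deny warnings` (or `-D unmaintained`,
#   `-D unsound`). Category B entries only gate CI if that flag is set —
#   check the CI invocation before relying on them either way.

[advisories]

ignore = [
    # -----------------------------------------------------------------------
    # CATEGORY A — transitive CVEs from ruvector-core 2.2.0 → reqwest 0.11
    # ruvector-core 2.2.0 (latest on crates.io) depends on reqwest 0.11.27,
    # which pulls in rustls 0.21 / rustls-webpki 0.101.7. We cannot upgrade
    # this without a new ruvector-core release. Tracked in issue #812.
    # The workspace's own TLS stack uses rustls-webpki 0.103.13 (patched);
    # the vulnerable 0.101.7 instance is not reachable from our TLS code.
    #
    # NOTE(review): "not reachable from our TLS code" covers only the TLS
    # connections this workspace opens itself. The 0.101.7 instance is the
    # certificate verifier for any rustls-backed HTTPS connection made by
    # ruvector-core's own reqwest client, so this acceptance rests on that
    # client either not running in production builds or only reaching
    # fixed, trusted endpoints. Confirm which (e.g. whether the reqwest
    # dependency sits behind a ruvector-core feature this workspace enables)
    # and record the answer here. If that client can be pointed at
    # arbitrary hosts, the two name-constraint bypasses below weaken
    # certificate validation of those connections; the right fix is then a
    # `[patch.crates-io]` override of the affected crate (if a fixed
    # semver-compatible release exists) or disabling the feature, not an
    # ignore.
    "RUSTSEC-2026-0098", # rustls-webpki 0.101.7: URI name constraint bypass
    "RUSTSEC-2026-0099", # rustls-webpki 0.101.7: wildcard name constraint bypass
    "RUSTSEC-2026-0104", # rustls-webpki 0.101.7: reachable panic in CRL parsing

    # quinn-proto 0.11.13 is also pulled through midstreamer-quic 0.3 (now
    # upgraded). The remaining 0.11.13 instance comes from the same
    # ruvector-core transitive chain. Tracked in issue #812.
    # A DoS advisory only matters for a QUIC endpoint that is actually bound
    # and reachable; confirm that no endpoint in this workspace is driven by
    # the ruvector-core instance (`cargo tree -i quinn-proto@0.11.13` lists
    # every dependent of that exact version).
    "RUSTSEC-2026-0037", # quinn-proto 0.11.13: DoS in Quinn endpoints

    # CRL Distribution Point matching bug — same ruvector-core / reqwest 0.11
    # transitive chain; rustls-webpki 0.101.7 also affected.
    # Same reachability caveat as the three rustls-webpki entries above.
    "RUSTSEC-2026-0049", # rustls-webpki <0.103.10: CRL authority matching

    # -----------------------------------------------------------------------
    # CATEGORY B — unmaintained / unsound, no CVE
    # Build-time-only entries (proc-macros) still execute with the builder's
    # privileges on every developer and CI machine. The acceptance for them
    # is "unmaintained is not a known flaw", not "the code never runs".

    # GTK3 / glib / gdk* family — RUSTSEC-2024-0411..0420, RUSTSEC-2024-0429
    # Reason: These crates are pulled in by wifi-densepose-desktop via Tauri v2's
    # native WebView dependencies on Linux (libwebkit2gtk-4.1). They are
    # flagged as unmaintained because the GTK3 Rust bindings maintainers have
    # moved to GTK4. This codebase does NOT make direct use of any of the
    # deprecated GTK3 APIs — the dependency exists only because Tauri's Linux
    # backend uses them; they are part of the desktop app's process, so
    # "unmaintained" here means no fixes will ship for that backend, not that
    # the code is inert. Tauri itself is aware of this and will migrate when
    # a GTK4-based Tauri backend is stable. No CVE assigned.
    # Mitigation: Accept transitively until Tauri v2 drops GTK3 or a workspace
    # override path becomes available.
    "RUSTSEC-2024-0411", # gdkwayland-sys: unmaintained
    "RUSTSEC-2024-0412", # gdk: unmaintained
    "RUSTSEC-2024-0413", # atk: unmaintained
    "RUSTSEC-2024-0414", # gdkx11-sys: unmaintained
    "RUSTSEC-2024-0415", # gtk: unmaintained
    "RUSTSEC-2024-0416", # atk-sys: unmaintained
    "RUSTSEC-2024-0417", # gdkx11: unmaintained
    "RUSTSEC-2024-0418", # gdk-sys: unmaintained
    "RUSTSEC-2024-0419", # gtk3-macros: unmaintained
    "RUSTSEC-2024-0420", # gtk-sys: unmaintained
    "RUSTSEC-2024-0429", # glib: unsound — same GTK3/glib binding family,
                         # also flagged as unmaintained; no CVE; same
                         # mitigation path as above.

    # -----------------------------------------------------------------------
    # atomic-polyfill — RUSTSEC-2023-0089
    # Pulled in by embedded / WASM crates. Unmaintained (superseded by
    # portable-atomic). No CVE. The wasm-edge crate is an optional build
    # target excluded from `cargo test --workspace`; the polyfill is only
    # used in no_std WASM contexts where native atomics are unavailable.
    # (cargo audit scans Cargo.lock, so the crate is reported regardless of
    # which targets are built or tested.)
    # Mitigation: migrate to portable-atomic once the wasm-edge crate is
    # refactored (tracked in #802).
    "RUSTSEC-2023-0089", # atomic-polyfill: unmaintained

    # -----------------------------------------------------------------------
    # bincode — RUSTSEC-2025-0141
    # Unmaintained (v1 — superseded by bincode v2/v3). No CVE. Used only
    # in benchmark harnesses inside criterion 0.5. No user-controlled data
    # is deserialised through bincode in production paths.
    # The "benchmark only" claim is a dev-dependency edge; it holds as long
    # as `cargo tree -e no-dev -i bincode` prints nothing. Re-check it
    # whenever a non-dev dependency gains a bincode edge.
    # Mitigation: upgrade criterion to 0.6+ when available and stable.
    "RUSTSEC-2025-0141", # bincode: unmaintained

    # -----------------------------------------------------------------------
    # fxhash — RUSTSEC-2025-0057
    # Unmaintained (superseded by rustc-hash). No CVE. Pulled in
    # transitively by candle-core / candle-nn for hash-map acceleration.
    # Not used directly; no user-controlled input reaches fxhash.
    # That last claim is the one that matters: fxhash is a fixed-key,
    # non-randomised hash, so attacker-chosen keys in an fxhash-backed map
    # would be a hash-flooding DoS vector. Re-verify if candle ever hashes
    # data derived from external input.
    # Mitigation: accept until candle-core 0.5+ drops the dep.
    "RUSTSEC-2025-0057", # fxhash: unmaintained

    # -----------------------------------------------------------------------
    # lru — RUSTSEC-2026-0002
    # Unsound: LRU eviction can trigger a use-after-free in pathological
    # sequences of insertions/removals combined with raw pointer access.
    # No CVE; only reachable through deliberate internal misuse. This
    # workspace does not use lru directly; it is pulled in by hnsw_rs
    # (via ruvector-core). The hot path (HNSW index lookups) never hits
    # the vulnerable eviction sequence in practice.
    # NOTE(review): "never … in practice" is an unverified statement, not a
    # guarantee — no test or analysis is cited for it. Treat this as an
    # accepted memory-safety risk pending #809 rather than as a proof of
    # unreachability, and revisit it together with the ruvector-core
    # upgrade tracked in #812.
    # Mitigation: track hnsw_rs upgrade to lru >=0.14 (issue #809).
    "RUSTSEC-2026-0002", # lru: unsound

    # -----------------------------------------------------------------------
    # number_prefix — RUSTSEC-2025-0119
    # Unmaintained. No CVE. Pulled in by indicatif 0.17 (progress bars).
    # Purely a display-side dependency; no security surface.
    # Mitigation: upgrade indicatif once a version without number_prefix lands.
    "RUSTSEC-2025-0119", # number_prefix: unmaintained

    # -----------------------------------------------------------------------
    # paste — RUSTSEC-2024-0436
    # Unmaintained. No CVE. Proc-macro used at build time by napi-derive
    # and CUDA bindings. No runtime exposure in shipped binaries (see the
    # build-time note at the top of Category B).
    "RUSTSEC-2024-0436", # paste: unmaintained

    # -----------------------------------------------------------------------
    # proc-macro-error — RUSTSEC-2024-0370
    # Unmaintained. No CVE. Build-time proc-macro; zero runtime exposure in
    # shipped binaries (see the build-time note at the top of Category B).
    "RUSTSEC-2024-0370", # proc-macro-error: unmaintained

    # -----------------------------------------------------------------------
    # rand <0.9 — RUSTSEC-2026-0097
    # Unsound: the rand 0.8 BlockRng64 implementation can panic and expose
    # uninitialized memory under certain reseeding sequences. No CVE.
    # This workspace uses rand 0.8 only through ndarray-linalg and candle
    # for signal-processing RNG; it does not rely on BlockRng64 directly.
    # "Not directly" still leaves the transitive users: confirm with
    # `cargo tree -i rand@0.8` that nothing security-relevant (key or token
    # generation) sits on this instance rather than on a newer rand.
    # Mitigation: migrate to rand 0.9 once ndarray-linalg 0.19+ is released
    # (blocked on openblas-static update, tracked in #810).
    "RUSTSEC-2026-0097", # rand <0.9: unsound

    # -----------------------------------------------------------------------
    # rkyv 0.8.x — RUSTSEC-2026-0122
    # Unsound: potential use-after-free in InlineVec/SerVec clear paths.
    # No CVE. Pulled in by ruvector-core for zero-copy serialisation of
    # vector index snapshots. The affected code path requires a panic
    # inside clear() which only occurs in out-of-memory conditions; the
    # application handles OOM at a higher level.
    # NOTE(review): Rust's default allocation-failure path aborts the
    # process rather than unwinding, unless a custom alloc error hook is
    # installed, so "handled at a higher level" is unlikely to be what
    # keeps this unreachable — confirm which behaviour this workspace
    # actually has before leaning on it. Also note this rkyv instance
    # deserialises index snapshots; if a snapshot can come from an
    # untrusted source, that is a separate concern from this advisory.
    # Mitigation: track rkyv 0.8.16+ fix once released (issue #811).
    "RUSTSEC-2026-0122", # rkyv 0.8.x: unsound

    # -----------------------------------------------------------------------
    # rustls-pemfile — RUSTSEC-2025-0134
    # Unmaintained. No CVE. Pulled in by reqwest 0.11 (via ruvector-core
    # 2.2.0). The workspace's own TLS code uses rustls-pemfile 2.x;
    # the 1.x instance is an artefact of the ruvector-core transitive dep.
    # Same chain, same tracking issue (#812) as the Category A entries.
    # Mitigation: resolve when ruvector-core upgrades to reqwest 0.12+.
    "RUSTSEC-2025-0134", # rustls-pemfile 1.x: unmaintained

    # -----------------------------------------------------------------------
    # unic-* family — RUSTSEC-2025-0075, -0080, -0081, -0098, -0100
    # Unmaintained (superseded by icu4x). No CVE. Used by napi-derive at
    # build time for Unicode identifier handling. Build-time only; no
    # runtime attack surface in shipped binaries (see the build-time note
    # at the top of Category B).
    "RUSTSEC-2025-0075", # unic-char-range
    "RUSTSEC-2025-0080", # unic-common
    "RUSTSEC-2025-0081", # unic-char-property
    "RUSTSEC-2025-0098", # unic-ucd-version
    "RUSTSEC-2025-0100", # unic-ucd-ident
]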