Closed
Description
Motivation: Currently all our CI pipelines are failing (we can merge anyway), because of failing CI checks.

Using the current deny.toml from operator-templating on operator-rs we get the following warnings (full log attached at the end):

- OpenSSL license from `aws-lc-sys` not allowed => chore: Allow OpenSSL license (needed for ring and aws-lc-sys crates) operator-templating#464
- `derivative` crate is unmaintained => refactor!: Replace unmaintained derivative create with educe operator-rs#907 and RUSTSEC-2024-0388: `derivative` is unmaintained; consider using an alternative operator-rs#905
- `instant` crate is unmaintained => chore: Silence two Rust advisories operator-templating#468 and Migrate kube-rs away from backoff/instant operator-rs#921
- `rsa 0.9.6` crate: Marvin Attack: potential key recovery through timing sidechannels => chore: Silence two Rust advisories operator-templating#468
- `rustls 0.23.15` rustls network-reachable panic in `Acceptor::accept` => chore: Bump rustls from 0.23.15 to 0.23.19 to fix RUSTSEC-2024-0399 operator-rs#917 and RUSTSEC-2024-0399: rustls network-reachable panic in `Acceptor::accept` operator-rs#916
- Remove https://github.com/stackabletech/operator-templating/blob/8f71d5d2be569535f4a7772252f30850c9d72ecd/template/deny.toml#L13-L31 silencing again =>
```
➜ operator-rs git:(main) ✗ cargo deny check
error[rejected]: failed to satisfy license requirements
┌─ registry+https://github.com/rust-lang/crates.io-index#aws-lc-sys@0.22.0:4:44
│
4 │ license = "ISC AND (Apache-2.0 OR ISC) AND OpenSSL"
│ ────────────────────────────────━━━━━━━
│ │ │
│ │ rejected: license is not explicitly allowed
│ license expression retrieved via Cargo.toml `license`
│
├ OpenSSL - OpenSSL License:
├ - FSF Free/Libre
├ aws-lc-sys v0.22.0
└── aws-lc-rs v1.10.0
├── rustls v0.23.15
│ ├── hyper-rustls v0.27.3
│ │ └── kube-client v0.96.0
│ │ ├── kube v0.96.0
│ │ │ ├── stackable-certs v0.3.1
│ │ │ │ └── stackable-webhook v0.3.1
│ │ │ │ └── (dev) stackable-telemetry v0.2.0
│ │ │ │ └── stackable-webhook v0.3.1 (*)
│ │ │ ├── stackable-operator v0.82.0
│ │ │ │ ├── stackable-certs v0.3.1 (*)
│ │ │ │ ├── (dev) stackable-operator-derive v0.3.1
│ │ │ │ │ └── stackable-operator v0.82.0 (*)
│ │ │ │ └── stackable-webhook v0.3.1 (*)
│ │ │ ├── stackable-shared v0.0.1
│ │ │ │ ├── stackable-operator v0.82.0 (*)
│ │ │ │ ├── stackable-versioned v0.4.1
│ │ │ │ │ └── (dev) stackable-versioned-macros v0.4.1
│ │ │ │ │ └── stackable-versioned v0.4.1 (*)
│ │ │ │ └── stackable-versioned-macros v0.4.1 (*)
│ │ │ ├── stackable-versioned v0.4.1 (*)
│ │ │ ├── stackable-versioned-macros v0.4.1 (*)
│ │ │ └── stackable-webhook v0.3.1 (*)
│ │ └── kube-runtime v0.96.0
│ │ └── kube v0.96.0 (*)
│ ├── kube-client v0.96.0 (*)
│ └── tokio-rustls v0.26.0
│ ├── hyper-rustls v0.27.3 (*)
│ ├── stackable-certs v0.3.1 (*)
│ └── stackable-webhook v0.3.1 (*)
└── rustls-webpki v0.102.8
└── rustls v0.23.15 (*)
error[unmaintained]: `derivative` is unmaintained; consider using an alternative
┌─ /home/sbernauer/stackable/operator-rs/Cargo.lock:65:1
│
65 │ derivative 2.2.0 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
│
├ ID: RUSTSEC-2024-0388
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0388
├ The [`derivative`](https://crates.io/crates/derivative) crate is no longer maintained.
Consider using any alternative, for instance:
- [derive_more](https://crates.io/crates/derive_more)
- [derive-where](https://crates.io/crates/derive-where)
- [educe](https://crates.io/crates/educe)
├ Announcement: https://github.com/mcarton/rust-derivative/issues/117
├ Solution: No safe upgrade is available!
├ derivative v2.2.0
└── stackable-operator v0.82.0
├── stackable-certs v0.3.1
│ └── stackable-webhook v0.3.1
│ └── (dev) stackable-telemetry v0.2.0
│ └── stackable-webhook v0.3.1 (*)
├── (dev) stackable-operator-derive v0.3.1
│ └── stackable-operator v0.82.0 (*)
└── stackable-webhook v0.3.1 (*)
error[unmaintained]: `instant` is unmaintained
┌─ /home/sbernauer/stackable/operator-rs/Cargo.lock:132:1
│
132 │ instant 0.1.13 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
│
├ ID: RUSTSEC-2024-0384
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0384
├ This crate is no longer maintained, and the author recommends using the maintained [`web-time`] crate instead.
[`web-time`]: https://crates.io/crates/web-time
├ Solution: No safe upgrade is available!
├ instant v0.1.13
└── backoff v0.4.0
└── kube-runtime v0.96.0
└── kube v0.96.0
├── stackable-certs v0.3.1
│ └── stackable-webhook v0.3.1
│ └── (dev) stackable-telemetry v0.2.0
│ └── stackable-webhook v0.3.1 (*)
├── stackable-operator v0.82.0
│ ├── stackable-certs v0.3.1 (*)
│ ├── (dev) stackable-operator-derive v0.3.1
│ │ └── stackable-operator v0.82.0 (*)
│ └── stackable-webhook v0.3.1 (*)
├── stackable-shared v0.0.1
│ ├── stackable-operator v0.82.0 (*)
│ ├── stackable-versioned v0.4.1
│ │ └── (dev) stackable-versioned-macros v0.4.1
│ │ └── stackable-versioned v0.4.1 (*)
│ └── stackable-versioned-macros v0.4.1 (*)
├── stackable-versioned v0.4.1 (*)
├── stackable-versioned-macros v0.4.1 (*)
└── stackable-webhook v0.3.1 (*)
error[vulnerability]: Marvin Attack: potential key recovery through timing sidechannels
┌─ /home/sbernauer/stackable/operator-rs/Cargo.lock:222:1
│
222 │ rsa 0.9.6 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2023-0071
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0071
├ ### Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
### Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
### Workarounds
The only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.
### References
This vulnerability was discovered as part of the "[Marvin Attack]", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
[Marvin Attack]: https://people.redhat.com/~hkario/marvin/
├ Announcement: https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643
├ Solution: No safe upgrade is available!
├ rsa v0.9.6
└── stackable-certs v0.3.1
└── stackable-webhook v0.3.1
└── (dev) stackable-telemetry v0.2.0
└── stackable-webhook v0.3.1 (*)
error[vulnerability]: rustls network-reachable panic in `Acceptor::accept`
┌─ /home/sbernauer/stackable/operator-rs/Cargo.lock:228:1
│
228 │ rustls 0.23.15 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2024-0399
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0399
├ A bug introduced in rustls 0.23.13 leads to a panic if the received
TLS ClientHello is fragmented. Only servers that use
`rustls::server::Acceptor::accept()` are affected.
Servers that use `tokio-rustls`'s `LazyConfigAcceptor` API are affected.
Servers that use `tokio-rustls`'s `TlsAcceptor` API are not affected.
Servers that use `rustls-ffi`'s `rustls_acceptor_accept` API are affected.
├ Announcement: https://github.com/rustls/rustls/issues/2227
├ Solution: Upgrade to >=0.23.18 (try `cargo update -p rustls`)
├ rustls v0.23.15
├── hyper-rustls v0.27.3
│ └── kube-client v0.96.0
│ ├── kube v0.96.0
│ │ ├── stackable-certs v0.3.1
│ │ │ └── stackable-webhook v0.3.1
│ │ │ └── (dev) stackable-telemetry v0.2.0
│ │ │ └── stackable-webhook v0.3.1 (*)
│ │ ├── stackable-operator v0.82.0
│ │ │ ├── stackable-certs v0.3.1 (*)
│ │ │ ├── (dev) stackable-operator-derive v0.3.1
│ │ │ │ └── stackable-operator v0.82.0 (*)
│ │ │ └── stackable-webhook v0.3.1 (*)
│ │ ├── stackable-shared v0.0.1
│ │ │ ├── stackable-operator v0.82.0 (*)
│ │ │ ├── stackable-versioned v0.4.1
│ │ │ │ └── (dev) stackable-versioned-macros v0.4.1
│ │ │ │ └── stackable-versioned v0.4.1 (*)
│ │ │ └── stackable-versioned-macros v0.4.1 (*)
│ │ ├── stackable-versioned v0.4.1 (*)
│ │ ├── stackable-versioned-macros v0.4.1 (*)
│ │ └── stackable-webhook v0.3.1 (*)
│ └── kube-runtime v0.96.0
│ └── kube v0.96.0 (*)
├── kube-client v0.96.0 (*)
└── tokio-rustls v0.26.0
├── hyper-rustls v0.27.3 (*)
├── stackable-certs v0.3.1 (*)
└── stackable-webhook v0.3.1 (*)
advisories FAILED, bans ok, licenses FAILED, sources ok
```
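An added example deny.toml fragment (written for this page, not the operator-templating file linked in the issue) showing how the findings above can be handled so that the silencing is removable later: the OpenSSL license is allowed globally, the two advisories with no fixed release (RUSTSEC-2023-0071 for rsa, RUSTSEC-2024-0384 for instant) are ignored with a reason that names the tracking PR, and the derivative and rustls advisories are not ignored because both have a code fix. Crate names, versions and advisory IDs come from the log above; the reasons and the `version = 2` schema layout are cargo-deny's config format as assumed here.

```toml
# Added example, not the project's own deny.toml. IDs and crate names are
# taken from the cargo deny output above; the reasons are illustrative.

[licenses]
version = 2
allow = [
  "Apache-2.0",
  "MIT",
  "ISC",
  # aws-lc-sys (reached via rustls -> aws-lc-rs) is licensed
  # "ISC AND (Apache-2.0 OR ISC) AND OpenSSL". Allowing OpenSSL here
  # clears error[rejected] above (operator-templating#464).
  "OpenSSL",
]

[advisories]
version = 2
# Weak form: `ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0384"]`
# silences the check but records neither why nor who removes the entry,
# which is how the "Remove ... silencing again" item in the issue arises.
# Corrected form: every ignore carries a reason and the PR that retires it.
ignore = [
  # rsa 0.9.6, Marvin timing side channel. No safe upgrade available yet;
  # only reachable through stackable-certs -> stackable-webhook.
  { id = "RUSTSEC-2023-0071", reason = "no fixed rsa release; silenced in operator-templating#468, re-check on every rsa bump" },
  # instant 0.1.13 via backoff -> kube-runtime. Goes away once kube-rs
  # drops backoff (operator-rs#921), at which point this entry is deleted.
  { id = "RUSTSEC-2024-0384", reason = "unmaintained transitive dep via backoff; removal tracked in operator-rs#921" },
  # Deliberately NOT ignored:
  #   RUSTSEC-2024-0388 (derivative): replaced with educe (operator-rs#907).
  #   RUSTSEC-2024-0399 (rustls): fixed by `cargo update -p rustls`
  #   to >=0.23.18 (operator-rs#917); keeping the check live catches a regression.
]
```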