kylechamberlin / insert Goto Github PK

View Code? Open in Web Editor NEW

0.0 0.0 0.0 41 KB

Insert is a simple template rendering tool for development teams

License: GNU General Public License v3.0

Rust 100.00%

insert's People

Contributors

Watchers

insert's Issues

clap-4.3.0: 1 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - clap-4.3.0

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (clap version)	Remediation Possible**
WS-2023-0366	Medium	5.5	rustix-0.37.19.crate	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0366

Vulnerable Library - rustix-0.37.19.crate

Safe Rust bindings to POSIX/Unix/Linux/Winsock2-like syscalls

Library home page: https://crates.io/api/v1/crates/rustix/0.37.19/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

clap-4.3.0 (Root Library)
- clap_builder-4.3.0
  - anstream-0.3.2.crate
    - is-terminal-0.4.7.crate
      - ❌ rustix-0.37.19.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

rustix's rustix::fs::Dir iterator with the linux_raw backend can cause memory explosion

Publish Date: 2023-10-18

URL: WS-2023-0366

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c827-hfw6-qwvm

Release Date: 2023-10-18

Fix Resolution: rustix - 0.35.15,0.36.16,0.37.25,0.38.19

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

Lock file maintenance

Detected dependencies

cargo

Cargo.toml

clap 4.3.0

github-actions

.github/workflows/audit.yml

actions/checkout v3

actions-rust-lang/audit v1.1.6

.github/workflows/check.yml

actions/checkout v3

actions-rust-lang/setup-rust-toolchain v1

actions-rust-lang/rustfmt v1

github/codeql-action v2

actions/checkout v3

actions-rust-lang/setup-rust-toolchain v1

.github/workflows/create_release.yml

actions/checkout v3

actions/checkout v3

actions-rust-lang/setup-rust-toolchain v1

Check this box to trigger a request for Renovate to run again on this repository

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error near ",
],

RUSTSEC-2021-0139: ansi_term is Unmaintained

Details
Package	`ansi_term`
Version	`0.12.1`
Warning	unmaintained
URL	ogham/rust-ansi-term#72
Patched Versions	n/a

The maintainer has adviced that this crate is deprecated and will not receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

Dependency Specific Migration(s)

structopt, clap2

Crate hermit-abi 0.3.1 is yanked

Switch to a different version of hermit-abi to resolve this issue.