Vulnerable gix-features is not only a dev dependency #50

Closed
EliahKagan opened this issue Apr 17, 2025 · 0 comments · Fixed by #51

EliahKagan commented Apr 17, 2025

It turns out the production (i.e. non-dev) dependencies on gix-* crates are still a version behind, so they use a version of gix-features that is affected by RUSTSEC-2025-0021.

Dependabot does show security advisories for this, which is why there are 18 open Dependabot advisories, rather than the 9 that there would be if the only use of affected gix-* crates were through gix-testtools. (For example, compare the Dependabot alerts page for this repository to the one for gitoxide.)

Dependabot is unable to create a security update for this. The reason is that it tries to update affected crates to unaffected versions across the whole dependency tree, but this is currently infeasible due to each version of gix-testtools depending on a previous major version of gix-* crates, as discussed in GitoxideLabs/gitoxide#1510 and GitoxideLabs/gitoxide#1886.

Just in case, though I didn't expect it to work, I changed the setting to use grouped security updates and manually triggered an attempt to create an update. As expected, this did not work.

I wondered if Dependabot version updates might be able and willing to proceed by updating everything as much as it can even though it is not perfect. The fork-internal experiment in EliahKagan#5 reveals that, while enabling Dependabot version updates would bump various other dependencies in potentially valuable ways (though also would require code changes to make tests pass), it would not include gix-features, nor any other gix-* crates, among those updated.

Thus, although it is my view that grouped Dependabot version updates should be enabled for Rust dependencies in this repository (#52), that wouldn't do anything to fix this issue.

Running cargo update looks like a good way to fix this and like it would be the easiest way to do so. It looks like doing so will require at least one adjustment to make clippy happy, but that it is otherwise workable and effective.

I'm opening this issue anyway, mainly in case I don't manage to get around to doing that, so that this is not forgotten, but also because I would include these details in the PR anyway if they weren't here. Edit: I've done it in #51.

A clearer way to see the effect of upgrading is shown in this gist. For convenience:

C:\Users\ek\source\repos\cargo-smart-release [run-ci/cargo-update]> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 752 security advisories (from C:\Users\ek\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (310 crate dependencies)
Crate:     gix-features
Version:   0.38.2
Title:     SHA-1 collision attacks are not detected
Date:      2025-04-03
ID:        RUSTSEC-2025-0021
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0021
Severity:  6.8 (medium)
Solution:  Upgrade to >=0.41.0
Dependency tree:
gix-features 0.38.2
├── gix-worktree 0.34.1
│   └── gix-testtools 0.15.0
│       └── cargo-smart-release 0.21.6
├── gix-ref 0.44.1
│   └── gix-discover 0.32.0
│       └── gix-testtools 0.15.0
├── gix-object 0.42.3
│   ├── gix-worktree 0.34.1
│   ├── gix-traverse 0.39.2
│   │   └── gix-index 0.33.1
│   │       ├── gix-worktree 0.34.1
│   │       └── gix-testtools 0.15.0
│   ├── gix-revwalk 0.13.2
│   │   └── gix-traverse 0.39.2
│   ├── gix-ref 0.44.1
│   └── gix-index 0.33.1
├── gix-index 0.33.1
├── gix-glob 0.16.5
│   ├── gix-worktree 0.34.1
│   ├── gix-ignore 0.11.4
│   │   ├── gix-worktree 0.34.1
│   │   └── gix-testtools 0.15.0
│   └── gix-attributes 0.22.5
│       └── gix-worktree 0.34.1
├── gix-fs 0.11.3
│   ├── gix-worktree 0.34.1
│   ├── gix-testtools 0.15.0
│   ├── gix-tempfile 14.0.2
│   │   ├── gix-testtools 0.15.0
│   │   ├── gix-ref 0.44.1
│   │   └── gix-lock 14.0.0
│   │       ├── gix-testtools 0.15.0
│   │       ├── gix-ref 0.44.1
│   │       └── gix-index 0.33.1
│   ├── gix-ref 0.44.1
│   ├── gix-index 0.33.1
│   └── gix-discover 0.32.0
└── gix-commitgraph 0.24.3
    ├── gix-traverse 0.39.2
    └── gix-revwalk 0.13.2

Crate:     gix-features
Version:   0.39.1
Title:     SHA-1 collision attacks are not detected
Date:      2025-04-03
ID:        RUSTSEC-2025-0021
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0021
Severity:  6.8 (medium)
Solution:  Upgrade to >=0.41.0
Dependency tree:
gix-features 0.39.1
├── gix-worktree 0.38.0
│   └── gix 0.69.1
│       └── crates-index 3.5.0
│           └── cargo-smart-release 0.21.6
├── gix-url 0.28.2
│   ├── gix-transport 0.44.0
│   │   ├── gix-protocol 0.47.0
│   │   │   └── gix 0.69.1
│   │   └── gix 0.69.1
│   ├── gix-submodule 0.16.0
│   │   └── gix 0.69.1
│   ├── gix-credentials 0.26.0
│   │   ├── gix-transport 0.44.0
│   │   ├── gix-protocol 0.47.0
│   │   └── gix 0.69.1
│   └── gix 0.69.1
├── gix-transport 0.44.0
├── gix-ref 0.49.1
│   ├── gix-protocol 0.47.0
│   ├── gix-discover 0.37.0
│   │   └── gix 0.69.1
│   ├── gix-config 0.42.0
│   │   ├── gix-submodule 0.16.0
│   │   └── gix 0.69.1
│   └── gix 0.69.1
├── gix-protocol 0.47.0
├── gix-pack 0.56.0
│   ├── gix-odb 0.66.0
│   │   └── gix 0.69.1
│   └── gix 0.69.1
├── gix-odb 0.66.0
├── gix-object 0.46.1
│   ├── gix-worktree 0.38.0
│   ├── gix-traverse 0.43.1
│   │   ├── gix-index 0.37.0
│   │   │   ├── gix-worktree 0.38.0
│   │   │   └── gix 0.69.1
│   │   └── gix 0.69.1
│   ├── gix-revwalk 0.17.0
│   │   ├── gix-traverse 0.43.1
│   │   ├── gix-revision 0.31.1
│   │   │   ├── gix-refspec 0.27.0
│   │   │   │   ├── gix-submodule 0.16.0
│   │   │   │   ├── gix-protocol 0.47.0
│   │   │   │   └── gix 0.69.1
│   │   │   └── gix 0.69.1
│   │   ├── gix-protocol 0.47.0
│   │   ├── gix-negotiate 0.17.0
│   │   │   ├── gix-protocol 0.47.0
│   │   │   └── gix 0.69.1
│   │   └── gix 0.69.1
│   ├── gix-revision 0.31.1
│   ├── gix-ref 0.49.1
│   ├── gix-protocol 0.47.0
│   ├── gix-pack 0.56.0
│   ├── gix-odb 0.66.0
│   ├── gix-negotiate 0.17.0
│   ├── gix-index 0.37.0
│   ├── gix-filter 0.16.0
│   │   └── gix 0.69.1
│   ├── gix-diff 0.49.0
│   │   └── gix 0.69.1
│   └── gix 0.69.1
├── gix-index 0.37.0
├── gix-glob 0.17.1
│   ├── gix-worktree 0.38.0
│   ├── gix-pathspec 0.8.1
│   │   ├── gix-submodule 0.16.0
│   │   └── gix 0.69.1
│   ├── gix-ignore 0.12.1
│   │   ├── gix-worktree 0.38.0
│   │   └── gix 0.69.1
│   ├── gix-config 0.42.0
│   ├── gix-attributes 0.23.1
│   │   ├── gix-worktree 0.38.0
│   │   ├── gix-pathspec 0.8.1
│   │   ├── gix-filter 0.16.0
│   │   └── gix 0.69.1
│   └── gix 0.69.1
├── gix-fs 0.12.1
│   ├── gix-worktree 0.38.0
│   ├── gix-tempfile 15.0.0
│   │   ├── gix-ref 0.49.1
│   │   ├── gix-pack 0.56.0
│   │   ├── gix-lock 15.0.1
│   │   │   ├── gix-shallow 0.1.0
│   │   │   │   ├── gix-protocol 0.47.0
│   │   │   │   └── gix 0.69.1
│   │   │   ├── gix-ref 0.49.1
│   │   │   ├── gix-protocol 0.47.0
│   │   │   ├── gix-index 0.37.0
│   │   │   └── gix 0.69.1
│   │   └── gix 0.69.1
│   ├── gix-ref 0.49.1
│   ├── gix-odb 0.66.0
│   ├── gix-index 0.37.0
│   ├── gix-discover 0.37.0
│   └── gix 0.69.1
├── gix-config 0.42.0
├── gix-commitgraph 0.25.1
│   ├── gix-traverse 0.43.1
│   ├── gix-revwalk 0.17.0
│   ├── gix-revision 0.31.1
│   ├── gix-negotiate 0.17.0
│   └── gix 0.69.1
└── gix 0.69.1

error: 2 vulnerabilities found!
C:\Users\ek\source\repos\cargo-smart-release [run-ci/cargo-update]> cargo update
    Updating crates.io index
     Locking 92 packages to latest compatible versions
    Updating anstyle-wincon v3.0.6 -> v3.0.7
    Updating anyhow v1.0.95 -> v1.0.98
    Updating bitflags v2.6.0 -> v2.9.0
    Updating borsh v1.5.3 -> v1.5.7
    Updating bstr v1.11.1 -> v1.12.0
    Updating bytes v1.9.0 -> v1.10.1
    Updating cargo_metadata v0.19.1 -> v0.19.2
    Updating cc v1.2.5 -> v1.2.19
    Updating clap v4.5.23 -> v4.5.36
    Updating clap_builder v4.5.23 -> v4.5.36
    Updating clap_derive v4.5.18 -> v4.5.32
    Updating cmake v0.1.52 -> v0.1.54
    Updating console v0.15.10 -> v0.15.11
    Updating cpufeatures v0.2.16 -> v0.2.17
    Updating crates-index v3.5.0 -> v3.9.0
    Updating curl-sys v0.4.78+curl-8.11.0 -> v0.4.80+curl-8.12.1
    Updating deranged v0.3.11 -> v0.4.0
    Removing doc-comment v0.3.3
    Updating env_logger v0.11.6 -> v0.11.8
    Updating equivalent v1.0.1 -> v1.0.2
    Updating errno v0.3.10 -> v0.3.11
      Adding getrandom v0.3.2
    Updating git-conventional v0.12.7 -> v0.12.9
    Removing gix v0.69.1
    Removing gix-actor v0.33.1
    Updating gix-attributes v0.23.1 -> v0.25.0
    Updating gix-bitmap v0.2.13 -> v0.2.14
    Removing gix-command v0.4.0
    Removing gix-commitgraph v0.25.1
    Removing gix-config v0.42.0
    Updating gix-credentials v0.26.0 -> v0.28.0
    Removing gix-diff v0.49.0
    Removing gix-discover v0.37.0
    Removing gix-features v0.39.1
    Updating gix-filter v0.16.0 -> v0.18.0
    Removing gix-fs v0.12.1
    Removing gix-glob v0.17.1
    Removing gix-hash v0.15.1
    Removing gix-hashtable v0.6.0
    Updating gix-ignore v0.12.1 -> v0.14.0
    Updating gix-index v0.37.0 -> v0.39.0
    Removing gix-lock v15.0.1
    Updating gix-negotiate v0.17.0 -> v0.19.0
    Removing gix-object v0.46.1
    Removing gix-odb v0.66.0
    Removing gix-pack v0.56.0
    Updating gix-packetline-blocking v0.18.1 -> v0.18.3
    Updating gix-pathspec v0.8.1 -> v0.10.0
    Updating gix-prompt v0.9.0 -> v0.10.0
    Removing gix-protocol v0.47.0
    Updating gix-quote v0.4.14 -> v0.4.15
    Removing gix-ref v0.49.1
    Removing gix-refspec v0.27.0
    Removing gix-revision v0.31.1
    Removing gix-revwalk v0.17.0
    Removing gix-shallow v0.1.0
    Updating gix-submodule v0.16.0 -> v0.18.0
    Removing gix-tempfile v15.0.0
    Removing gix-transport v0.44.0
    Removing gix-traverse v0.43.1
    Removing gix-url v0.28.2
    Updating gix-utils v0.1.13 -> v0.1.14
    Updating gix-worktree v0.38.0 -> v0.40.0
    Removing humantime v2.1.0
    Updating icu_locid_transform_data v1.5.0 -> v1.5.1
    Updating icu_normalizer_data v1.5.0 -> v1.5.1
    Updating icu_properties_data v1.5.0 -> v1.5.1
    Updating indexmap v2.7.0 -> v2.9.0
    Updating insta v1.41.1 -> v1.42.2
    Updating itoa v1.0.14 -> v1.0.15
    Removing jiff v0.1.15
    Removing jiff v0.2.6
      Adding jiff v0.1.29 (available: v0.2.8)
      Adding jiff v0.2.8
    Updating jiff-static v0.2.6 -> v0.2.8
    Removing lazy_static v1.5.0
    Updating libc v0.2.169 -> v0.2.172
    Updating libz-ng-sys v1.1.20 -> v1.1.22
    Updating libz-sys v1.1.20 -> v1.1.22
    Removing linux-raw-sys v0.4.14
      Adding linux-raw-sys v0.4.15
      Adding linux-raw-sys v0.9.4
    Updating litemap v0.7.4 -> v0.7.5
    Updating log v0.4.22 -> v0.4.27
    Updating once_cell v1.20.2 -> v1.21.3
    Updating openssl-probe v0.1.5 -> v0.1.6
    Updating openssl-sys v0.9.104 -> v0.9.107
      Adding pin-project v1.1.10
      Adding pin-project-internal v1.1.10
    Updating pkg-config v0.3.31 -> v0.3.32
    Updating proc-macro2 v1.0.94 -> v1.0.95
    Updating prodash v29.0.1 -> v29.0.2
      Adding r-efi v5.2.0
    Updating redox_syscall v0.5.8 -> v0.5.11
    Updating rustc-hash v2.1.0 -> v2.1.1
      Adding rustc-stable-hash v0.1.2
    Removing rustix v0.38.42
      Adding rustix v0.38.44
      Adding rustix v1.0.5
    Updating ryu v1.0.18 -> v1.0.20
    Updating semver v1.0.24 -> v1.0.26
    Updating serde v1.0.216 -> v1.0.219
    Updating serde_derive v1.0.216 -> v1.0.219
    Updating serde_json v1.0.134 -> v1.0.140
    Removing sha1-asm v0.5.3
    Updating similar v2.6.0 -> v2.7.0
    Updating smallvec v1.13.2 -> v1.15.0
    Updating socket2 v0.5.8 -> v0.5.9
    Updating tar v0.4.43 -> v0.4.44
    Updating tempfile v3.14.0 -> v3.19.1
    Updating thiserror v2.0.9 -> v2.0.12
    Updating thiserror-impl v2.0.9 -> v2.0.12
    Updating time v0.3.37 -> v0.3.41
    Updating time-core v0.1.2 -> v0.1.4
    Updating time-macros v0.2.19 -> v0.2.22
    Updating tinyvec v1.8.1 -> v1.9.0
    Updating toml v0.8.19 -> v0.8.20
    Updating toml_edit v0.22.22 -> v0.22.24
    Updating typenum v1.17.0 -> v1.18.0
    Updating unicase v2.8.0 -> v2.8.1
    Updating unicode-ident v1.0.14 -> v1.0.18
      Adding wasi v0.14.2+wasi-0.2.4
    Updating winnow v0.6.20 -> v0.6.26 (available: v0.7.6)
      Adding wit-bindgen-rt v0.39.0
    Updating zerofrom v0.1.5 -> v0.1.6
    Updating zerofrom-derive v0.1.5 -> v0.1.6
note: pass `--verbose` to see 2 unchanged dependencies behind latest
C:\Users\ek\source\repos\cargo-smart-release [run-ci/cargo-update +0 ~1 -0 !]> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 752 security advisories (from C:\Users\ek\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (289 crate dependencies)
Crate:     gix-features
Version:   0.38.2
Title:     SHA-1 collision attacks are not detected
Date:      2025-04-03
ID:        RUSTSEC-2025-0021
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0021
Severity:  6.8 (medium)
Solution:  Upgrade to >=0.41.0
Dependency tree:
gix-features 0.38.2
├── gix-worktree 0.34.1
│   └── gix-testtools 0.15.0
│       └── cargo-smart-release 0.21.6
├── gix-ref 0.44.1
│   └── gix-discover 0.32.0
│       └── gix-testtools 0.15.0
├── gix-object 0.42.3
│   ├── gix-worktree 0.34.1
│   ├── gix-traverse 0.39.2
│   │   └── gix-index 0.33.1
│   │       ├── gix-worktree 0.34.1
│   │       └── gix-testtools 0.15.0
│   ├── gix-revwalk 0.13.2
│   │   └── gix-traverse 0.39.2
│   ├── gix-ref 0.44.1
│   └── gix-index 0.33.1
├── gix-index 0.33.1
├── gix-glob 0.16.5
│   ├── gix-worktree 0.34.1
│   ├── gix-ignore 0.11.4
│   │   ├── gix-worktree 0.34.1
│   │   └── gix-testtools 0.15.0
│   └── gix-attributes 0.22.5
│       └── gix-worktree 0.34.1
├── gix-fs 0.11.3
│   ├── gix-worktree 0.34.1
│   ├── gix-testtools 0.15.0
│   ├── gix-tempfile 14.0.2
│   │   ├── gix-testtools 0.15.0
│   │   ├── gix-ref 0.44.1
│   │   └── gix-lock 14.0.0
│   │       ├── gix-testtools 0.15.0
│   │       ├── gix-ref 0.44.1
│   │       └── gix-index 0.33.1
│   ├── gix-ref 0.44.1
│   ├── gix-index 0.33.1
│   └── gix-discover 0.32.0
└── gix-commitgraph 0.24.3
    ├── gix-traverse 0.39.2
    └── gix-revwalk 0.13.2

error: 1 vulnerability found!

This suggests that cargo update will bring us from using two vulnerable versions of gix-features one of which is used even outside the dev dependency on gix-testtools, to one version that is only used through gix-testtools. Thus, I will go with that unless I am unable to do so, or unless some problem arises with it.

Edit: I've opened #51, which I believe successfully fixes this.
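As an added example (not part of this issue or of the cargo-smart-release project), the following Python script parses the text output of `cargo audit` as printed above and classifies each advisory as "dev-only" or "production" for a given root package. The key point of the issue is that the printed dependency tree only tells you this once you follow every chain up to the root and check which of the root's direct dependencies it enters through; `cargo audit` also prints a repeated subtree only once, so the script merges edges across all occurrences before walking them. The sample input is a constructed, abbreviated copy of the first run above; the root package name and the set of dev-only dependencies (`gix-testtools`, which the issue identifies as the dev dependency) are assumptions supplied by the caller, since they come from the root crate's Cargo.toml, not from the audit output.

```python
"""Classify `cargo audit` findings as reachable only via dev dependencies
or also via production dependencies of the root package."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the first `cargo audit` run
# in the issue (only the fields and tree rows this script needs).
SAMPLE_AUDIT = """\
    Scanning Cargo.lock for vulnerabilities (310 crate dependencies)
Crate:     gix-features
Version:   0.38.2
Title:     SHA-1 collision attacks are not detected
ID:        RUSTSEC-2025-0021
Solution:  Upgrade to >=0.41.0
Dependency tree:
gix-features 0.38.2
├── gix-worktree 0.34.1
│   └── gix-testtools 0.15.0
│       └── cargo-smart-release 0.21.6
└── gix-ref 0.44.1
    └── gix-discover 0.32.0
        └── gix-testtools 0.15.0

Crate:     gix-features
Version:   0.39.1
Title:     SHA-1 collision attacks are not detected
ID:        RUSTSEC-2025-0021
Solution:  Upgrade to >=0.41.0
Dependency tree:
gix-features 0.39.1
├── gix-worktree 0.38.0
│   └── gix 0.69.1
│       └── crates-index 3.5.0
│           └── cargo-smart-release 0.21.6
└── gix-url 0.28.2
    └── gix 0.69.1

error: 2 vulnerabilities found!
"""

FIELD_RE = re.compile(r"^(Crate|Version|Title|ID|Solution):\s+(.*)$")
# Tree rows: a prefix of box-drawing glyphs/spaces (4 chars per level),
# then "<crate> <version>".
TREE_RE = re.compile(r"^([│├└─ ]*)(\S+) (\S+)$")


@dataclass
class Advisory:
    crate: str = ""
    version: str = ""
    id: str = ""
    title: str = ""
    solution: str = ""
    # dependency -> set of crates that depend on it, merged over every
    # occurrence because cargo audit prints a repeated subtree only once.
    dependents: dict = field(default_factory=dict)


def parse_audit(text):
    """Parse cargo audit's human-readable report into Advisory records."""
    advisories, current, stack, in_tree = [], None, [], False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "crate":
                current = Advisory()
                advisories.append(current)
            if current is not None:
                setattr(current, key, value)
            in_tree = False
            continue
        if line.startswith("Dependency tree:"):
            in_tree, stack = True, []
            continue
        if not in_tree or current is None:
            continue
        m = TREE_RE.match(line)
        if not m:
            in_tree = False  # blank line or trailer ends the tree
            continue
        depth, name = len(m.group(1)) // 4, m.group(2)
        del stack[depth:]  # stack[i] is the crate printed at depth i
        if depth > 0:
            current.dependents.setdefault(stack[depth - 1], set()).add(name)
        stack.append(name)
    return advisories


def entry_points(adv, root):
    """Direct dependencies of `root` through which the vulnerable crate is reached."""
    return {dep for dep, users in adv.dependents.items() if root in users}


def is_dev_only(adv, root, dev_deps):
    """True when every chain enters `root` via one of its dev-only dependencies."""
    entries = entry_points(adv, root)
    return bool(entries) and entries <= set(dev_deps)


def chains_to_root(adv, root):
    """All dependency chains from the vulnerable crate up to `root`, including
    those the printed tree truncated by de-duplicating subtrees."""
    chains = []

    def walk(node, path):
        if node == root:
            chains.append(path)
            return
        for user in sorted(adv.dependents.get(node, ())):
            if user not in path:  # guard against cycles in malformed input
                walk(user, path + [user])

    walk(adv.crate, [adv.crate])
    return chains


def report(text, root, dev_deps):
    """Map (crate, version) -> 'dev-only' | 'production' for each advisory."""
    return {
        (adv.crate, adv.version): "dev-only" if is_dev_only(adv, root, dev_deps) else "production"
        for adv in parse_audit(text)
    }


if __name__ == "__main__":
    # Assumed inputs: root package and its dev-only dependencies from Cargo.toml.
    for key, kind in report(SAMPLE_AUDIT, "cargo-smart-release", {"gix-testtools"}).items():
        print(f"{key[0]} {key[1]}: {kind}")
```

Run against a real report (`cargo audit > audit.txt`), the only inputs to supply are the root crate name and its `[dev-dependencies]` names; on the sample, `gix-features 0.38.2` comes out as dev-only (entered via `gix-testtools`) and `gix-features 0.39.1` as production (entered via `crates-index`), which is exactly the distinction the issue title makes.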
