From a7df2c67faee5663889579d7b803e8f0577579ff Mon Sep 17 00:00:00 2001
From: Jos Dehaes
Date: Wed, 2 Apr 2025 11:36:22 +0200
Subject: [PATCH 1/4] chore: add audit.toml to ignore known unmaintained crates
---
 .cargo/audit.toml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .cargo/audit.toml
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 0000000000..b61cb26345
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,2 @@
+[advisories]
+ignore = ["RUSTSEC-2024-0436", "RUSTSEC-2021-0139"]
From 151c849c781ce769379372d9e470c37d9cba1380 Mon Sep 17 00:00:00 2001
From: Jos Dehaes
Date: Wed, 2 Apr 2025 15:09:06 +0200
Subject: [PATCH 2/4] chore: review comments
---
 .cargo/audit.toml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index b61cb26345..fcd137f369 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -1,2 +1,8 @@
 [advisories]
-ignore = ["RUSTSEC-2024-0436", "RUSTSEC-2021-0139"]
+ignore = [
+ # As the rust community considers the paste crate 'done', we can safely ignore this warning.
+ # see https://users.rust-lang.org/t/paste-alternatives/126787/2
+ "RUSTSEC-2024-0436",
+ # ansi_term crate is unmaintained since 2021, we can ignore this warning.
+ "RUSTSEC-2021-0139",
+]
From 5f17e0d3bbb0557527033149e2bd0029b90df168 Mon Sep 17 00:00:00 2001
From: Jos Dehaes
Date: Tue, 8 Apr 2025 20:32:56 +0200
Subject: [PATCH 3/4] fix: remove ansi-term dependency so it can also be removed from audit.toml
---
 .cargo/audit.toml | 2 -
 .integration/Cargo.toml | 37 ++++++
 Cargo.lock | 242 ++++------------------------------------
 node/bft/Cargo.toml | 2 +-
 4 files changed, 62 insertions(+), 221 deletions(-)
 create mode 100644 .integration/Cargo.toml
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index fcd137f369..f73d09e2ec 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
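Review bot: The entries in the new `ignore = [` list (PATCH 2/4) carry a rationale but no revisit trigger, so RUSTSEC-2024-0436 and RUSTSEC-2021-0139 stay suppressed indefinitely and nobody is prompted to re-check whether a replacement crate has appeared or whether the "unmaintained" status has turned into a real advisory under a new ID that this list does not cover. Each entry should name an owner and a re-check condition, e.g. `# Revisit by <DATE-PLACEHOLDER> or when a maintained paste replacement exists; tracked in <ISSUE-PLACEHOLDER>`. "we can safely ignore this warning" would be more convincing if it stated why the risk is low — if `paste` is only a compile-time proc-macro dependency, say so explicitly (I cannot confirm that from this diff). The `ansi_term` entry justifies the ignore by how long the crate has been unmaintained, which is the opposite of a reason; PATCH 3/4 removes that entry anyway, so only the `paste` comment needs the wording fix.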
@@ -3,6 +3,4 @@ ignore = [
 # As the rust community considers the paste crate 'done', we can safely ignore this warning.
 # see https://users.rust-lang.org/t/paste-alternatives/126787/2
 "RUSTSEC-2024-0436",
- # ansi_term crate is unmaintained since 2021, we can ignore this warning.
- "RUSTSEC-2021-0139",
 ]
diff --git a/.integration/Cargo.toml b/.integration/Cargo.toml
new file mode 100644
index 0000000000..b5fa376961
--- /dev/null
+++ b/.integration/Cargo.toml
@@ -0,0 +1,37 @@
+[package]
+name = "snarkos-integration"
+version = "3.5.0"
+authors = [ "The Aleo Team " ]
+description = "A integration testing suite for a decentralized operating system"
+homepage = "https://aleo.org"
+repository = "https://github.com/ProvableHQ/snarkOS"
+keywords = [
+ "aleo",
+ "cryptography",
+ "blockchain",
+ "decentralized",
+ "zero-knowledge"
+]
+categories = [ "cryptography", "cryptography::cryptocurrencies", "os" ]
+license = "Apache-2.0"
+edition = "2021"
+
+[dev-dependencies.aleo-std]
+workspace = true
+
+[dev-dependencies.snarkos-node-cdn]
+path = "../node/cdn"
+
+[dev-dependencies.snarkvm]
+workspace = true
+features = [ "synthesizer" ]
+
+[dev-dependencies.tokio]
+version = "1.28"
+features = [ "rt" ]
+
+[dev-dependencies.tracing]
+version = "0.1"
+
+[dev-dependencies.tracing-test]
+version = "0.2"
diff --git a/Cargo.lock b/Cargo.lock
index d8627693ce..b0ce5e9495 100644
--- a/Cargo.lock
+++ b/Cargo.lock
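Review bot: The new `.integration/Cargo.toml` crate is unrelated to this commit's stated purpose (removing the ansi-term dependency), no workspace-member change appears in the diffstat that would wire it in, and PATCH 4/4 deletes the file again, so the series leaves an add-then-delete pair in history that should be squashed out. If the crate is meant to stay, `description = "A integration testing suite ..."` should read `"An integration testing suite ..."`, and `authors = [ "The Aleo Team " ]` ends in a trailing space where an address was presumably stripped. The `snarkos-node-cdn` dev-dependency uses `path = "../node/cdn"` while its siblings use `workspace = true`; if the crate lives in the workspace, the workspace form keeps the version pinned in one place.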
@@ -112,35 +112,11 @@ version = "0.2.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923" -[[package]] -name = "android-tzdata" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0" - -[[package]] -name = "android_system_properties" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311" -dependencies = [ - "libc", -] - -[[package]] -name = "ansi_term" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2" -dependencies = [ - "winapi", -] - [[package]] name = "anstream" -version = "0.6.18" +version = "0.6.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b" +checksum = "301af1932e46185686725e0fad2f8f2aa7da69dd70bf6ecc44d6b703844a3933" dependencies = [ "anstyle", "anstyle-parse", 
@@ -153,33 +129,33 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" +checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd" [[package]] name = "anstyle-parse" -version = "0.2.6" +version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9" +checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c" +checksum = "6c8bdeb6047d8983be085bab0ba1472e6dc604e7041dbf6fcd5e71523014fae9" dependencies = [ "windows-sys 0.59.0", ] [[package]] name = "anstyle-wincon" -version = "3.0.8" +version = "3.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6680de5231bd6ee4c6191b8a1325daa282b415391ec9d3a37bd34f2060dc73fa" +checksum = "403f75924867bb1033c59fbf0797484329750cfbe3c4325cd33127941fabc882" dependencies = [ "anstyle", "once_cell_polyfill", @@ -557,18 +533,6 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -[[package]] -name = "chrono" -version = "0.4.41" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c469d952047f47f91b68d1cba3f10d63c11d73e4636f24f08daf0278abf01c4d" -dependencies = [ - "android-tzdata", - "iana-time-zone", - "num-traits", - "windows-link", -] - [[package]] name = "ci_info" version = "0.10.2" 
@@ -631,9 +595,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "colorchoice" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" +checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" [[package]] name = "colored" @@ -1587,9 +1551,9 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.13" +version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1c293b6b3d21eca78250dc7dbebd6b9210ec5530e038cbfe0661b5c47ab06e8" +checksum = "dc2fdfdbff08affe55bb779f33b053aa1fe5dd5b54c257343c17edfa55711bdb" dependencies = [ "base64 0.22.1", "bytes", @@ -1609,30 +1573,6 @@ dependencies = [ "tracing", ] -[[package]] -name = "iana-time-zone" -version = "0.1.63" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8" -dependencies = [ - "android_system_properties", - "core-foundation-sys", - "iana-time-zone-haiku", - "js-sys", - "log", - "wasm-bindgen", - "windows-core", -] - -[[package]] -name = "iana-time-zone-haiku" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f" -dependencies = [ - "cc", -] - [[package]] name = "icu_collections" version = "2.0.0" @@ -2035,15 +1975,6 @@ dependencies = [ "libc", ] -[[package]] -name = "matchers" -version = "0.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f099785f7595cc4b4553a174ce30dd7589ef93391ff414dbb67f62392b9e0ce1" -dependencies = [ - "regex-automata 0.1.10", -] - [[package]] name = "matchers" version = "0.1.0" @@ -3531,7 +3462,7 @@ dependencies = [ "time", "tokio", "tracing", - "tracing-subscriber 0.3.19", + "tracing-subscriber", "ureq", "zeroize", ] 
@@ -3581,7 +3512,7 @@ dependencies = [ "tokio", "tokio-util", "tracing", - "tracing-subscriber 0.3.19", + "tracing-subscriber", ] [[package]] @@ -3629,8 +3560,8 @@ dependencies = [ "tokio-util", "tower-http", "tracing", - "tracing-subscriber 0.3.19", - "tracing-test 0.1.0", + "tracing-subscriber", + "tracing-test", ] [[package]] @@ -3721,7 +3652,7 @@ dependencies = [ "snarkvm", "tokio", "tracing", - "tracing-test 0.2.5", + "tracing-test", ] [[package]] @@ -3795,7 +3726,7 @@ dependencies = [ "tokio-stream", "tokio-util", "tracing", - "tracing-subscriber 0.3.19", + "tracing-subscriber", ] [[package]] @@ -5409,17 +5340,6 @@ dependencies = [ "valuable", ] -[[package]] -name = "tracing-log" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f751112709b4e791d8ce53e32c4ed2d353565a795ce84da2285393f41557bdf2" -dependencies = [ - "log", - "once_cell", - "tracing-core", -] - [[package]] name = "tracing-log" version = "0.2.0" 
@@ -5431,45 +5351,13 @@ dependencies = [ "tracing-core", ] -[[package]] -name = "tracing-serde" -version = "0.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6b213177105856957181934e4920de57730fc69bf42c37ee5bb664d406d9e1" -dependencies = [ - "serde", - "tracing-core", -] - -[[package]] -name = "tracing-subscriber" -version = "0.2.25" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e0d2eaa99c3c2e41547cfa109e910a68ea03823cccad4a0525dcbc9b01e8c71" -dependencies = [ - "ansi_term", - "chrono", - "lazy_static", - "matchers 0.0.1", - "regex", - "serde", - "serde_json", - "sharded-slab", - "smallvec", - "thread_local", - "tracing", - "tracing-core", - "tracing-log 0.1.4", - "tracing-serde", -] - [[package]] name = "tracing-subscriber" version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008" dependencies = [ - "matchers 0.1.0", + "matchers", "nu-ansi-term", "once_cell", "regex", @@ -5478,19 +5366,7 @@ dependencies = [ "thread_local", "tracing", "tracing-core", - "tracing-log 0.2.0", -] - -[[package]] -name = "tracing-test" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a3b48778c2d401c6a7fcf38a0e3c55dc8e8e753cbd381044a8cdb6fd69a29f53" -dependencies = [ - "lazy_static", - "tracing-core", - "tracing-subscriber 0.2.25", - "tracing-test-macro 0.1.0", + "tracing-log", ] [[package]] 
@@ -5500,19 +5376,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "557b891436fe0d5e0e363427fc7f217abf9ccd510d5136549847bdcbcd011d68" dependencies = [ "tracing-core", - "tracing-subscriber 0.3.19", - "tracing-test-macro 0.2.5", -] - -[[package]] -name = "tracing-test-macro" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c49adbab879d2e0dd7f75edace5f0ac2156939ecb7e6a1e8fa14e53728328c48" -dependencies = [ - "lazy_static", - "quote 1.0.40", - "syn 1.0.109", + "tracing-subscriber", + "tracing-test-macro", ] [[package]] 
@@ -5861,65 +5726,6 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" -[[package]] -name = "windows-core" -version = "0.61.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3" -dependencies = [ - "windows-implement", - "windows-interface", - "windows-link", - "windows-result", - "windows-strings", -] - -[[package]] -name = "windows-implement" -version = "0.60.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836" -dependencies = [ - "proc-macro2", - "quote 1.0.40", - "syn 2.0.101", -] - -[[package]] -name = "windows-interface" -version = "0.59.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8" -dependencies = [ - "proc-macro2", - "quote 1.0.40", - "syn 2.0.101", -] - -[[package]] -name = "windows-link" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38" - -[[package]] -name = "windows-result" -version = "0.3.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6" -dependencies = [ - "windows-link", -] - -[[package]] -name = "windows-strings" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57" -dependencies = [ - "windows-link", -] - [[package]] name = "windows-sys" version = "0.48.0" diff --git a/node/bft/Cargo.toml b/node/bft/Cargo.toml index a3473963ab..47f6a29f4b 100644 --- a/node/bft/Cargo.toml +++ b/node/bft/Cargo.toml 
@@ -201,7 +201,7 @@ version = "0.3" features = [ "env-filter" ] [dev-dependencies.tracing-test] -version = "0.1" +version = "0.2" [dev-dependencies.mockall] version = "0.12.1" From b8550fe775a9c5b492bc363a4912e290a38c4829 Mon Sep 17 00:00:00 2001 From: Jos Dehaes Date: Wed, 9 Apr 2025 09:18:11 +0200 Subject: [PATCH 4/4] feature: workflow for cargo audit --- .circleci/config.yml | 22 ++++++++++++++++++++-- .integration/Cargo.toml | 37 ------------------------------------- 2 files changed, 20 insertions(+), 39 deletions(-) delete mode 100644 .integration/Cargo.toml diff --git a/.circleci/config.yml b/.circleci/config.yml index c0aa5d5e2a..84a380e7b5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -400,16 +400,33 @@ jobs: steps: - checkout - setup_environment: - cache_key: v3.3.1-rust-1.83.0--cache + cache_key: v3.3.1-rust-1.83.0-machete-cache - run: name: Check for unused dependencies - no_output_timeout: 35m + no_output_timeout: 10m command: | cargo install cargo-machete@0.7.0 cargo machete - clear_environment: cache_key: v3.3.1-rust-1.83.0-machete-cache + check-cargo-audit: + docker: + - image: cimg/rust:1.83.0 # Attention - Change the MSRV in Cargo.toml and rust-toolchain as well + resource_class: << pipeline.parameters.medium >> + steps: + - checkout + - setup_environment: + cache_key: v3.3.1-rust-1.83.0-cargo-audit-cache + - run: + name: Check for security vulnerabilities + no_output_timeout: 10m + command: | + cargo install cargo-audit@0.21.2 --locked + cargo audit -D warnings + - clear_environment: + cache_key: v3.3.1-rust-1.83.0-cargo-audit-cache + check-clippy: docker: - image: cimg/rust:1.83.0 # Attention - Change the MSRV in Cargo.toml and rust-toolchain as well @@ -466,6 +483,7 @@ workflows: - check-fmt - check-clippy - check-unused-dependencies + - check-cargo-audit - devnet-test windows-workflow: diff --git a/.integration/Cargo.toml b/.integration/Cargo.toml deleted file mode 100644 index b5fa376961..0000000000 
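Review bot: The new `check-cargo-audit` job in `.circleci/config.yml` runs only when the workflow is triggered by a commit, but advisory-database findings change without any code change, so a lockfile that passes today can become flagged and stay unnoticed until the next push; consider also running this job on a scheduled trigger so new advisories surface promptly. Pinning with `cargo install cargo-audit@0.21.2 --locked` and failing on `cargo audit -D warnings` are good choices; note that with `-D warnings` the unmaintained-crate advisories are fatal, which makes the `.cargo/audit.toml` ignore list load-bearing for CI and worth re-reviewing whenever it grows. The same hunk also changes `check-unused-dependencies` (`no_output_timeout: 35m` to `10m` and its `setup_environment` cache key), which is unrelated to the commit subject and, if the cargo-machete install exceeds ten minutes on a cold cache, would newly fail that job — mention it in the commit message or split it out. The job is appended to one workflow's job list in the second hunk; I cannot tell from the diff whether `windows-workflow` should run it as well.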
--- a/.integration/Cargo.toml
+++ /dev/null
@@ -1,37 +0,0 @@
-[package]
-name = "snarkos-integration"
-version = "3.5.0"
-authors = [ "The Aleo Team " ]
-description = "A integration testing suite for a decentralized operating system"
-homepage = "https://aleo.org"
-repository = "https://github.com/ProvableHQ/snarkOS"
-keywords = [
- "aleo",
- "cryptography",
- "blockchain",
- "decentralized",
- "zero-knowledge"
-]
-categories = [ "cryptography", "cryptography::cryptocurrencies", "os" ]
-license = "Apache-2.0"
-edition = "2021"
-
-[dev-dependencies.aleo-std]
-workspace = true
-
-[dev-dependencies.snarkos-node-cdn]
-path = "../node/cdn"
-
-[dev-dependencies.snarkvm]
-workspace = true
-features = [ "synthesizer" ]
-
-[dev-dependencies.tokio]
-version = "1.28"
-features = [ "rt" ]
-
-[dev-dependencies.tracing]
-version = "0.1"
-
-[dev-dependencies.tracing-test]
-version = "0.2"