Unverified Commit 168184e5 authored by ysaito1001's avatar ysaito1001 Committed by GitHub

Address vulnerabilities reported within the tools directory (#2633)

## Motivation and Context
Addresses vulnerabilities reported by `cargo audit` within the
repository.

## Description
This commit addresses vulnerabilities within the tools directory
reported by `cargo audit`. Mostly they have been fixed by regenerating
`Cargo.lock` files. Two exceptions:
- `crate-hasher` needs to drop the `tempdir` crate and switch over to
the `tempfile` crate
- `canary-runner` needs to upgrade the `octorust` crate

## Testing
After the PR, no vulnerabilities reported from the crates that have been
patched. Ran `cargo t` on the updated crates.
Furthermore, no vulnerabilities reported currently within `rust-runtime`
and `aws/rust-runtime`:
```
➜  rust-runtime git:(ysaito/fix-cargo-audit) pwd
smithy-rs/rust-runtime
➜  rust-runtime git:(ysaito/fix-cargo-audit) rm Cargo.lock && cargo generate-lockfile && cargo audit
    Updating crates.io index
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 543 security advisories
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (314 crate dependencies)

➜  rust-runtime git:(ysaito/fix-cargo-audit) pwd
smithy-rs/aws/rust-runtime
➜  rust-runtime git:(ysaito/fix-cargo-audit) rm Cargo.lock && cargo generate-lockfile && cargo audit
    Updating crates.io index
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`


      Loaded 543 security advisories
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (249 crate dependencies)
```

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

Co-authored-by: default avatarYuki Saito <awsaito@amazon.com>
parent b50f1e92
+363 −196


+294 −144


+1 −1
@@ -24,4 +24,4 @@ sha256 = "1.1"
flate2 = "1.0"
pretty_assertions = "1.3"
tar = "0.4"
tempdir = "0.3"
tempfile = "3.5.0"
+10 −10
@@ -8,7 +8,7 @@ use flate2::read::GzDecoder;
use std::fs::File;
use std::process::Command;
use tar::Archive;
use tempdir::TempDir;
use tempfile::TempDir;

use crate_hasher::file_list::FileList;

@@ -25,32 +25,32 @@ fn assert_correct_aws_smithy_async_hash(file_list: &FileList) {

#[test]
fn test_against_aws_smithy_async() -> Result<()> {
    let dir = TempDir::new("test_against_aws_smithy_async")?;
    let dir = TempDir::new()?.path().join("test_against_aws_smithy_async");

    let tar = GzDecoder::new(File::open("tests/aws-smithy-async-2022-04-08.tar.gz")?);
    let mut archive = Archive::new(tar);
    archive.unpack(&dir)?;

    let file_list = FileList::discover(&dir.as_ref().join("aws-smithy-async"))?;
    let file_list = FileList::discover(&dir.as_path().join("aws-smithy-async"))?;
    assert_correct_aws_smithy_async_hash(&file_list);
    Ok(())
}

#[test]
fn test_against_aws_smithy_async_with_ignored_files() -> Result<()> {
    let dir = TempDir::new("test_against_aws_smithy_async")?;
    let dir = TempDir::new()?.path().join("test_against_aws_smithy_async");

    let tar = GzDecoder::new(File::open("tests/aws-smithy-async-2022-04-08.tar.gz")?);
    let mut archive = Archive::new(tar);
    archive.unpack(&dir)?;

    std::fs::create_dir(dir.as_ref().join("target"))?;
    std::fs::create_dir(&dir.as_path().join("target"))?;
    std::fs::write(
        dir.as_ref().join("target/something"),
        &dir.as_path().join("target/something"),
        b"some data that should be excluded",
    )?;

    let file_list = FileList::discover(&dir.as_ref().join("aws-smithy-async"))?;
    let file_list = FileList::discover(&dir.as_path().join("aws-smithy-async"))?;
    assert_correct_aws_smithy_async_hash(&file_list);

    Ok(())
@@ -58,7 +58,7 @@ fn test_against_aws_smithy_async_with_ignored_files() -> Result<()> {

#[test]
fn test_against_aws_smithy_async_with_git_repo() -> Result<()> {
    let dir = TempDir::new("test_against_aws_smithy_async")?;
    let dir = TempDir::new()?.path().join("test_against_aws_smithy_async");

    let tar = GzDecoder::new(File::open("tests/aws-smithy-async-2022-04-08.tar.gz")?);
    let mut archive = Archive::new(tar);
@@ -68,10 +68,10 @@ fn test_against_aws_smithy_async_with_git_repo() -> Result<()> {
    Command::new("git")
        .arg("init")
        .arg(".")
        .current_dir(dir.as_ref().join("aws-smithy-async"))
        .current_dir(&dir.as_path().join("aws-smithy-async"))
        .output()?;

    let file_list = FileList::discover(&dir.as_ref().join("aws-smithy-async"))?;
    let file_list = FileList::discover(&dir.as_path().join("aws-smithy-async"))?;
    assert_correct_aws_smithy_async_hash(&file_list);

    Ok(())
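Review bot: The `TempDir` created in the new `let dir = TempDir::new()?.path().join("test_against_aws_smithy_async");` line (present in all three tests) is a temporary that is dropped at the end of that statement, so `tempfile` deletes the directory it just created before `archive.unpack(&dir)` runs and `dir` points under a path that no longer exists. The tests likely still pass because `tar`'s `unpack` appears to recreate a missing destination with `create_dir_all`, but that tree is then created outside `tempfile`'s guard with default permissions and is never cleaned up, which is the same unguarded temp-path pattern the dependency swap was meant to retire. Keep the guard alive for the test's duration, e.g. `let tmp = TempDir::new()?;` followed by `let dir = tmp.path().join("test_against_aws_smithy_async");`, or use `tempfile::Builder::new().prefix("test_against_aws_smithy_async").tempdir()?` to preserve the old prefix. Once `dir` is a `PathBuf`, the `&dir.as_path().join(..)` forms can be simplified to `dir.join(..)`. `test_against_aws_smithy_async_with_ignored_files` and `test_against_aws_smithy_async_with_git_repo` continue outside their hunks.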
+337 −236

