From f16723c8d8610ef093e7046af8439bb02875d865 Mon Sep 17 00:00:00 2001
From: kalvinparker <106995826+kalvinparker@users.noreply.github.com>
Date: Sun, 9 Nov 2025 07:52:27 +0000
Subject: [PATCH] chore(audit): add temporary deny exceptions for rsa and paste; add tracking issue and document in audit note
---
 SECURITY-AUDIT-2025-11-09.md | 10 +++++
 deny.toml | 11 +++++-
 issues/TRACK-2025-11-09-RSA-PASTE.md | 56 ++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 issues/TRACK-2025-11-09-RSA-PASTE.md
diff --git a/SECURITY-AUDIT-2025-11-09.md b/SECURITY-AUDIT-2025-11-09.md
index a0b1fca8..4fe69658 100644
--- a/SECURITY-AUDIT-2025-11-09.md
+++ b/SECURITY-AUDIT-2025-11-09.md
@@ -34,6 +34,16 @@ Recommended next steps - Review `deny.toml` added to the repository as a starting policy. Adjust `licenses.allowed` to match project licensing policy.
 - For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates.
+Temporary exceptions
+--------------------
+
+To unblock CI while we triage and remediate, this PR (branch `remediations/audit-2025-11-09`) adds temporary, timeboxed exceptions for two advisories in `deny.toml`:
+
+- RUSTSEC-2023-0071 — `rsa = 0.9.8` (transitive via `openidconnect`). No safe published upgrade was available at audit time. A temporary exception is recorded with an expiration date and linked tracking issue.
+- RUSTSEC-2024-0436 — `paste = 1.0.15` (transitive via `rmp`/`rmpv`). Crate is marked unmaintained; a temporary exception is recorded while we plan a migration/replacement.
+
+These exceptions are intended to be short-lived. See `issues/TRACK-2025-11-09-RSA-PASTE.md` for the remediation plan, owner, and ETA. The exceptions include an `expires` date and rationale; they should be removed when the underlying transitive dependency is replaced or a safe upgrade is published.
+
 4. CI integration
 - The PR adds a GitHub Actions workflow `.github/workflows/audit.yml` which runs `cargo-audit` and `cargo-deny`. Tweak versions and failure behavior to match your release policy (block PRs or open warnings).
diff --git a/deny.toml b/deny.toml
index 06e6a774..5179a91c 100644
--- a/deny.toml
+++ b/deny.toml
@@ -7,4 +7,13 @@
 [licenses]
 # Allowlist of licenses. Edit to match project policy.
 allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"]
-exceptions = []
+## Temporary exceptions added by remediations/audit-2025-11-09
+## These exceptions are timeboxed and tracked in issues/TRACK-2025-11-09-RSA-PASTE.md
+exceptions = [
+ # Allow RUSTSEC-2023-0071 (rsa 0.9.8) transitively required today via openidconnect
+ # Rationale: no safe published upgrade available at audit date; risk acknowledged and tracked.
+ { crate = "rsa", version = "=0.9.8", reason = "RUSTSEC-2023-0071: no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" },
+ # Allow RUSTSEC-2024-0436 (paste 1.0.15) transitively required today via rmp/rmpv
+ # Rationale: crate marked unmaintained; temporary exception while replacement plan is executed.
+ { crate = "paste", version = "=1.0.15", reason = "RUSTSEC-2024-0436: unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" }
+]
diff --git a/issues/TRACK-2025-11-09-RSA-PASTE.md b/issues/TRACK-2025-11-09-RSA-PASTE.md
new file mode 100644
index 00000000..0f6158ee
--- /dev/null
+++ b/issues/TRACK-2025-11-09-RSA-PASTE.md
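Review bot: The two new entries in the `exceptions = [` block live under `[licenses]`, which cargo-deny consults only for license decisions, so the advisories check will still report RUSTSEC-2023-0071 and RUSTSEC-2024-0436 and CI stays blocked; advisory suppressions belong in `[advisories].ignore`, and if an `[advisories]` table already exists above line 7 of `deny.toml` (not visible in this hunk) the `ignore` key should be added there rather than under a second header. As license exceptions the entries also carry no `allow` list, so they grant nothing on the licenses side either, and as far as I can tell `expires` is not a key cargo-deny evaluates, so the 2026-02-01 timebox is documentation only and needs a calendar reminder or a CI date check to be enforced. The `{ id = ..., reason = ... }` form below needs a cargo-deny release that accepts table entries in `ignore`; on older releases use the bare advisory-id strings. Since the workflow described in the audit note also runs cargo-audit, which reads `.cargo/audit.toml` rather than `deny.toml`, the same ignores (or `--ignore` flags) are needed there or that job will keep failing.
```toml
[licenses]
# … unchanged: allow list …
exceptions = []

[advisories]
# Temporary, timeboxed ignores added by remediations/audit-2025-11-09.
# Tracked in issues/TRACK-2025-11-09-RSA-PASTE.md; target removal 2026-02-01.
ignore = [
    # rsa 0.9.8, transitive via openidconnect: no safe published upgrade at audit date.
    { id = "RUSTSEC-2023-0071", reason = "no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md" },
    # paste 1.0.15, transitive via rmp/rmpv: crate unmaintained; replacement plan in progress.
    { id = "RUSTSEC-2024-0436", reason = "unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md" },
]
```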
@@ -0,0 +1,56 @@
+# TRACK-2025-11-09: Remediate transitive `rsa` and `paste` advisories
+
+Status: Open
+Owner: @maintainers (please assign)
+Created: 2025-11-09
+
+Summary
+-------
+
+This tracking issue records the planned remediation work for two transitive advisories found during the local audit on 2025-11-09:
+
+- RUSTSEC-2023-0071 — `rsa = 0.9.8` (Marvin Attack). No safe published upgrade was available at audit time. Transitive path: `openidconnect` -> `...` -> `rsa`.
+- RUSTSEC-2024-0436 — `paste = 1.0.15` (unmaintained). Transitive path: `rmp`/`rmpv` -> `paste`.
+
+Goals
+-----
+
+1. Remove or replace the transitive dependency on `rsa` so the project does not depend on the vulnerable crate.
+2. Replace or remove `paste` usage by migrating to a maintained alternative (e.g., `pastey`) or removing the transitive dependency chain.
+3. Remove the temporary exceptions from `deny.toml` once remediation is complete.
+
+Plan
+----
+
+1. Repro steps
+ - Run `cargo tree -i rsa` and `cargo tree -i paste` to show the reverse dependency chain and confirm the top-level crate(s) importing them.
+
+2. Investigate fixes
+ - For `rsa`: identify whether `openidconnect` or another dependency directly pulls `rsa`. Check if newer published versions of the top-level crate avoid `rsa`.
+ - If no published version removes `rsa`, assess vendor or patch options:
+ - Replace `openidconnect` with an alternative OIDC client that avoids `rsa` (e.g., a crate using ring/openssl for crypto), or
+ - Submit a PR to upstream crates to adopt a constant-time implementation, or
+ - Vendor a small shim that provides the needed functionality using a vetted crypto library.
+
+ - For `paste`: check if `rmp`/`rmpv` can be upgraded to eliminate `paste` or if a maintained fork (e.g., `pastey`) can be used.
+
+3. Tests and validation
+ - Add unit/integration tests for the replaced functionality (auth flows, message formats) to ensure behavior parity.
+ - Re-run audit tooling in CI and verify `cargo-deny` no longer reports the advisories.
+
+4. Timeline and owner
+ - Target ETA: 2026-02-01 (three months). Adjust based on investigation findings.
+ - Owner: @maintainers or assign a specific engineer.
+
+5. Rollback/compensating controls
+ - If remediation requires longer work, consider adding hardened monitoring, limiting feature usage, or using runtime mitigations where possible.
+
+Links
+-----
+
+- Audit note: SECURITY-AUDIT-2025-11-09.md
+- PR branch: remediations/audit-2025-11-09
+
+Next steps
+----------
+- Assign an owner, run `cargo tree -i rsa` and `cargo tree -i paste`, and update this issue with findings and the chosen remediation path.