
chore(audit): add temporary deny exceptions for rsa and paste; add tracking issue and document in audit note

pull/6727/head
kalvinparker 3 months ago
parent
commit
f16723c8d8
Changed files:
  1. SECURITY-AUDIT-2025-11-09.md (10 lines)
  2. deny.toml (11 lines)
  3. issues/TRACK-2025-11-09-RSA-PASTE.md (56 lines)

SECURITY-AUDIT-2025-11-09.md (10 lines)

@ -34,6 +34,16 @@ Recommended next steps
- Review `deny.toml` added to the repository as a starting policy. Adjust `licenses.allowed` to match project licensing policy. - Review `deny.toml` added to the repository as a starting policy. Adjust `licenses.allowed` to match project licensing policy.
- For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates. - For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates.
Temporary exceptions
--------------------
To unblock CI while we triage and remediate, this PR (branch `remediations/audit-2025-11-09`) adds temporary, timeboxed exceptions for two advisories in `deny.toml`:
- RUSTSEC-2023-0071 — `rsa = 0.9.8` (transitive via `openidconnect`). No safe published upgrade was available at audit time. A temporary exception is recorded with an expiration date and linked tracking issue.
- RUSTSEC-2024-0436 — `paste = 1.0.15` (transitive via `rmp`/`rmpv`). Crate is marked unmaintained; a temporary exception is recorded while we plan a migration/replacement.
These exceptions are intended to be short-lived. See `issues/TRACK-2025-11-09-RSA-PASTE.md` for the remediation plan, owner, and ETA. The exceptions include an `expires` date and rationale; they should be removed when the underlying transitive dependency is replaced or a safe upgrade is published.
4. CI integration 4. CI integration
- The PR adds a GitHub Actions workflow `.github/workflows/audit.yml` which runs `cargo-audit` and `cargo-deny`. Tweak versions and failure behavior to match your release policy (block PRs or open warnings). - The PR adds a GitHub Actions workflow `.github/workflows/audit.yml` which runs `cargo-audit` and `cargo-deny`. Tweak versions and failure behavior to match your release policy (block PRs or open warnings).
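Review bot: the new "Temporary exceptions" section breaks the structure of "Recommended next steps": it is inserted unnumbered, with a setext underline, directly in front of "4. CI integration", while the neighbouring sections are numbered headings. Either give it a number in sequence (and renumber "4. CI integration") or move it after the CI item so the list stays continuous. The same paragraph also says the exceptions are recorded "in `deny.toml`" with an `expires` date; the audit note should name the section they live in and say how the expiry is enforced, since a reader of this note will otherwise assume the tool checks the date.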

deny.toml (11 lines)

@ -7,4 +7,13 @@
[licenses] [licenses]
# Allowlist of licenses. Edit to match project policy. # Allowlist of licenses. Edit to match project policy.
allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"] allow = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"]
exceptions = [] ## Temporary exceptions added by remediations/audit-2025-11-09
## These exceptions are timeboxed and tracked in issues/TRACK-2025-11-09-RSA-PASTE.md
exceptions = [
# Allow RUSTSEC-2023-0071 (rsa 0.9.8) transitively required today via openidconnect
# Rationale: no safe published upgrade available at audit date; risk acknowledged and tracked.
{ crate = "rsa", version = "=0.9.8", reason = "RUSTSEC-2023-0071: no safe upgrade available; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" },
# Allow RUSTSEC-2024-0436 (paste 1.0.15) transitively required today via rmp/rmpv
# Rationale: crate marked unmaintained; temporary exception while replacement plan is executed.
{ crate = "paste", version = "=1.0.15", reason = "RUSTSEC-2024-0436: unmaintained; temporary exception; see issues/TRACK-2025-11-09-RSA-PASTE.md", expires = "2026-02-01" }
]
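Review bot: both entries added in this hunk are advisory waivers (RUSTSEC-2023-0071, RUSTSEC-2024-0436) but they are placed under `[licenses].exceptions`, which cargo-deny uses only to permit additional licenses for specific crates; entries there take `crate`/`version` together with an `allow = [...]` list of license identifiers, so these records will not suppress `cargo deny check advisories` and the advisory check will keep failing in CI. Move them to the advisories section, e.g. `[advisories]` with `ignore = [ { id = "RUSTSEC-2023-0071", reason = "no safe upgrade; temporary; see issues/TRACK-2025-11-09-RSA-PASTE.md" }, { id = "RUSTSEC-2024-0436", reason = "unmaintained; temporary; see issues/TRACK-2025-11-09-RSA-PASTE.md" } ]`, and restore `exceptions = []` under `[licenses]`. To my knowledge cargo-deny has no `expires` key, so the 2026-02-01 timebox is not enforced by the tool; keep the date inside the `reason` text and add a small CI step (or a dated reminder on the tracking issue) that fails once the date has passed, otherwise the "timeboxed" exception silently becomes permanent.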

issues/TRACK-2025-11-09-RSA-PASTE.md (56 lines)

@ -0,0 +1,56 @@
# TRACK-2025-11-09: Remediate transitive `rsa` and `paste` advisories
Status: Open
Owner: @maintainers (please assign)
Created: 2025-11-09
Summary
-------
This tracking issue records the planned remediation work for two transitive advisories found during the local audit on 2025-11-09:
- RUSTSEC-2023-0071 — `rsa = 0.9.8` (Marvin Attack). No safe published upgrade was available at audit time. Transitive path: `openidconnect` -> `...` -> `rsa`.
- RUSTSEC-2024-0436 — `paste = 1.0.15` (unmaintained). Transitive path: `rmp`/`rmpv` -> `paste`.
Goals
-----
1. Remove or replace the transitive dependency on `rsa` so the project does not depend on the vulnerable crate.
2. Replace or remove `paste` usage by migrating to a maintained alternative (e.g., `pastey`) or removing the transitive dependency chain.
3. Remove the temporary exceptions from `deny.toml` once remediation is complete.
Plan
----
1. Repro steps
- Run `cargo tree -i rsa` and `cargo tree -i paste` to show the reverse dependency chain and confirm the top-level crate(s) importing them.
2. Investigate fixes
- For `rsa`: identify whether `openidconnect` or another dependency directly pulls `rsa`. Check if newer published versions of the top-level crate avoid `rsa`.
- If no published version removes `rsa`, assess vendor or patch options:
- Replace `openidconnect` with an alternative OIDC client that avoids `rsa` (e.g., a crate using ring/openssl for crypto), or
- Submit a PR to upstream crates to adopt a constant-time implementation, or
- Vendor a small shim that provides the needed functionality using a vetted crypto library.
- For `paste`: check if `rmp`/`rmpv` can be upgraded to eliminate `paste` or if a maintained fork (e.g., `pastey`) can be used.
3. Tests and validation
- Add unit/integration tests for the replaced functionality (auth flows, message formats) to ensure behavior parity.
- Re-run audit tooling in CI and verify `cargo-deny` no longer reports the advisories.
4. Timeline and owner
- Target ETA: 2026-02-01 (three months). Adjust based on investigation findings.
- Owner: @maintainers or assign a specific engineer.
5. Rollback/compensating controls
- If remediation requires longer work, consider adding hardened monitoring, limiting feature usage, or using runtime mitigations where possible.
Links
-----
- Audit note: SECURITY-AUDIT-2025-11-09.md
- PR branch: remediations/audit-2025-11-09
Next steps
----------
- Assign an owner, run `cargo tree -i rsa` and `cargo tree -i paste`, and update this issue with findings and the chosen remediation path.
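Review bot: the issue never records whether the vulnerable code path is reachable, and that decides both the risk rating and how hard the 2026-02-01 target is. RUSTSEC-2023-0071 concerns timing leakage during RSA private-key operations, so "1. Repro steps" should add, next to `cargo tree -i rsa`, a check of whether this project only verifies ID-token signatures with public keys through `openidconnect` or also performs private-key operations via `rsa`; record the answer under "Summary" and use it to make "5. Rollback/compensating controls" concrete, since "hardened monitoring, limiting feature usage" is not actionable as written. Minor: "Next steps" repeats "1. Repro steps" from the Plan, and the `pastey` candidate appears in both Goal 2 and Plan 2; keep each in one place.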