-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: implement security auditing checks #139
Conversation
Can this be migrated into The below PR would move this step into This way it would be running several times per day, which should remove the need for the daily cron trigger |
Its possible, however, if we want to maintain the chron job, I'm not sure it is. We may want to run this exclusively as a chron job to avoid the noise of running for every PR push, perhaps. |
Sorry forgot to approve. PR looks good however you decide to implement. I would have a preference for just including the job in ci.yml to run on PR as it only takes 30 seconds and could potentially highlight new vulnerabilities introduced in a branch before they are merged |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like this can stop PRs that change Cargo.toml
from being merged even if the audit failure doesn't come from their changes, just some committed version having a new vulnerability. Ideally we'd be able to merge changes that don't introduce issues, but I don't think that's possible to do with this tool. Perhaps we should just run this on cron?
As is, I did not make this a required check so it wouldn't block merge in that way. However, I've also thought about just setting a cron job (in this cut of the PR it is both). The downside seems like less visibility. |
`cargo-audit` and the RustSec Advisory DB see: https://rustsec.org/
Feel free to re-open when work in this is restarted |
We have an ignore list that we review when we upgrade substrate: # No known fix yet:
# RUSTSEC-2023-0071 rsa crate indirectly used by db-sync-follower
#
# Things that should be fixed by an upcoming sidechains/substrate upgrade:
# RUSTSEC-2024-0336 rustls 0.20.9 used by libp2p. newer libp2p fixes this.
#
# Unmaintained crates (no known vulnerabilites):
# RUSTSEC-2021-0139 ansi_term unmaintained: no fix available yet (Aug24).
# RUSTSEC-2020-0168 mach unmaintained: longterm mitigation: switching wasm to risc.
# RUSTSEC-2022-0061 parity-wasm unmaintained: longterm mitigation: switching wasm to risc.
# RUSTSEC-2024-0320 yaml-rust crate used by config unmaintained.
#
# False positives:
# RUSTSEC-2023-0071 rsa sidechannel. False positive: in a feature we don't use: `cargo tree | rg rsa` 0 hits.
RUN --no-cache cargo audit -c always \
--ignore RUSTSEC-2023-0071 \
--ignore RUSTSEC-2024-0336 \
--ignore RUSTSEC-2023-0071 \
--ignore RUSTSEC-2022-0061 \
--ignore RUSTSEC-2021-0139 \
--ignore RUSTSEC-2020-0168 \
--ignore RUSTSEC-2023-0033 \
--ignore RUSTSEC-2024-0320 |
Description
uses
cargo-audit
and the RustSec Advisory DBsee: https://rustsec.org/
The config file is pretty minimal to start.
It is possible to add irrelevant (to us) issues in the ignore list though. Issues can be reviewed in a nice formatted form after
the Action has run in a follow up job.
It is still debatable how we would like to run this. On every push for PRs (as is configured now), or perhaps simply just on a
regular interval (currently every day at midnight). We probably don't want to make this a hard requirement to merge PRs though, as it may take dedicated time and effort to:
However, perhaps we have a regular review, in the form of a meeting or just async, to ensure we never get too far behind. Currently, we have 3 vulnerabilities that are reported and several warnings.
Checklist
changelog.md
for affected crateNote on CI
If your PR is from a fork, the necessary CI jobs won't trigger automatically for security reasons.
You will need to get someone with write privileges. Please contact IOG Partner Chains developers to do this
for you.