[deps,bazel] Rust dependency updates for build determinism & cargo audit
#25795
Updates the `object` and `rustix` crate dependencies to later versions, in order to pull in upstream fixes for their non-determinism during compilation, which can affect FPGA test caching in Bazel and cause tooling to require unnecessary rebuilds. These fixes ensure the output directory is cleaned appropriately, removing all references to relative filepaths when the build scripts of `thiserror-core` and `rustix` invoke rustc directly, such that compilation is deterministic. The two commands run are:

    cargo update -p object
    cargo update -p rustix --precise 0.38.42

Signed-off-by: Alex Jones <[email protected]>
Updates the mdBook dependency from pinned version 0.4.31 to the latest version 0.4.43. This update is made because:

- mdBook (transitively) depends on the `idna` crate, but version 0.4.31 of mdBook used idna 0.4.0, which is vulnerable: https://rustsec.org/advisories/RUSTSEC-2024-0421
- mdBook uses shlex 1.1.0, which is vulnerable: https://rustsec.org/advisories/RUSTSEC-2024-0006

This also involved manually updating the mdBook patch to the newest version - the patch is the same, but it had to be re-performed on the newer version.

Signed-off-by: Alex Jones <[email protected]>
The rust-crypto dependency has been previously introduced but is not being used, and is currently the cause of some security issues within our dependencies. Specifically:

- `rust-crypto` itself is un-maintained and has vulnerabilities: https://rustsec.org/advisories/RUSTSEC-2022-0011
- It uses `time` 0.1.45: https://rustsec.org/advisories/RUSTSEC-2020-0071
- It uses `rustc-serialize` 0.3.25: https://rustsec.org/advisories/RUSTSEC-2022-0004

Because this crate is unused, unmaintained and vulnerable, this commit drops this rust dependency.

Signed-off-by: Alex Jones <[email protected]>
cargo audit
I think it might be worth separating out mdbook into a separate dependency like tock.

EDIT: opened #25797
This commit includes a variety of updates to the `Cargo.toml` and `Cargo.lock` files used by OpenTitan to manage rust dependencies, such that the majority of the issues/vulnerabilities reported by `cargo audit` are appropriately addressed. This was chosen in lieu of a full `cargo update` for now, because that seemed to cause some builds to break. The packages updated in this way include:

- `zerocopy` (vulnerable, version yanked).
- `indicatif` (used `instant`, which is un-maintained).
- `rsa` (side-channel vulnerability still remains)
- `openssl` (vulnerability)
- `mio` (vulnerability)
- `idna` (vulnerability)
- `url` (depends on `idna`)
- `smallvec` (dependency of `url` and `rsa`)

Signed-off-by: Alex Jones <[email protected]>
Thanks @AlexJones0 for the great effort in addressing non-determinism in the build.

Regarding cargo audit, we should really have an automated test to make sure that we do not regress without realizing.
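One way to build the regression check this comment asks for, added here as an example rather than code from the PR or the OpenTitan repository: a CI gate that reads `cargo audit --json` and fails on any advisory not explicitly accepted, so a newly reported advisory cannot slip in silently while a known, tolerated one (the `rsa` side channel the PR mentions) does not break every build. The JSON field names are assumed from cargo-audit's report format, the sample report is constructed, and the `rsa` advisory id is a placeholder because the PR gives none.

```python
"""CI gate: `cargo audit --json | python3 audit_gate.py` exits 1 on any
advisory not explicitly accepted. Added example; the report layout
(vulnerabilities.list[].advisory.id, warnings.<kind>[].package) is assumed
from cargo-audit's JSON output, so check it against the installed version."""
import json
import sys

# Advisories knowingly tolerated, each with a reason. Placeholder id: the PR
# says the `rsa` side-channel issue has no fix yet but gives no advisory id.
ACCEPTED = {"RUSTSEC-PLACEHOLDER-RSA": "rsa side channel, no fixed release"}

# Constructed sample report in the assumed layout (rsa/rust-crypto versions made up).
SAMPLE_REPORT = json.loads("""{
  "vulnerabilities": {"found": true, "count": 2, "list": [
    {"advisory": {"id": "RUSTSEC-2024-0421", "package": "idna"},
     "package": {"name": "idna", "version": "0.4.0"}},
    {"advisory": {"id": "RUSTSEC-PLACEHOLDER-RSA", "package": "rsa"},
     "package": {"name": "rsa", "version": "0.9.0"}}]},
  "warnings": {"unmaintained": [
    {"kind": "unmaintained",
     "advisory": {"id": "RUSTSEC-2022-0011", "package": "rust-crypto"},
     "package": {"name": "rust-crypto", "version": "0.2.0"}}]}}""")


def findings(report):
    """Flatten vulnerabilities and warnings (unmaintained, yanked, ...)
    into uniform {id, kind, package, version} records."""
    out = []
    for v in report.get("vulnerabilities", {}).get("list", []):
        out.append({"id": v["advisory"]["id"], "kind": "vulnerability",
                    "package": v["package"]["name"],
                    "version": v["package"]["version"]})
    for kind, warns in report.get("warnings", {}).items():
        for w in warns:
            adv = w.get("advisory") or {}  # yanked warnings carry no advisory
            out.append({"id": adv.get("id", f"{kind}:{w['package']['name']}"),
                        "kind": kind, "package": w["package"]["name"],
                        "version": w["package"]["version"]})
    return out


def unaccepted(report, accepted=ACCEPTED):
    """Records that fail the gate: any advisory id absent from the accept list."""
    return [f for f in findings(report) if f["id"] not in accepted]


if __name__ == "__main__":
    bad = unaccepted(json.load(sys.stdin))
    for f in bad:
        print(f"{f['kind']}: {f['package']} {f['version']} ({f['id']})")
    sys.exit(1 if bad else 0)
```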
Looks good, thanks
This PR updates the rust dependencies found in `third_party/rust` to solve determinism and security issues. Primarily due to the usage of outdated versions of `mdbook` (due to patching) and the unused `rust-crypto` crate, we had a lot of transitive dependencies with security advisories / vulnerabilities. There is also a separate commit for directly pulling in updates to the `rustix` and `object` crates which had build determinism issues (see commit message). It might be nice to do a more general `cargo update`, but I'm conservatively updating only what is necessary for now as I was running into build issues in CI that presumably need fixes. See the commit messages for more details.