
osv-scanner results #2799

Open
jayvdb opened this issue Nov 13, 2023 · 4 comments

Comments

@jayvdb
Contributor

jayvdb commented Nov 13, 2023

Bug Report

Version

master right now 91ca0e0

> rustup run stable cargo tree | grep tracing
tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing)
├── tracing-attributes v0.2.0 (proc-macro) (/home/jayvdb/rust/tracing/tracing-attributes)
│   ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
│   ├── tracing-mock v0.2.0 (/home/jayvdb/rust/tracing/tracing-mock)
│   │   ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
│   │   ├── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core)
│   │   └── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber)
│   │       ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
│   │       ├── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
│   │       └── tracing-log v0.2.0 (/home/jayvdb/rust/tracing/tracing-log)
│   │           └── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
│   │           └── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
│   │       ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
│   │       ├── tracing-futures v0.3.0 (/home/jayvdb/rust/tracing/tracing-futures)
│   │       │   └── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
│   │       │   ├── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
│   │       │   ├── tracing-mock v0.2.0 (/home/jayvdb/rust/tracing/tracing-mock) (*)
│   │       │   └── tracing-test v0.1.0 (/home/jayvdb/rust/tracing/tracing-test)
│   │       ├── tracing-log v0.2.0 (/home/jayvdb/rust/tracing/tracing-log) (*)
│   │       └── tracing-mock v0.2.0 (/home/jayvdb/rust/tracing/tracing-mock) (*)
│   ├── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
│   ├── tracing-test v0.1.0 (/home/jayvdb/rust/tracing/tracing-test) (*)
└── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
└── tracing-mock v0.2.0 (/home/jayvdb/rust/tracing/tracing-mock) (*)
tracing-appender v0.2.0 (/home/jayvdb/rust/tracing/tracing-appender)
└── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber)
    ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
    ├── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
    ├── tracing-log v0.2.0 (/home/jayvdb/rust/tracing/tracing-log)
    │   └── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
    │   └── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
    └── tracing-serde v0.2.0 (/home/jayvdb/rust/tracing/tracing-serde)
        └── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
    ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
    ├── tracing-futures v0.3.0 (/home/jayvdb/rust/tracing/tracing-futures)
    │   └── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
    │   ├── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
    │   ├── tracing-mock v0.2.0 (/home/jayvdb/rust/tracing/tracing-mock) (*)
    │   └── tracing-test v0.1.0 (/home/jayvdb/rust/tracing/tracing-test) (*)
    ├── tracing-log v0.2.0 (/home/jayvdb/rust/tracing/tracing-log) (*)
    └── tracing-mock v0.2.0 (/home/jayvdb/rust/tracing/tracing-mock) (*)
└── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
tracing-attributes v0.2.0 (proc-macro) (/home/jayvdb/rust/tracing/tracing-attributes) (*)
tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
tracing-error v0.2.0 (/home/jayvdb/rust/tracing/tracing-error)
├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
└── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
tracing-examples v0.0.0 (/home/jayvdb/rust/tracing/examples)
│   │   │   └── tracing v0.1.40
│   │   │       └── tracing-core v0.1.32
│   │   └── tracing v0.1.40 (*)
│   ├── tracing v0.1.40 (*)
│   └── tracing v0.1.40 (*)
├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
├── tracing-appender v0.2.0 (/home/jayvdb/rust/tracing/tracing-appender) (*)
├── tracing-attributes v0.2.0 (proc-macro) (/home/jayvdb/rust/tracing/tracing-attributes) (*)
├── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
├── tracing-error v0.2.0 (/home/jayvdb/rust/tracing/tracing-error) (*)
├── tracing-flame v0.2.0 (/home/jayvdb/rust/tracing/tracing-flame)
│   ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
│   └── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
├── tracing-futures v0.3.0 (/home/jayvdb/rust/tracing/tracing-futures) (*)
├── tracing-journald v0.2.0 (/home/jayvdb/rust/tracing/tracing-journald)
│   ├── tracing-core v0.2.0 (/home/jayvdb/rust/tracing/tracing-core) (*)
│   └── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
│   └── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
├── tracing-log v0.2.0 (/home/jayvdb/rust/tracing/tracing-log) (*)
├── tracing-serde v0.2.0 (/home/jayvdb/rust/tracing/tracing-serde) (*)
├── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
└── tracing-tower v0.1.0 (/home/jayvdb/rust/tracing/tracing-tower)
    ├── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
    └── tracing-futures v0.3.0 (/home/jayvdb/rust/tracing/tracing-futures) (*)
tracing-flame v0.2.0 (/home/jayvdb/rust/tracing/tracing-flame) (*)
tracing-futures v0.3.0 (/home/jayvdb/rust/tracing/tracing-futures) (*)
tracing-futures v0.3.0 (/home/jayvdb/rust/tracing/tracing-futures) (*)
tracing-journald v0.2.0 (/home/jayvdb/rust/tracing/tracing-journald) (*)
tracing-log v0.2.0 (/home/jayvdb/rust/tracing/tracing-log) (*)
tracing-log v0.2.0 (/home/jayvdb/rust/tracing/tracing-log) (*)
tracing-macros v0.1.0 (/home/jayvdb/rust/tracing/tracing-macros)
└── tracing v0.2.0 (/home/jayvdb/rust/tracing/tracing) (*)
└── tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
tracing-mock v0.2.0 (/home/jayvdb/rust/tracing/tracing-mock) (*)
tracing-serde v0.2.0 (/home/jayvdb/rust/tracing/tracing-serde) (*)
tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
tracing-subscriber v0.3.0 (/home/jayvdb/rust/tracing/tracing-subscriber) (*)
tracing-test v0.1.0 (/home/jayvdb/rust/tracing/tracing-test) (*)
tracing-tower v0.1.0 (/home/jayvdb/rust/tracing/tracing-tower) (*)

Platform

Linux 192-168-1-102.tpgi.com.au 6.5.9-1-default #1 SMP PREEMPT_DYNAMIC Wed Oct 25 10:31:37 UTC 2023 (29edc7c) x86_64 x86_64 x86_64 GNU/Linux

Crates

I believe the main problem is in tracing-futures.

Description

Some of these are mentioned in other issues, but I couldn't find a few.

This report uses https://github.com/google/osv-scanner

~/rust/tracing> osv-scanner --lockfile Cargo.lock 
Scanned /home/jayvdb/rust/tracing/Cargo.lock file and found 280 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────────┬─────────┬────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE         │ VERSION │ SOURCE     │
├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────┤
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │ crates.io │ atty            │ 0.2.14  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0145   │      │           │                 │         │            │
│ https://osv.dev/GHSA-qc84-gqf4-9926 │ 8.1  │ crates.io │ crossbeam-utils │ 0.7.2   │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2022-0041   │      │           │                 │         │            │
│ https://osv.dev/GHSA-5wg8-7c9q-794v │ 5.5  │ crates.io │ lock_api        │ 0.3.4   │ Cargo.lock │
│ https://osv.dev/GHSA-gmv4-vmx3-x9f3 │      │           │                 │         │            │
│ https://osv.dev/GHSA-hj9h-wrgg-hgmx │      │           │                 │         │            │
│ https://osv.dev/GHSA-ppj3-7jw3-8vc4 │      │           │                 │         │            │
│ https://osv.dev/GHSA-vh4p-6j7g-f4j9 │      │           │                 │         │            │
│ https://osv.dev/RUSTSEC-2020-0070   │      │           │                 │         │            │
│ https://osv.dev/GHSA-wfg4-322g-9vqv │      │ crates.io │ memoffset       │ 0.5.6   │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2023-0045   │      │           │                 │         │            │
│ https://osv.dev/RUSTSEC-2020-0016   │      │ crates.io │ net2            │ 0.2.39  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0127   │      │ crates.io │ serde_cbor      │ 0.11.2  │ Cargo.lock │
│ https://osv.dev/GHSA-fg7r-2g4j-5cgr │ 8.1  │ crates.io │ tokio           │ 0.1.22  │ Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0124   │      │           │                 │         │            │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────┴─────────┴────────────╯

This affects other crates which want to use the relevant features, e.g. geofmureithi/apalis#203

@jayvdb
Contributor Author

jayvdb commented Nov 13, 2023

Note: osv-scanner includes dev-dependencies found in the lock file, i.e. google/osv-scanner#332

So this might be more useful:

~/rust/tracing> rustup run stable cargo deny check advisories 2>&1 | grep warning
warning[unsound]: memoffset allows reading uninitialized memory
warning[unmaintained]: serde_cbor is unmaintained
warning[unsound]: Potential unaligned read
warning[unsound]: Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
warning[unmaintained]: `net2` crate has been deprecated; use `socket2` instead

@jayvdb
Contributor Author

jayvdb commented Nov 13, 2023

The note in https://github.com/tokio-rs/tracing/blob/master/.cargo/audit.toml explains why tokio 0.1 is ending up in those results, but ...

a) why is tokio 0.1 ending up in https://github.com/geofmureithi/apalis , c.f. geofmureithi/apalis#203
b) why does cargo audit fail...

~/rust/tracing> rustup run stable cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 578 security advisories (from /home/jayvdb/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (280 crate dependencies)
Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22
└── tracing-futures 0.3.0
...

@hawkw
Member

hawkw commented Nov 13, 2023

tracing-futures depends on tokio 0.1 because that crate includes support for instrumenting types provided by tokio v0.1.x and v0.2.x. We cannot fix any advisories for those tokio dependencies without removing that support for tracing-futures.

In fact, that's the main difference between tracing-futures and the version of the Instrument extension trait provided by the tracing crate. If you're not using outdated tokio versions from the v0.1.x or v0.2.x releases, you probably don't need to be using tracing-futures at all, and you should instead use the core tracing crate's instrument module. We should probably deprecate that crate entirely, and remove it from the repo.

Regarding:

a) why is tokio 0.1 ending up in https://github.com/geofmureithi/apalis , c.f. geofmureithi/apalis#203

It looks like apalis-core is explicitly enabling the tracing-futures crate's tokio feature flag, which enables the dependency on tokio v0.1. However, apalis-core is using the current release version of tokio, v1.x, so it does not actually need that feature flag at all: the feature just enables trait implementations for tokio v0.1.x types, which apalis-core is not using.

apalis-core can either remove that feature flag from its tracing-futures dependency, or remove the tracing-futures crate entirely and use the tracing crate's Instrument trait instead (which would be my suggested solution).
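As an added illustration (not from this issue or from either project's manifests), here is the dependency shape hawkw describes and the fix, as a Cargo.toml fragment. The version requirements are assumptions: tokio 1.x and tracing 0.1 appear on this page, while "0.2" for tracing-futures assumes the released 0.2 line whose `tokio` feature maps to `tokio_01`.

```toml
# Constructed example of a downstream crate's manifest, not apalis-core's real Cargo.toml.
[dependencies]
# The crate itself only uses the current tokio release line.
tokio = { version = "1", features = ["full"] }
tracing = "0.1"

# Weak setting: the `tokio` feature of tracing-futures is an alias for `tokio_01`,
# so this single line pulls tokio 0.1.x (and its RUSTSEC advisories) into Cargo.lock
# even though none of the tokio 0.1 trait impls are ever used.
# tracing-futures = { version = "0.2", features = ["tokio"] }

# Corrected setting: drop tracing-futures entirely. The `tracing` crate already
# provides the `Instrument` extension trait, so call sites become
#     use tracing::Instrument;
#     some_future.instrument(tracing::info_span!("job")).await;
# and no tokio 0.1/0.2 dependency is introduced.
```

To confirm which dependency introduces the old runtime before and after the change, `cargo tree -i tokio@0.1.22` prints the inverted dependency path from tokio 0.1 up to the crate (and feature) that enables it.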

@jayvdb
Contributor Author

jayvdb commented Nov 13, 2023

Thank you so much.
I had missed this line of the tracing-futures feature matrix.

tokio = ["tokio_01"]

I am guessing the feature name tokio is needed for backwards compatibility.

I've created #2802 to make this clearer.

Also #2800 about the cargo audit problem.
