diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 570c281..345d81d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ concurrency: jobs: rust: - uses: resq-software/.github/.github/workflows/rust-ci.yml@f4b51a620aa1bf89c0bce4f434b36f92ff7d517d + uses: resq-software/.github/.github/workflows/rust-ci.yml@40fa987f5bc78d7569b9b76274f24d032ac0d7c8 with: toolchain: stable run-fmt: true diff --git a/Cargo.lock b/Cargo.lock index 9dc1f90..a08bd99 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -152,7 +152,7 @@ dependencies = [ "crossbeam-channel", "log", "lz4", - "rand 0.8.5", + "rand 0.8.6", "regex", "semver", "solana-accounts-db", @@ -589,7 +589,7 @@ dependencies = [ "fastbloom", "getrandom 0.3.4", "lru-slab", - "rand 0.9.2", + "rand 0.9.3", "ring", "rustc-hash", "rustls", @@ -853,7 +853,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94893f1e0c6eeab764ade8dc4c0db24caf4fe7cbbaafc0eba0a9030f447b5185" dependencies = [ "num-traits", - "rand 0.8.5", + "rand 0.8.6", ] [[package]] @@ -863,7 +863,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "246a225cc6131e9ee4f24619af0f19d67761fff15d7ccc22e42b80846e69449a" dependencies = [ "num-traits", - "rand 0.8.5", + "rand 0.8.6", ] [[package]] @@ -2051,7 +2051,7 @@ checksum = "4e7f34442dbe69c60fe8eaf58a8cafff81a1f278816d8ab4db255b3bef4ac3c4" dependencies = [ "getrandom 0.3.4", "libm", - "rand 0.9.2", + "rand 0.9.3", "siphasher 1.0.2", ] @@ -2379,7 +2379,7 @@ dependencies = [ "parking_lot", "portable-atomic", "quanta", - "rand 0.8.5", + "rand 0.8.6", "smallvec", "spinning_top", ] @@ -2391,7 +2391,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" dependencies = [ "ff", - "rand 0.8.5", + "rand 0.8.6", "rand_core 0.6.4", "rand_xorshift", "subtle", 
@@ -3570,7 +3570,7 @@ dependencies = [ "lazy_static", "percent-encoding", "pin-project", - "rand 0.8.5", + "rand 0.8.6", "thiserror 1.0.69", ] @@ -3905,7 +3905,7 @@ dependencies = [ "bytes", "getrandom 0.3.4", "lru-slab", - "rand 0.9.2", + "rand 0.9.3", "ring", "rustc-hash", "rustls", @@ -3973,9 +3973,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "libc", "rand_chacha 0.3.1", @@ -3984,9 +3984,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.9.2" +version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" +checksum = "7ec095654a25171c2124e9e3393a930bddbffdc939556c914957a4c3e0a87166" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.5", @@ -4378,9 +4378,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f" [[package]] name = "rustls-webpki" -version = "0.103.10" +version = "0.103.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef" +checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06" dependencies = [ "ring", "rustls-pki-types", @@ -4861,7 +4861,7 @@ dependencies = [ "modular-bitfield", "num_cpus", "num_enum", - "rand 0.8.5", + "rand 0.8.6", "rayon", "seqlock", "serde", @@ -4918,7 +4918,7 @@ dependencies = [ "curve25519-dalek 4.1.3", "five8", "five8_const", - "rand 0.9.2", + "rand 0.9.3", "serde", "serde_derive", "sha2-const-stable", @@ -5082,7 +5082,7 @@ dependencies = [ "ff", "group", "pairing", - "rand 0.8.5", + "rand 0.8.6", "serde", "serde_json", "serde_with", 
@@ -5157,7 +5157,7 @@ dependencies = [ "memmap2 0.9.10", "modular-bitfield", "num_enum", - "rand 0.8.5", + "rand 0.8.6", "solana-clock", "solana-measure", "solana-pubkey 3.0.0", @@ -5385,7 +5385,7 @@ dependencies = [ "futures-util", "indexmap", "log", - "rand 0.8.5", + "rand 0.8.6", "rayon", "solana-keypair", "solana-measure", @@ -5770,7 +5770,7 @@ dependencies = [ "ed25519-dalek-bip32", "five8", "five8_core", - "rand 0.9.2", + "rand 0.9.3", "solana-address 2.3.0", "solana-derivation-path", "solana-seed-derivable", @@ -5949,7 +5949,7 @@ dependencies = [ "itertools 0.12.1", "log", "nix", - "rand 0.8.5", + "rand 0.8.6", "serde", "socket2", "solana-serde", @@ -6037,7 +6037,7 @@ dependencies = [ "libc", "log", "nix", - "rand 0.8.5", + "rand 0.8.6", "rayon", "serde", "solana-hash 3.1.0", @@ -6218,7 +6218,7 @@ dependencies = [ "itertools 0.12.1", "log", "percentage", - "rand 0.8.5", + "rand 0.8.6", "serde", "solana-account 3.4.0", "solana-account-info", @@ -6322,7 +6322,7 @@ version = "3.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8909d399deb0851aa524420beeb5646b115fd253ef446e35fe4504c904da3941" dependencies = [ - "rand 0.8.5", + "rand 0.8.6", "solana-address 1.1.0", ] @@ -6332,7 +6332,7 @@ version = "4.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b06bd918d60111ee1f97de817113e2040ca0cedb740099ee8d646233f6b906c" dependencies = [ - "rand 0.9.2", + "rand 0.9.3", "solana-address 2.3.0", ] @@ -6593,7 +6593,7 @@ dependencies = [ "num_enum", "percentage", "qualifier_attr", - "rand 0.8.5", + "rand 0.8.6", "rayon", "regex", "semver", @@ -6728,7 +6728,7 @@ dependencies = [ "hash32", "libc", "log", - "rand 0.8.5", + "rand 0.8.6", "rustc-demangle", "thiserror 2.0.18", "winapi", @@ -6946,7 +6946,7 @@ checksum = "132a93134f1262aa832f1849b83bec6c9945669b866da18661a427943b9e801e" dependencies = [ "ed25519-dalek 2.2.0", "five8", - "rand 0.9.2", + "rand 0.9.3", "serde", "serde-big-array", "serde_derive", 
@@ -7044,7 +7044,7 @@ dependencies = [ "num_cpus", "pem", "percentage", - "rand 0.8.5", + "rand 0.8.6", "rustls", "smallvec", "socket2", @@ -7175,7 +7175,7 @@ version = "3.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "51b2ea7c2f849cd6d190e2607c2af779d3dad2792784cc13c0e9342e429c87a1" dependencies = [ - "rand 0.8.5", + "rand 0.8.6", ] [[package]] @@ -7487,7 +7487,7 @@ dependencies = [ "base64 0.22.1", "bincode", "log", - "rand 0.8.5", + "rand 0.8.6", "solana-packet", "solana-perf", "solana-short-vec", @@ -7555,7 +7555,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "17a9c5d23a31d8f34aac59812099c9d8d76203a447d04b65824f5c913ced9072" dependencies = [ "agave-feature-set", - "rand 0.8.5", + "rand 0.8.6", "semver", "serde", "solana-sanitize", @@ -7682,7 +7682,7 @@ dependencies = [ "merlin", "num-derive", "num-traits", - "rand 0.8.5", + "rand 0.8.6", "serde", "serde_derive", "serde_json", @@ -7734,7 +7734,7 @@ dependencies = [ "merlin", "num-derive", "num-traits", - "rand 0.8.5", + "rand 0.8.6", "serde", "serde_json", "sha3", @@ -8105,7 +8105,7 @@ dependencies = [ "humantime", "opentelemetry", "pin-project", - "rand 0.8.5", + "rand 0.8.6", "serde", "static_assertions", "tarpc-plugins", @@ -8566,7 +8566,7 @@ dependencies = [ "http 1.4.0", "httparse", "log", - "rand 0.9.2", + "rand 0.9.3", "rustls", "rustls-pki-types", "sha1", diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 0000000..0a293e0 --- /dev/null +++ b/osv-scanner.toml 
@@ -0,0 +1,58 @@
+# OSV-Scanner configuration for resq-software/programs.
+#
+# Each [[IgnoredVulns]] block carries a rationale for why the advisory cannot
+# be fixed in this workspace today. Revisit on any Solana / Anchor major bump.
+#
+# Format: https://google.github.io/osv-scanner/configuration/
+# Note: OSV-Scanner v2 expects PascalCase keys (IgnoredVulns); snake_case is rejected.
+
+# ── Unmaintained-crate advisories (informational, no known exploit) ──────────
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0141"
+# bincode 1.3.3 is unmaintained; bincode 2.x is available but breaks the
+# Anchor 1.0.0-rc.2 serialization API. Blocked on Anchor upstream migration.
+reason = "bincode 1.x transitive via anchor-lang; await upstream Anchor bump to bincode 2.x"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0388"
+# derivative is unmaintained. Transitive via anchor-lang's macro machinery.
+reason = "derivative 2.2.0 transitive via anchor-lang; await upstream migration to derive-more or similar"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0436"
+# paste is unmaintained. Transitive via anchor-lang macros.
+reason = "paste 1.0.15 transitive via anchor-lang macros; await upstream migration"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0161"
+# libsecp256k1 0.6.0 is effectively frozen; Solana pins this version.
+reason = "libsecp256k1 0.6.0 transitive via solana-* crates; fix requires upstream Solana bump"
+
+# ── Old dalek / rand pins (transitive via Solana; on-chain BPF unaffected) ───
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0344"
+# curve25519-dalek 3.2.0 has a timing side channel in Scalar::from_canonical_bytes.
+# Pinned by solana-zk-token-sdk and older solana-program versions which we pull
+# transitively. On-chain BPF code does not execute this crate (programs verify
+# via syscalls, not userspace dalek). Risk is confined to host-side tests.
+reason = "curve25519-dalek 3.2.0 transitive via solana-zk-token-sdk; on-chain BPF unaffected; await upstream Solana bump to dalek 4.x across the stack"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2022-0093"
+# ed25519-dalek 1.0.1 has a signature-oracle vulnerability in specific API misuse
+# patterns. Programs in this workspace never call ed25519-dalek directly; it comes
+# in via vendored solana-program-test (a dev-dependency only).
+reason = "ed25519-dalek 1.0.1 transitive via vendored solana-program-test (dev-dep only); on-chain programs do not call dalek directly"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0097"
+# rand 0.7.3 is unsound when rand::rng() is called with a custom logger installed.
+# We pin rand 0.7.3 only transitively via old solana-* deps. No workspace code uses
+# custom loggers with rand; the 0.8.x and 0.9.x pins are already on fixed versions.
+reason = "rand 0.7.3 transitive via solana-* deps; fixed versions (0.8.6, 0.9.3) already pinned for first-order users; no custom-logger code paths"
+
+# Vendor-only advisories live in vendor/solana-program-test/osv-scanner.toml.
+# OSV-scanner treats each discovered lockfile directory as its own scan-config
+# scope, so vendor entries here would be reported as "unused ignores".
diff --git a/vendor/solana-program-test/osv-scanner.toml b/vendor/solana-program-test/osv-scanner.toml
new file mode 100644
index 0000000..9eda678
--- /dev/null
+++ b/vendor/solana-program-test/osv-scanner.toml
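Review bot: None of the seven [[IgnoredVulns]] entries carries an expiry, so the header's "Revisit on any Solana / Anchor major bump" depends entirely on someone remembering; OSV-Scanner's config supports an optional `ignoreUntil` local date per entry, after which the advisory is reported again. Adding `ignoreUntil = <review-date>` (placeholder — a real TOML local date such as the next planned Solana/Anchor bump) under each `id` makes the suppression self-expiring, which matters most for RUSTSEC-2024-0344 and RUSTSEC-2022-0093, which are actual vulnerabilities rather than unmaintained-crate notices. The same applies to every entry in vendor/solana-program-test/osv-scanner.toml in this commit. One wording nit: the RUSTSEC-2026-0097 comment refers to `rand::rng()`, which is the 0.9 name of the thread-local RNG accessor; if the advisory concerns 0.7.3 the affected call is presumably `thread_rng()`, so the comment is worth checking against the advisory text so the rationale matches what is actually pinned.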
@@ -0,0 +1,93 @@
+# OSV-Scanner config for the vendored solana-program-test lockfile.
+#
+# This file is picked up when osv-scanner scans the directory as its own
+# project (it discovers Cargo.lock and looks for `osv-scanner.toml` in the
+# same dir). Root-level config at the repo root does NOT propagate here —
+# each lockfile is its own scan project.
+#
+# `solana-program-test` is a vendored copy of upstream Solana's test
+# harness, consumed only as a dev-dependency from the workspace root.
+# On-chain program bytecode ships none of this. Every advisory below is
+# ignored with a reason; re-vendor from a newer Solana release to clear.
+#
+# Format: https://google.github.io/osv-scanner/configuration/
+# Note: OSV-Scanner v2 expects PascalCase keys (IgnoredVulns); snake_case
+# is rejected (checked against v2.3.5).
+
+# ── Same advisories as the root config, re-declared here for this scan ──────
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0141"
+reason = "bincode 1.x — dev-only in vendored solana-program-test; await upstream Anchor/Solana bump to bincode 2.x"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0388"
+reason = "derivative 2.2.0 — dev-only in vendored solana-program-test; await upstream migration"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0436"
+reason = "paste 1.0.9 — dev-only in vendored solana-program-test; unmaintained crate"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0161"
+reason = "libsecp256k1 0.6.0 — dev-only in vendored solana-program-test; solana-* frozen pin"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0344"
+reason = "curve25519-dalek 3.2.0 — dev-only in vendored solana-program-test; on-chain BPF unaffected"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2022-0093"
+reason = "ed25519-dalek 1.0.1 — dev-only in vendored solana-program-test; on-chain programs do not call dalek directly"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0097"
+reason = "rand 0.7.3 / 0.8.5 / 0.9.0 — dev-only in vendored solana-program-test; no custom-logger code paths"
+
+# ── Advisories unique to this vendored lockfile ─────────────────────────────
+# (fixed upstream in the main workspace but still pinned in this older vendor
+# of solana-program-test; safe because the vendor is dev-only)
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0056"
+reason = "adler 1.0.2 unmaintained — dev-only; await Solana adler2 migration"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0007"
+reason = "bytes 1.10.1 — dev-only; main workspace already on 1.11.1"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0012"
+reason = "keccak 0.1.5 — dev-only; main workspace already on 0.1.6"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0370"
+reason = "proc-macro-error 1.0.4 — dev-only; unmaintained; upstream replacement is proc-macro-error2"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0037"
+reason = "quinn-proto 0.11.13 — dev-only; main workspace already on 0.11.14; on-chain programs never execute quinn"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0049"
+reason = "rustls-webpki 0.103.6 — dev-only; main workspace already on 0.103.12"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0098"
+reason = "rustls-webpki 0.103.6 — dev-only; main workspace already on 0.103.12"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0099"
+reason = "rustls-webpki 0.103.6 — dev-only; main workspace already on 0.103.12"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0067"
+reason = "tar 0.4.44 — dev-only test harness; no user-controlled archives"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0068"
+reason = "tar 0.4.44 — dev-only test harness; no user-controlled archives"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0009"
+reason = "time 0.3.9 — dev-only; await upstream Solana bump"
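Review bot: Several of the "unique to this vendored lockfile" ignores suppress advisories whose fix is an ordinary patch-level bump of a transitive crate (bytes, keccak, quinn-proto, the three rustls-webpki entries, tar, time) rather than anything tied to the vendored harness source, and this commit's own Cargo.lock hunk shows the root workspace already moving rustls-webpki to 0.103.12. If the vendored directory's Cargo.lock can be updated in place (`cargo update -p rustls-webpki` and the like, run inside vendor/solana-program-test), those entries could be removed instead of ignored, leaving only the unmaintained-crate and Solana-pinned ones. The "no user-controlled archives" rationale on the two tar entries is an assumption about test inputs that nothing in the config can check; naming the harness code path that unpacks archives would let a reader verify it. I cannot tell from this diff whether the vendored lockfile is meant to stay byte-identical to upstream; if so the ignores are the right call, and a header comment saying so would pre-empt the question.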