From 24b7e2151b1af28e93fa473eb60fbff7086aad25 Mon Sep 17 00:00:00 2001 From: Mike Odnis Date: Sun, 19 Apr 2026 01:32:20 -0400 Subject: [PATCH 1/4] =?UTF-8?q?chore(security):=20triage=20Cargo=20OSV=20a?= =?UTF-8?q?dvisories=20=E2=80=94=206=20fixed,=207=20documented?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Split the programs OSV findings into two buckets: **Fixed by `cargo update --precise`** (no API changes, workspace still builds): - rand 0.8.5 -> 0.8.6 RUSTSEC-2026-0097 - rand 0.9.2 -> 0.9.3 RUSTSEC-2026-0097 - rustls-webpki 0.103.10 -> 0.103.12 RUSTSEC-2026-0098/0099 - quinn-proto 0.11.13 -> 0.11.14 RUSTSEC-2026-0037 (free) - keccak 0.1.5 -> 0.1.6 RUSTSEC-2026-0012 (free) - bytes 1.10.1 -> 1.11.1 RUSTSEC-2026-0007 (free) **Ignored in osv-scanner.toml with rationale** — all transitive through Solana/Anchor core, blocked on upstream bumps we don't control: - RUSTSEC-2025-0141 bincode 1.3.3 (unmaintained; anchor-lang 1.x ABI) - RUSTSEC-2024-0388 derivative 2.2.0 (unmaintained; anchor macros) - RUSTSEC-2024-0436 paste 1.0.15 (unmaintained; anchor macros) - RUSTSEC-2025-0161 libsecp256k1 0.6 (solana-* frozen pin) - RUSTSEC-2024-0344 curve25519-dalek 3.2.0 (transitive; on-chain BPF unaffected) - RUSTSEC-2022-0093 ed25519-dalek 1.0.1 (dev-dep only via vendored solana-program-test) - RUSTSEC-2026-0097 rand 0.7.3 (transitive; no custom-logger code paths) Each entry documents why and what unblocks removal (e.g. "await Anchor upstream bump to bincode 2.x"). Revisit on every Solana / Anchor major release. `cargo check --workspace` green. --- Cargo.lock | 74 ++++++++++++++++++++++++------------------------ osv-scanner.toml | 53 ++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 37 deletions(-) create mode 100644 osv-scanner.toml diff --git a/Cargo.lock b/Cargo.lock index 9dc1f90..a08bd99 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -152,7 +152,7 @@ dependencies = [ "crossbeam-channel", "log", "lz4", - "rand 0.8.5", + "rand 0.8.6", "regex", "semver", "solana-accounts-db", @@ -589,7 +589,7 @@ dependencies = [ "fastbloom", "getrandom 0.3.4", "lru-slab", - "rand 0.9.2", + "rand 0.9.3", "ring", "rustc-hash", "rustls", @@ -853,7 +853,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94893f1e0c6eeab764ade8dc4c0db24caf4fe7cbbaafc0eba0a9030f447b5185" dependencies = [ "num-traits", - "rand 0.8.5", + "rand 0.8.6", ] [[package]] @@ -863,7 +863,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "246a225cc6131e9ee4f24619af0f19d67761fff15d7ccc22e42b80846e69449a" dependencies = [ "num-traits", - "rand 0.8.5", + "rand 0.8.6", ] [[package]] @@ -2051,7 +2051,7 @@ checksum = "4e7f34442dbe69c60fe8eaf58a8cafff81a1f278816d8ab4db255b3bef4ac3c4" dependencies = [ "getrandom 0.3.4", "libm", - "rand 0.9.2", + "rand 0.9.3", "siphasher 1.0.2", ] @@ -2379,7 +2379,7 @@ dependencies = [ "parking_lot", "portable-atomic", "quanta", - "rand 0.8.5", + "rand 0.8.6", "smallvec", "spinning_top", ] @@ -2391,7 +2391,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" dependencies = [ "ff", - "rand 0.8.5", + "rand 0.8.6", "rand_core 0.6.4", "rand_xorshift", "subtle", @@ -3570,7 +3570,7 @@ dependencies = [ "lazy_static", "percent-encoding", "pin-project", - "rand 0.8.5", + "rand 0.8.6", "thiserror 1.0.69", ] @@ -3905,7 +3905,7 @@ dependencies = [ "bytes", "getrandom 0.3.4", "lru-slab", - "rand 0.9.2", + "rand 0.9.3", "ring", "rustc-hash", "rustls", 
@@ -3973,9 +3973,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "libc", "rand_chacha 0.3.1", @@ -3984,9 +3984,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.9.2" +version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" +checksum = "7ec095654a25171c2124e9e3393a930bddbffdc939556c914957a4c3e0a87166" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.5", @@ -4378,9 +4378,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f" [[package]] name = "rustls-webpki" -version = "0.103.10" +version = "0.103.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef" +checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06" dependencies = [ "ring", "rustls-pki-types", @@ -4861,7 +4861,7 @@ dependencies = [ "modular-bitfield", "num_cpus", "num_enum", - "rand 0.8.5", + "rand 0.8.6", "rayon", "seqlock", "serde", @@ -4918,7 +4918,7 @@ dependencies = [ "curve25519-dalek 4.1.3", "five8", "five8_const", - "rand 0.9.2", + "rand 0.9.3", "serde", "serde_derive", "sha2-const-stable", @@ -5082,7 +5082,7 @@ dependencies = [ "ff", "group", "pairing", - "rand 0.8.5", + "rand 0.8.6", "serde", "serde_json", "serde_with", @@ -5157,7 +5157,7 @@ dependencies = [ "memmap2 0.9.10", "modular-bitfield", "num_enum", - "rand 0.8.5", + "rand 0.8.6", "solana-clock", "solana-measure", "solana-pubkey 3.0.0", @@ -5385,7 +5385,7 @@ dependencies = [ "futures-util", "indexmap", "log", - "rand 0.8.5", + "rand 0.8.6", "rayon", "solana-keypair", "solana-measure", 
@@ -5770,7 +5770,7 @@ dependencies = [ "ed25519-dalek-bip32", "five8", "five8_core", - "rand 0.9.2", + "rand 0.9.3", "solana-address 2.3.0", "solana-derivation-path", "solana-seed-derivable", @@ -5949,7 +5949,7 @@ dependencies = [ "itertools 0.12.1", "log", "nix", - "rand 0.8.5", + "rand 0.8.6", "serde", "socket2", "solana-serde", @@ -6037,7 +6037,7 @@ dependencies = [ "libc", "log", "nix", - "rand 0.8.5", + "rand 0.8.6", "rayon", "serde", "solana-hash 3.1.0", @@ -6218,7 +6218,7 @@ dependencies = [ "itertools 0.12.1", "log", "percentage", - "rand 0.8.5", + "rand 0.8.6", "serde", "solana-account 3.4.0", "solana-account-info", @@ -6322,7 +6322,7 @@ version = "3.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8909d399deb0851aa524420beeb5646b115fd253ef446e35fe4504c904da3941" dependencies = [ - "rand 0.8.5", + "rand 0.8.6", "solana-address 1.1.0", ] @@ -6332,7 +6332,7 @@ version = "4.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b06bd918d60111ee1f97de817113e2040ca0cedb740099ee8d646233f6b906c" dependencies = [ - "rand 0.9.2", + "rand 0.9.3", "solana-address 2.3.0", ] @@ -6593,7 +6593,7 @@ dependencies = [ "num_enum", "percentage", "qualifier_attr", - "rand 0.8.5", + "rand 0.8.6", "rayon", "regex", "semver", @@ -6728,7 +6728,7 @@ dependencies = [ "hash32", "libc", "log", - "rand 0.8.5", + "rand 0.8.6", "rustc-demangle", "thiserror 2.0.18", "winapi", @@ -6946,7 +6946,7 @@ checksum = "132a93134f1262aa832f1849b83bec6c9945669b866da18661a427943b9e801e" dependencies = [ "ed25519-dalek 2.2.0", "five8", - "rand 0.9.2", + "rand 0.9.3", "serde", "serde-big-array", "serde_derive", @@ -7044,7 +7044,7 @@ dependencies = [ "num_cpus", "pem", "percentage", - "rand 0.8.5", + "rand 0.8.6", "rustls", "smallvec", "socket2", 
@@ -7175,7 +7175,7 @@ version = "3.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "51b2ea7c2f849cd6d190e2607c2af779d3dad2792784cc13c0e9342e429c87a1" dependencies = [ - "rand 0.8.5", + "rand 0.8.6", ] [[package]] @@ -7487,7 +7487,7 @@ dependencies = [ "base64 0.22.1", "bincode", "log", - "rand 0.8.5", + "rand 0.8.6", "solana-packet", "solana-perf", "solana-short-vec", @@ -7555,7 +7555,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "17a9c5d23a31d8f34aac59812099c9d8d76203a447d04b65824f5c913ced9072" dependencies = [ "agave-feature-set", - "rand 0.8.5", + "rand 0.8.6", "semver", "serde", "solana-sanitize", @@ -7682,7 +7682,7 @@ dependencies = [ "merlin", "num-derive", "num-traits", - "rand 0.8.5", + "rand 0.8.6", "serde", "serde_derive", "serde_json", @@ -7734,7 +7734,7 @@ dependencies = [ "merlin", "num-derive", "num-traits", - "rand 0.8.5", + "rand 0.8.6", "serde", "serde_json", "sha3", @@ -8105,7 +8105,7 @@ dependencies = [ "humantime", "opentelemetry", "pin-project", - "rand 0.8.5", + "rand 0.8.6", "serde", "static_assertions", "tarpc-plugins", @@ -8566,7 +8566,7 @@ dependencies = [ "http 1.4.0", "httparse", "log", - "rand 0.9.2", + "rand 0.9.3", "rustls", "rustls-pki-types", "sha1", diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 0000000..52e1829 --- /dev/null +++ b/osv-scanner.toml 
@@ -0,0 +1,53 @@
+# OSV-Scanner configuration for resq-software/programs.
+#
+# Each [[IgnoredVulns]] block carries a rationale for why the advisory cannot
+# be fixed in this workspace today. Revisit on any Solana / Anchor major bump.
+#
+# Format: https://google.github.io/osv-scanner/configuration/
+
+# ── Unmaintained-crate advisories (informational, no known exploit) ──────────
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0141"
+# bincode 1.3.3 is unmaintained; bincode 2.x is available but breaks the
+# Anchor 1.0.0-rc.2 serialization API. Blocked on Anchor upstream migration.
+reason = "bincode 1.x transitive via anchor-lang; await upstream Anchor bump to bincode 2.x"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0388"
+# derivative is unmaintained. Transitive via anchor-lang's macro machinery.
+reason = "derivative 2.2.0 transitive via anchor-lang; await upstream migration to derive-more or similar"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0436"
+# paste is unmaintained. Transitive via anchor-lang macros.
+reason = "paste 1.0.15 transitive via anchor-lang macros; await upstream migration"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0161"
+# libsecp256k1 0.6.0 is effectively frozen; Solana pins this version.
+reason = "libsecp256k1 0.6.0 transitive via solana-* crates; fix requires upstream Solana bump"
+
+# ── Old dalek / rand pins (transitive via Solana; on-chain BPF unaffected) ───
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0344"
+# curve25519-dalek 3.2.0 has a timing side channel in Scalar::from_canonical_bytes.
+# Pinned by solana-zk-token-sdk and older solana-program versions which we pull
+# transitively. On-chain BPF code does not execute this crate (programs verify
+# via syscalls, not userspace dalek). Risk is confined to host-side tests.
+reason = "curve25519-dalek 3.2.0 transitive via solana-zk-token-sdk; on-chain BPF unaffected; await upstream Solana bump to dalek 4.x across the stack"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2022-0093"
+# ed25519-dalek 1.0.1 has a signature-oracle vulnerability in specific API misuse
+# patterns. Programs in this workspace never call ed25519-dalek directly; it comes
+# in via vendored solana-program-test (a dev-dependency only).
+reason = "ed25519-dalek 1.0.1 transitive via vendored solana-program-test (dev-dep only); on-chain programs do not call dalek directly"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0097"
+# rand 0.7.3 is unsound when rand::rng() is called with a custom logger installed.
+# We pin rand 0.7.3 only transitively via old solana-* deps. No workspace code uses
+# custom loggers with rand; the 0.8.x and 0.9.x pins are already on fixed versions.
+reason = "rand 0.7.3 transitive via solana-* deps; fixed versions (0.8.6, 0.9.3) already pinned for first-order users; no custom-logger code paths"
From 4d0d9e78a920426ecdbf81da34cf7c5251df8071 Mon Sep 17 00:00:00 2001
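Review bot: The rand entry suppresses RUSTSEC-2026-0097 by advisory ID for the whole root lockfile, so if a later `cargo update` or a new transitive pin drags rand 0.8.5 or 0.9.2 back in, the scanner stays silent even though the reason text explicitly relies on 0.8.6/0.9.3 being the pinned versions. OSV-Scanner's `[[PackageOverrides]]` can scope a suppression to the one package/version that cannot be fixed (if the scanner version in use supports it), leaving the advisory live for every other rand pin in the lockfile. None of the seven entries carries an `ignoreUntil` date, so the header's "Revisit on any Solana / Anchor major bump" has nothing enforcing it; a dated expiry per entry turns a forgotten ignore into a red job instead of a permanent blind spot. The same ID-wide masking applies to the curve25519-dalek entry if a second, non-vendored path to dalek 3.x ever appears, so its reason should name the one dependency path it was checked against.

```toml
[[PackageOverrides]]
name = "rand"
version = "0.7.3"
ecosystem = "crates.io"
ignore = true
reason = "rand 0.7.3 transitive via solana-* deps; 0.8.x/0.9.x pins are on fixed versions and must stay scannable"
```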
From: Mike Odnis Date: Sun, 19 Apr 2026 01:42:55 -0400 Subject: [PATCH 2/4] fix(security): osv-scanner key snake_case + cover vendor/ advisories + bump rust-ci pin Resolves gemini's review and the failing `rust / Test` step. OSV-scanner config fixes: - Correct the top-level key from `[[IgnoredVulns]]` to `[[ignored_vulns]]`. OSV-scanner keys are snake_case and case-sensitive; the PascalCase form was silently ignored, leaving all 7 advisories unsuppressed on the last scan. Verified by re-running the scanner locally against this config. - Add 9 additional entries covering the vendor/solana-program-test advisories (adler, bytes, keccak, proc-macro-error, quinn-proto, rustls-webpki 0.103.6, tar x2, time). All dev-only; each entry notes that the main workspace is already on a fixed version where relevant (bytes 1.11.1, keccak 0.1.6, quinn-proto 0.11.14, rustls-webpki 0.103.12). rust-ci pin: - Bump the reusable `rust-ci.yml` reference from the stale `f4b51a620aa1bf89c0bce4f434b36f92ff7d517d` (whose pinned `taiki-e/install-action` SHA no longer resolves on GitHub, causing `Unable to resolve action` in 2s) to the current `.github/main` tip `40fa987f5bc78d7569b9b76274f24d032ac0d7c8`. Pre-existing org-wide issue unblocked by this line change. --- .github/workflows/ci.yml | 2 +- osv-scanner.toml | 70 +++++++++++++++++++++++++++++++++++----- 2 files changed, 63 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 570c281..345d81d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ concurrency: jobs: rust: - uses: resq-software/.github/.github/workflows/rust-ci.yml@f4b51a620aa1bf89c0bce4f434b36f92ff7d517d + uses: resq-software/.github/.github/workflows/rust-ci.yml@40fa987f5bc78d7569b9b76274f24d032ac0d7c8 with: toolchain: stable run-fmt: true diff --git a/osv-scanner.toml b/osv-scanner.toml index 52e1829..b5765a5 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml 
@@ -1,36 +1,37 @@
 # OSV-Scanner configuration for resq-software/programs.
 #
-# Each [[IgnoredVulns]] block carries a rationale for why the advisory cannot
+# Each [[ignored_vulns]] block carries a rationale for why the advisory cannot
 # be fixed in this workspace today. Revisit on any Solana / Anchor major bump.
 #
 # Format: https://google.github.io/osv-scanner/configuration/
+# Note: OSV-Scanner keys are snake_case and case-sensitive.
 
 # ── Unmaintained-crate advisories (informational, no known exploit) ──────────
 
-[[IgnoredVulns]]
+[[ignored_vulns]]
 id = "RUSTSEC-2025-0141"
 # bincode 1.3.3 is unmaintained; bincode 2.x is available but breaks the
 # Anchor 1.0.0-rc.2 serialization API. Blocked on Anchor upstream migration.
 reason = "bincode 1.x transitive via anchor-lang; await upstream Anchor bump to bincode 2.x"
 
-[[IgnoredVulns]]
+[[ignored_vulns]]
 id = "RUSTSEC-2024-0388"
 # derivative is unmaintained. Transitive via anchor-lang's macro machinery.
 reason = "derivative 2.2.0 transitive via anchor-lang; await upstream migration to derive-more or similar"
 
-[[IgnoredVulns]]
+[[ignored_vulns]]
 id = "RUSTSEC-2024-0436"
 # paste is unmaintained. Transitive via anchor-lang macros.
 reason = "paste 1.0.15 transitive via anchor-lang macros; await upstream migration"
 
-[[IgnoredVulns]]
+[[ignored_vulns]]
 id = "RUSTSEC-2025-0161"
 # libsecp256k1 0.6.0 is effectively frozen; Solana pins this version.
 reason = "libsecp256k1 0.6.0 transitive via solana-* crates; fix requires upstream Solana bump"
 
 # ── Old dalek / rand pins (transitive via Solana; on-chain BPF unaffected) ───
 
-[[IgnoredVulns]]
+[[ignored_vulns]]
 id = "RUSTSEC-2024-0344"
 # curve25519-dalek 3.2.0 has a timing side channel in Scalar::from_canonical_bytes.
 # Pinned by solana-zk-token-sdk and older solana-program versions which we pull
@@ -38,16 +39,69 @@ id = "RUSTSEC-2024-0344"
 # via syscalls, not userspace dalek). Risk is confined to host-side tests.
 reason = "curve25519-dalek 3.2.0 transitive via solana-zk-token-sdk; on-chain BPF unaffected; await upstream Solana bump to dalek 4.x across the stack"
 
-[[IgnoredVulns]]
+[[ignored_vulns]]
 id = "RUSTSEC-2022-0093"
 # ed25519-dalek 1.0.1 has a signature-oracle vulnerability in specific API misuse
 # patterns. Programs in this workspace never call ed25519-dalek directly; it comes
 # in via vendored solana-program-test (a dev-dependency only).
 reason = "ed25519-dalek 1.0.1 transitive via vendored solana-program-test (dev-dep only); on-chain programs do not call dalek directly"
 
-[[IgnoredVulns]]
+[[ignored_vulns]]
 id = "RUSTSEC-2026-0097"
 # rand 0.7.3 is unsound when rand::rng() is called with a custom logger installed.
 # We pin rand 0.7.3 only transitively via old solana-* deps. No workspace code uses
 # custom loggers with rand; the 0.8.x and 0.9.x pins are already on fixed versions.
 reason = "rand 0.7.3 transitive via solana-* deps; fixed versions (0.8.6, 0.9.3) already pinned for first-order users; no custom-logger code paths"
+
+# ── vendor/solana-program-test advisories (dev-only; vendored dev-dependency) ─
+# All entries below come from vendor/solana-program-test/Cargo.lock — a vendored
+# copy of upstream Solana's test harness we pull in only as a dev-dependency.
+# On-chain program bytecode ships none of these. Fix requires re-vendoring from
+# a newer Solana release; see vendor/ in this repo for context.
+
+[[ignored_vulns]]
+id = "RUSTSEC-2025-0056"
+# adler 1.0.2 unmaintained — migration to adler2 hasn't propagated to Solana.
+reason = "adler 1.0.2 in vendor/solana-program-test (dev-only); await Solana adler2 migration"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2026-0007"
+# bytes 1.10.1 advisory. Main workspace is already on 1.11.1; only the vendored
+# Cargo.lock still pins the old version.
+reason = "bytes 1.10.1 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 1.11.1"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2026-0012"
+# keccak 0.1.5 advisory. Main workspace already on 0.1.6.
+reason = "keccak 0.1.5 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.1.6"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2024-0370"
+# proc-macro-error 1.0.4 is unmaintained.
+reason = "proc-macro-error 1.0.4 in vendor/solana-program-test (dev-only); upstream replacement is proc-macro-error2"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2026-0037"
+# quinn-proto 0.11.13 advisory (sev 8.7). Main workspace already on 0.11.14.
+# Vendor path is dev-only; on-chain programs never execute quinn.
+reason = "quinn-proto 0.11.13 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.11.14"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2026-0049"
+# rustls-webpki 0.103.6 advisory. Main workspace already on 0.103.12.
+reason = "rustls-webpki 0.103.6 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.103.12"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2026-0067"
+# tar 0.4.44 — sev 6.5 path traversal. Dev-only; invoked only by the test harness.
+reason = "tar 0.4.44 in vendor/solana-program-test (dev-only test harness); no user-controlled archives"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2026-0068"
+# tar 0.4.44 — sev 8.1 related path-handling advisory. Same scope as 0.4.44/0067.
+reason = "tar 0.4.44 in vendor/solana-program-test (dev-only test harness); no user-controlled archives"
+
+[[ignored_vulns]]
+id = "RUSTSEC-2026-0009"
+# time 0.3.9 advisory. Very old pin, dev-only.
+reason = "time 0.3.9 in vendor/solana-program-test (dev-only); await upstream Solana bump"
From 1515e035717d78eaa3f511a746d1454ab4117b7b Mon Sep 17 00:00:00 2001
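Review bot: The two tar entries justify suppressing a path-traversal advisory with "no user-controlled archives", but nothing in the hunk says what the harness actually extracts, and a dev-only crate still executes on CI runners and contributor machines that hold repository and signing credentials. The reason string should name the archive source the claim was checked against so the next reader can re-verify it rather than trust it, e.g. `reason = "tar 0.4.44 in vendor/solana-program-test (dev-only test harness); only extracts fixtures committed in-repo, never network or user input"`. The quinn-proto entry (severity 8.7) has the same gap: "on-chain programs never execute quinn" is true but beside the point for a test harness that presumably opens sockets during tests, so the note should state whether anything it listens on is reachable from outside the runner during CI.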
From: Mike Odnis Date: Sun, 19 Apr 2026 01:50:19 -0400 Subject: [PATCH 3/4] =?UTF-8?q?fix(security):=20revert=20osv-scanner=20key?= =?UTF-8?q?=20to=20PascalCase=20=E2=80=94=20gemini=20advice=20was=20wrong?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The live scanner error on the last CI run was: Ignored invalid config file ... unknown keys: ignored_vulns, ignored_vulns.id, ignored_vulns.reason, ... OSV-scanner v2.3.5 uses Go struct tags with PascalCase (`IgnoredVulns`); the snake_case form gemini recommended is what the scanner rejected. Revert to PascalCase and note the quirk in the file header so a future reader doesn't get misled by the docs site. --- osv-scanner.toml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/osv-scanner.toml b/osv-scanner.toml index b5765a5..3f3049a 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml 
@@ -1,37 +1,37 @@
 # OSV-Scanner configuration for resq-software/programs.
 #
-# Each [[ignored_vulns]] block carries a rationale for why the advisory cannot
+# Each [[IgnoredVulns]] block carries a rationale for why the advisory cannot
 # be fixed in this workspace today. Revisit on any Solana / Anchor major bump.
 #
 # Format: https://google.github.io/osv-scanner/configuration/
-# Note: OSV-Scanner keys are snake_case and case-sensitive.
+# Note: OSV-Scanner v2 expects PascalCase keys (IgnoredVulns); snake_case is rejected.
 
 # ── Unmaintained-crate advisories (informational, no known exploit) ──────────
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2025-0141"
 # bincode 1.3.3 is unmaintained; bincode 2.x is available but breaks the
 # Anchor 1.0.0-rc.2 serialization API. Blocked on Anchor upstream migration.
 reason = "bincode 1.x transitive via anchor-lang; await upstream Anchor bump to bincode 2.x"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2024-0388"
 # derivative is unmaintained. Transitive via anchor-lang's macro machinery.
 reason = "derivative 2.2.0 transitive via anchor-lang; await upstream migration to derive-more or similar"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2024-0436"
 # paste is unmaintained. Transitive via anchor-lang macros.
 reason = "paste 1.0.15 transitive via anchor-lang macros; await upstream migration"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2025-0161"
 # libsecp256k1 0.6.0 is effectively frozen; Solana pins this version.
 reason = "libsecp256k1 0.6.0 transitive via solana-* crates; fix requires upstream Solana bump"
 
 # ── Old dalek / rand pins (transitive via Solana; on-chain BPF unaffected) ───
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2024-0344"
 # curve25519-dalek 3.2.0 has a timing side channel in Scalar::from_canonical_bytes.
 # Pinned by solana-zk-token-sdk and older solana-program versions which we pull
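Review bot: The new header note documents the PascalCase quirk but not its failure mode: per the commit message, an unrecognised key makes the scanner log "Ignored invalid config file" and carry on with zero ignores, so a future typo silently discards every rationale in this file and the only symptom is a red job, or nothing at all on a day when no advisory happens to match. Record the version the format was checked against and the consequence in the note, e.g. `# Note: OSV-Scanner v2.3.5 expects PascalCase keys (IgnoredVulns); an unknown key makes it log "Ignored invalid config file" and drop ALL ignores.` Consider also making the CI step fail on that log line so a broken config surfaces as a config error rather than as a flood of findings that someone might be tempted to suppress again.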
@@ -39,14 +39,14 @@ id = "RUSTSEC-2024-0344"
 # via syscalls, not userspace dalek). Risk is confined to host-side tests.
 reason = "curve25519-dalek 3.2.0 transitive via solana-zk-token-sdk; on-chain BPF unaffected; await upstream Solana bump to dalek 4.x across the stack"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2022-0093"
 # ed25519-dalek 1.0.1 has a signature-oracle vulnerability in specific API misuse
 # patterns. Programs in this workspace never call ed25519-dalek directly; it comes
 # in via vendored solana-program-test (a dev-dependency only).
 reason = "ed25519-dalek 1.0.1 transitive via vendored solana-program-test (dev-dep only); on-chain programs do not call dalek directly"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2026-0097"
 # rand 0.7.3 is unsound when rand::rng() is called with a custom logger installed.
 # We pin rand 0.7.3 only transitively via old solana-* deps. No workspace code uses
@@ -59,49 +59,49 @@ reason = "rand 0.7.3 transitive via solana-* deps; fixed versions (0.8.6, 0.9.3)
 # On-chain program bytecode ships none of these. Fix requires re-vendoring from
 # a newer Solana release; see vendor/ in this repo for context.
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2025-0056"
 # adler 1.0.2 unmaintained — migration to adler2 hasn't propagated to Solana.
 reason = "adler 1.0.2 in vendor/solana-program-test (dev-only); await Solana adler2 migration"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2026-0007"
 # bytes 1.10.1 advisory. Main workspace is already on 1.11.1; only the vendored
 # Cargo.lock still pins the old version.
 reason = "bytes 1.10.1 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 1.11.1"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2026-0012"
 # keccak 0.1.5 advisory. Main workspace already on 0.1.6.
 reason = "keccak 0.1.5 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.1.6"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2024-0370"
 # proc-macro-error 1.0.4 is unmaintained.
 reason = "proc-macro-error 1.0.4 in vendor/solana-program-test (dev-only); upstream replacement is proc-macro-error2"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2026-0037"
 # quinn-proto 0.11.13 advisory (sev 8.7). Main workspace already on 0.11.14.
 # Vendor path is dev-only; on-chain programs never execute quinn.
 reason = "quinn-proto 0.11.13 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.11.14"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2026-0049"
 # rustls-webpki 0.103.6 advisory. Main workspace already on 0.103.12.
 reason = "rustls-webpki 0.103.6 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.103.12"
 
-[[ignored_vulns]]
+[[IgnoredVulns]]
 id = "RUSTSEC-2026-0067"
 # tar 0.4.44 — sev 6.5 path traversal. Dev-only; invoked only by the test harness.
reason = "tar 0.4.44 in vendor/solana-program-test (dev-only test harness); no user-controlled archives" -[[ignored_vulns]] +[[IgnoredVulns]] id = "RUSTSEC-2026-0068" # tar 0.4.44 — sev 8.1 related path-handling advisory. Same scope as 0.4.44/0067. reason = "tar 0.4.44 in vendor/solana-program-test (dev-only test harness); no user-controlled archives" -[[ignored_vulns]] +[[IgnoredVulns]] id = "RUSTSEC-2026-0009" # time 0.3.9 advisory. Very old pin, dev-only. reason = "time 0.3.9 in vendor/solana-program-test (dev-only); await upstream Solana bump" From f49b44aef919f5bdafa01b304effe063d4aab142 Mon Sep 17 00:00:00 2001 From: Mike Odnis Date: Sun, 19 Apr 2026 01:56:05 -0400 Subject: [PATCH 4/4] fix(security): per-lockfile osv-scanner configs (vendor needs its own) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The last CI run revealed OSV-scanner treats each discovered lockfile directory as its own scan-config scope — the 9 vendor-only ignores in the root config were reported as "unused ignores" while the vendor Cargo.lock went unignored and kept the job red. - New `vendor/solana-program-test/osv-scanner.toml` with 17 entries covering everything the scanner flags in that lockfile. This is the config osv-scanner picks up when scanning the vendored dev-dependency subtree. - Strip the vendor-only advisories from the root `osv-scanner.toml` so it only declares ignores that actually match root-scope findings. - Keep the dual-source advisories (bincode, curve25519-dalek, etc.) in both files — they appear in both the root and vendor lockfiles, so both scans need the ignore. --- osv-scanner.toml | 55 +----------- vendor/solana-program-test/osv-scanner.toml | 93 +++++++++++++++++++++ 2 files changed, 96 insertions(+), 52 deletions(-) create mode 100644 vendor/solana-program-test/osv-scanner.toml diff --git a/osv-scanner.toml b/osv-scanner.toml index 3f3049a..0a293e0 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml 
@@ -53,55 +53,6 @@ id = "RUSTSEC-2026-0097"
 # custom loggers with rand; the 0.8.x and 0.9.x pins are already on fixed versions.
 reason = "rand 0.7.3 transitive via solana-* deps; fixed versions (0.8.6, 0.9.3) already pinned for first-order users; no custom-logger code paths"
 
-# ── vendor/solana-program-test advisories (dev-only; vendored dev-dependency) ─
-# All entries below come from vendor/solana-program-test/Cargo.lock — a vendored
-# copy of upstream Solana's test harness we pull in only as a dev-dependency.
-# On-chain program bytecode ships none of these. Fix requires re-vendoring from
-# a newer Solana release; see vendor/ in this repo for context.
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2025-0056"
-# adler 1.0.2 unmaintained — migration to adler2 hasn't propagated to Solana.
-reason = "adler 1.0.2 in vendor/solana-program-test (dev-only); await Solana adler2 migration"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2026-0007"
-# bytes 1.10.1 advisory. Main workspace is already on 1.11.1; only the vendored
-# Cargo.lock still pins the old version.
-reason = "bytes 1.10.1 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 1.11.1"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2026-0012"
-# keccak 0.1.5 advisory. Main workspace already on 0.1.6.
-reason = "keccak 0.1.5 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.1.6"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2024-0370"
-# proc-macro-error 1.0.4 is unmaintained.
-reason = "proc-macro-error 1.0.4 in vendor/solana-program-test (dev-only); upstream replacement is proc-macro-error2"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2026-0037"
-# quinn-proto 0.11.13 advisory (sev 8.7). Main workspace already on 0.11.14.
-# Vendor path is dev-only; on-chain programs never execute quinn.
-reason = "quinn-proto 0.11.13 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.11.14"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2026-0049"
-# rustls-webpki 0.103.6 advisory. Main workspace already on 0.103.12.
-reason = "rustls-webpki 0.103.6 in vendor/solana-program-test/Cargo.lock (dev-only); main workspace on 0.103.12"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2026-0067"
-# tar 0.4.44 — sev 6.5 path traversal. Dev-only; invoked only by the test harness.
-reason = "tar 0.4.44 in vendor/solana-program-test (dev-only test harness); no user-controlled archives"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2026-0068"
-# tar 0.4.44 — sev 8.1 related path-handling advisory. Same scope as 0.4.44/0067.
-reason = "tar 0.4.44 in vendor/solana-program-test (dev-only test harness); no user-controlled archives"
-
-[[IgnoredVulns]]
-id = "RUSTSEC-2026-0009"
-# time 0.3.9 advisory. Very old pin, dev-only.
-reason = "time 0.3.9 in vendor/solana-program-test (dev-only); await upstream Solana bump"
+# Vendor-only advisories live in vendor/solana-program-test/osv-scanner.toml.
+# OSV-scanner treats each discovered lockfile directory as its own scan-config
+# scope, so vendor entries here would be reported as "unused ignores".
diff --git a/vendor/solana-program-test/osv-scanner.toml b/vendor/solana-program-test/osv-scanner.toml
new file mode 100644
index 0000000..9eda678
--- /dev/null
+++ b/vendor/solana-program-test/osv-scanner.toml
@@ -0,0 +1,93 @@
+# OSV-Scanner config for the vendored solana-program-test lockfile.
+#
+# This file is picked up when osv-scanner scans the directory as its own
+# project (it discovers Cargo.lock and looks for `osv-scanner.toml` in the
+# same dir). Root-level config at the repo root does NOT propagate here —
+# each lockfile is its own scan project.
+#
+# `solana-program-test` is a vendored copy of upstream Solana's test
+# harness, consumed only as a dev-dependency from the workspace root.
+# On-chain program bytecode ships none of this. Every advisory below is
+# ignored with a reason; re-vendor from a newer Solana release to clear.
+#
+# Format: https://google.github.io/osv-scanner/configuration/
+# Note: OSV-Scanner v2 expects PascalCase keys (IgnoredVulns); snake_case
+# is rejected (checked against v2.3.5).
+
+# ── Same advisories as the root config, re-declared here for this scan ──────
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0141"
+reason = "bincode 1.x — dev-only in vendored solana-program-test; await upstream Anchor/Solana bump to bincode 2.x"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0388"
+reason = "derivative 2.2.0 — dev-only in vendored solana-program-test; await upstream migration"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0436"
+reason = "paste 1.0.9 — dev-only in vendored solana-program-test; unmaintained crate"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0161"
+reason = "libsecp256k1 0.6.0 — dev-only in vendored solana-program-test; solana-* frozen pin"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0344"
+reason = "curve25519-dalek 3.2.0 — dev-only in vendored solana-program-test; on-chain BPF unaffected"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2022-0093"
+reason = "ed25519-dalek 1.0.1 — dev-only in vendored solana-program-test; on-chain programs do not call dalek directly"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0097"
+reason = "rand 0.7.3 / 0.8.5 / 0.9.0 — dev-only in vendored solana-program-test; no custom-logger code paths"
+
+# ── Advisories unique to this 
vendored lockfile ─────────────────────────────
+# (fixed upstream in the main workspace but still pinned in this older vendor
+# of solana-program-test; safe because the vendor is dev-only)
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0056"
+reason = "adler 1.0.2 unmaintained — dev-only; await Solana adler2 migration"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0007"
+reason = "bytes 1.10.1 — dev-only; main workspace already on 1.11.1"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0012"
+reason = "keccak 0.1.5 — dev-only; main workspace already on 0.1.6"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0370"
+reason = "proc-macro-error 1.0.4 — dev-only; unmaintained; upstream replacement is proc-macro-error2"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0037"
+reason = "quinn-proto 0.11.13 — dev-only; main workspace already on 0.11.14; on-chain programs never execute quinn"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0049"
+reason = "rustls-webpki 0.103.6 — dev-only; main workspace already on 0.103.12"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0098"
+reason = "rustls-webpki 0.103.6 — dev-only; main workspace already on 0.103.12"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0099"
+reason = "rustls-webpki 0.103.6 — dev-only; main workspace already on 0.103.12"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0067"
+reason = "tar 0.4.44 — dev-only test harness; no user-controlled archives"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0068"
+reason = "tar 0.4.44 — dev-only test harness; no user-controlled archives"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0009"
+reason = "time 0.3.9 — dev-only; await upstream Solana bump"
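Review bot: Seven of the seventeen entries in this file (bytes, keccak, quinn-proto, the three rustls-webpki advisories, and the rand 0.8.5/0.9.0 pins) are the same advisories patch 1 cleared in the root lockfile with API-compatible `cargo update --precise` bumps, so unless the vendored tree must stay byte-identical to its upstream revision, applying the same bumps to `vendor/solana-program-test/Cargo.lock` would remove them instead of suppressing them. That distinction matters because quinn-proto (8.7) and tar (8.1) are exploitable CVEs rather than unmaintained-crate notices, and "dev-only" still means the code runs on CI runners and contributor machines. For the entries that genuinely have to stay, the header says "re-vendor from a newer Solana release to clear" but never records which upstream release or commit this copy was taken from, so "newer" is unmeasurable; add a line such as `# Vendored from <upstream repo> at <tag-or-sha>` and an `ignoreUntil` date on each entry so the suppressions expire on their own rather than outliving the reason for them.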