resq-software · WomB0ComB0 · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
   rust:
-    uses: resq-software/.github/.github/workflows/rust-ci.yml@f4b51a620aa1bf89c0bce4f434b36f92ff7d517d
+    uses: resq-software/.github/.github/workflows/rust-ci.yml@40fa987f5bc78d7569b9b76274f24d032ac0d7c8
     with:
       toolchain: stable
       run-fmt: true

@@ -0,0 +1,58 @@
+# OSV-Scanner configuration for resq-software/programs.
+#
+# Each [[IgnoredVulns]] block carries a rationale for why the advisory cannot
+# be fixed in this workspace today. Revisit on any Solana / Anchor major bump.
+#
+# Format: https://google.github.io/osv-scanner/configuration/
+# Note: OSV-Scanner v2 expects PascalCase keys (IgnoredVulns); snake_case is rejected.
+
+# ── Unmaintained-crate advisories (informational, no known exploit) ──────────
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0141"
+# bincode 1.3.3 is unmaintained; bincode 2.x is available but breaks the
+# Anchor 1.0.0-rc.2 serialization API. Blocked on Anchor upstream migration.
+reason = "bincode 1.x transitive via anchor-lang; await upstream Anchor bump to bincode 2.x"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0388"
+# derivative is unmaintained. Transitive via anchor-lang's macro machinery.
+reason = "derivative 2.2.0 transitive via anchor-lang; await upstream migration to derive-more or similar"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0436"
+# paste is unmaintained. Transitive via anchor-lang macros.
+reason = "paste 1.0.15 transitive via anchor-lang macros; await upstream migration"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2025-0161"
+# libsecp256k1 0.6.0 is effectively frozen; Solana pins this version.
+reason = "libsecp256k1 0.6.0 transitive via solana-* crates; fix requires upstream Solana bump"
+
+# ── Old dalek / rand pins (transitive via Solana; on-chain BPF unaffected) ───
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0344"
+# curve25519-dalek 3.2.0 has a timing side channel in Scalar::from_canonical_bytes.
+# Pinned by solana-zk-token-sdk and older solana-program versions which we pull
+# transitively. On-chain BPF code does not execute this crate (programs verify
+# via syscalls, not userspace dalek). Risk is confined to host-side tests.
+reason = "curve25519-dalek 3.2.0 transitive via solana-zk-token-sdk; on-chain BPF unaffected; await upstream Solana bump to dalek 4.x across the stack"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2022-0093"
+# ed25519-dalek 1.0.1 has a signature-oracle vulnerability in specific API misuse
+# patterns. Programs in this workspace never call ed25519-dalek directly; it comes
+# in via vendored solana-program-test (a dev-dependency only).
+reason = "ed25519-dalek 1.0.1 transitive via vendored solana-program-test (dev-dep only); on-chain programs do not call dalek directly"
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2026-0097"
+# rand 0.7.3 is unsound when rand::rng() is called with a custom logger installed.
+# We pin rand 0.7.3 only transitively via old solana-* deps. No workspace code uses
+# custom loggers with rand; the 0.8.x and 0.9.x pins are already on fixed versions.
+reason = "rand 0.7.3 transitive via solana-* deps; fixed versions (0.8.6, 0.9.3) already pinned for first-order users; no custom-logger code paths"
+
+# Vendor-only advisories live in vendor/solana-program-test/osv-scanner.toml.
+# OSV-scanner treats each discovered lockfile directory as its own scan-config
+# scope, so vendor entries here would be reported as "unused ignores".