diff --git a/.cargo/audit.toml b/.cargo/audit.toml new file mode 100644 index 00000000..26015fe4 --- /dev/null +++ b/.cargo/audit.toml @@ -0,0 +1,39 @@ +# cargo-audit configuration for the security-audit CI job +# (.github/workflows/security-audit.yml). +# +# Every ignore entry must carry a justification and a removal condition. + +[advisories] +ignore = [ + # RUSTSEC-2026-0041 (CVE-2026-32829): lz4_flex < 0.11.6 block decompression + # can leak uninitialized memory / reused-buffer contents on invalid input. + # lz4_flex 0.10.0 is pulled in by zenoh-transport, which pins ^0.10.0; no + # patched 0.10.x exists, so the lockfile cannot be bumped. Mitigated by + # building zenoh without the transport_compression feature (workspace + # Cargo.toml), which removes every lz4_flex call site from our binaries; + # phoxal-bus also never enables zenoh compression at runtime. + # Remove once zenoh releases with lz4_flex >= 0.11.6 + # (https://github.com/eclipse-zenoh/zenoh/pull/2499) and the workspace + # zenoh dependency is bumped to that release. + "RUSTSEC-2026-0041", + + # RUSTSEC-2026-0194 / RUSTSEC-2026-0195: quick-xml < 0.41 has quadratic + # runtime on duplicate-attribute checks and unbounded namespace-declaration + # allocation (DoS class). quick-xml 0.36 is pulled in by urdf-rs 0.9.0 + # (latest release, pins ^0.36). Phoxal only parses URDF from local, + # operator-installed component definitions (component/*/structure.urdf), + # never network input, so the DoS vector is not attacker-reachable. + # Remove once urdf-rs releases with quick-xml >= 0.41 + # (https://github.com/openrr/urdf-rs/issues/134) and the workspace + # urdf-rs dependency is bumped. + "RUSTSEC-2026-0194", + "RUSTSEC-2026-0195", + + # RUSTSEC-2023-0071 (Marvin timing side channel): no fixed rsa release + # exists. rsa is pulled in by zenoh-transport's auth_pubkey feature, which + # transport_multilink requires at compile time. Phoxal never configures + # zenoh public-key auth at runtime (phoxal-bus/src/session.rs builds the + # config programmatically), so no RSA operations run in our deployments. + # Remove once the rsa crate ships a constant-time fix and zenoh adopts it. + "RUSTSEC-2023-0071", +] diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml new file mode 100644 index 00000000..48e71931 --- /dev/null +++ b/.github/workflows/security-audit.yml @@ -0,0 +1,41 @@ +# Audits Cargo.lock against the RUSTSEC advisory database. +# +# The daily schedule is the important trigger: advisories are published +# independently of pushes, so a lockfile that was clean yesterday can be +# vulnerable today without any commit landing. +# +# Ignored advisories live in .cargo/audit.toml; each entry must carry a +# justification and a removal condition. +name: security-audit + +on: + pull_request: + paths: + - "**/Cargo.toml" + - Cargo.lock + - .cargo/audit.toml + - .github/workflows/security-audit.yml + push: + branches: [main] + paths: + - "**/Cargo.toml" + - Cargo.lock + - .cargo/audit.toml + - .github/workflows/security-audit.yml + schedule: + - cron: "17 5 * * *" + workflow_dispatch: + +jobs: + audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install cargo-audit + uses: taiki-e/install-action@v2 + with: + tool: cargo-audit + + - name: Audit Cargo.lock against RUSTSEC advisories + run: cargo audit diff --git a/Cargo.lock b/Cargo.lock index 24bb596f..4d715d43 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -98,7 +98,7 @@ version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -109,14 +109,14 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d" dependencies = [ "anstyle", "once_cell_polyfill", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] name = "anyhow" -version = "1.0.102" +version = "1.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" +checksum = "2a4385e2e34eb35d6b3efe798b9eb88096925d87726c0798709bf56d9ed84af3" [[package]] name = "approx" @@ -663,7 +663,7 @@ dependencies = [ "libc", "option-ext", "redox_users", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -708,7 +708,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -1726,7 +1726,7 @@ version = "0.50.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -2462,9 +2462,9 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.11.14" +version = "0.11.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098" +checksum = "4fcb935c5bec503c2f0e306bdd3e58bb9029dcb14fa8d9ac76e3a5256ac0763e" dependencies = [ "bytes", "fastbloom", @@ -2777,7 +2777,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -2844,7 +2844,7 @@ dependencies = [ "security-framework", "security-framework-sys", "webpki-root-certs", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -3297,7 +3297,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e" dependencies = [ "libc", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -3444,7 +3444,7 @@ dependencies = [ "getrandom 0.4.2", "once_cell", "rustix", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -4154,7 +4154,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 3a0f573d..3077139b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -107,7 +107,24 @@ tracing = "0.1.44" tracing-subscriber = { version = "0.3.23", features = ["env-filter"] } trybuild = "1" urdf-rs = "0.9.0" -zenoh = { version = "1.9.0" } +# Default features minus transport_compression: zenoh-transport's lz4_flex pin +# (^0.10.0) has no release with the RUSTSEC-2026-0041 fix, so keep the affected +# block-decompression path out of shipped binaries. Phoxal never enables zenoh +# compression at runtime, so no behavior changes. Re-enable defaults only after +# zenoh ships lz4_flex >= 0.11.6 (eclipse-zenoh/zenoh#2499) and the ignore in +# .cargo/audit.toml is removed. +zenoh = { version = "1.9.0", default-features = false, features = [ + "auth_pubkey", + "auth_usrpwd", + "transport_multilink", + "transport_quic", + "transport_quic_datagram", + "transport_tcp", + "transport_tls", + "transport_udp", + "transport_unixsock-stream", + "transport_ws", +] } # Carry a version (not just a path) on every internal dep: cargo strips the path # on publish/package and resolves the dep by version from the index. Without it, # `cargo package` fails ("all dependencies must have a version requirement") - this