Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions .cargo/audit.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
# cargo-audit configuration for the security-audit CI job
# (.github/workflows/security-audit.yml).
#
# Every ignore entry must carry a justification and a removal condition.

[advisories]
ignore = [
# RUSTSEC-2026-0041 (CVE-2026-32829): lz4_flex < 0.11.6 block decompression
# can leak uninitialized memory / reused-buffer contents on invalid input.
# lz4_flex 0.10.0 is pulled in by zenoh-transport, which pins ^0.10.0; no
# patched 0.10.x exists, so the lockfile cannot be bumped. Mitigated by
# building zenoh without the transport_compression feature (workspace
# Cargo.toml), which removes every lz4_flex call site from our binaries;
# phoxal-bus also never enables zenoh compression at runtime.
# Remove once zenoh releases with lz4_flex >= 0.11.6
# (https://github.com/eclipse-zenoh/zenoh/pull/2499) and the workspace
# zenoh dependency is bumped to that release.
"RUSTSEC-2026-0041",

# RUSTSEC-2026-0194 / RUSTSEC-2026-0195: quick-xml < 0.41 has quadratic
# runtime on duplicate-attribute checks and unbounded namespace-declaration
# allocation (DoS class). quick-xml 0.36 is pulled in by urdf-rs 0.9.0
# (latest release, pins ^0.36). Phoxal only parses URDF from local,
# operator-installed component definitions (component/*/structure.urdf),
# never network input, so the DoS vector is not attacker-reachable.
# Remove once urdf-rs releases with quick-xml >= 0.41
# (https://github.com/openrr/urdf-rs/issues/134) and the workspace
# urdf-rs dependency is bumped.
"RUSTSEC-2026-0194",
"RUSTSEC-2026-0195",

# RUSTSEC-2023-0071 (Marvin timing side channel): no fixed rsa release
# exists. rsa is pulled in by zenoh-transport's auth_pubkey feature, which
# transport_multilink requires at compile time. Phoxal never configures
# zenoh public-key auth at runtime (phoxal-bus/src/session.rs builds the
# config programmatically), so no RSA operations run in our deployments.
# Remove once the rsa crate ships a constant-time fix and zenoh adopts it.
"RUSTSEC-2023-0071",
]
41 changes: 41 additions & 0 deletions .github/workflows/security-audit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Audits Cargo.lock against the RUSTSEC advisory database.
#
# The daily schedule is the important trigger: advisories are published
# independently of pushes, so a lockfile that was clean yesterday can be
# vulnerable today without any commit landing.
#
# Ignored advisories live in .cargo/audit.toml; each entry must carry a
# justification and a removal condition.
name: security-audit

on:
pull_request:
paths:
- "**/Cargo.toml"
- Cargo.lock
- .cargo/audit.toml
- .github/workflows/security-audit.yml
push:
branches: [main]
paths:
- "**/Cargo.toml"
- Cargo.lock
- .cargo/audit.toml
- .github/workflows/security-audit.yml
schedule:
- cron: "17 5 * * *"
workflow_dispatch:

jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Install cargo-audit
uses: taiki-e/install-action@v2
with:
tool: cargo-audit

- name: Audit Cargo.lock against RUSTSEC advisories
run: cargo audit
28 changes: 14 additions & 14 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 18 additions & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,24 @@ tracing = "0.1.44"
tracing-subscriber = { version = "0.3.23", features = ["env-filter"] }
trybuild = "1"
urdf-rs = "0.9.0"
zenoh = { version = "1.9.0" }
# Default features minus transport_compression: zenoh-transport's lz4_flex pin
# (^0.10.0) has no release with the RUSTSEC-2026-0041 fix, so keep the affected
# block-decompression path out of shipped binaries. Phoxal never enables zenoh
# compression at runtime, so no behavior changes. Re-enable defaults only after
# zenoh ships lz4_flex >= 0.11.6 (eclipse-zenoh/zenoh#2499) and the ignore in
# .cargo/audit.toml is removed.
zenoh = { version = "1.9.0", default-features = false, features = [
"auth_pubkey",
"auth_usrpwd",
"transport_multilink",
"transport_quic",
"transport_quic_datagram",
"transport_tcp",
"transport_tls",
"transport_udp",
"transport_unixsock-stream",
"transport_ws",
] }
# Carry a version (not just a path) on every internal dep: cargo strips the path
# on publish/package and resolves the dep by version from the index. Without it,
# `cargo package` fails ("all dependencies must have a version requirement") - this
Expand Down
Loading