kylechamberlin / hoe Goto Github PK
View Code? Open in Web Editor NEWA Hoe for managing your personal digital garden.
License: GNU General Public License v3.0
hoe's People
Contributors
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Watchers
hoe's Issues
Action Required: Fix Renovate Configuration
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error near ",
],
inquire-0.5.3.crate: 1 vulnerabilities (highest severity is: 9.1)
Vulnerable Library - inquire-0.5.3.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Found in HEAD commit: d43b65b46abdd2099d9494c7b0ddf0fa11f9e9e1
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (inquire version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2023-0045 |  Critical |
9.1 | remove_dir_all-0.5.3.crate | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0045
Vulnerable Library - remove_dir_all-0.5.3.crate
A safe, reliable implementation of remove_dir_all for Windows
Library home page: https://crates.io/api/v1/crates/remove_dir_all/0.5.3/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- inquire-0.5.3.crate (Root Library)
- tempfile-3.3.0.crate
- ❌ remove_dir_all-0.5.3.crate (Vulnerable Library)
- tempfile-3.3.0.crate
Found in HEAD commit: d43b65b46abdd2099d9494c7b0ddf0fa11f9e9e1
Found in base branch: main
Vulnerability Details
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.
Publish Date: 2023-02-24
URL: WS-2023-0045
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-mc8h-8q98-g5hr
Release Date: 2023-02-24
Fix Resolution: remove_dir_all - 0.8.0
Step up your Open Source Security Game with Mend here
clap-4.1.4.crate: 1 vulnerabilities (highest severity is: 5.5)
Vulnerable Library - clap-4.1.4.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Found in HEAD commit: d43b65b46abdd2099d9494c7b0ddf0fa11f9e9e1
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (clap version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2023-0366 |  Medium |
5.5 | rustix-0.36.7.crate | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0366
Vulnerable Library - rustix-0.36.7.crate
Safe Rust bindings to POSIX/Unix/Linux/Winsock2-like syscalls
Library home page: https://crates.io/api/v1/crates/rustix/0.36.7/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- clap-4.1.4.crate (Root Library)
- is-terminal-0.4.2.crate
- ❌ rustix-0.36.7.crate (Vulnerable Library)
- is-terminal-0.4.2.crate
Found in HEAD commit: d43b65b46abdd2099d9494c7b0ddf0fa11f9e9e1
Found in base branch: main
Vulnerability Details
rustix's rustix::fs::Dir iterator with the linux_raw backend can cause memory explosion
Publish Date: 2023-10-18
URL: WS-2023-0366
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c827-hfw6-qwvm
Release Date: 2023-10-18
Fix Resolution: rustix - 0.35.15,0.36.16,0.37.25,0.38.19
Step up your Open Source Security Game with Mend here
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.