Detecting yanked versions #1417

Open
jayvdb opened this issue Nov 25, 2024 · 0 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments


jayvdb commented Nov 25, 2024

osv-scanner doesn't detect yanked versions, such as the yanked crate version https://crates.io/crates/url/2.5.3

deps.dev knows this version is deprecated - see https://deps.dev/cargo/url/2.5.3

There is no CVE listed for this https://osv.dev/list?q=url&ecosystem=crates.io

But given that servo/rust-url#999 is the only PR in v2.5.4, and it landed in v2.5.3, there is a good chance that it is the problem.

And very likely that problem is a large one, probably even CVE territory.

And that is commonly why versions are yanked - a problem is found & fixed before a CVE has been created.

And because it is a yanked version, quite likely nobody will invest in creating a CVE.

Note https://github.com/EmbarkStudios/cargo-deny does detect yanked versions in the lock file, and most Rust projects will be using cargo-deny (however I am often asked why we use both cargo-deny and osv-scanner), so it isn't an urgent problem for me. cargo deny output (in red!):

```text
error[yanked]: detected yanked crate (try `cargo update -p url`)
    ┌─ /home/jayvdb/work/rosalind/Cargo.lock:726:1
    │
726 │ url 2.5.3 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ yanked version
```

That said, the tooling for other ecosystems may not be tuned to treat yanked versions as probable CVEs. NPM's left-pad yanking problem probably still has many people wary of trusting yanks ("unpublish"), so it would be good IMO to have osv-scanner detecting & reporting these.

There is a bit of overlap with google/osv.dev#2407
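A minimal version of the check this issue asks for, as an added example (not osv-scanner's or cargo-deny's code): it reads the crates.io registry pins out of a Cargo.lock and matches them against each crate's sparse-index file, whose newline-delimited JSON entries carry a `yanked` flag. Both the lock-file excerpt and the index entries are constructed inline, and the parser is deliberately minimal; a real implementation would fetch the index file for each crate over HTTPS and use a full TOML parser.

```python
import json
import re

# Constructed Cargo.lock excerpt (not the reporter's real lock file); the
# url 2.5.3 pin mirrors the yanked version named in the issue.
CARGO_LOCK = """\
[[package]]
name = "url"
version = "2.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "idna"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed per-crate index files in the newline-delimited JSON layout of the
# crates.io sparse index; real entries carry more fields and these flags are sample data.
SPARSE_INDEX = {
    "url": '{"name":"url","vers":"2.5.2","yanked":false}\n'
           '{"name":"url","vers":"2.5.3","yanked":true}\n'
           '{"name":"url","vers":"2.5.4","yanked":false}\n',
    "idna": '{"name":"idna","vers":"1.0.3","yanked":false}\n',
}

KV = re.compile(r'^(\w+) = "(.*)"$')  # single-line string key in a [[package]] table

def registry_packages(lock_text):
    """(name, version) of each registry pin; reads only the [[package]] string keys."""
    packages, current = [], None
    for line in map(str.strip, lock_text.splitlines()):
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and (m := KV.match(line)):
            current[m.group(1)] = m.group(2)
    return [(p["name"], p["version"]) for p in packages
            if p.get("source", "").startswith("registry+")]

def yanked_versions(index_text):
    """Set of versions flagged yanked in one crate's sparse-index file."""
    return {e["vers"] for e in map(json.loads, filter(None, index_text.splitlines()))
            if e.get("yanked")}

def find_yanked(lock_text, index):
    """Lock-file pins whose version the index marks yanked, as (name, version)."""
    return [(n, v) for n, v in registry_packages(lock_text)
            if v in yanked_versions(index.get(n, ""))]
```

Running `find_yanked(CARGO_LOCK, SPARSE_INDEX)` on the constructed input flags `url 2.5.3` and nothing else, which is the finding cargo-deny reports above.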

@cuixq cuixq added enhancement New feature or request good first issue Good for newcomers labels Nov 25, 2024