Resolve CVE-2023-22742 stemming from git2 dependency. #830
Description
Problem: My crate's dependency on cargo-audit 0.17.4 triggers this GitHub security advisory for git2.
Primary Solution: Upgrade rustsec dependencies to include a new version of git2 which mitigates this vulnerability.
Bonus/secondary Issue: Why doesn't cargo audit itself catch this vulnerability? My first guess is GitHub and RustSec use different advisory databases. Is there any way to integrate them so that cargo-audit reports on a superset of findings, or is that out of scope? If it's out of scope, is there a different tool that reports on the union of vulnerability reports from the command line (because I wish to rely on a local client rather than the GH website for audit reports)?
Detail:
In cargo-checkmate, when I push branches, I see this dependabot security advisory for cargo-checkmate, which links to this upstream GitHub advisory for git2.
However, when I run cargo audit on cargo-checkmate it does not report this vulnerability:
$ cargo-audit --version
cargo-audit 0.17.4
$ cargo-audit audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 527 security advisories (from /home/user/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate: atty
Version: 0.2.14
Warning: unsound
Title: Potential unaligned read
Date: 2021-07-04
ID: RUSTSEC-2021-0145
URL: https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── colored 2.0.0
│   └── cargo-checkmate 0.1.12
└── clap 3.2.23
    ├── cargo-checkmate 0.1.12
    ├── cargo-audit 0.17.4
    │   └── cargo-checkmate 0.1.12
    └── abscissa_core 0.6.0
        ├── cargo-checkmate 0.1.12
        └── cargo-audit 0.17.4
warning: 1 allowed warning found
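The mismatch in this report comes down to which advisory database a scanner consults. The following Rust program is an added example, not code from cargo-audit, cargo-checkmate or the RustSec project; it shows the shape of a lockfile scan that takes the union of two advisory sources. It assumes a constructed Cargo.lock fragment, a constructed RustSec-style entry for the atty advisory shown in the output above, and a constructed GitHub-style entry for CVE-2023-22742 whose affected range ("below 0.16.1") is an assumption for the example, not taken from the advisory. Version ranges are reduced to "affected if older than the first patched version", which is far simpler than the semver matching the real tools perform.

```rust
use std::collections::BTreeSet;

pub type Version = (u64, u64, u64);

/// One advisory record. Real RustSec and GitHub advisories carry full semver
/// ranges, aliases and metadata; here an advisory is "affected if version <
/// first patched version", with None meaning no fix has been published.
#[derive(Debug, Clone)]
pub struct Advisory {
    pub id: &'static str,
    pub source: &'static str,
    pub package: &'static str,
    pub patched: Option<Version>,
}

/// Parse "MAJOR.MINOR.PATCH"; pre-release tags and build metadata are rejected.
pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some(v)
}

/// Minimal Cargo.lock reader: every `[[package]]` table yields one
/// (name, version) pair; checksum and dependency lines are ignored.
pub fn parse_lockfile(text: &str) -> Vec<(String, Version)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<Version> = None;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = parse_version(rest.trim_matches('"'));
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        out.push((n, v));
    }
    out
}

pub fn is_affected(v: Version, adv: &Advisory) -> bool {
    match adv.patched {
        Some(first_fixed) => v < first_fixed,
        None => true,
    }
}

/// Scan a lockfile against the union of several databases. Findings are
/// deduplicated by (package, advisory id); the same vulnerability published
/// under different ids in two sources would need an alias map to collapse.
pub fn scan(lock: &[(String, Version)], dbs: &[&[Advisory]]) -> Vec<(String, Version, String, String)> {
    let mut seen = BTreeSet::new();
    let mut hits = Vec::new();
    for (name, version) in lock {
        for adv in dbs.iter().flat_map(|db| db.iter()) {
            if adv.package == name.as_str()
                && is_affected(*version, adv)
                && seen.insert((name.clone(), adv.id))
            {
                hits.push((name.clone(), *version, adv.id.to_string(), adv.source.to_string()));
            }
        }
    }
    hits
}

/// Constructed RustSec-style database: only the atty warning from the report above.
pub fn rustsec_db() -> Vec<Advisory> {
    vec![Advisory { id: "RUSTSEC-2021-0145", source: "rustsec", package: "atty", patched: None }]
}

/// Constructed GitHub-style database. The patched version for git2 is an
/// assumption made for this example.
pub fn github_db() -> Vec<Advisory> {
    vec![Advisory { id: "CVE-2023-22742", source: "github", package: "git2", patched: Some((0, 16, 1)) }]
}

/// Constructed Cargo.lock fragment; the git2 version is chosen to fall in the assumed range.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "atty"
version = "0.2.14"

[[package]]
name = "clap"
version = "3.2.23"

[[package]]
name = "git2"
version = "0.16.0"
"#;

fn main() {
    let lock = parse_lockfile(SAMPLE_LOCK);
    let (rustsec, github) = (rustsec_db(), github_db());
    println!("rustsec only: {:?}", scan(&lock, &[rustsec.as_slice()]));
    println!("union:        {:?}", scan(&lock, &[rustsec.as_slice(), github.as_slice()]));
}
```

Run with only the RustSec-style source and the scan reports atty alone, matching the output above; add the GitHub-style source and git2 appears. A production union has to do more than concatenate: both ecosystems publish aliases (a RustSec entry may cite a CVE or GHSA id), and without merging on those aliases a single vulnerability is reported twice.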