{"id":17298553,"url":"https://github.com/amousset/vulnerable_crate","last_synced_at":"2025-03-26T21:22:03.312Z","repository":{"id":189347129,"uuid":"680432130","full_name":"amousset/vulnerable_crate","owner":"amousset","description":"For testing only, includes vulnerable dependencies on purpose","archived":false,"fork":false,"pushed_at":"2023-08-19T15:05:46.000Z","size":83,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-17T18:21:29.419Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/amousset.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-08-19T08:09:02.000Z","updated_at":"2023-08-19T08:11:20.000Z","dependencies_parsed_at":"2023-08-19T15:14:48.280Z","dependency_job_id":null,"html_url":"https://github.com/amousset/vulnerable_crate","commit_stats":null,"previous_names":["amousset/vulnerable_crate"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amousset%2Fvulnerable_crate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amousset%2Fvulnerable_crate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amousset%2Fvulnerable_crate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amousset%2Fvulnerable_crate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/amousset","download_url":"https://codeload.github.com/amousset/vulnerable_crate/tar.gz/refs/hea
ds/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245736371,"owners_count":20663888,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-15T11:19:25.623Z","updated_at":"2025-03-26T21:22:03.287Z","avatar_url":"https://github.com/amousset.png","language":"Rust","readme":"# vulnerable_crate\n\nThis crate is intended for testing purposes only, and uses vulnerable dependencies on purpose.\nIts goal is to allow checking and comparing outputs of various auditing tools\nable to work on Rust sources or binaries.\n\n## Vulnerabilities\n\nThis crate includes different cases in its dependencies:\n\n* An `informational = \"notice\"` [advisory](https://rustsec.org/advisories/RUSTSEC-2022-0058.html)\n* An `informational = \"unsound\"` [advisory](https://rustsec.org/advisories/RUSTSEC-2023-0047.html)\n* An `informational = \"unmaintained\"` [advisory](https://rustsec.org/advisories/RUSTSEC-2023-0040.html)\n* A non-informational [advisory](https://rustsec.org/advisories/RUSTSEC-2022-0083.html)\n* A withdrawn `informational = \"unmaintained\"` [advisory](https://rustsec.org/advisories/RUSTSEC-2021-0147.html)\n\n## Audit outputs\n\nNote: For binary audits mentioned below, the binary needs to be built with:\n\n```shell\ncargo install cargo-auditable\n# to audit production code\ncargo auditable build --release\n```\n\n### cargo-deny\n\nInformational advisories are considered as warnings by default, and non-informational advisories are treated as errors.\nUsers can pass `--deny/--allow/--warn` flags to change the behavior on 
specific advisory types.\n\nNote: notice advisories appear as `warning[notice]` (and not as a \"note\" output type that also exists in `cargo-deny`).\n\n```shell\n$ cargo install cargo-deny\n# Ignore other checks\n$ cargo deny check advisories\nwarning[unsound]: impl `FromMdbValue` for bool is unsound\n   ┌─ /home/amousset/projects/vulnerable_crate/Cargo.lock:40:1\n   │\n40 │ lmdb-rs 0.7.6 registry+https://github.com/rust-lang/crates.io-index\n   │ ------------------------------------------------------------------- unsound advisory detected\n   │\n   = ID: RUSTSEC-2023-0047\n   = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0047\n   = The implementation of `FromMdbValue` have [...]\n   = Announcement: https://github.com/vhbit/lmdb-rs/issues/67\n   = Solution: No safe upgrade is available!\n   = lmdb-rs v0.7.6\n     └── vulnerable_crate v0.1.0\n\nwarning[unmaintained]: `users` crate is unmaintained\n   ┌─ /home/amousset/projects/vulnerable_crate/Cargo.lock:77:1\n   │\n77 │ users 0.11.0 registry+https://github.com/rust-lang/crates.io-index\n   │ ------------------------------------------------------------------ unmaintained advisory detected\n   │\n   = ID: RUSTSEC-2023-0040\n   = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0040\n   = The `users` crate hasn't seen any [...]\n   = Announcement: https://github.com/ogham/rust-users/issues/54\n   = Solution: No safe upgrade is available!\n   = users v0.11.0\n     └── vulnerable_crate v0.1.0\n\nwarning[notice]: Library exclusively intended to inject UB into safe Rust.\n   ┌─ /home/amousset/projects/vulnerable_crate/Cargo.lock:35:1\n   │\n35 │ inconceivable 0.9.0 registry+https://github.com/rust-lang/crates.io-index\n   │ ------------------------------------------------------------------------- notice advisory detected\n   │\n   = ID: RUSTSEC-2022-0058\n   = Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0058\n   = Quoting from the crate description [...]\n   = Announcement: 
https://crates.io/crates/inconceivable\n   = Solution: No safe upgrade is available!\n   = inconceivable v0.9.0\n     └── vulnerable_crate v0.1.0\n\nerror[vulnerability]: evm incorrect state transition\n   ┌─ /home/amousset/projects/vulnerable_crate/Cargo.lock:20:1\n   │\n20 │ evm 0.35.0 registry+https://github.com/rust-lang/crates.io-index\n   │ ---------------------------------------------------------------- security vulnerability detected\n   │\n   = ID: RUSTSEC-2022-0083\n   = Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0083\n   = SputnikVM, also called evm, [...]\n   = Announcement: https://github.com/rust-blockchain/evm/pull/133\n   = Solution: Upgrade to \u003e=0.36.0 (try `cargo update -p evm`)\n   = evm v0.35.0\n     └── vulnerable_crate v0.1.0\n\nadvisories FAILED\n```\n\n### cargo-audit\n\nInformational advisories are considered as warnings by default, and non-informational advisories are treated as errors.\nUsers can pass a `--deny` flag to treat some warnings as errors.\n\n```shell\n$ cargo install cargo-audit\n$ cargo audit\n    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`\n      Loaded 559 security advisories (from /home/amousset/.cargo/advisory-db)\n    Updating crates.io index\n    Scanning Cargo.lock for vulnerabilities (87 crate dependencies)\nCrate:     evm\nVersion:   0.35.0\nTitle:     evm incorrect state transition\nDate:      2022-10-25\nID:        RUSTSEC-2022-0083\nURL:       https://rustsec.org/advisories/RUSTSEC-2022-0083\nSeverity:  7.5 (high)\nSolution:  Upgrade to \u003e=0.36.0\nDependency tree:\nevm 0.35.0\n└── vulnerable_crate 0.1.0\n\nCrate:     inconceivable\nVersion:   0.9.0\nWarning:   notice\nTitle:     Library exclusively intended to inject UB into safe Rust.\nDate:      2022-09-28\nID:        RUSTSEC-2022-0058\nURL:       https://rustsec.org/advisories/RUSTSEC-2022-0058\nDependency tree:\ninconceivable 0.9.0\n└── vulnerable_crate 0.1.0\n\nCrate:     users\nVersion:   
0.11.0\nWarning:   unmaintained\nTitle:     `users` crate is unmaintained\nDate:      2023-06-01\nID:        RUSTSEC-2023-0040\nURL:       https://rustsec.org/advisories/RUSTSEC-2023-0040\nDependency tree:\nusers 0.11.0\n└── vulnerable_crate 0.1.0\n\nCrate:     lmdb-rs\nVersion:   0.7.6\nWarning:   unsound\nTitle:     impl `FromMdbValue` for bool is unsound\nDate:      2023-06-26\nID:        RUSTSEC-2023-0047\nURL:       https://rustsec.org/advisories/RUSTSEC-2023-0047\nDependency tree:\nlmdb-rs 0.7.6\n└── vulnerable_crate 0.1.0\n\nerror: 1 vulnerability found!\nwarning: 3 allowed warnings found\n```\n\nThe binary file audit returns the exact same output.\n\n```shell\ncargo audit bin target/release/vulnerable_crate\n```\n\n### osv-scanner\n\nOSV scanner uses osv.dev and finds advisories from both GitHub and RustSec databases.\n\n```shell\n$ osv-scanner .\nScanning dir .\nScanning /home/amousset/projects/vulnerable_crate/ at commit 00d2c0647947737aa8303dc98d4ea22295e593ec\nScanned /home/amousset/projects/vulnerable_crate/Cargo.lock file and found 87 packages\n╭─────────────────────────────────────┬──────┬───────────┬───────────────┬─────────┬────────────╮\n│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE       │ VERSION │ SOURCE     │\n├─────────────────────────────────────┼──────┼───────────┼───────────────┼─────────┼────────────┤\n│ https://osv.dev/GHSA-hhc4-47rh-cr34 │ 5.9, │ crates.io │ evm           │ 0.35.0  │ Cargo.lock │\n│ https://osv.dev/RUSTSEC-2022-0083   │ 7.5  │           │               │         │            │\n│ https://osv.dev/RUSTSEC-2022-0058   │      │ crates.io │ inconceivable │ 0.9.0   │ Cargo.lock │\n│ https://osv.dev/GHSA-f9g6-fp84-fv92 │      │ crates.io │ lmdb-rs       │ 0.7.6   │ Cargo.lock │\n│ https://osv.dev/RUSTSEC-2023-0047   │      │           │               │         │            │\n│ https://osv.dev/RUSTSEC-2023-0040   │      │ crates.io │ users         │ 0.11.0  │ Cargo.lock 
│\n╰─────────────────────────────────────┴──────┴───────────┴───────────────┴─────────┴────────────╯\n```\n\n### GitHub Advisories / Dependabot / etc.\n\nIt looks like:\n\n* Non-informational advisories are imported\n  * e.g.: https://github.com/advisories/GHSA-hhc4-47rh-cr34\n* `informational = \"unsound\"` advisories are imported\n  * e.g.: https://github.com/advisories/GHSA-f9g6-fp84-fv92\n* `informational = \"unmaintained\" / \"notice\"` are not imported (and hence not reported as vulnerabilities)\n\nWhich results in:\n\n* Reported alerts on the repository:\n\n![img.png](img.png)\n\n* A pull request from _dependabot_: https://github.com/amousset/vulnerable_crate/pull/1\n\n### Trivy\n\nThis shows the same output as the GitHub tooling, i.e., only vulnerabilities and unsoundness advisories.\n\nNote: This is because their OSV import [only imports GHSA advisories now](https://github.com/aquasecurity/trivy-db/blob/15ce04b6527c7c14bee72d0bd100653a8450bf3a/pkg/vulnsrc/osv/osv.go#L38).\n\n```shell\n$ trivy fs .\n2023-08-19T16:31:38.396+0200\tINFO\tVulnerability scanning is enabled\n[...]\n2023-08-19T16:31:38.456+0200\tINFO\tDetecting cargo vulnerabilities...\n\nCargo.lock (cargo)\n\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)\n\n┌─────────┬─────────────────────┬──────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐\n│ Library │    Vulnerability    │ Severity │  Status  │ Installed Version │ Fixed Version │                       Title                       │\n├─────────┼─────────────────────┼──────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤\n│ evm     │ CVE-2022-39354      │ MEDIUM   │ fixed    │ 0.35.0            │ 0.36.0        │ Incorrect is_static parameter for custom stateful │\n│         │                     │          │          │                   │               │ precompiles in SputnikVM (evm)                    │\n│         │ 
                    │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-39354        │\n├─────────┼─────────────────────┤          ├──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤\n│ lmdb-rs │ GHSA-f9g6-fp84-fv92 │          │ affected │ 0.7.6             │               │ impl `FromMdbValue` for bool is unsound           │\n│         │                     │          │          │                   │               │ https://github.com/advisories/GHSA-f9g6-fp84-fv92 │\n└─────────┴─────────────────────┴──────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘\n```\n\n### Grype\n\nSame as the GitHub tooling, plus a false positive on the `ethereum` crate name, which Grype confuses with\na vulnerability in the C++ implementation (cpp-ethereum).\n\n```shell\n$ grype .\n ✔ Vulnerability DB                [no update available]  \n ✔ Indexed file system             .\n ✔ Cataloged packages              [87 packages]  \n ✔ Scanned for vulnerabilities     [3 vulnerabilities]  \n   ├── 1 critical, 0 high, 2 medium, 0 low, 0 negligible\n   └── 1 fixed\n[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from-lib=syft\nNAME      INSTALLED  FIXED-IN  TYPE        VULNERABILITY        SEVERITY \nethereum  0.12.0               rust-crate  CVE-2017-14451       Critical  \nevm       0.35.0     0.36.0    rust-crate  GHSA-hhc4-47rh-cr34  Medium    \nlmdb-rs   0.7.6                rust-crate  GHSA-f9g6-fp84-fv92  
Medium\n```","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Famousset%2Fvulnerable_crate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Famousset%2Fvulnerable_crate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Famousset%2Fvulnerable_crate/lists"}
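The audit outputs above show that every tool applies its own default to `informational` advisories: cargo-deny and cargo-audit warn, while GitHub, Trivy and Grype never see `unmaintained` or `notice` advisories at all, so a pipeline that relies only on those will silently miss the `users` crate. The example below is added here and is not code from the vulnerable_crate repository: a small Python gate that post-processes `cargo audit --json` output against an explicit per-kind policy, so the build outcome is decided by the team rather than by a tool's defaults. It assumes the report layout of the rustsec `Report` type as I understand it (`vulnerabilities.list[]` and `warnings.<kind>[]`, each entry carrying `package` and `advisory`); the embedded report is constructed from the README's cargo-audit run, and the `example-withdrawn` and `example-yanked` entries are hypothetical additions that exercise a withdrawn advisory and a warning with no advisory attached.

```python
import json
import sys

# Constructed sample in the shape of `cargo audit --json` as I understand the
# rustsec Report structure (an assumption, not a capture from the repository).
# The first four findings mirror the README's cargo-audit run; `example-withdrawn`
# and `example-yanked` are hypothetical entries that exercise the edge cases.
SAMPLE_REPORT = r'''{
  "vulnerabilities": {"found": true, "count": 1, "list": [
    {"advisory": {"id": "RUSTSEC-2022-0083", "title": "evm incorrect state transition",
                  "informational": null, "withdrawn": null},
     "package": {"name": "evm", "version": "0.35.0"}}
  ]},
  "warnings": {
    "notice": [
      {"kind": "notice", "package": {"name": "inconceivable", "version": "0.9.0"},
       "advisory": {"id": "RUSTSEC-2022-0058", "informational": "notice", "withdrawn": null}}],
    "unmaintained": [
      {"kind": "unmaintained", "package": {"name": "users", "version": "0.11.0"},
       "advisory": {"id": "RUSTSEC-2023-0040", "informational": "unmaintained", "withdrawn": null}},
      {"kind": "unmaintained", "package": {"name": "example-withdrawn", "version": "1.0.0"},
       "advisory": {"id": "RUSTSEC-0000-0000", "informational": "unmaintained", "withdrawn": "2023-01-01"}}],
    "unsound": [
      {"kind": "unsound", "package": {"name": "lmdb-rs", "version": "0.7.6"},
       "advisory": {"id": "RUSTSEC-2023-0047", "informational": "unsound", "withdrawn": null}}],
    "yanked": [
      {"kind": "yanked", "package": {"name": "example-yanked", "version": "2.0.0"}, "advisory": null}]
  }
}'''

# cargo-audit's default: only real vulnerabilities fail the run.
DEFAULT_POLICY = {"vulnerability": "deny", "unsound": "warn",
                  "unmaintained": "warn", "notice": "warn", "yanked": "warn"}
# A stricter policy: unsound code, unmaintained crates and yanked releases fail too.
STRICT_POLICY = {"vulnerability": "deny", "unsound": "deny",
                 "unmaintained": "deny", "notice": "warn", "yanked": "deny"}


def parse_report(text):
    """Parse the JSON document produced by `cargo audit --json`."""
    return json.loads(text)


def iter_findings(report):
    """Yield (kind, package, advisory) for every vulnerability and warning."""
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        yield "vulnerability", vuln["package"], vuln["advisory"]
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            # Yanked-crate warnings carry no advisory; normalise to an empty dict.
            yield kind, entry["package"], entry.get("advisory") or {}


def evaluate(report, policy, ignore=()):
    """Split findings into denied / warned / skipped lists of
    (kind, name, version, advisory_id) tuples according to `policy`.

    Withdrawn advisories and explicitly ignored IDs are skipped; an advisory
    kind missing from the policy is denied, so new kinds fail closed.
    """
    denied, warned, skipped = [], [], []
    for kind, pkg, adv in iter_findings(report):
        adv_id = adv.get("id") or f"{kind}:{pkg['name']}@{pkg['version']}"
        finding = (kind, pkg["name"], pkg["version"], adv_id)
        if adv.get("withdrawn") or adv_id in ignore:
            skipped.append(finding)
        elif policy.get(kind, "deny") == "deny":
            denied.append(finding)
        elif policy.get(kind) == "warn":
            warned.append(finding)
        else:  # "allow"
            skipped.append(finding)
    return denied, warned, skipped


def gate(report_text, policy, ignore=()):
    """Return (exit_code, human-readable summary) for a cargo-audit JSON report."""
    denied, warned, skipped = evaluate(parse_report(report_text), policy, ignore)
    lines = [f"error[{k}]: {n} {v} ({i})" for k, n, v, i in denied]
    lines += [f"warning[{k}]: {n} {v} ({i})" for k, n, v, i in warned]
    lines += [f"skipped[{k}]: {n} {v} ({i})" for k, n, v, i in skipped]
    lines.append(f"{len(denied)} denied, {len(warned)} warned, {len(skipped)} skipped")
    return (1 if denied else 0), "\n".join(lines)


if __name__ == "__main__":
    # Usage: cargo audit --json | python audit_gate.py [--strict] [--ignore RUSTSEC-...]
    # With no piped input the constructed sample is evaluated instead.
    args = sys.argv[1:]
    policy = STRICT_POLICY if "--strict" in args else DEFAULT_POLICY
    ignore = tuple(args[i + 1] for i, a in enumerate(args) if a == "--ignore" and i + 1 < len(args))
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    code, summary = gate(text, policy, ignore)
    print(summary)
    sys.exit(code)
```

`audit_gate.py` is a hypothetical file name. Under `DEFAULT_POLICY` the sample yields the same verdict as the README's `cargo audit` run (one error for `evm`, warnings for the three informational advisories); under `--strict` the `lmdb-rs` unsoundness and the unmaintained `users` crate become errors as well, which is the gap the GitHub, Trivy and Grype outputs above leave open. Note that `cargo audit` itself exits non-zero when it finds a vulnerability, so CI should key on the gate's exit status rather than on the pipeline's first command.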