Audit-related updates

This commit makes a few cargo-audit-related changes: * updates the lock file with newer, un-yanked versions of futures-... crates * Updates the cargo audit config file to ignore the `chrono` and `time` issues. * Updates the security policy to lay out our approach to handling vulnerability reports. Signed-off-by: Ionut Mihalcea <[email protected]>
parallaxsecond · Feb 21, 2022 · 89de1b2 · 89de1b2
1 parent 796a6a2
commit 89de1b2
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 24 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -1,5 +1,6 @@
 [advisories]
-ignore = []
+ignore = ["RUSTSEC-2020-0159", # Issue has been documented here: https://github.com/parallaxsecond/parsec/security/advisories/GHSA-45w3-v3g4-54pm
+          "RUSTSEC-2020-0071"] # Issue has been documented here: https://github.com/parallaxsecond/parsec/security/advisories/GHSA-45w3-v3g4-54pm
 informational_warnings = ["unmaintained"] # warn for categories of informational advisories
 severity_threshold = "low" # CVSS severity ("none", "low", "medium", "high", "critical")
 
@@ -19,7 +20,6 @@ show_tree = true # Show inverse dependency trees along with advisories
 
 # Target Configuration
 [target]
-arch = "x86_64" # Ignore advisories for CPU architectures other than this one
 os = "linux" # Ignore advisories for operating systems other than this one
 
 [packages]

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/SECURITY.md b/SECURITY.md
@@ -9,10 +9,23 @@ disclosure of security problems are greatly appreciated and your contributions w
 Currently only the most recent version of the Parsec service is eligible for patching. This could
 change in the future.
 
-| Version         | Supported |
-|-----------------|-----------|
-| 0.7.0           | ✅       |
-| 0.6.0 and lower | ❌       |
+| Version          | Supported |
+|------------------|-----------|
+| 0.7.0 and higher | ✅       |
+| 0.6.0 and lower  | ❌       |
+
+## Our disclosure policy
+
+All security vulnerabilities affecting the Parsec service - including those reported using the steps
+highlighted below, those discovered during routine testing, and those found in our dependency tree
+either through `cargo-audit` or otherwise - will receive [security
+advisories](https://github.com/parallaxsecond/parsec/security/advisories) in a timely manner. The
+advisories should include sufficient information about the cause, effect, and possible mitigations
+for the vulnerability. If any information is missing, or you would like to raise a question about
+the advisories, please open an issue in [our repo](https://github.com/parallaxsecond/parsec).
+
+Efforts to mitigate for the reported vulnerabilities will be tracked using Github issues linked to
+the corresponding advisories.
 
 ## Reporting a vulnerability