
Rust package being reported on wrong crates.io entry due to package name reuse #4902

Closed
rhalar opened this issue Oct 14, 2024 · 6 comments

Comments

@rhalar

rhalar commented Oct 14, 2024

So looking at https://osv.dev/vulnerability/GHSA-hw4v-5x4h-c3xm
it seems to point to a vulnerability in https://github.com/paritytech/frontier

However, when looking at
https://crates.io/crates/frontier

This does not seem to be the package in question, but rather
https://github.com/peterc-s/frontier

I have an older entry of the crates.io database dump, which does confirm that at one point pkg:crates.io/frontier did really point to the vulnerable package. It seems it has since been removed and the name claimed by a different author.
I'm not sure what the policy for this would be, but I'm guessing it would potentially need to be withdrawn? In which case all of these display the same issue:

GHSA-fcmm-54jp-7vf6
GHSA-v57h-6hmh-g2p4
GHSA-mjvm-mhgc-q4gp
GHSA-cjg2-2fjg-fph4
GHSA-vj62-g63v-f8mf
GHSA-hw4v-5x4h-c3xm

@rhalar
Author

rhalar commented Oct 15, 2024

I'm closing this; I realized this is probably more of an issue on the OSV side. GHSA Rust advisories do not limit reports to just crates.io, so this is legitimate.

@rhalar
Author

rhalar commented Oct 24, 2024

Seems I'm reopening this.

It was pointed out to me that the GHSA OSV entries are maintained and published by GHSA
google/osv.dev#2737 (comment)

I believe the best thing here would be to change affected packages for GHSA-fcmm-54jp-7vf6 and others to point to the correct (new) crates, as mentioned in the linked comment.

@rhalar rhalar reopened this Oct 24, 2024
@JonathanLEvans

Hi @rhalar, thank you for making us aware of this issue. We will make the appropriate changes to the advisories.

Could you go into more detail about how you identified this issue? Have you looked at other packages to see if they have the same issue?

@rhalar
Author

rhalar commented Oct 25, 2024

Partly by chance: we were reviewing our vulnerability mappings for advisories we get from osv.dev, and I noticed the version set didn't make sense; the 0.1.0 version never existed for (the current) pkg:cargo/frontier.
When I dug into it just a bit it was clear that the crate had nothing to do with the advisory, but we weren't aware crates could be reclaimed.

Luckily I had some older crates.io database dumps lying around and was able to verify that the crate ID changed for the relevant crate names. @michaelkedar pointed out the new crates which actually contain the vulnerabilities.

There is some info in this comment and discussion in general
google/osv.dev#2737 (comment)

@JonathanLEvans

Thank you for the explanation.

We have updated the packages in the advisories you listed.

@rhalar
Author

rhalar commented Oct 29, 2024

Thank you! I can confirm that the vulnerabilities seem to map correctly now. I'll close the issue.

It would not be too difficult to track the database dumps and recognize future such occurrences, or ones that are still present in the dataset. But I'll leave that up to you.
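The snapshot comparison described in the Oct 25 comment and the dump tracking suggested just above, as an added example that is not code from this thread, crates.io or OSV. It assumes a crates.csv with at least id, name and repository columns (the real dump carries more), constructs two miniature snapshots plus two advisory records, and flags advisories whose listed crate name now resolves to a crate whose repository differs from the one the advisory describes.

```python
import csv
import io

# Constructed miniature of the crates.csv table from two crates.io database dump
# snapshots (assumption: only id, name, repository are modelled; the real dump has more).
OLD_DUMP = """id,name,repository
1001,frontier,https://github.com/paritytech/frontier
1002,serde,https://github.com/serde-rs/serde
"""
NEW_DUMP = """id,name,repository
2001,frontier,https://github.com/peterc-s/frontier
1002,serde,https://github.com/serde-rs/serde
"""
# Constructed advisories: affected crate name plus the repository the advisory
# actually describes. The second id is an obvious placeholder.
ADVISORIES = [
    {"id": "GHSA-hw4v-5x4h-c3xm", "package": "frontier",
     "repo": "https://github.com/paritytech/frontier"},
    {"id": "GHSA-PLACEHOLDER-0000", "package": "serde",
     "repo": "https://github.com/serde-rs/serde"},
]

def norm_repo(url):
    """Normalise a repository URL so trivially different spellings compare equal."""
    return url.strip().lower().rstrip("/").removesuffix(".git")

def load_crates(dump_csv):
    """Index one snapshot's crates.csv rows by crate name."""
    return {row["name"]: row for row in csv.DictReader(io.StringIO(dump_csv))}

def reclaimed_crates(old_dump, new_dump):
    """Names whose crate id changed between snapshots (name deleted and re-registered)."""
    old, new = load_crates(old_dump), load_crates(new_dump)
    changed = {}
    for name, row in new.items():
        if name in old and old[name]["id"] != row["id"]:
            changed[name] = {"old_id": old[name]["id"], "new_id": row["id"],
                             "old_repo": old[name]["repository"],
                             "new_repo": row["repository"]}
    return changed

def advisories_at_risk(advisories, reclaimed):
    """Advisories whose listed crate name now resolves to a crate whose
    repository differs from the one the advisory describes."""
    flagged = []
    for adv in advisories:
        change = reclaimed.get(adv["package"])
        if change and norm_repo(change["new_repo"]) != norm_repo(adv["repo"]):
            flagged.append((adv["id"], adv["package"], change["new_repo"]))
    return flagged
```

Run over consecutive real dumps, `reclaimed_crates` gives the list of names to re-check, and `advisories_at_risk` narrows it to advisories whose package mapping has silently drifted to unrelated code.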

@rhalar rhalar closed this as completed Oct 29, 2024