v1.18: ci: ignore the tonic audit as a temporary stopgap (backport of #…

…3052) (#3062) * ci: ignore the tonic audit as a temporary stopgap (#3052) (cherry picked from commit 9b5525d) # Conflicts: # ci/do-audit.sh * Fix conflicts * Update to mimic v2.0 change --------- Co-authored-by: Yihau Chen <[email protected]> Co-authored-by: WillHickey <[email protected]>
anza-xyz · Oct 4, 2024 · 92ddaa2 · 92ddaa2
1 parent 0e8cfe0
commit 92ddaa2
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/ci/do-audit.sh b/ci/do-audit.sh
@@ -41,6 +41,12 @@ cargo_audit_ignores=(
 
   # openssl
   --ignore RUSTSEC-2024-0357
+
+  # tonic
+  # When using tonic::transport::Server there is a remote DoS attack that can cause
+  # the server to exit cleanly on accepting a tcp/tls stream.
+  # Ignoring because we do not use this functionality.
+  --ignore RUSTSEC-2024-0376
 )
 scripts/cargo-for-all-lock-files.sh audit "${cargo_audit_ignores[@]}" | $dep_tree_filter
 # we want the `cargo audit` exit code, not `$dep_tree_filter`'s