audit.toml: Add Marvin Attack from rsa crate to ignore list #134
Conversation
gowthamsk-arm
force-pushed
the
rsa_sec
branch
from
6e6de18 to
843a7bb
Compare
The rsa crate is only used for testing purpose and the security vulnerability has no impact on this crate. Signed-off-by: Gowtham Suresh Kumar <[email protected]>
gowthamsk-arm
force-pushed
the
rsa_sec
branch
from
843a7bb to
5da2107
Compare
| @@ -0,0 +1,4 @@ | |||
| [advisories] | |||
| ignore = [ | |||
| "RUSTSEC-2023-0071", # `rsa` Marvin Attack not concerning as `rsa` is only used for tests | |||
There was a problem hiding this comment.
What happens if we suddenly use it elsewhere (not in tests) ? Can we ignore it only for certain files?
There was a problem hiding this comment.
As this is an FFI layer for PSA, I can't think of a situation where we would provide an RSA operation from "rsa" crate here. Any particular situation you can think of?
There was a problem hiding this comment.
Not really, but I do think this may be useful for other situations.
If you prefer not to add it in this one, we can keep in mind for future parallaxsecond PRs, as I'm sure a case in which this would apply will happen later.
There was a problem hiding this comment.
Yeah, it might happen in other repos. I'm unaware if there is an option to restrict audit ignores to specific files. Let me have a look.
The
rsacrate is only used for testing purpose and the security vulnerability has no impact on this crate.Signed-off-by: Gowtham Suresh Kumar [email protected]