Two new RUSTSEC advisories landed between 2026-06-18 and 2026-06-30
that started failing every PR's `cargo audit` step:
- RUSTSEC-2026-0185 (quinn-proto 0.11.14): remote memory exhaustion via
unbounded out-of-order stream reassembly. Patched in 0.11.15 (semver-
compatible). `cargo update -p quinn-proto`, no API change.
- RUSTSEC-2026-0189 (rmcp 0.16.0): DNS rebinding in Streamable HTTP
server transport due to missing Host-header validation. Patched in
rmcp >= 1.4.0, which is a major API jump from our pin (rmcp shipped
0.x -> 1.x -> 2.x in three months and the migration touches every
tool handler + the auth middleware just landed in #92).
Added to ignore with justification: our MCP server is exposed at a
public hostname behind orca's TLS-terminating ingress with per-tenant
bearer auth. The attack model (browser DNS-rebinding into a victim's
localhost MCP server) doesn't apply to a public-hostname deployment.
Defense-in-depth Host-header validation remains worthwhile, tracked
as a multi-hour M7.3 follow-up to migrate rmcp 0.16 -> 2.x.
Unblocks #96 and #94.
## Summary
- **Scan produces no results in Orca** — semgrep (`--config=auto`, unbounded memory) and syft (remote license network calls) were getting OOM-killed or hanging in resource-constrained Orca containers. Scan would "complete" with 0 findings/SBOMs silently because each scanner failure is caught and logged as a warning.
- **Dashboard Script error spam** — `document::Script` in Dioxus 0.7 needs a single text node child for inline scripts; `dangerous_inner_html` was invalid and spammed the error log on every unauthenticated page load.
## Changes
| File | Change |
|------|--------|
| `semgrep.rs` | Add `--max-memory 500 --jobs 1`; 10-minute timeout |
| `syft.rs` | Remove remote license lookup env vars; 5-minute timeout |
| `gitleaks.rs` | 5-minute timeout |
| `app_shell.rs` | Fix `dangerous_inner_html` → text child in `document::Script` |
## Test plan
- [ ] Trigger a scan on a repo in Orca — findings and SBOM entries should now appear
- [ ] Agent logs should show timeout/error warnings rather than silent empty results when tools are killed
- [ ] Navigate to dashboard unauthenticated — Script error gone from logs
- [ ] Verify scans work end-to-end with `docker compose up`
---------
Co-authored-by: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Reviewed-on: #78