Files
compliance-scanner-agent/.cargo/audit.toml
T
Sharang Parnerkar fce9f1cbf1
CI / Check (pull_request) Successful in 8m1s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
fix(audit): bump quinn-proto + ignore rmcp DNS-rebinding advisory
Two new RUSTSEC advisories landed between 2026-06-18 and 2026-06-30
that started failing every PR's `cargo audit` step:

- RUSTSEC-2026-0185 (quinn-proto 0.11.14): remote memory exhaustion via
  unbounded out-of-order stream reassembly. Patched in 0.11.15 (semver-
  compatible). `cargo update -p quinn-proto`, no API change.

- RUSTSEC-2026-0189 (rmcp 0.16.0): DNS rebinding in Streamable HTTP
  server transport due to missing Host-header validation. Patched in
  rmcp >= 1.4.0, which is a major API jump from our pin (rmcp shipped
  0.x -> 1.x -> 2.x in three months and the migration touches every
  tool handler + the auth middleware just landed in #92).

  Added to ignore with justification: our MCP server is exposed at a
  public hostname behind orca's TLS-terminating ingress with per-tenant
  bearer auth. The attack model (browser DNS-rebinding into a victim's
  localhost MCP server) doesn't apply to a public-hostname deployment.
  Defense-in-depth Host-header validation remains worthwhile, tracked
  as a multi-hour M7.3 follow-up to migrate rmcp 0.16 -> 2.x.

Unblocks #96 and #94.
2026-06-30 17:48:42 +02:00

24 lines
1.4 KiB
TOML

[advisories]
ignore = [
# hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
# MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
# upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
# requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
# not a realistic attack surface here. Revisit when mongodb bumps hickory.
"RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
"RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
# rmcp 0.16.0 — DNS rebinding in Streamable HTTP server transport (missing
# Host header validation). Patched in rmcp >= 1.4.0, which is a major API
# version jump from our pin; rmcp shipped 0.x → 1.x → 2.x in three months
# and the migration touches every tool handler + the auth middleware we
# just landed in #92. Threat model in our deployment: the MCP server is
# exposed at a public hostname (comp-mcp-dev.meghsakha.com) behind orca's
# TLS-terminating ingress with per-tenant bearer auth — the attack model
# (browser DNS-rebinding into localhost MCP server) doesn't directly apply.
# Defense-in-depth Host-header check is still a worthwhile follow-up.
# FOLLOW-UP: bump rmcp to 2.x in a dedicated PR (M7.3 follow-up, sized
# multi-hour due to API surface change).
"RUSTSEC-2026-0189",
]