
rust/cargo: ignore RUSTSEC-2026-0009 for time crate#14767

Open
inashivb wants to merge 1 commit intoOISF:mainfrom
inashivb:rust-time-crate/v3

Conversation

@inashivb
Member

@inashivb inashivb commented Feb 7, 2026

Previous PR: #14763

Changes since v2:

  • change commit title prefix as per review

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8269

cargo audit reports this security issue with the time crate but Suricata
remains unaffected as no influenced fn is used by Suricata.
Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009

The MSRV for newer time crate versions is higher than the MSRV for
Suricata right now: 1.75.0

Hence, the best course of action is to suppress this warning.

Ticket: 8269
@inashivb inashivb requested a review from jasonish as a code owner February 7, 2026 10:05
@codecov

codecov bot commented Feb 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.15%. Comparing base (364d2c0) to head (11b2860).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #14767   +/-   ##
=======================================
  Coverage   82.15%   82.15%           
=======================================
  Files        1003     1003           
  Lines      263674   263674           
=======================================
+ Hits       216611   216612    +1     
+ Misses      47063    47062    -1     
Flag              Coverage Δ
fuzzcorpus        60.19% <ø> (+<0.01%) ⬆️
livemode          18.78% <ø> (+0.04%)  ⬆️
netns             18.54% <ø> (-0.01%)  ⬇️
pcap              44.64% <ø> (+0.01%)  ⬆️
suricata-verify   65.45% <ø> (+<0.01%) ⬆️
unittests         59.23% <ø> (-0.01%)  ⬇️

Flags with carried forward coverage won't be shown.


@suricata-qa

Information: QA skipped due to no C or rust code changed detected. Set to force a run.

Pipeline = code

@victorjulien
Member

The function(s) aren't used by Suricata directly, but what about indirectly? Is the crate an indirect dependency where other crates may be using the affected functionality anyway?

@jasonish
Member

jasonish commented Feb 8, 2026

No rfc 2822 parsing appears to happen in the dependency chain. x509 does format as rfc 2822, but this issue is with respect to parsing.

@victorjulien
Member

> No rfc 2822 parsing appears to happen in the dependency chain. x509 does format as rfc 2822, but this issue is with respect to parsing.

Is there a way w/o manually reviewing to find out if future changes in our code or in our dependencies would use the affected functions?

@jasonish
Member

jasonish commented Feb 8, 2026

> No rfc 2822 parsing appears to happen in the dependency chain. x509 does format as rfc 2822, but this issue is with respect to parsing.
>
> Is there a way w/o manually reviewing to find out if future changes in our code or in our dependencies would use the affected functions?

AFAIK, only if we build something to do that.

Other option is to fork and patch so we can keep our MSRV requirements.
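One way to answer the question above without manual review is a small scanner run in CI over the crate's own `src/` plus the `cargo vendor` output, failing the build as soon as a parse call site with the affected format appears. This is an added example, not code from this PR or from Suricata; it assumes the flagged functionality is reached by passing the time crate's `Rfc2822` well-known format to a `parse` call, which is my assumption about the advisory rather than something this page states.

```python
import re
import sys
from pathlib import Path

# Assumption (not taken from the advisory text): the affected functionality is
# reached by passing the `Rfc2822` well-known format to a `parse` call, e.g.
# `OffsetDateTime::parse(s, &Rfc2822)`. Formatting with Rfc2822 is deliberately
# not flagged, matching the x509 case discussed in the thread.
PARSE_PATTERNS = [
    re.compile(r"\bparse\w*\s*\([^;]*?\bRfc2822\b"),  # parse(s, &Rfc2822)
    re.compile(r"\bRfc2822::parse"),                   # Rfc2822::parse_into(...)
]


def scan_source(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, line) for each suspect parse call site."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        if any(p.search(code) for p in PARSE_PATTERNS):
            hits.append((path, no, line.strip()))
    return hits


def scan_tree(root: Path) -> list[tuple[str, int, str]]:
    """Scan every .rs file under root (own sources and vendored crates)."""
    hits = []
    for rs in sorted(root.rglob("*.rs")):
        hits.extend(scan_source(str(rs), rs.read_text(errors="replace")))
    return hits


# Constructed sample files standing in for vendored crates.
SAMPLE_FILES = {
    "vendor/x509-parser/src/time.rs":
        "let s = dt.format(&Rfc2822)?;  // formatting only: not affected\n",
    "vendor/some-crate/src/mail.rs":
        "use time::format_description::well_known::Rfc2822;\n"
        "let when = OffsetDateTime::parse(header, &Rfc2822)?;\n",
}


def scan_samples() -> list[tuple[str, int, str]]:
    """Run the scanner over the constructed samples; only the parse call hits."""
    hits = []
    for path, text in SAMPLE_FILES.items():
        hits.extend(scan_source(path, text))
    return hits


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    found = scan_tree(root) if root else scan_samples()
    for path, no, line in found:
        print(f"{path}:{no}: {line}")
    sys.exit(1 if found else 0)  # non-zero exit makes CI fail on a new call site
```

Run it as `python scan.py .` after `cargo vendor` so the vendored dependency sources are covered as well as the crate's own code.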
