resloved RUSTSEC-2023-0071

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>

Author: Bravo555

.cargo/audit.toml

@@ -0,0 +1,44 @@
+# https://github.com/rustsec/rustsec/blob/main/cargo-audit/audit.toml.example
+#
+# Example audit config file
+#
+# It may be located in the user home (`~/.cargo/audit.toml`) or in the project
+# root (`.cargo/audit.toml`).
+#
+# All of the options which can be passed via CLI arguments can also be
+# permanently specified in this file.
+
+[advisories]
+# advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+ignore = [
+    # The vulnerability regards attacker's ability to recover parts of the private key by observing
+    # the timings of the decryption operation. We only use the crate to construct the public key
+    # from components, so this doesn't affect us. To make sure we don't use affected API,
+    # appropriate entries should be added to clippy.toml to disallow these methods.
+    "RUSTSEC-2023-0071"
+] 
+informational_warnings = ["unmaintained"] # warn for categories of informational advisories
+severity_threshold = "low" # CVSS severity ("none", "low", "medium", "high", "critical")
+
+# Advisory Database Configuration
+# [database]
+# path = "~/.cargo/advisory-db" # Path where advisory git repo will be cloned
+# url = "https://github.com/RustSec/advisory-db.git" # URL to git repo
+# fetch = true # Perform a `git fetch` before auditing (default: true)
+# stale = false # Allow stale advisory DB (i.e. no commits for 90 days, default: false)
+
+# Output Configuration
+# [output]
+# deny = ["unmaintained"] # exit on error if unmaintained dependencies are found
+# format = "terminal" # "terminal" (human readable report) or "json"
+# quiet = false # Only print information on error
+# show_tree = true # Show inverse dependency trees along with advisories (default: true)
+
+# Target Configuration
+# [target]
+# arch = ["x86_64"] # Ignore advisories for CPU architectures other than these
+# os = ["linux", "windows"] # Ignore advisories for operating systems other than these
+
+[yanked]
+enabled = true # Warn for yanked crates in Cargo.lock (default: true)
+update_index = true # Auto-update the crates.io index (default: true)

clippy.toml

@@ -1,9 +1,17 @@
 disallowed-types = [
     { path = "reqwest::ClientBuilder", reason = "Use `certificate::CloudRootCerts` type instead to take root_cert_path configurations into account" },
+    
+    # advisory resolved by forbidding these methods and types; see audit.toml
+    {path = "rsa::traits::Decryptor", reason="RUSTSEC-2023-0071"},
+    {path = "rsa::RsaPrivateKey", reason="RUSTSEC-2023-0071"},
+    {path = "rsa::pkcs1v15::DecryptingKey", reason="RUSTSEC-2023-0071"},
+    {path = "rsa::oaep::Oaep", reason="RUSTSEC-2023-0071"},
+    {path = "rsa::oaep::DecryptingKey", reason="RUSTSEC-2023-0071"},
 ]
 disallowed-methods = [
     { path = "reqwest::Client::builder", reason = "Use `certificate::CloudRootCerts` type instead to take root_cert_path configurations into account" },
     { path = "reqwest::Client::new", reason = "Use `certificate::CloudRootCerts` type instead to take root_cert_path configurations into account" },
     { path = "hyper_rustls::HttpsConnectorBuilder::with_native_roots", reason = "Use .with_tls_config(tedge_config.cloud_client_tls_config()) instead to use configured root certificate paths for the connected cloud" },
+    {path = "rsa::RsaPrivateKey::decrypt"},
 ]
 large-error-threshold = 256