Summary
The aws-lc-sys Rust crate at version 0.32.3 has three High severity vulnerabilities. This is a transitive dependency in the Rust HTTP connector broker, pulled in via the rustls → aws-lc-rs → aws-lc-sys dependency chain. The fix version (>= 0.38.0) should be reachable via cargo update.
Grype ignore rules were added in PR #240 to unblock CI. This issue tracks the actual dependency fix and subsequent removal of those ignore rules.
Severity
High — 3 vulnerabilities
Affected Files
src/500-application/502-rust-http-connector/services/broker/Cargo.lock — aws-lc-sys 0.32.3
src/500-application/502-rust-http-connector/services/broker/Cargo.toml — direct dependency rustls = "0.23.8" (resolves to 0.23.33, which transitively pulls aws-lc-sys)
Dependency Chain
rustls 0.23.33
└── aws-lc-rs 1.14.1
    └── aws-lc-sys 0.32.3 ← vulnerable

rustls-webpki 0.103.7
└── aws-lc-rs 1.14.1
    └── aws-lc-sys 0.32.3 ← vulnerable
aws-lc-sys is not a direct dependency. It is transitive via aws-lc-rs, which is used by rustls and rustls-webpki.
Vulnerability Details
Remediation Steps
- In src/500-application/502-rust-http-connector/services/broker/, run cargo update to pull the latest compatible versions of aws-lc-rs and aws-lc-sys
- If cargo update alone does not pull aws-lc-sys >= 0.38.0, consider updating the rustls version constraint in Cargo.toml (currently "0.23.8")
- Verify Cargo.lock no longer references aws-lc-sys < 0.38.0
- Remove the three grype ignore rules from .grype.yaml:
  GHSA-65p9-r9h6-22vj
  GHSA-hfpc-8r3f-gw53
  GHSA-vw5v-4f2q-w9xf
- Run grype locally to confirm the findings are resolved:
  grype dir:. --config .grype.yaml
- Build and test the broker to verify no regressions:
  cargo build && cargo test
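For the "Verify Cargo.lock no longer references aws-lc-sys < 0.38.0" step, the following is an added example of a check that can run in CI, not a script from this repository: it parses the [[package]] entries of a Cargo.lock, collects every recorded version of a crate, and compares each one numerically against a minimum. The two Cargo.lock snippets are constructed inline so the example runs offline; the function names (lock_versions_of, version_ge, check_lock) are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: verify a Cargo.lock no longer pins a crate below a fixed version.
# Constructed sample lockfiles (shaped like real Cargo.lock [[package]] entries).
SAMPLE_LOCK_VULNERABLE='[[package]]
name = "aws-lc-rs"
version = "1.14.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aws-lc-sys"
version = "0.32.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
'
SAMPLE_LOCK_FIXED='[[package]]
name = "aws-lc-sys"
version = "0.38.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
'

# lock_versions_of LOCKFILE CRATE: print every version of CRATE recorded in LOCKFILE.
# A lockfile can legitimately list the same crate more than once (multiple major versions),
# so every entry is printed, one per line.
lock_versions_of() {
  awk -v crate="$2" '
    /^\[\[package\]\]/ { name = ""; next }
    /^name = /    { gsub(/"/, "", $3); name = $3; next }
    /^version = / && name == crate { gsub(/"/, "", $3); print $3 }
  ' "$1"
}

# version_ge A B: exit 0 when dotted version A >= B, comparing each component as a number
# (so 0.38.10 > 0.38.9, which a plain string comparison gets wrong). Pre-release suffixes
# such as "-beta" are ignored (assumption: the crate versions in play are plain x.y.z).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      ai = (i in x) ? x[i] + 0 : 0
      bi = (i in y) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# check_lock LOCKFILE CRATE MIN: exit 0 if every recorded version of CRATE is >= MIN,
# exit 1 (after naming each offending version) otherwise. If CRATE is absent from the
# lockfile entirely (e.g. the TLS backend was switched), there is nothing to flag and
# the check passes.
check_lock() {
  lockfile=$1; crate=$2; min=$3; status=0
  for v in $(lock_versions_of "$lockfile" "$crate"); do
    if version_ge "$v" "$min"; then
      echo "ok: $crate $v >= $min"
    else
      echo "FAIL: $crate $v < $min still referenced in $lockfile" >&2
      status=1
    fi
  done
  return $status
}

# Demonstration against the constructed lockfiles (a real run would point at the
# broker's Cargo.lock instead).
VULN_LOCK=$(mktemp); FIXED_LOCK=$(mktemp)
printf '%s' "$SAMPLE_LOCK_VULNERABLE" > "$VULN_LOCK"
printf '%s' "$SAMPLE_LOCK_FIXED" > "$FIXED_LOCK"
if check_lock "$VULN_LOCK" aws-lc-sys 0.38.0; then
  echo "vulnerable sample unexpectedly passed"
fi
check_lock "$FIXED_LOCK" aws-lc-sys 0.38.0
```

Run it as `check_lock path/to/Cargo.lock aws-lc-sys 0.38.0` after `cargo update`; a non-zero exit is the signal that the rustls constraint in Cargo.toml still needs to move before the grype ignore rules can be dropped.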
Acceptance Criteria
- aws-lc-sys updated to >= 0.38.0 in broker Cargo.lock
- GHSA-65p9-r9h6-22vj, GHSA-hfpc-8r3f-gw53, GHSA-vw5v-4f2q-w9xf removed from .grype.yaml
Related