You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.
⚠️4 issue(s) found, showing only errors (advisories, bans, sources)
📦 libdd-crashtracker - 4 error(s)
Show output
error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:200:1
│
200 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
│
├ ID: RUSTSEC-2026-0097
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
- The `log` and `thread_rng` features are enabled
- A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
- The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
- The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
- Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
`TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
├ Announcement: https://github.com/rust-random/rand/pull/1763
├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
├ rand v0.8.5
├── libdd-common v4.2.0
│ ├── libdd-capabilities-impl v2.0.0
│ │ └── libdd-shared-runtime v1.0.0
│ │ └── libdd-telemetry v5.0.1
│ │ └── libdd-crashtracker v1.0.0
│ ├── (build) libdd-crashtracker v1.0.0 (*)
│ ├── libdd-shared-runtime v1.0.0 (*)
│ └── libdd-telemetry v5.0.1 (*)
└── libdd-crashtracker v1.0.0 (*)
error[vulnerability]: Name constraints for URI names were incorrectly accepted
┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:215:1
│
215 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2026-0098
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
├ Name constraints for URI names were ignored and therefore accepted.
Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally.
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
├ rustls-webpki v0.103.10
└── rustls v0.23.37
├── hyper-rustls v0.27.7
│ └── libdd-common v4.2.0
│ ├── libdd-capabilities-impl v2.0.0
│ │ └── libdd-shared-runtime v1.0.0
│ │ └── libdd-telemetry v5.0.1
│ │ └── libdd-crashtracker v1.0.0
│ ├── (build) libdd-crashtracker v1.0.0 (*)
│ ├── libdd-shared-runtime v1.0.0 (*)
│ └── libdd-telemetry v5.0.1 (*)
├── libdd-common v4.2.0 (*)
└── tokio-rustls v0.26.0
├── hyper-rustls v0.27.7 (*)
└── libdd-common v4.2.0 (*)
error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:215:1
│
215 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2026-0099
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
├ rustls-webpki v0.103.10
└── rustls v0.23.37
├── hyper-rustls v0.27.7
│ └── libdd-common v4.2.0
│ ├── libdd-capabilities-impl v2.0.0
│ │ └── libdd-shared-runtime v1.0.0
│ │ └── libdd-telemetry v5.0.1
│ │ └── libdd-crashtracker v1.0.0
│ ├── (build) libdd-crashtracker v1.0.0 (*)
│ ├── libdd-shared-runtime v1.0.0 (*)
│ └── libdd-telemetry v5.0.1 (*)
├── libdd-common v4.2.0 (*)
└── tokio-rustls v0.26.0
├── hyper-rustls v0.27.7 (*)
└── libdd-common v4.2.0 (*)
error[vulnerability]: Reachable panic in certificate revocation list parsing
┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:215:1
│
215 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2026-0104
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
or [`OwnedCertRevocationList::from_der`]. This was the result of mishandling a syntactically valid empty
`BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
This panic is reachable prior to a CRL's signature being verified.
Applications that do not use CRLs are not affected.
Thank you to @tynus3 for the report.
├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
├ rustls-webpki v0.103.10
└── rustls v0.23.37
├── hyper-rustls v0.27.7
│ └── libdd-common v4.2.0
│ ├── libdd-capabilities-impl v2.0.0
│ │ └── libdd-shared-runtime v1.0.0
│ │ └── libdd-telemetry v5.0.1
│ │ └── libdd-crashtracker v1.0.0
│ ├── (build) libdd-crashtracker v1.0.0 (*)
│ ├── libdd-shared-runtime v1.0.0 (*)
│ └── libdd-telemetry v5.0.1 (*)
├── libdd-common v4.2.0 (*)
└── tokio-rustls v0.26.0
├── hyper-rustls v0.27.7 (*)
└── libdd-common v4.2.0 (*)
advisories FAILED, bans ok, sources ok
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
gyuheon0h
changed the title
What does this PR do?
A brief description of the change being made with this pull request.
Motivation
What inspired you to submit this pull request?
Additional Notes
Anything else we should know when reviewing?
How to test the change?
Describe here in detail how the change can be validated.