Merge pull request #6483 from Xuanwo/update-audit

chore: Update ignored CVE reported by cargo-audit

.cargo/audit.toml

@@ -1,12 +1,7 @@
 [advisories]
 ignore = [
-    # https://github.com/datafuselabs/databend/issues/2565
-    # need to fix upstream rusoto dependencies on credential and sts for this issue as well
-    "RUSTSEC-2020-0159",
-    "RUSTSEC-2020-0071",
-    # https://github.com/datafuselabs/databend/issues/2690
-    "RUSTSEC-2021-0122",
-    # https://github.com/datafuselabs/databend/issues/4335
-    "RUSTSEC-2022-0012"
-
+    # time: Potential segfault in the time crate
+    # We are not accected by this CVE.
+    # And there is no actions we can take, waiting for upstream.
+    "RUSTSEC-2020-0071"
 ]

Cargo.toml

@@ -42,6 +42,10 @@ members = [
     "tools/fuzz",
     "tools/metabench",
     "tools/metactl",
+
+    # Hack
+    # This crate is used to hack our cargo.lock to resovle CVEs and so on.
+    "common/dep-hack",
 ]
 
 [profile.release]

common/dep-hack/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "common-dep-hack"
+version = "0.1.0"
+edition = "2021"
+
+[package.metadata.cargo-udeps.ignore]
+normal = ["openssl-src"]
+
+[dependencies]
+openssl-src = { version = "111.22" }

common/dep-hack/src/lib.rs

@@ -0,0 +1,17 @@
+// Copyright 2021 Datafuse Labs.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This crate is used to hack our dependencies to resolve CVEs and so on.
+//!
+//! PLEASE DON'T TRY TO USE OR LINK THIS CRATE.