ignore sqlx security alert for audit

rust-lang · Aug 19, 2024 · bd7080a · bd7080a
1 parent 832a3ca
commit bd7080a
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -10,6 +10,13 @@ ignore = [
 
     "RUSTSEC-2024-0320", # yaml-rust is unmaintained. 
     # https://github.com/rust-lang/docs.rs/issues/2469
+
+    "RUSTSEC-2024-0363", # sqlx, Binary Protocol Misinterpretation caused by Truncating or Overflowing Cast
+    # https://github.com/rust-lang/docs.rs/issues/2588
+    # SECURITY: 
+    # We have plenty of places where user input ends up in sql, for example the inner doc path for doc pages, crate names etc.
+    # But in all these places, the user content is part of the path of the URL.
+    # Since URL length is limited by cloudfront, and also by nginx, to something much smaller than 4 GiB, I don't think this issue affects us.
 ]
 informational_warnings = ["unmaintained"] # warn for categories of informational advisories
 severity_threshold = "low" # CVSS severity ("none", "low", "medium", "high", "critical")