From 90741cc16a9017dde18fb0f534e7a663f969649a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Mon, 9 Feb 2026 12:30:01 +0100
Subject: [PATCH 1/7] try adding missing dependency to cross setup
---
 Cross.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Cross.toml b/Cross.toml
index 3b193b35..0a1eae19 100644
--- a/Cross.toml
+++ b/Cross.toml
@@ -2,7 +2,7 @@
 image = "ghcr.io/defguard/cross:x86_64-unknown-linux-gnu"
 pre-build = [
 "dpkg --add-architecture $CROSS_DEB_ARCH",
- "apt-get update && apt-get install --assume-yes unzip libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev:$CROSS_DEB_ARCH",
+ "apt-get update && apt-get install --assume-yes unzip libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev:$CROSS_DEB_ARCH libssl-dev:$CROSS_DEB_ARCH",
 "PB_REL='https://github.com/protocolbuffers/protobuf/releases'",
 "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip",
 "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr",
@@ -12,7 +12,7 @@ pre-build = [
 image = "ghcr.io/defguard/cross:armv7-unknown-linux-gnueabihf"
 pre-build = [
 "dpkg --add-architecture $CROSS_DEB_ARCH",
- "apt-get update && apt-get install --assume-yes unzip libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev:$CROSS_DEB_ARCH",
+ "apt-get update && apt-get install --assume-yes unzip libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev:$CROSS_DEB_ARCH libssl-dev:$CROSS_DEB_ARCH",
 "PB_REL='https://github.com/protocolbuffers/protobuf/releases'",
 "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip",
 "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr",
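Review bot: The `libssl-dev:$CROSS_DEB_ARCH` package added to the `apt-get install` line comes with no comment saying which crate needs system OpenSSL, and the same addition is repeated in the armv7, aarch64 and FreeBSD hunks of this patch. A comment above the install line, such as `# libssl-dev: needed by <crate> to link OpenSSL for the target`, would let a later reader judge whether the package can be dropped again. The package is installed unversioned from whatever the cross image's apt sources serve at build time, so if a release binary ends up linking it statically the shipped OpenSSL version is recorded nowhere in this file; stating the expected linkage (static or dynamic) in the same comment would help anyone tracing an OpenSSL advisory back to a release. The `pre-build` arrays continue outside the hunks.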
@@ -23,7 +23,7 @@ pre-build = [
 image = "ghcr.io/defguard/cross:aarch64-unknown-linux-gnu"
 pre-build = [
 "dpkg --add-architecture $CROSS_DEB_ARCH",
- "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH",
+ "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH libssl-dev:$CROSS_DEB_ARCH",
 "PB_REL='https://github.com/protocolbuffers/protobuf/releases'",
 "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip",
 "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr",
@@ -32,7 +32,7 @@ pre-build = [
 [target.x86_64-unknown-freebsd]
 image = "ghcr.io/defguard/cross:x86_64-unknown-freebsd"
 pre-build = [
- "apt-get update && apt-get install --assume-yes unzip",
+ "apt-get update && apt-get install --assume-yes unzip libssl-dev:$CROSS_DEB_ARCH",
 "PB_REL='https://github.com/protocolbuffers/protobuf/releases'",
 "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip",
 "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr",
From 518b01b22505357c34e28455aa0ec9107a1fdbd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Mon, 9 Feb 2026 12:48:26 +0100
Subject: [PATCH 2/7] maybe this way
---
 Cross.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cross.toml b/Cross.toml
index 0a1eae19..310189a6 100644
--- a/Cross.toml
+++ b/Cross.toml
@@ -23,7 +23,7 @@ pre-build = [
 image = "ghcr.io/defguard/cross:aarch64-unknown-linux-gnu"
 pre-build = [
 "dpkg --add-architecture $CROSS_DEB_ARCH",
- "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH libssl-dev:$CROSS_DEB_ARCH",
+ "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH libssl-dev libssl-dev:$CROSS_DEB_ARCH",
 "PB_REL='https://github.com/protocolbuffers/protobuf/releases'",
 "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip",
 "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr",
@@ -32,7 +32,7 @@ pre-build = [
 [target.x86_64-unknown-freebsd]
 image = "ghcr.io/defguard/cross:x86_64-unknown-freebsd"
 pre-build = [
- "apt-get update && apt-get install --assume-yes unzip libssl-dev:$CROSS_DEB_ARCH",
+ "apt-get update && apt-get install --assume-yes unzip libssl-dev",
 "PB_REL='https://github.com/protocolbuffers/protobuf/releases'",
 "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip",
 "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr",
From 5a5948d0d0c903d5f349aeda8374431ad3987f36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Mon, 9 Feb 2026 13:03:05 +0100
Subject: [PATCH 3/7] another try
---
 Cross.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Cross.toml b/Cross.toml
index 310189a6..46508368 100644
--- a/Cross.toml
+++ b/Cross.toml
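Review bot: In the FreeBSD hunk the install line now pulls the build host's `libssl-dev`, which ships Linux headers and libraries, so it can serve a host-side build script but probably cannot satisfy the link step for `x86_64-unknown-freebsd`; nothing in the file says which of the two is intended. The aarch64 hunk likewise becomes the only Linux target that installs both the host package and the `:$CROSS_DEB_ARCH` one, while x86_64 and armv7 keep only the latter. A one-line comment per target naming the side that needs OpenSSL, for example `# host libssl-dev: used by build scripts only (TODO confirm)`, would make the difference reviewable instead of a result of trial and error. Both `pre-build` arrays continue outside the hunks.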
@@ -23,7 +23,7 @@ pre-build = [
 image = "ghcr.io/defguard/cross:aarch64-unknown-linux-gnu"
 pre-build = [
 "dpkg --add-architecture $CROSS_DEB_ARCH",
- "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH libssl-dev libssl-dev:$CROSS_DEB_ARCH",
+ "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH libssl-dev",
 "PB_REL='https://github.com/protocolbuffers/protobuf/releases'",
 "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip",
 "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr",
From ac7aa731a9cc2a3c0af2a131ed447da8503f7bd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Mon, 9 Feb 2026 13:18:42 +0100
Subject: [PATCH 4/7] pin toolchain version
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0507d8a7..06e4800a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -99,7 +99,7 @@ jobs: - name: Install Rust stable uses: actions-rs/toolchain@v1 with: - toolchain: stable + toolchain: 1.89.0 # "stable" causes rust-lld: error on aarch64-linux target: ${{ matrix.target }} override: true
From 2191d39324857bec2e107807b3e8be59f140d60c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Mon, 9 Feb 2026 13:18:57 +0100
Subject: [PATCH 5/7] Revert "another try"
This reverts commit 5a5948d0d0c903d5f349aeda8374431ad3987f36.
---
 Cross.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Cross.toml b/Cross.toml
index 46508368..310189a6 100644
--- a/Cross.toml
+++ b/Cross.toml
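Review bot: In the release.yml hunk the new `toolchain: 1.89.0` pin says why it exists but not when it can be lifted, so release binaries stay on that compiler, and miss later compiler and standard-library fixes, until someone remembers to revisit it. Putting a tracking reference in the comment, e.g. `toolchain: 1.89.0 # pinned: "stable" causes rust-lld error on aarch64-linux; unpin per <tracking issue>`, gives the pin an owner and an exit condition. The pin also applies to every `matrix.target`, not only aarch64, and if other workflows still request `stable` then CI and release builds use different compilers; the visible lines cannot confirm either way. The step's job definition starts outside the hunk.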
@@ -23,7 +23,7 @@ pre-build = [ image = "ghcr.io/defguard/cross:aarch64-unknown-linux-gnu" pre-build = [ "dpkg --add-architecture $CROSS_DEB_ARCH", - "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH libssl-dev", + "apt-get update && apt-get install --assume-yes unzip libnftnl-dev libnftnl-dev:$CROSS_DEB_ARCH libmnl-dev libmnl-dev:$CROSS_DEB_ARCH libssl-dev libssl-dev:$CROSS_DEB_ARCH", "PB_REL='https://github.com/protocolbuffers/protobuf/releases'", "PB_VERSION='3.20.0' && curl -LO $PB_REL/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip", "unzip protoc-$PB_VERSION-linux-x86_64.zip bin/protoc include/google/* -d /usr", From b89f501ed86eed0c75c3ab846a01ec14f2c1e412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 9 Feb 2026 13:58:03 +0100 Subject: [PATCH 6/7] update dependencies --- Cargo.lock | 225 ++++++++++++++++++++++++++++------------------------- flake.lock | 12 +-- flake.nix | 1 + 3 files changed, 125 insertions(+), 113 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e5d58f45..64d6db15 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -94,15 +94,15 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.100" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" +checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea" [[package]] name = "askama" -version = "0.13.1" +version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d4744ed2eef2645831b441d8f5459689ade2ab27c854488fbab1fbe94fce1a7" +checksum = "f75363874b771be265f4ffe307ca705ef6f3baa19011c149da8674a87f1b75c4" dependencies = [ "askama_derive", "itoa", 
@@ -113,9 +113,9 @@ dependencies = [ [[package]] name = "askama_derive" -version = "0.13.1" +version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d661e0f57be36a5c14c48f78d09011e67e0cb618f269cca9f2fd8d15b68c46ac" +checksum = "129397200fe83088e8a68407a8e2b1f826cf0086b21ccdb866a722c8bcd3a94f" dependencies = [ "askama_parser", "basic-toml", @@ -130,9 +130,9 @@ dependencies = [ [[package]] name = "askama_parser" -version = "0.13.0" +version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf315ce6524c857bb129ff794935cf6d42c82a6cff60526fe2a63593de4d0d4f" +checksum = "d6ab5630b3d5eaf232620167977f95eb51f3432fc76852328774afbd242d4358" dependencies = [ "memchr", "serde", @@ -334,9 +334,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" -version = "1.11.0" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3" +checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33" [[package]] name = "camino" @@ -372,9 +372,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.54" +version = "1.2.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6354c81bbfd62d9cfa9cb3c773c2b7b2a3a482d569de977fd0e961f6e7c00583" +checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" dependencies = [ "find-msvc-tools", "jobserver", @@ -444,9 +444,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.54" +version = "4.5.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6e6ff9dcd79cff5cd969a17a545d79e84ab086e444102a591e288a8aa3ce394" +checksum = "6899ea499e3fb9305a65d5ebf6e3d2248c5fab291f300ad0a704fbe142eae31a" dependencies = [ "clap_builder", "clap_derive", 
@@ -454,9 +454,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.54" +version = "4.5.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa42cf4d2b7a41bc8f663a7cab4031ebafa1bf3875705bfaf8466dc60ab52c00" +checksum = "7b12c8b680195a62a8364d16b8447b01b6c2c8f9aaf68bee653be34d4245e238" dependencies = [ "anstream", "anstyle", @@ -466,9 +466,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.5.49" +version = "4.5.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a0b5487afeab2deb2ff4e03a807ad1a03ac532ff5a2cee5d86884440c7f7671" +checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5" dependencies = [ "heck", "proc-macro2", @@ -673,7 +673,7 @@ dependencies = [ "log", "mnl", "nftnl", - "nix", + "nix 0.30.1", "prost", "serde", "syslog", @@ -693,9 +693,9 @@ dependencies = [ [[package]] name = "defguard_boringtun" -version = "0.6.3" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e226ae51c414f475137460063382d0bb6b5a1b1b1a2b135d4b3b830ab43f06ec" +checksum = "a609d0ae26a17360fc4f7c7263f72da96665eaa9f73dc6e803b13dbfd184c385" dependencies = [ "aead", "base64", @@ -706,7 +706,7 @@ dependencies = [ "ip_network", "ip_network_table", "libc", - "nix", + "nix 0.31.1", "parking_lot", "ring", "socket2", @@ -765,7 +765,7 @@ dependencies = [ "netlink-packet-utils", "netlink-packet-wireguard", "netlink-sys", - "nix", + "nix 0.30.1", "regex", "serde", "thiserror 2.0.18", @@ -962,9 +962,9 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" [[package]] name = "find-msvc-tools" -version = "0.1.8" +version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8591b0bcc8a98a64310a2fae1bb3e9b8564dd10e381e6e28010fde8e8e8568db" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" [[package]] name = "fixedbitset" 
@@ -974,9 +974,9 @@ checksum = "1d674e81391d1e1ab681a28d99df07927c6d4aa5b027d7da16ba32d1d21ecd99" [[package]] name = "flate2" -version = "1.1.8" +version = "1.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b375d6465b98090a5f25b1c7703f3859783755aa9a80433b36e0379a3ec2f369" +checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c" dependencies = [ "crc32fast", "miniz_oxide", @@ -1155,9 +1155,9 @@ dependencies = [ [[package]] name = "git2" -version = "0.20.3" +version = "0.20.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3e2b37e2f62729cdada11f0e6b3b6fe383c69c29fc619e391223e12856af308c" +checksum = "7b88256088d75a56f8ecfa070513a775dd9107f6530ef14919dac831af9cfe2b" dependencies = [ "bitflags", "libc", @@ -1361,13 +1361,12 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.19" +version = "0.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f" +checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0" dependencies = [ "bytes", "futures-channel", - "futures-core", "futures-util", "http", "http-body", @@ -1382,9 +1381,9 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.64" +version = "0.1.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33e57f83510bb73707521ebaffa789ec8caf86f9657cad665b092b581d40e9fb" +checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470" dependencies = [ "android_system_properties", "core-foundation-sys", 
@@ -1599,9 +1598,9 @@ checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "jiff" -version = "0.2.18" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e67e8da4c49d6d9909fe03361f9b620f58898859f5c7aded68351e85e71ecf50" +checksum = "d89a5b5e10d5a9ad6e5d1f4bd58225f655d6fe9767575a5e8ac5a6fe64e04495" dependencies = [ "jiff-static", "log", @@ -1612,9 +1611,9 @@ dependencies = [ [[package]] name = "jiff-static" -version = "0.2.18" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0c84ee7f197eca9a86c6fd6cb771e55eb991632f15f2bc3ca6ec838929e6e78" +checksum = "ff7a39c8862fc1369215ccf0a8f12dd4598c7f6484704359f0351bd617034dbf" dependencies = [ "proc-macro2", "quote", @@ -1680,9 +1679,9 @@ dependencies = [ [[package]] name = "libm" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" [[package]] name = "libredox" @@ -1771,9 +1770,9 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.6" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" [[package]] name = "memoffset" @@ -1958,6 +1957,18 @@ dependencies = [ "memoffset", ] +[[package]] +name = "nix" +version = "0.31.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "225e7cfe711e0ba79a68baeddb2982723e4235247aefce1482f2f16c27865b66" +dependencies = [ + "bitflags", + "cfg-if", + "cfg_aliases", + "libc", +] + [[package]] name = "nom" version = "7.1.3" 
@@ -2005,9 +2016,9 @@ dependencies = [ [[package]] name = "num-conv" -version = "0.1.0" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" +checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050" [[package]] name = "num-integer" @@ -2292,7 +2303,7 @@ checksum = "e4022a17595a00d6a369236fdae483f0de7f0a339960a53118b818238e132224" dependencies = [ "android_system_properties", "log", - "nix", + "nix 0.30.1", "objc2", "objc2-foundation", "objc2-ui-kit", @@ -2455,15 +2466,15 @@ dependencies = [ [[package]] name = "portable-atomic" -version = "1.13.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f89776e4d69bb58bc6993e99ffa1d11f228b839984854c7daeb5d37f87cbe950" +checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49" [[package]] name = "portable-atomic-util" -version = "0.2.4" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8a2f0d8d040d7848a709caf78912debcc3f33ee4b3cac47d73d1e1069e83507" +checksum = "7a9db96d7fa8782dd8c15ce32ffe8680bbd1e978a43bf51a34d39483540495f5" dependencies = [ "portable-atomic", ] @@ -2663,9 +2674,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.12.2" +version = "1.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4" +checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276" dependencies = [ "aho-corasick", "memchr", 
@@ -2675,9 +2686,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.13" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c" +checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f" dependencies = [ "aho-corasick", "memchr", @@ -2686,9 +2697,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58" +checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c" [[package]] name = "ring" @@ -2816,9 +2827,9 @@ checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" [[package]] name = "ryu" -version = "1.0.22" +version = "1.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984" +checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f" [[package]] name = "schannel" @@ -3041,15 +3052,15 @@ checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2" [[package]] name = "siphasher" -version = "0.3.11" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38b58827f4464d87d377d175e90bf58eb00fd8716ff0a62f80356b5e61555d0d" +checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e" [[package]] name = "slab" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589" +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" [[package]] name = "smallvec" 
@@ -3068,9 +3079,9 @@ checksum = "b7c388c1b5e93756d0c740965c41e8822f866621d41acbdf6336a6a168f8840c" [[package]] name = "socket2" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881" +checksum = "86f4aa3ad99f2088c990dfa82d367e19cb29268ed67c574d10d0a4bfe71f07e0" dependencies = [ "libc", "windows-sys 0.60.2", @@ -3442,9 +3453,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.45" +version = "0.3.47" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9e442fc33d7fdb45aa9bfeb312c095964abdf596f7567261062b2a7107aaabd" +checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c" dependencies = [ "deranged", "itoa", @@ -3459,15 +3470,15 @@ dependencies = [ [[package]] name = "time-core" -version = "0.1.7" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b36ee98fd31ec7426d599183e8fe26932a8dc1fb76ddb6214d05493377d34ca" +checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca" [[package]] name = "time-macros" -version = "0.2.25" +version = "0.2.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "71e552d1249bf61ac2a52db88179fd0673def1e1ad8243a00d9ec9ed71fee3dd" +checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215" dependencies = [ "num-conv", "time-core", @@ -3600,9 +3611,9 @@ checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607" [[package]] name = "tonic" -version = "0.14.2" +version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb7613188ce9f7df5bfe185db26c5814347d110db17920415cf2fbcad85e7203" +checksum = "a286e33f82f8a1ee2df63f4fa35c0becf4a85a0cb03091a15fd7bf0b402dc94a" dependencies = [ "async-trait", "axum", 
@@ -3632,9 +3643,9 @@ dependencies = [ [[package]] name = "tonic-build" -version = "0.14.2" +version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c40aaccc9f9eccf2cd82ebc111adc13030d23e887244bc9cfa5d1d636049de3" +checksum = "27aac809edf60b741e2d7db6367214d078856b8a5bff0087e94ff330fb97b6fc" dependencies = [ "prettyplease", "proc-macro2", @@ -3644,9 +3655,9 @@ dependencies = [ [[package]] name = "tonic-prost" -version = "0.14.2" +version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66bd50ad6ce1252d87ef024b3d64fe4c3cf54a86fb9ef4c631fdd0ded7aeaa67" +checksum = "d6c55a2d6a14174563de34409c9f92ff981d006f56da9c6ecd40d9d4a31500b0" dependencies = [ "bytes", "prost", @@ -3655,9 +3666,9 @@ dependencies = [ [[package]] name = "tonic-prost-build" -version = "0.14.2" +version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4a16cba4043dc3ff43fcb3f96b4c5c154c64cbd18ca8dce2ab2c6a451d058a2" +checksum = "a4556786613791cfef4ed134aa670b61a85cfcacf71543ef33e8d801abae988f" dependencies = [ "prettyplease", "proc-macro2", @@ -3788,9 +3799,9 @@ checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5" [[package]] name = "unicode-ident" -version = "1.0.22" +version = "1.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5" +checksum = "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e" [[package]] name = "unicode-normalization" 
@@ -3809,9 +3820,9 @@ checksum = "7df058c713841ad818f1dc5d3fd88063241cc61f49f5fbea4b951e8cf5a8d71d" [[package]] name = "uniffi" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c866f627c3f04c3df068b68bb2d725492caaa539dd313e2a9d26bb85b1a32f4e" +checksum = "b8c6dec3fc6645f71a16a3fa9ff57991028153bd194ca97f4b55e610c73ce66a" dependencies = [ "anyhow", "camino", @@ -3826,9 +3837,9 @@ dependencies = [ [[package]] name = "uniffi_bindgen" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c8ca600167641ebe7c8ba9254af40492dda3397c528cc3b2f511bd23e8541a5" +checksum = "4ed0150801958d4825da56a41c71f000a457ac3a4613fa9647df78ac4b6b6881" dependencies = [ "anyhow", "askama", @@ -3852,9 +3863,9 @@ dependencies = [ [[package]] name = "uniffi_build" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3e55c05228f4858bb258f651d21d743fcc1fe5a2ec20d3c0f9daefddb105ee4d" +checksum = "b78fd9271a4c2e85bd2c266c5a9ede1fac676eb39fd77f636c27eaf67426fd5f" dependencies = [ "anyhow", "camino", @@ -3863,9 +3874,9 @@ dependencies = [ [[package]] name = "uniffi_core" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e7a5a038ebffe8f4cf91416b154ef3c2468b18e828b7009e01b1b99938089f9" +checksum = "b0ef62e69762fbb9386dcb6c87cd3dd05d525fa8a3a579a290892e60ddbda47e" dependencies = [ "anyhow", "bytes", @@ -3875,9 +3886,9 @@ dependencies = [ [[package]] name = "uniffi_internal_macros" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3c2a6f93e7b73726e2015696ece25ca0ac5a5f1cf8d6a7ab5214dd0a01d2edf" +checksum = "98f51ebca0d9a4b2aa6c644d5ede45c56f73906b96403c08a1985e75ccb64a01" dependencies = [ "anyhow", "indexmap", 
@@ -3888,9 +3899,9 @@ dependencies = [ [[package]] name = "uniffi_macros" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64c6309fc36c7992afc03bc0c5b059c656bccbef3f2a4bc362980017f8936141" +checksum = "db9d12529f1223d014fd501e5f29ca0884d15d6ed5ddddd9f506e55350327dc3" dependencies = [ "camino", "fs-err", @@ -3905,9 +3916,9 @@ dependencies = [ [[package]] name = "uniffi_meta" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a138823392dba19b0aa494872689f97d0ee157de5852e2bec157ce6de9cdc22" +checksum = "9df6d413db2827c68588f8149d30d49b71d540d46539e435b23a7f7dbd4d4f86" dependencies = [ "anyhow", "siphasher", @@ -3917,9 +3928,9 @@ dependencies = [ [[package]] name = "uniffi_pipeline" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c27c4b515d25f8e53cc918e238c39a79c3144a40eaf2e51c4a7958973422c29" +checksum = "a806dddc8208f22efd7e95a5cdf88ed43d0f3271e8f63b47e757a8bbdb43b63a" dependencies = [ "anyhow", "heck", @@ -3930,9 +3941,9 @@ dependencies = [ [[package]] name = "uniffi_udl" -version = "0.30.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0adacdd848aeed7af4f5af7d2f621d5e82531325d405e29463482becfdeafca" +checksum = "0d1a7339539bf6f6fa3e9b534dece13f778bda2d54b1a6d4e40b4d6090ac26e7" dependencies = [ "anyhow", "textwrap", @@ -3982,9 +3993,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.19.0" +version = "1.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a" +checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f" dependencies = [ "js-sys", "wasm-bindgen", 
@@ -4550,9 +4561,9 @@ dependencies = [ [[package]] name = "x509-parser" -version = "0.18.0" +version = "0.18.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb3e137310115a65136898d2079f003ce33331a6c4b0d51f1531d1be082b6425" +checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202" dependencies = [ "asn1-rs", "data-encoding", @@ -4600,18 +4611,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.33" +version = "0.8.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "668f5168d10b9ee831de31933dc111a459c97ec93225beb307aed970d1372dfd" +checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.33" +version = "0.8.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c7962b26b0a8685668b671ee4b54d007a67d4eaf05fda79ac0ecf41e32270f1" +checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517" dependencies = [ "proc-macro2", "quote", @@ -4694,6 +4705,6 @@ dependencies = [ [[package]] name = "zmij" -version = "1.0.16" +version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfcd145825aace48cff44a8844de64bf75feec3080e0aa5cdbde72961ae51a65" +checksum = "4de98dfa5d5b7fef4ee834d0073d560c9ca7b6c46a71d058c48db7960f8cfaf7" diff --git a/flake.lock b/flake.lock index 9889879c..eb020e0c 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761907660, - "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", + "lastModified": 1770562336, + "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", + "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", "type": "github" }, "original": { 
@@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1762137611, - "narHash": "sha256-sTqb10FR/YQCuGbw16qxliX0NFlYg6evSEjN8w+9IYE=", + "lastModified": 1770606655, + "narHash": "sha256-rpJf+kxvLWv32ivcgu8d+JeJooog3boJCT8J3joJvvM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "3a0ebe5d2965692f990cb27e62f501ad35e3deeb", + "rev": "11a396520bf911e4ed01e78e11633d3fc63b350e", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index 0d06e026..cec27964 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,7 @@
 rustToolchain
 libnftnl
 libmnl
+ trivy
 ];
 };
 });
From 467cab73bb1d9e8830ec0d9faa38a885b7434144 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Mon, 12 Jan 2026 10:54:56 +0100
Subject: [PATCH 7/7] update trivy config (#247)
* update nix flake
* add trivyignore config
* use ignore config in CI pipelines
* update cargo deny config
---
 .github/workflows/build-docker.yml | 3 +++
 .github/workflows/ci.yml | 7 +++++--
 .github/workflows/sbom.yml | 32 ++++++++++++++++++++----------
 .trivyignore.yaml | 4 ++++
 4 files changed, 34 insertions(+), 12 deletions(-)
 create mode 100644 .trivyignore.yaml
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index f0f95075..4d35c945 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -75,6 +75,9 @@ jobs: - name: Scan image with Trivy uses: aquasecurity/trivy-action@0.33.1 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}" format: "table"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4d79ae06..fd655b65 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
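Review bot: The `env:` block added to the Trivy step in the build-docker.yml hunk is pasted unchanged into the ci.yml hunk and into all four Trivy steps of the sbom.yml hunk, so a Trivy step added later can miss it and run with a different suppression set than the rest. Declaring it once at job or workflow level, `env: { TRIVY_SHOW_SUPPRESSED: 1, TRIVY_IGNOREFILE: "./.trivyignore.yaml" }`, keeps every scan on the same policy. The relative path assumes each step runs from the repository root after checkout; the checkout steps are outside these hunks, so that is worth confirming for the image-scan jobs in particular.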
@@ -35,9 +35,12 @@ jobs: - name: Scan code with Trivy uses: aquasecurity/trivy-action@0.33.1 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: - scan-type: 'fs' - scan-ref: '.' + scan-type: "fs" + scan-ref: "." exit-code: "1" ignore-unfixed: true severity: "CRITICAL,HIGH,MEDIUM"
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 9f2fc8bb..066d77c4 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -34,40 +34,52 @@ jobs: - name: Create SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: - scan-type: 'fs' - format: 'spdx-json' + scan-type: "fs" + format: "spdx-json" output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.sbom.json" - scan-ref: '.' + scan-ref: "." severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" - name: Create docker image SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}" - scan-type: 'image' - format: 'spdx-json' + scan-type: "image" + format: "spdx-json" output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.sbom.json" severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" - name: Create security advisory file with Trivy uses: aquasecurity/trivy-action@0.33.1 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: - scan-type: 'fs' - format: 'json' + scan-type: "fs" + format: "json" output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.advisories.json" - scan-ref: '.' + scan-ref: "." severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" - name: Create docker image security advisory file with Trivy uses: aquasecurity/trivy-action@0.33.1 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}" - scan-type: 'image' - format: 'json' + scan-type: "image" + format: "json" output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.advisories.json" severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln"
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 00000000..5c7dedd4
--- /dev/null
+++ b/.trivyignore.yaml
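Review bot: The two "security advisory file" steps in the sbom.yml hunk now run with `TRIVY_IGNOREFILE`, so the `*.advisories.json` artefacts no longer list the suppressed advisory among their regular findings, and whether `TRIVY_SHOW_SUPPRESSED` carries it into `json` and `spdx-json` output at all is worth checking on a generated file. If these files are meant to tell consumers everything known about a release, the suppression belongs on the CI gate only; dropping the `env:` block from the advisory steps, or adding a comment such as `# suppressed findings are intentionally excluded from published advisories`, makes the choice explicit. The job and its `steps.vars` definition are outside the hunk.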
@@ -0,0 +1,4 @@
+vulnerabilities:
+ - id: GHSA-585q-cm62-757j
+ expired_at: 2026-02-12
+ statement: "No fixed version available yet. The Mullvad team intends to fix it in the coming weeks: https://github.com/mullvad/mnl-rs/issues/15"
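Review bot: The new entry suppresses `GHSA-585q-cm62-757j` wherever Trivy reports it, in the filesystem scan and in every image scan, because it carries no `purls` or `paths` restriction. Adding a `purls:` list that names the affected crate (presumably `mnl`, going by the linked issue) limits the exception to the component the statement is about, so the same identifier turning up in another package or image layer would still be reported. The `expired_at: 2026-02-12` date is a good safeguard; the statement could also name who re-evaluates the finding when it resurfaces, so the date is reviewed rather than simply extended.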