Known Security Advisories And Mitigations
Type: Topic
Status: Published
Created: Mar 4, 2026
Updated: Apr 27, 2026
Created by: Dosu Bot
Updated by: Dosu Bot

Known Security Advisories and Mitigations - Wikipedia-Style Article#

Lead Section#

Overview#

DBSurveyor's handling of known security advisories and mitigations is a security management process that tracks acknowledged vulnerabilities, assesses their impact on the database surveying toolchain, and implements specific mitigation strategies. The project currently acknowledges one primary security advisory: RUSTSEC-2023-0071, a medium-severity timing side-channel vulnerability (Marvin Attack) affecting the RSA crate used in MySQL connections.

Scope and Impact#

The advisory tracking system employs a defense-in-depth approach that combines feature-gated compilation, automated dependency scanning, and documented exception handling with scheduled reviews. MySQL support is disabled by default to mitigate the RUSTSEC-2023-0071 vulnerability, with PostgreSQL and SQLite recommended as production alternatives. The system includes cargo-deny configuration and OSSF Scorecard automated scanning to provide continuous supply chain security monitoring.

Security Philosophy#

DBSurveyor's approach to security advisories emphasizes transparency, regular review cycles, and pragmatic risk management. The system documents accepted risks with detailed rationale and mitigation strategies, ensuring that security decisions are periodically reassessed.


Primary Security Advisory: RUSTSEC-2023-0071#

Vulnerability Details#

RUSTSEC-2023-0071 is a timing side-channel vulnerability (Marvin Attack) affecting the RSA crate version used in SQLx's MySQL driver. The vulnerability allows potential attackers to recover private RSA keys through precise timing analysis of cryptographic operations. This is classified as a medium-severity issue that only affects MySQL connections and requires very specific conditions to exploit.

Impact Assessment#

The vulnerability only affects MySQL connections, through a transitive dependency of sqlx-mysql, and does not impact the PostgreSQL or SQLite database drivers. Since MySQL support is disabled by default in DBSurveyor, the vulnerability poses minimal risk to default installations. Users must explicitly enable MySQL support via the --features mysql build flag before the vulnerable dependency is compiled into the binary.

Mitigation Strategies#

Primary Mitigation: Feature-Gated Compilation#

MySQL is explicitly excluded from default features in the Cargo.toml configuration:

[features]
default = ["postgresql", "sqlite"]
mysql = ["sqlx", "sqlx/mysql"]

Users building with default features will not include the vulnerable dependency in their binary.

Alternative Database Recommendations#

PostgreSQL and SQLite are recommended for production use as they are unaffected by this vulnerability. Both database drivers provide full support and are included in default builds.

Upstream Tracking#

No fix is currently available upstream; the advisory is tracked for future SQLx updates. The project maintains a review date of 2025-09-01 for periodic reassessment.

Configuration Files#

The advisory is documented and handled in configuration files:

  • deny.toml: Ignores RUSTSEC-2023-0071 in cargo-deny checks with comment "no fix available, in sqlx-mysql transitive dependency"
  • justfile: CI audit command explicitly ignores this advisory

Security Configuration and Controls#

Cargo-Deny Configuration#

The deny.toml file implements comprehensive supply chain security controls:

License Enforcement#

Allows only business-friendly open source licenses: Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, BSL-1.0, CC0-1.0, ISC, MPL-2.0, OpenSSL, Unicode-3.0, Unlicense, and Zlib. Excludes copyleft licenses like GPL.

Banned Dependencies#

Three crates are explicitly banned:

  • git2: Suggests using gix instead
  • libssh2-sys: Banned without replacement
  • cmake: Suggests using cc instead

Source Validation#

Only allows dependencies from the official crates.io registry. Denies unknown registries and git sources to prevent supply chain attacks.

Platform Coverage#

Validates dependencies for five target platforms: Apple Silicon (aarch64-apple-darwin), ARM64 Linux, x86-64 Linux (glibc and musl), and Windows (MSVC).

Cargo-Audit Integration#

Security advisories are tracked through the cargo-deny configuration in deny.toml, which provides structured exception handling with documented rationale and periodic review cycles.

Automated Security Scanning#

OSSF Scorecard#

Automated weekly security posture analysis via OSSF Scorecard evaluates:

  • Branch protection rules
  • Dependency update practices
  • Code review processes
  • Security policy presence

Results are published to the repository's GitHub Security tab.

Daily Dependency Audits#

Security workflow runs daily at 6 AM UTC:

  • Executes cargo deny check for policy enforcement
  • Runs cargo audit to check for security advisories in dependencies
  • Runs cargo outdated --depth=1 to report stale dependencies (informational only, does not fail the build)

Database Security Considerations#

PostgreSQL#

Full support, enabled by default. No known security advisories affect DBSurveyor's PostgreSQL driver. Comprehensive data type support, including JSONB and custom types. Advanced security features for read-only users.

MySQL (Limited)#

Partial support, disabled by default due to RUSTSEC-2023-0071. Users requiring MySQL must explicitly enable it via --features mysql and accept the documented security risk. Check constraints are only supported on MySQL 8.0+.

SQLite#

Full support, enabled by default. No network dependency and no known security advisories. Best for local or airgapped environments. Supports read-only mode at the connection level.


Additional Security Advisories#

Resolved: RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104#

Three rustls-webpki vulnerabilities (panic on CRL parsing, name-constraint bypasses for URI/wildcard names) were resolved by switching tiberius (SQL Server adapter) from the rustls TLS feature to native-tls. This change eliminates the entire vulnerable rustls dependency chain (rustls, rustls-webpki, tokio-rustls, rustls-pemfile, rustls-native-certs) from the dependency tree. TDS/SQL Server connections now use the OS TLS stack (OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows).


Supply Chain Security Architecture#

Release Artifact Security#

GoReleaser v2 configuration (.goreleaser.yaml) builds multiple database-specific variants with comprehensive security features:

  • Build Variants: 7 distinct builds (1 postprocessor + 6 database-specific collectors: all, postgresql, mysql, sqlite, mongodb, mssql)
  • Cross-platform: 6 target platforms via cargo-zigbuild (Linux gnu/musl, macOS Intel/ARM, Windows)
  • Cosign Keyless Signing: Automated cryptographic signing of checksums using OIDC identity
  • Syft SBOM Generation: Automatic Software Bill of Materials for all release archives
  • SHA256 Checksums: Integrity verification for all artifacts
  • Reproducible Builds: Consistent builds using commit timestamps
  • Linux Packages: Native deb, rpm, and apk packages for the all-features variant
  • Homebrew Distribution: Automated cask updates via EvilBit-Labs/homebrew-tap

Automated Release Security#

Release workflow (.github/workflows/release.yml) integrates security tooling:

  • Cosign Installation: Automated keyless signing with OIDC identity
  • Syft Integration: SBOM generation for supply chain transparency
  • Signature Verification: Release checksums signed and verifiable via Cosign
  • Multi-variant Artifacts: Each database driver available as separate download option

Implemented Security Features#

The project implements the following security features in automated workflows:

  • OSSF Scorecard: Weekly automated security posture scans
  • cargo-deny: Automated supply chain policy enforcement
  • cargo-audit: Automated security advisory checks for dependencies
  • cargo-outdated: Daily automated dependency freshness reports
  • Cosign Signing: Keyless cryptographic signing of release artifacts
  • Syft SBOM: Automated Software Bill of Materials generation for releases
  • GoReleaser v2: Multi-variant builds with reproducible artifact generation

Security Testing and Validation#

Security Test Suite#

Security tests are integrated into the test framework as a dedicated test group with sequential execution for isolation:

  • Credential protection tests: Verify no credential leakage in outputs
  • Encryption tests: AES-GCM implementation validation
  • Offline operation tests: Verify airgap compatibility

Validation Commands#

Security validation is available via justfile commands:

  • just security-full: Complete security validation
  • just test-encryption: Test encryption capabilities
  • just test-offline: Verify offline operation
  • just test-credential-security: Check for credential leakage
  • just audit: Security audit

Security Policy and Reporting#

Advisory Review Process#

The project maintains a structured review process:

  1. Security advisories are documented in multiple locations (README, deny.toml, security documentation)
  2. Review dates scheduled periodically for reassessment
  3. Mitigation strategies documented and validated
  4. Upstream dependency updates monitored for fixes

Vulnerability Reporting#

To report security vulnerabilities:

  1. DO NOT create public GitHub issues
  2. Email: security@evilbitlabs.io
  3. Include detailed reproduction steps and impact assessment
  4. Responsible disclosure with 48-hour acknowledgment target

Core Security Guarantees#

  • Offline-Only Operation: No network calls beyond initial database connection
  • Credential Protection: Immediate sanitization in all error messages and logs
  • AES-GCM Encryption: 256-bit encryption with Argon2id key derivation
  • Read-Only Database Operations: Only SELECT/DESCRIBE, no modifications
  • Memory Safety: Secure handling via zeroize crate

Threat Model#

In Scope:

  • Credential exposure prevention
  • Data at rest protection
  • Network isolation
  • Memory safety

Out of Scope:

  • Network transport security (user responsibility)
  • Database server security
  • Host system security
  • Social engineering

Relevant Code Files#

  • deny.toml: Cargo-deny supply chain security configuration
  • .github/workflows/scorecard.yml: OSSF Scorecard automated scanning
  • .github/workflows/security.yml: Daily dependency audit workflow
  • .github/workflows/release.yml: Release workflow with Cosign signing and SBOM generation
  • .goreleaser.yaml: GoReleaser v2 multi-variant build configuration
  • dbsurveyor-core/Cargo.toml: Feature flag configuration for database drivers
  • docs/src/security.md: Comprehensive security documentation

  • Database Support: Feature flags and database driver architecture
  • Supply Chain Security: Dependency management and validation
  • Security Architecture: Credential protection, encryption, and threat model
  • Release Engineering: Build reproducibility and artifact attestation
  • Testing Strategy: Security-focused test suite and validation commands