
build(deps): bump rand and rustls-webpki in Rust service lockfiles#413

Open
katriendg wants to merge 2 commits into main from chore/412-grype

Conversation

@katriendg
Collaborator

Description

Bumps transitive Rust dependencies across src/500-application services to clear Grype security findings for rand (GHSA-cq8v-f236-94qc) and rustls-webpki (GHSA-965h-392x-2mh5, GHSA-xgp8-3hg3-c2mh). Only Cargo.lock files changed — no Cargo.toml, API, or behavior changes.

rand upgrades

  • rand 0.9.2 → 0.9.4 across 501-rust-telemetry/receiver, 501-rust-telemetry/sender, 504-mqtt-otel-trace-exporter, and 507-ai-inference.
  • rand 0.10.0 → 0.10.1 in 507-ai-inference.
  • rand 0.8.5 → 0.8.6 across 501-rust-telemetry/{receiver,sender}, 502-rust-http-connector/{broker,subscriber}, 503-media-capture-service, 504-mqtt-otel-trace-exporter, 507-ai-inference, and 512-avro-to-json.

Grype still flags rand 0.8.x because the advisory's "fixed in" is 0.9.3. All rand 0.8 usage in this repo is transitive (primarily from azure_iot_operations_mqtt 0.9.0, plus tokio-retry, tower/tonic, opentelemetry_sdk, and tungstenite). Resolving the residual finding requires upstream crate bumps — see Follow-up Tasks.

rustls-webpki upgrade

  • rustls-webpki 0.103.10 → 0.103.12 in 502-rust-http-connector/broker — clears both advisories.

Related Issue

Related to #412
Related to #298

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

Ran cargo update -p <crate>@<version> per affected workspace to pick the latest compatible patch release for each version of rand and rustls-webpki already resolved in the lockfile. No Cargo.toml manifests were edited; all updates stayed within each dependency's existing semver range. The upgraded lockfiles still resolve to the same top-level crate graph.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other: Grype rescan

Post-update Grype scan (grype dir:src/500-application --only-fixed) confirmed that rand 0.9.4, rand 0.10.1, and rustls-webpki 0.103.12 no longer appear in the report. rand 0.8.6 remains flagged (see Notes).

Validation Steps

  1. cd into any affected service (for example, src/500-application/501-rust-telemetry/services/receiver).
  2. Run cargo metadata --format-version 1 | jq '.packages[] | select(.name=="rand" or .name=="rustls-webpki") | {name, version}' and confirm versions match the table below.
  3. Optionally run grype dir:src/500-application --only-fixed and confirm rand 0.9.x, rand 0.10.x, and rustls-webpki findings are absent.

Crate          Expected versions after merge
rand           0.8.6, 0.9.4, 0.10.1
rustls-webpki  0.103.12

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

rand 0.8.6 will continue to appear in Grype scans until upstream dependents bump off the 0.8 line. The primary blocker is azure_iot_operations_mqtt 0.9.0, which still pins rand = "0.8.5" even in the GA 1.0.1 release targeted by #298. Other transitive sources: tokio-retry 0.3.0, tower 0.4.13 (via tonic 0.12.3), opentelemetry_sdk 0.26.0 (via tracing-opentelemetry 0.27.0), and tungstenite 0.21.0 (via warp 0.3.7).

Follow-up Tasks

  • File an upstream issue on Azure/iot-operations-sdks to bump rand to 0.9.x in azure_iot_operations_mqtt.
  • Track bumps of tonic/tower, opentelemetry*, and warp/tungstenite in the affected 500-application services to eliminate the remaining rand 0.8.x graph nodes.
  • Consider adding a scoped Grype suppression for GHSA-cq8v-f236-94qc on rand 0.8.x until the upstream bumps land.

- update rand 0.9.2→0.9.4 and 0.10.0→0.10.1 (GHSA-cq8v-f236-94qc)
- update rustls-webpki 0.103.10→0.103.12 (GHSA-965h-392x-2mh5, GHSA-xgp8-3hg3-c2mh)
- bump rand 0.8.5→0.8.6 across affected 500-application services

🔒 - Generated by Copilot
@katriendg katriendg requested a review from a team as a code owner April 20, 2026 07:19
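One way to reproduce the residual-finding analysis from the notes above offline, as an added example that is not the repo's own tooling (and written in Python rather than the cargo/Grype commands the PR uses): it parses a constructed Cargo.lock excerpt, flags any crate still below an advisory's first fixed version, and lists which lockfile packages pull each flagged version in. The advisory table holds only the rand entry the PR states; the sample lockfile and the `my-service` package are constructed.

```python
# Constructed Cargo.lock excerpt (not from the repo): rand 0.8.6 is reachable
# only through a transitive dependent, alongside an already-fixed rand 0.9.4.
SAMPLE_LOCK = "\n".join([
    '[[package]]', 'name = "azure_iot_operations_mqtt"', 'version = "0.9.0"',
    'dependencies = [', ' "rand 0.8.6",', ']',
    '[[package]]', 'name = "my-service"', 'version = "0.1.0"',
    'dependencies = [', ' "azure_iot_operations_mqtt",', ' "rand 0.9.4",', ']',
    '[[package]]', 'name = "rand"', 'version = "0.8.6"',
    '[[package]]', 'name = "rand"', 'version = "0.9.4"',
])

# crate -> (advisory id, first fixed version); the rand entry is from the PR text.
ADVISORIES = {"rand": ("GHSA-cq8v-f236-94qc", (0, 9, 3))}

def parse_cargo_lock(text):
    # Reads cargo's [[package]] tables. Assumes the multi-line `dependencies = [`
    # layout cargo writes, where each array entry is a quoted line.
    pkgs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "[[package]]":
            cur = {"dependencies": []}
            pkgs.append(cur)
        elif cur and line.startswith(("name = ", "version = ")):
            cur[line.split(" = ")[0]] = line.split('"')[1]
        elif cur and line.startswith('"'):
            cur["dependencies"].append(line.split('"')[1])
    return pkgs

def resolve(ref, pkgs):
    # A ref is "name" (only when one version exists) or "name version [(source)]".
    parts = ref.split()
    if len(parts) > 1:
        return parts[0], parts[1]
    return parts[0], next(p["version"] for p in pkgs if p["name"] == parts[0])

def residual_findings(lock_text, advisories=ADVISORIES):
    # Map each lockfile node still below the fixed version to its direct dependents.
    pkgs = parse_cargo_lock(lock_text)
    dependents = {}
    for p in pkgs:
        for ref in p["dependencies"]:
            dependents.setdefault(resolve(ref, pkgs), []).append(p["name"])
    findings = {}
    for p in pkgs:
        adv = advisories.get(p["name"])
        if adv and tuple(int(x) for x in p["version"].split(".")) < adv[1]:
            key = (p["name"], p["version"])
            findings[key] = (adv[0], sorted(dependents.get(key, [])))
    return findings
```

Run against a real lockfile with `residual_findings(open("Cargo.lock").read())`; the dependents list is what tells you which upstream crate has to bump before the finding can clear.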