fix(security): clear OSV/Scorecard advisories on dev-only benchmark deps #240
OpenSSF Scorecard / OSV flagged ~20 advisories on main after the BEIR benchmark landed (#237). ALL are dev/benchmark tooling — none reach the published `ordvec` crate or the `ordvec` PyPI wheel.

Python (benchmarks/beir/requirements.txt): the deps were UNPINNED, so OSV flagged each against its entire historical CVE list (an unconstrained version cannot be ruled non-vulnerable). The actual resolved-latest versions are already patched. Lower-bound-pin every package at its first patched release — clears the flags (OSV excludes a `>=fixed` range) while `>=` keeps installs on the latest compatible wheel, incl. recent CPython:

- requests>=2.32.4 (GHSA-9hjg-9r4m-mvj7 .netrc leak + all older requests CVEs)
- hnswlib>=0.8.0 (GHSA-xwc8-rf6m-xr86 double free)
- numpy>=1.26.0 (symlink-write + incorrect-comparison CVEs)
- safe floors for scipy/pandas/tqdm/tabulate/huggingface-hub/faiss-cpu/pytrec-eval-terrier/matplotlib.

Verified the local cp314 venv satisfies all.

Rust (RUSTSEC-2025-0141): bincode 1.x is UNMAINTAINED (informational advisory, not a vulnerability), pulled only transitively via hnsw_rs in the dev-only benchmarks/beir-bench harness. `cargo tree -p ordvec` is clean of bincode, so it does not reach the shipped crate. Add a documented deny.toml ignore so cargo-deny (configured to error on unmaintained crates) stays green; revisit if a maintained HNSW crate that does not pull bincode 1.x is adopted.

Verified: `cargo tree -p ordvec` clean of bincode; `cargo deny check advisories` ok; benchmark venv versions satisfy the new floors.

Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
Code Review
This pull request addresses security advisories in the dev-only BEIR benchmark tooling by lower-bound-pinning dependencies in benchmarks/beir/requirements.txt to their first patched releases. It also adds an ignore rule in deny.toml for the informational RUSTSEC-2025-0141 advisory regarding bincode 1.x, which is only transitively used in benchmarks and does not affect the published crate. These changes are documented in CHANGELOG.md. There are no review comments, and I have no feedback to provide.
Code Review by Qodo
1. Global advisory ignore drift
PR Summary by Qodo

Clear OSV/Scorecard advisories for dev-only BEIR benchmark dependencies

Description
• Add lower-bound pins for BEIR benchmark Python dependencies to satisfy OSV/Scorecard.
• Document and ignore the dev-only bincode unmaintained advisory in cargo-deny.
• Record the security-triage rationale in the changelog for reviewer/auditor clarity.

Diagram
graph TD
S{{"OSV / Scorecard"}} --> R["BEIR requirements.txt"] --> P["Pinned floors (>= fixed)"]
C["cargo-deny"] --> D["deny.toml"] --> I["Ignore RUSTSEC-2025-0141"]
B["beir-bench (dev)"] --> L["Cargo.lock deps"]
L --> I
subgraph Legend
direction LR
_ext{{"External scanner"}} ~~~ _tool["Tooling"] ~~~ _file["Repo file"]
end

High-Level Assessment
The following are alternative approaches to this PR:
1. Pin exact versions (fully locked requirements)
2. Use pip-tools (constraints.txt) + hashed lock for benchmarks
3. Remove/avoid committing benchmark lockfiles to hide transitive advisories

Recommendation: The chosen approach (lower-bound floors for Python + a documented cargo-deny ignore for a dev-only informational Rust advisory) is the best trade-off for this repo: it clears false-positive/noise advisories while preserving install flexibility for modern CPython and keeping the triage explicit. Full locking via pip-tools is a reasonable future enhancement if benchmark reproducibility becomes a higher priority, but it is not necessary to address the current Scorecard/OSV findings.

File Changes
Documentation (1)
Other (2)
OpenSSF Scorecard / OSV flagged ~20 advisories on `main` after the BEIR benchmark landed (#237). Triaged: every one is dev/benchmark tooling — none reach the published `ordvec` crate or the `ordvec` PyPI wheel.

Diagnosis (reproduced with `cargo audit` + the OSV API)

- `benchmarks/beir/requirements.txt`: `requests`, `numpy`, `hnswlib` (+ precautionary others)
- `Cargo.lock` (via `benchmarks/beir-bench`): `bincode` 1.x (via `hnsw_rs`)

The actual resolved-latest Python versions are already patched (the flags are unpinned-conservatism, not real exposure), and `cargo tree -p ordvec` is clean of `bincode`.

Fix

Python — pin lower-bound floors at the first patched release (clears the flags because OSV excludes a `>=fixed` range; `>=` keeps installs on the latest compatible wheel incl. recent CPython):
- `requests>=2.32.4` (GHSA-9hjg-9r4m-mvj7 .netrc leak + all older requests CVEs)
- `hnswlib>=0.8.0` (GHSA-xwc8-rf6m-xr86 double free)
- `numpy>=1.26.0` (symlink-write + incorrect-comparison)

Rust — `bincode` (RUSTSEC-2025-0141, unmaintained): documented `deny.toml` ignore (cargo-deny is configured to error on unmaintained, so the next run would fail without it). It is not in the published crate; revisit if a maintained HNSW crate without `bincode` 1.x is adopted. (Deliberately did NOT hide it by de-committing the bench lockfile — that would conceal rather than fix.)

Verification
- `cargo tree -p ordvec --all-features --edges normal,build,dev` — clean of `bincode` (shipped crate unaffected)
- `cargo deny check advisories` → `advisories ok`
- `main` reflects the cleared count

No changes to the published crate or wheel; `benchmarks/` is excluded from the packaged crate.
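Added example (not the ordvec project's own tooling) of the OSV matching rule the triage above relies on: an unpinned requirement can still resolve to old vulnerable releases, so every historical advisory stays open, while a `>=fixed` floor excludes the whole affected range. The advisory ranges are constructed from the fixed versions the PR cites; the numpy entry uses a placeholder id because the page names no id for it, and version parsing assumes plain dotted numeric versions.

```python
"""Check requirements.txt floors against OSV-style affected ranges.
Added example; advisory data below is constructed from the PR text."""
import re

# Constructed sample: one OSV "ECOSYSTEM" range per advisory as
# (id, introduced, fixed). Fixed versions are the ones the PR pins to.
ADVISORIES = {
    "requests": [("GHSA-9hjg-9r4m-mvj7", "0", "2.32.4")],
    "hnswlib": [("GHSA-xwc8-rf6m-xr86", "0", "0.8.0")],
    # placeholder id: the page cites no identifier for the numpy CVEs
    "numpy": [("PLACEHOLDER-numpy-symlink-write", "0", "1.26.0")],
}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:(>=|==)\s*([0-9][0-9.]*))?\s*$")

def parse_version(v):
    """Assumption: plain dotted numeric versions, no pre-release tags."""
    return tuple(int(p) for p in v.split("."))

def parse_requirement(line):
    """Return (name, operator, version); operator/version are None if unpinned."""
    m = REQ_RE.match(line)
    if not m:
        raise ValueError(f"unsupported requirement: {line!r}")
    return m.group(1).lower(), m.group(2), m.group(3)

def open_advisories(line):
    """Advisory ids still open against a requirement line. A requirement is
    clear only when no version it admits lies in [introduced, fixed)."""
    name, op, ver = parse_requirement(line)
    flagged = []
    for adv_id, introduced, fixed in ADVISORIES.get(name, []):
        if op is None:
            flagged.append(adv_id)  # unconstrained: vulnerable releases admissible
        elif op == "==":
            if parse_version(introduced) <= parse_version(ver) < parse_version(fixed):
                flagged.append(adv_id)
        elif parse_version(ver) < parse_version(fixed):
            flagged.append(adv_id)  # floor sits below the first patched release
    return flagged

def audit(requirements):
    """Map each non-empty requirement line to its open advisory ids."""
    return {line: open_advisories(line) for line in requirements if line.strip()}

if __name__ == "__main__":
    before = ["requests", "hnswlib", "numpy"]  # the unpinned state OSV flagged
    after = ["requests>=2.32.4", "hnswlib>=0.8.0", "numpy>=1.26.0"]
    for label, reqs in (("before", before), ("after", after)):
        print(label, audit(reqs))
```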