Cargo audit failing

[ionut-arm]

As can be seen here, cargo-audit fails due to a number of issues occurring lower in the crate dependency tree. Thus we cannot fix any of the issues directly by updating dependencies of Parsec (yet), but we might be able to help with updating our dependencies in that regard.

The main issue that must be fixed is the segfault that was discovered in time, which is ultimately a dependency of spiffe. Currently a fix for this is blocked because the PR attempting to bump the import in chrono is stalled (see here).

The other issues regarding yanked versions of const-oid and der are waiting for updates up in the chain, which end up feeding into spiffe again. Our plan of action should be to report this to the owner of spiffe, and whenever updates are available to help with patching them there.

• time dependency fixed
• der and const-oid dependencies fixed

[ionut-arm]

The more pressing, time-related vulnerability has the following "culprits" in our dependency tree (NOTE that although these crates use the vulnerable versions of time and chrono, they don't necessarily use the vulnerable methods):

Crate:         chrono
Version:       0.4.19
error: 3 vulnerabilities found!
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
├── x509-parser 0.9.2
│   └── spiffe 0.2.0
│       └── parsec-service 0.8.1
├── spiffe 0.2.0
├── simple_asn1 0.5.4
└── simple_asn1 0.4.1

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
└── chrono 0.4.19
    ├── x509-parser 0.9.2
    │   └── spiffe 0.2.0
    │       └── parsec-service 0.8.1
    ├── spiffe 0.2.0
    ├── simple_asn1 0.5.4
    └── simple_asn1 0.4.1

There is also a problem with rusqlite that I will fix in a new PR shortly( cc @MattDavis00 ):

Crate:         rusqlite
Version:       0.25.3
Title:         Incorrect Lifetime Bounds on Closures in `rusqlite`
Date:          2021-12-07
ID:            RUSTSEC-2021-0128
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0128
Solution:      Upgrade to >=0.26.2 OR ^0.25.4
Dependency tree: 
rusqlite 0.25.3
└── parsec-service 0.8.1

[ionut-arm]

The vulnerability related to chrono/time has been posted as a security advisory here and this PR is removing it from the list of vulnerabilities reported by cargo-audit.