cargobump - detect ambiguous package matching

[hectorj2f]

It could happen that we have the same package with different version in the same Cargo.lock file. We need to detect the older and attempt to bump it to the non-vulnerable version.

e.g. https://github.com/wolfi-dev/os/pull/29876/files#diff-f0ef7284b84894411029f23dec21b84b1b872d273302ff36c76ec0b68990096a

[hectorj2f]

related to: #3

[luhring]

I believe this is another instance of this:

wolfi-dev/os#36084

From the logs:

Error: failed to parse the pom file: failed to run cargo update 'error: There are multiple `rustls` packages in your project, and the specification `rustls` is ambiguous.

This results in the automation PRs adding cargobump steps that are bound to fail.

If we should track what I'm seeing in a different project/repo, just lmk and I'll move it there!

[mamccorm]

Hey @hectorj2f - besides the suggested enhancements to cargo/bump here, what is the best practice when it comes to these use-cases? Is it safe to bump the oldest version in Cargo.lock file?

If there are multiple versions defined then i'd assume there is a reason for this (intended), and bumping will cause issues. If not, then we can draft a process for patching in absence of this fix / enhancement

[hectorj2f]

what is the best practice when it comes to these use-cases? Is it safe to bump the oldest version in Cargo.lock file?

@mamccorm The best use case is to select the vulnerable dependency with the lower version.

Is it safe to bump the oldest version in Cargo.lock file?

Yes, I haven't found any instances when we needed to update both dependencies.

If there are multiple versions defined then i'd assume there is a reason for this (intended), and bumping will cause issues. If not, then we can draft a process for patching in absence of this fix / enhancement

Generally it should work when bumping the lower version to a non-vulnerable one. However, it is common to find situations when it is not possible to upgrade the version, and thus mark these CVEs as pending-upstream-fix.