
[nightshift] Dependency risk analysis: 2 P0, 11 P1, 5 P2 findings (yara-x blast radius 63%) #11

@nightshift-micr


Nightshift v3 — Dependency Risk Analysis

Repo: Microck/jarspect
Language: Rust
Task: dependency-risk
Date: 2026-04-17

Executive Summary

446 crates total (Cargo.lock), 22 direct dependencies. 2 P0 critical findings, 11 P1, 5 P2, 4 P3. Primary risk driver: yara-x transitively pulls in wasmtime (19 open CVEs) and serde_yml (unsound/unmaintained).


Risk Summary

| Severity | Count | Key Issue |
|---|---|---|
| P0 | 2 | wasmtime sandbox escape CVEs; serde_yml unsound |
| P1 | 11 | wasmtime CVEs; RSA timing attack; rustls-webpki flaws; intaglio confusion |
| P2 | 5 | Duplicate deps; bincode unmaintained; rand unsound |
| P3 | 4 | Version pinning; transitive count; feature audit |

P0: wasmtime Sandbox Escape (via yara-x)

Path: jarspect → yara-x 1.13.0 → wasmtime 40.0.3

12 active CVEs including two CVSS 9.0 Critical sandbox escapes:

  • RUSTSEC-2026-0096: Miscompiled guest heap access on aarch64 Cranelift
  • RUSTSEC-2026-0095: Winch compiler sandbox-escaping memory access

Fix: Upgrade yara-x to use wasmtime ≥42.0.2. Pin via [patch.crates-io] if needed.

P0: serde_yml Unsound and Unmaintained

Path: jarspect → serde_yml 0.0.12

  • RUSTSEC-2025-0068: Unsound and unmaintained
  • RUSTSEC-2025-0067: libyml unsound

Fix: Replace with serde_yaml_ng or another maintained YAML crate.

P1: rustls-webpki Certificate Validation (via reqwest)

Path: jarspect → reqwest → rustls-webpki 0.103.9

3 CVEs: CRL matching, wildcard name constraints, URI name constraints.

Fix: Upgrade reqwest to pull rustls-webpki ≥0.103.12.

P1: RSA Timing Side-Channel (via yara-x)

Path: jarspect → yara-x → rsa 0.9.10

RUSTSEC-2023-0071: Marvin Attack — key recovery through timing. No fix available.

P1: intaglio Symbol Confusion (via yara-x)

RUSTSEC-2026-0078: Symbol confusion after hasher panic. Fix in ≥1.13.3.

P2: Duplicate Dependencies

Notable duplications:

  • zip: 2.4.2 + 6.0.0 (different bzip2 backends: C vs pure Rust)
  • getrandom: 3 versions (0.2, 0.3, 0.4)
  • hashbrown: 4 versions (0.12–0.16)
  • thiserror: v1 + v2
  • bitflags: v1 + v2 (cafebabe pins v1)

Fix: Upgrade direct zip from 2.4 to 6.0 to eliminate bzip2-sys C dependency.

Blast Radius

| Dependency | Transitive Crates | % of Total |
|---|---|---|
| yara-x | ~280 | 63% |
| reqwest | ~60 | 13% |
| axum | ~40 | 9% |
| All others | ~66 | 15% |

yara-x is responsible for 63% of all dependencies and 100% of critical CVEs.


Recommendations

Immediate (P0):

  1. Replace serde_yml with serde_yaml_ng
  2. Upgrade yara-x for wasmtime CVE fixes

Short-term (P1):

  3. Upgrade reqwest for rustls-webpki fixes
  4. Configure reqwest to use rustls-tls only (eliminate OpenSSL)

Medium-term (P2):

  5. Upgrade direct zip from 2.4 to 6.0
  6. Add cargo audit to CI pipeline

Automated by Nightshift v3 (GLM 5.1)
