
[Security] Track upstream-owned quick-xml 0.39.4 RustSec exceptions #542

Description

@seonghobae

Role

  • Job / O0: v0.2 sale-readiness security diligence
  • Duty / O1: Rust desktop dependency exception lifecycle
  • Task / O2~O3: keep quick-xml 0.39.4 RustSec exceptions narrow, auditable, and removable
  • Work items / O4~O7: owner-chain verification, upstream watch, lockfile refresh, exception removal

Current evidence

RUSTSEC-2026-0194 and RUSTSEC-2026-0195 remain open because quick-xml 0.39.4 is inherited through two owner chains: the current Tauri/plist runtime metadata handling path and the rfd/wayland-scanner build-time path. The currently compatible upstream crates do not yet allow quick-xml >=0.41.0.

BandScope user-facing audio import, YouTube import, project load/save, export, rehearsal role, cue, and chart data paths do not parse attacker-supplied XML through those owners. The exception must remain tied to the documented owner chain and be removed once compatible upstream crates move to a patched quick-xml version.

Acceptance criteria

  • apps/desktop/src-tauri/osv-scanner.toml documents both quick-xml advisories with concrete owner and entry-point scope.
  • scripts/checks/verify_supply_chain.py continues to fail closed if the exception broadens beyond the documented owner chain.
  • A future compatible Tauri/plist/rfd/wayland-scanner update is tested with a lockfile refresh.
  • When quick-xml >=0.41.0 is reachable through compatible upstream crates, remove the OSV exceptions and close this issue with scan evidence.

Security notes

  • Untrusted inputs: no new runtime input path is introduced by this tracking issue.
  • Trust boundary: XML parser exposure is limited to upstream desktop framework metadata/build-time owner paths, not BandScope user content parsing.
  • Safe failure: supply-chain policy checks should fail closed on unexpected owners or advisory drift.
  • Test points: python3 scripts/checks/verify_supply_chain.py, npm run check:security-notes, and desktop Vitest coverage for affected UI changes.

Blocked-by: compatible Tauri/plist/rfd/wayland-scanner dependency chain allowing quick-xml >=0.41.0.

Metadata

Assignees

No one assigned

Labels

  • dependencies (Pull requests that update a dependency file)
  • rust (Pull requests that update rust code)
