Role
- Job / O0: v0.2 sale-readiness security diligence
- Task / O1: Rust desktop dependency exception lifecycle
- Assignment / O2~O3: keep quick-xml 0.39.4 RustSec exceptions narrow, auditable, and removable
- Work / O4~O7: owner-chain verification, upstream watch, lockfile refresh, exception removal
Current evidence
RUSTSEC-2026-0194 and RUSTSEC-2026-0195 remain because quick-xml 0.39.4 is inherited through the current Tauri/plist runtime metadata handling path and rfd/wayland-scanner build-time owner chain. Current compatible upstream crates do not yet allow quick-xml >=0.41.0.
BandScope user-facing audio import, YouTube import, project load/save, export, rehearsal role, cue, and chart data paths do not parse attacker-supplied XML through those owners. The exception must remain tied to the documented owner chain and be removed once compatible upstream crates move to a patched quick-xml version.
Acceptance criteria
- apps/desktop/src-tauri/osv-scanner.toml documents both quick-xml advisories with concrete owner and entry-point scope.
- scripts/checks/verify_supply_chain.py continues to fail closed if the exception broadens beyond the documented owner chain.
- A future compatible Tauri/plist/rfd/wayland-scanner update is tested with a lockfile refresh.
- When quick-xml >=0.41.0 is reachable through compatible upstream crates, remove the OSV exceptions and close this issue with scan evidence.
Security notes
- Untrusted inputs: no new runtime input path is introduced by this tracking issue.
- Trust boundary: XML parser exposure is limited to upstream desktop framework metadata/build-time owner paths, not BandScope user content parsing.
- Safe failure: supply-chain policy checks should fail closed on unexpected owners or advisory drift.
- Test points: python3 scripts/checks/verify_supply_chain.py, npm run check:security-notes, and desktop Vitest coverage for affected UI changes.
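The fail-closed owner-chain check described above, as an added example that is not the project's scripts/checks/verify_supply_chain.py. GRAPH and POLICY are constructed to mirror the owner chain this issue documents (tauri -> plist -> quick-xml, rfd -> wayland-scanner -> quick-xml); the real check would build them from `cargo metadata` and the osv-scanner.toml exception entries. It reports three kinds of drift: an undocumented owner (exception broadened), a patched quick-xml (exception stale), and quick-xml gone from the graph (exception stale).

```python
import sys
from typing import Dict, List, Set, Tuple
Graph = Dict[str, Tuple[str, List[str]]]  # crate -> (version, direct deps)

# Constructed graph mirroring the issue's owner chain (tauri -> plist -> quick-xml,
# rfd -> wayland-scanner -> quick-xml); not the real Cargo.lock.
GRAPH: Graph = {
    "bandscope-desktop": ("0.2.0", ["tauri", "rfd"]),
    "tauri": ("2.0.0", ["plist"]),
    "plist": ("1.7.0", ["quick-xml"]),
    "rfd": ("0.15.0", ["wayland-scanner"]),
    "wayland-scanner": ("0.31.0", ["quick-xml"]),
    "quick-xml": ("0.39.4", []),
}

# One rule per advisory: the vulnerable crate, the only crates documented as
# its direct owners, and the version at which the exception must be dropped.
POLICY = {
    adv: {"crate": "quick-xml", "owners": {"plist", "wayland-scanner"}, "fixed": "0.41.0"}
    for adv in ("RUSTSEC-2026-0194", "RUSTSEC-2026-0195")
}

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))

def direct_owners(graph: Graph, crate: str) -> Set[str]:
    """Crates that depend on `crate` directly; these are the exception's owners."""
    return {name for name, (_, deps) in graph.items() if crate in deps}

def check_exception(graph: Graph, advisory: str, rule: dict) -> List[str]:
    """Return problems; an empty list means the exception is still valid and narrow."""
    crate = rule["crate"]
    if crate not in graph:
        return [f"{advisory}: {crate} is gone from the graph; remove the exception"]
    version, _ = graph[crate]
    problems = []
    if parse_version(version) >= parse_version(rule["fixed"]):
        problems.append(f"{advisory}: {crate} {version} is patched; remove the exception")
    unexpected = direct_owners(graph, crate) - rule["owners"]
    if unexpected:  # exception has broadened beyond the documented owner chain
        problems.append(f"{advisory}: {crate} owned by undocumented {sorted(unexpected)}")
    return problems

def verify(graph: Graph, policy: dict) -> List[str]:
    return [p for adv, rule in policy.items() for p in check_exception(graph, adv, rule)]

if __name__ == "__main__":
    found = verify(GRAPH, POLICY)
    print("\n".join(found) or "exceptions remain narrow and unresolved")
    sys.exit(1 if found else 0)  # non-zero exit = fail closed
```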
Blocked-by: compatible Tauri/plist/rfd/wayland-scanner dependency chain allowing quick-xml >=0.41.0.