CI security-scan blocked by openssl 0.10.78 (GHSA-xp3w-r5p5-63rr) across Rust services #479

@bindsi

Description

@bindsi

Summary

The reusable security-scan.yml workflow (run via pr-validation.yml) is failing on every PR because Grype flags a High severity advisory in the Rust openssl crate that is pinned across 8 Cargo lockfiles in src/500-application/. This is pre-existing on main and not specific to any PR.

Finding

NAME     INSTALLED  FIXED IN  TYPE        VULNERABILITY        SEVERITY
openssl  0.10.78    0.10.79   rust-crate  GHSA-xp3w-r5p5-63rr  High

Advisory: GHSA-xp3w-r5p5-63rr

Affected lockfiles

All pin openssl = 0.10.78:

  • src/500-application/501-rust-telemetry/services/receiver/Cargo.lock
  • src/500-application/501-rust-telemetry/services/sender/Cargo.lock
  • src/500-application/502-rust-http-connector/services/broker/Cargo.lock
  • src/500-application/502-rust-http-connector/services/subscriber/Cargo.lock
  • src/500-application/503-media-capture-service/services/media-capture-service/Cargo.lock
  • src/500-application/504-mqtt-otel-trace-exporter/services/mqtt-otel-trace-exporter/Cargo.lock
  • src/500-application/507-ai-inference/services/ai-edge-inference-crate/Cargo.lock
  • src/500-application/507-ai-inference/services/ai-edge-inference/Cargo.lock

Remediation

Bump the transitive openssl crate to 0.10.79 or later in each affected service:

cd src/500-application/<service-path>
cargo update -p openssl --precise 0.10.79

Then commit the updated Cargo.lock files. Verify each service still builds (cargo check).
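The remediation above as an added shell example (not part of the issue): it reads the `openssl` version pinned in each Cargo.lock, bumps only the lockfiles still below 0.10.79, and runs `cargo check` afterwards. It assumes `cargo` is on PATH, a `sort` that supports `-V` (GNU or BusyBox), and the hypothetical helper `write_sample_lock`, which writes a constructed lockfile for trying the checks offline.

```shell
#!/usr/bin/env sh
# Added example: audit Cargo.lock files for the openssl crate version flagged
# by GHSA-xp3w-r5p5-63rr and bump the ones that are still affected.
FIXED_IN="0.10.79"

# Print the version of the `openssl` package in a Cargo.lock. Cargo.lock is
# TOML: every [[package]] block carries `name = "..."` then `version = "..."`.
# Matches the exact name, so `openssl-sys` is ignored.
lock_version() {
  awk -v pkg="openssl" '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { if (name == pkg) { gsub(/"/, "", $3); print $3; exit } }
  ' "$1"
}

# True (exit 0) when version $1 is strictly older than $2 (version sort).
is_older() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# True when the lockfile pins openssl below FIXED_IN, i.e. is still affected.
needs_bump() {
  v="$(lock_version "$1")"
  [ -n "$v" ] && is_older "$v" "$FIXED_IN"
}

# Bump each affected lockfile in place, then verify the service still builds.
# Usage: bump_all src/500-application/<service-path>/Cargo.lock ...
bump_all() {
  for lock in "$@"; do
    if needs_bump "$lock"; then
      dir="$(dirname "$lock")"
      echo "bumping openssl to $FIXED_IN in $dir"
      (cd "$dir" && cargo update -p openssl --precise "$FIXED_IN" && cargo check)
    else
      echo "ok: $lock"
    fi
  done
}

# Constructed sample lockfile (not a real project file) for offline checks.
write_sample_lock() {
  printf '[[package]]\nname = "openssl-sys"\nversion = "0.9.100"\n\n' > "$1"
  printf '[[package]]\nname = "openssl"\nversion = "0.10.78"\n' >> "$1"
}
```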

Impact

Until fixed, every PR's security-scan job hard-fails (grype-soft-fail: false in .github/workflows/pr-validation.yml), blocking unrelated changes from merging.

Labels: security (Security-related changes or concerns)