dependabot: s2n-tls-sys Cargo.template

[dougch]

Security issue notifications

If you discover a potential security issue in s2n we ask that you notify
AWS Security via our vulnerability reporting page. Please do not create a public github issue.

Problem:

Dependabot is failing to find and update s2n-tls-sys/Cargo.toml, as we're building it from a template.

updater | 2024/12/11 08:47:09 ERROR <job_931053004> Error during file fetching; aborting: /bindings/rust/s2n-tls-sys/Cargo.toml not found

https://github.com/aws/s2n-tls/actions/runs/12272726234/job/34242059678

Solution:

Exclude this path, or find a way to run generate.sh prior to dependabot's main execution.

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

• RFC links: Links to relevant RFC(s)
• Related Issues: Link any relevant issues
• Will the Usage Guide or other documentation need to be updated?
• Testing: How will this change be tested? Call out new integration tests, functional tests, or particularly interesting/important unit tests.
  • Will this change trigger SAW changes? Changes to the state machine, the s2n_handshake_io code that controls state transitions, the DRBG, or the corking/uncorking logic could trigger SAW failures.
  • Should this change be fuzz tested? Will it handle untrusted input? Create a separate issue to track the fuzzing work.

Out of scope:

Is there anything the solution will intentionally NOT address?

[dougch]

Question came up offline: are we missing anything because of this failure?

A: Dependabot is failing to open PRs, but the security issues are still flagged under the Security->Dependabot section. There is currently one other outstanding issue marked low: https://github.com/aws/s2n-tls/security/dependabot/1