chore(security): drop unused vendored solana-program-test lockfile

[WomB0ComB0]

Follow-up to #32. With the security workflow running again, its osv-scanner job surfaced 10 advisories in vendor/solana-program-test/Cargo.lock (openssl 0.10.74, rustls-webpki 0.103.6, tar 0.4.44).

Root cause: the nested lockfile is unused

solana-program-test is a [patch.crates-io] path dependency (Cargo.toml:54). Cargo resolves it through the root Cargo.lock and never reads vendor/solana-program-test/Cargo.lock. The root lockfile already carries the patched versions (openssl 0.10.80, rustls-webpki 0.103.13, tar 0.4.46 — via #31), so every advisory osv-scanner reported from the nested file is a false positive.

Fix (per @gemini-code-assist review)

Initially I added the advisory IDs to the vendor ignore-list. Gemini correctly pointed out the cleaner fix: delete the unused nested lockfile and its osv-scanner.toml entirely. This:

• removes the false-positive source instead of maintaining an ever-growing ignore list,
• matches the sibling vendored crates vendor/solana-invoke and vendor/solana-keypair, which ship no lockfile,
• has zero build impact (Cargo never used the file).

Verification

osv-scanner scan source --recursive --config=osv-scanner.toml .
→ No issues found

cargo metadata resolves unchanged. Root Cargo.lock confirmed pinning openssl 0.10.80 / rustls-webpki 0.103.13 / tar 0.4.46.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the OSV-Scanner configuration for the vendored solana-program-test package by adding vulnerability exemptions. It introduces a new section for openssl 0.10.74 with multiple GHSA advisory IDs and adds explicit GHSA/RUSTSEC alias mappings for rustls-webpki and tar to ensure consistent advisory identification.

Changes

OSV-Scanner Configuration

Layer / File(s)	Summary
Dependency vulnerability exemptions vendor/solana-program-test/osv-scanner.toml	Adds IgnoredVulns entries for openssl 0.10.74 with multiple GHSA advisories, and explicit GHSA/RUSTSEC alias entries for rustls-webpki and tar to handle differing advisory identifier formats.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• resq-software/programs#22: Prior PR modifying osv-scanner.toml to add similar IgnoredVulns entries and GHSA/RUSTSEC advisory mappings for vulnerability suppression.

Poem

🐰 Vulnerabilities vanish in the allowlist so bright,
openssl and rustls now pass the scanner's sight,
With GHSA aliases neatly mapped and aligned,
The solana program rests, secure by design! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title states 'drop unused vendored solana-program-test lockfile' but the actual change adds security ignores to the osv-scanner.toml file, not removing/dropping the lockfile.	Update the title to accurately reflect the actual change, such as: 'chore(security): ignore vendored solana-program-test openssl/webpki/tar advisories'

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/osv-vendor-openssl-advisories

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request adds several vulnerability exclusions to the osv-scanner.toml configuration for the vendored solana-program-test dependency. The reviewer suggests a more robust alternative: deleting the unused Cargo.lock file inside the vendored directory. Since Cargo ignores internal lockfiles of path dependencies, removing it will eliminate the false-positive vulnerability reports entirely, allowing you to delete the osv-scanner.toml file and avoid maintaining this ignore list.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.