Resolve security advisories (#3746)

* disable unused sqlx drivers

`sqlx-mysql` pulls in the vulnerable `rsa` crate. Janus only works with
PostgreSQL, so we don't need that driver at all. `janus_aggregator_core`
already enables the slim feature set we need, so we add
`default-features = false` to the workspace level dependency to turn off
the rest (`cargo` is unhappy if we put `default-features = false` in
`aggregator_core/Cargo.toml`).

Note that due to an outstanding `cargo` issue ([1], [2]), `sqlx-mysql` and
`sqlx-sqlite` still appear in `Cargo.lock`, but are never used or even
compiled.

[1]: launchbadge/sqlx#2579
[2]: rust-lang/cargo#10801

* add `cargo deny advisories` exemption for protobuf

We can't update the dependency until `opentelemetry-prometheus` either
moves to a fixed `protobuf` or adds a feature letting us opt out of
protobuf support. Either way, this advisory doesn't apply to Janus per
the reasoning in deny.toml.

Author: tgeoghegan

Cargo.lock

@@ -99,7 +99,10 @@ serde_urlencoded = "0.7.1"
 serde_yaml = "0.9.34"
 signal-hook = "0.3.17"
 signal-hook-tokio = "0.3.1"
-sqlx = "0.8.3"
+# Disable default features to avoid pulling in drivers for databases we don't use, such as
+# sqlx-mysql which pulls in the vulnerable rsa crate
+# https://github.com/divviup/janus/security/dependabot/29
+sqlx = { version = "0.8.3", default-features = false }
 stopper = "0.2.8"
 tempfile = "3.19.0"
 testcontainers = "0.22.0"

Cargo.toml

@@ -11,6 +11,10 @@ ignore = [
     # `instant` is unmaintained, but it is feature-complete and small, so it is unlikely to have
     # bugs or security vulnerabilities.
     "RUSTSEC-2024-0384",
+
+    # Janus never uses the protobuf format for exposing metrics, and in any case we would not be
+    # handling untrusted input.
+    "RUSTSEC-2024-0437",
 ]
 
 [bans]