security: update aws-lc-sys to fix 3 High severity vulnerabilities in Rust broker

## Summary

The `aws-lc-sys` Rust crate at version 0.32.3 has **three High severity** vulnerabilities. This is a transitive dependency in the Rust HTTP connector broker, pulled in via the `rustls` → `aws-lc-rs` → `aws-lc-sys` dependency chain. The fix version (>= 0.38.0) should be reachable via `cargo update`.

Grype ignore rules were added in PR #240 to unblock CI. This issue tracks the actual dependency fix and subsequent removal of those ignore rules.

## Severity

**High** — 3 vulnerabilities

## Affected Files

- `src/500-application/502-rust-http-connector/services/broker/Cargo.lock` — aws-lc-sys 0.32.3
- `src/500-application/502-rust-http-connector/services/broker/Cargo.toml` — direct dependency `rustls = "0.23.8"` (resolves to 0.23.33, which transitively pulls aws-lc-sys)

## Dependency Chain

```
rustls 0.23.33
  └── aws-lc-rs 1.14.1
        └── aws-lc-sys 0.32.3  ← vulnerable

rustls-webpki 0.103.7
  └── aws-lc-rs 1.14.1
        └── aws-lc-sys 0.32.3  ← vulnerable
```

`aws-lc-sys` is **not** a direct dependency. It is transitive via `aws-lc-rs`, which is used by `rustls` and `rustls-webpki`.

## Vulnerability Details

| Advisory | Severity | Fixed In |
|----------|----------|----------|
| [GHSA-65p9-r9h6-22vj](https://github.com/advisories/GHSA-65p9-r9h6-22vj) | High | aws-lc-sys >= 0.38.0 |
| [GHSA-hfpc-8r3f-gw53](https://github.com/advisories/GHSA-hfpc-8r3f-gw53) | High | aws-lc-sys >= 0.38.0 |
| [GHSA-vw5v-4f2q-w9xf](https://github.com/advisories/GHSA-vw5v-4f2q-w9xf) | High | aws-lc-sys >= 0.38.0 |

## Remediation Steps

1. In `src/500-application/502-rust-http-connector/services/broker/`, run `cargo update` to pull the latest compatible versions of `aws-lc-rs` and `aws-lc-sys`
2. If `cargo update` alone does not pull aws-lc-sys >= 0.38.0, consider updating the `rustls` version constraint in `Cargo.toml` (currently `"0.23.8"`)
3. Verify `Cargo.lock` no longer references aws-lc-sys < 0.38.0
4. Remove the three grype ignore rules from `.grype.yaml`:
   - `GHSA-65p9-r9h6-22vj`
   - `GHSA-hfpc-8r3f-gw53`
   - `GHSA-vw5v-4f2q-w9xf`
5. Run grype locally to confirm the findings are resolved: `grype dir:. --config .grype.yaml`
6. Build and test the broker to verify no regressions: `cargo build && cargo test`

## Acceptance Criteria

- [ ] `aws-lc-sys` updated to >= 0.38.0 in broker `Cargo.lock`
- [ ] Grype ignore rules for `GHSA-65p9-r9h6-22vj`, `GHSA-hfpc-8r3f-gw53`, `GHSA-vw5v-4f2q-w9xf` removed from `.grype.yaml`
- [ ] Rust broker builds and tests pass
- [ ] CI Security Scan passes without the ignore rules

## Related

- PR #240 — Introduced grype CI scanning and temporary ignore rules
- [GHSA-65p9-r9h6-22vj](https://github.com/advisories/GHSA-65p9-r9h6-22vj)
- [GHSA-hfpc-8r3f-gw53](https://github.com/advisories/GHSA-hfpc-8r3f-gw53)
- [GHSA-vw5v-4f2q-w9xf](https://github.com/advisories/GHSA-vw5v-4f2q-w9xf)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: update aws-lc-sys to fix 3 High severity vulnerabilities in Rust broker #259

Summary

Severity

Affected Files

Dependency Chain

Vulnerability Details

Remediation Steps

Acceptance Criteria

Related

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Advisory	Severity	Fixed In
GHSA-65p9-r9h6-22vj	High	aws-lc-sys >= 0.38.0
GHSA-hfpc-8r3f-gw53	High	aws-lc-sys >= 0.38.0
GHSA-vw5v-4f2q-w9xf	High	aws-lc-sys >= 0.38.0

security: update aws-lc-sys to fix 3 High severity vulnerabilities in Rust broker #259

Description

Summary

Severity

Affected Files

Dependency Chain

Vulnerability Details

Remediation Steps

Acceptance Criteria

Related

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions