fix: patch llguidance to remove reference to ring crate (#1948)

sanaa-hamel-microsoft · web-flow · commit 90cb011ce0d3 · 2026-01-22T10:43:29.000-08:00
Fix MVS-2022-374v-6mvc by purging references to `ring` from
`Cargo.lock`.
diff --git a/cmake/external/llguidance/remove-ring-ref-in-cargo-lock.patch b/cmake/external/llguidance/remove-ring-ref-in-cargo-lock.patch
@@ -0,0 +1,49 @@
+diff --git a/Cargo.toml b/Cargo.toml
+index c23c372..8637592 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -1,23 +1,23 @@
+ [workspace]
+ members = [
+-    "python_ext",
++    # "python_ext",
+     "parser",
+-    "sample_parser",
+-    "json_stats",
++    # "sample_parser",
++    # "json_stats",
+     "toktrie",
+-    "toktrie_hf_tokenizers",
+-    "toktrie_hf_downloader",
+-    "toktrie_tiktoken",
++    # "toktrie_hf_tokenizers",
++    # "toktrie_hf_downloader",
++    # "toktrie_tiktoken",
+ ]
+ # just exclude python_ext since it doesn't build without maturin
+ default-members = [
+     "parser",
+-    "sample_parser",
+-    "json_stats",
++    # "sample_parser",
++    # "json_stats",
+     "toktrie",
+-    "toktrie_hf_tokenizers",
+-    "toktrie_hf_downloader",
+-    "toktrie_tiktoken",
++    # "toktrie_hf_tokenizers",
++    # "toktrie_hf_downloader",
++    # "toktrie_tiktoken",
+ ]
+ resolver = "2"
+ 
+@@ -41,6 +41,6 @@ opt-level = 3
+ [workspace.dependencies]
+ toktrie = { path = "toktrie" }
+ llguidance = { path = "parser" }
+-toktrie_hf_tokenizers = { path = "toktrie_hf_tokenizers" }
+-toktrie_hf_downloader = { path = "toktrie_hf_downloader" }
+-toktrie_tiktoken = { path = "toktrie_tiktoken" }
++# toktrie_hf_tokenizers = { path = "toktrie_hf_tokenizers" }
++# toktrie_hf_downloader = { path = "toktrie_hf_downloader" }
++# toktrie_tiktoken = { path = "toktrie_tiktoken" }
diff --git a/cmake/external/onnxruntime_external_deps.cmake b/cmake/external/onnxruntime_external_deps.cmake
@@ -107,5 +107,20 @@ if(USE_GUIDANCE)
     GIT_TAG ${DEP_SHA1_llguidance}
   )
   onnxruntime_fetchcontent_makeavailable(llguidance)
+
+  # HACK: Patch llguidance's `/Cargo.toml` to avoid tripping component governance due to unused `ring` dep.
+  #       `ring` is deprecated in favour of `rust-openssl`.
+  #       `ring` is a transitive dep of several (unused by onnx-rt) libs in `llguidance`.
+  #       We only use the `parser` lib.
+  #       Governance trips on `/Cargo.lock` but that is expected to be regenerated as part of the build,
+  #       dropping the reference to `ring`.
+  if(NOT EXISTS "${llguidance_SOURCE_DIR}/.onnx-rt-applied-remove-ring-ref-in-cargo-lock")
+    execute_process(
+      COMMAND git apply -- "${CMAKE_CURRENT_LIST_DIR}/llguidance/remove-ring-ref-in-cargo-lock.patch"
+      WORKING_DIRECTORY       "${llguidance_SOURCE_DIR}"
+      COMMAND_ERROR_IS_FATAL  ANY
+    )
+    file(TOUCH "${llguidance_SOURCE_DIR}/.onnx-rt-applied-remove-ring-ref-in-cargo-lock")
+  endif()
   corrosion_import_crate(MANIFEST_PATH ${llguidance_SOURCE_DIR}/parser/Cargo.toml)
 endif()
