# Rust Crash Course - 06 - Code Linting and Project Audit

Linting and audit tools analyze code and project properties in order to provide recommendations for higher code quality, performance and security.

In the following, tools are presented that help Rust developers optimize their code.

The contents represent a brief and compact introduction to the topic, inspired by the [Rust Book](https://doc.rust-lang.org/book/), the [Cargo Book](https://doc.rust-lang.org/cargo/), the [Rust Reference](https://doc.rust-lang.org/reference/), and [Rust By Example](https://doc.rust-lang.org/rust-by-example/).

## Preparation

For shell command calls, the Python module ``subprocess`` is used (https://docs.python.org/3/library/subprocess.html).

Run the following code block to provide the function ``execute_command()`` within this notebook.

In [None]:
import subprocess

def execute_command(cmd):
    run = subprocess.run(cmd, universal_newlines=True, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    print(run.stdout)

Of course, all shell commands given in this tutorial can also be executed directly on a Linux console.

## Linting Rust Code

Linters statically analyze source code for several issues such as unnecessary code, bad performing code, or messy coding style. Every time a Rust project is compiled, the rust compiler uses ``cargo check`` by default to perform basic checks.

The linter in ``rustc`` implements five lint levels. Each lint has a default level and the compiler itself has a default warning level. The five lint levels are the following:

1. ``allow``        (produces no output)


2. ``warn``         (produces a warning)


3. ``force-warn``   (produces a warning)


4. ``deny``         (produces an error)


5. ``forbid``       (produces an error)


Lints with the level ``allow``, ``warn``, and ``deny`` can be overridden with a macro command (just like ``#![deny(missing_docs)]``).
The lints ``force-warn`` and ``forbid`` behave like ``warn`` and ``deny``, respectively, but they cannot be overridden.

In the following, an advanced linting tool is presented that helps increasing Rust source code quality even more.

### Rust Linter ``clippy``

``clippy`` is a superset to ``cargo check`` because it runs ``cargo check`` itself. Additionally, ``clippy`` has certain recommendations about performance optimizations, idiomatic rust and platform independence.

For all possible ``clippy`` lints see:

* https://rust-lang.github.io/rust-clippy/master/

The following commands apply ``clippy``-based linting to a Rust project:

* `cargo clippy` - runs the clippy linter for the project


* `cargo clippy --tests` - runs clippy for the tests of the project


* `cargo clippy --examples` - runs clippy for the examples of the project

### Visual Studio Code Integration

In the default configuration, VS Code with its extension ``rust-analyzer`` automatically lints the current file after saving it.

Problematic code gets underlined, if the linter issued a corresponding warning or error.

The lint details can be seen in a popup when hovering over it.

One can even jump from one problem to the next by pressing ``F8``.

### Exercise 6.1

Use the following cell to open the ``example-math-tools`` project in VS Code.

Analyze the warnings the Rust compiler and ``clippy`` are showing.

Find suitable fixes that lead to a higher quality code.

In [None]:
execute_command('code ../example-math-tools')

Which warnings did the Rust compiler and/or ``clippy`` find and how could they be fixed?

* *TODO*


## Rust Project Audit

Keeping track of security issues across all project dependencies is a tidy and sometimes complex task.

Fortunately, the Rust toolchain provides a tool to support developers facing this challenge.

### Security Auditing with ``cargo audit``

``cargo audit`` is a tool to find known security vulnerabilities in the dependencies of a Rust project.

It is executed at the top level of a project, yields a list of known security issues, and even has an option to fix them.

These commands are useful in this context:

* ``cargo audit`` - checks current project dependencies for vulnerabilities


* ``cargo audit -f <PATH_TO_LOCK>`` - checks specified crate (Cargo.lock) for vulnerabilities


For more information on this tool see:

* https://github.com/RustSec/cargo-audit

### Exercise 6.2

This exercise is based on two external projects: ``libc`` and ``tokio``.

The following cells will checkout a specific version of these projects.

In [None]:
execute_command('git clone https://github.com/rust-lang/libc.git ../libc && cd ../libc && git checkout 895bf0de')
execute_command('git clone https://github.com/tokio-rs/tokio.git ../tokio && cd ../tokio && git checkout adad8fc3')

Use the next cells to analyze their dependencies for known security problems.

In [None]:
execute_command('cd ../libc && cargo audit')

Which security warnings did ``cargo audit`` find for ``libc``?

* *TODO*

How critical are they?

*TODO*


In [None]:
execute_command('cd ../tokio && cargo audit')

Which security warnings did ``cargo audit`` find for ``tokio``?

* *TODO*

How critical are they?

*TODO*
