Skip to content

/wg

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crates.io RustSec Auditor #13

Open
zachreizner opened this Issue Oct 23, 2018 · 8 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@zachreizner @alex @tarcieri @Shnatsel @Inventitech
@zachreizner
Copy link

zachreizner commented Oct 23, 2018

The first milestone for this would be a program that cross-references the RustSec advisory-db with the crates.io database and prints crates with vulnerable dependencies.

The second milestone is notifying crates with vulnerable dependencies, so that they may upgrade.
@alex

This comment has been minimized.

Sign in to view
Copy link

alex commented Oct 23, 2018

Will cargo audit currently catch a vulnerable dependency if it's a transitive dependency?
@tarcieri

This comment has been minimized.

Sign in to view
Copy link
Collaborator

tarcieri commented Oct 23, 2018

@alex yes, cargo audit uses the dependency list from Cargo.lock, which includes all transitive dependencies
@alex

This comment has been minimized.

Sign in to view
Copy link

alex commented Oct 23, 2018

👍 -- wanted to confirm that checking crates.io was about being proactive vs. a first line of defense.
@Shnatsel

This comment has been minimized.

Sign in to view
Copy link

Shnatsel commented Jan 6, 2019
edited

https://gitlab.com/zachreizner/crates-audit/ implements checking crates.io index against RustSec advisory database and outputs the result in .json, .bin and .toml formats. It also has a web UI that displays this info. It flags crates with no semver-compatible upgrade path, i.e. the issues that cannot be resolved by running cargo update. As of this writing there are at around 700 such crates.

The tool is pretty much complete aside of a couple trivial issues I've filed on the bug tracker which are now fixed. It has identified, for example, https://crates.io/crates/amqp - a crate with 8,000+ recent downloads - using OpenSSL version so wildly outdated that it doesn't check hostname in certificates and is vulnerable to trivial MitM.

I feel integrating this info into crates.io would prevent serious issues from being masked, like it happened in the amqp case.
@tarcieri

This comment has been minimized.

Sign in to view
Copy link
Collaborator

tarcieri commented Jan 7, 2019

Hear hear @Shnatsel, crates-audit is really starting to shape up. Great work @zachreizner !

One thing I've been trying to facilitate is integrating RustPräzi, a crater-like tool which builds a complete call graph of all of crates.io:

https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912

I added support for collecting the relevant metadata (paths to functions) to RustSec advisories. One of the authors of RustPräzi (@Inventitech) took a look at actually trying to consume it and we discovered some issues:

RustSec/advisory-db#68

It should be simple to address, though.
@Shnatsel

This comment has been minimized.

Sign in to view
Copy link

Shnatsel commented Jan 7, 2019

Nice! Is there a repository with a prototype of the RustPrazi-based tool that I could link to?
@tarcieri

This comment has been minimized.

Sign in to view
Copy link
Collaborator

tarcieri commented Jan 7, 2019

I'd suggest asking on their Gitter: https://gitter.im/praezi/rust

@Shnatsel Shnatsel referenced this issue Jan 8, 2019

Open

RustSec integration into crates.io UI #16

@Inventitech

This comment has been minimized.

Sign in to view
Copy link

Inventitech commented Jan 8, 2019

@Shnatsel https://github.com/praezi/rust
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.