crates.io RustSec Auditor

[zachreizner]

The first milestone for this would be a program that cross-references the RustSec advisory-db with the crates.io database and prints crates with vulnerable dependencies.

The second milestone is notifying crates with vulnerable dependencies, so that they may upgrade.

[alex]

Will cargo audit currently catch a vulnerable dependency if it's a transitive dependency?

[tarcieri]

@alex yes, cargo audit uses the dependency list from Cargo.lock, which includes all transitive dependencies

[alex]

👍 -- wanted to confirm that checking crates.io was about being proactive vs. a first line of defense.

[Shnatsel]

https://gitlab.com/zachreizner/crates-audit/ implements checking crates.io index against RustSec advisory database and outputs the result in .json, .bin and .toml formats. It also has a web UI that displays this info. It flags crates with no semver-compatible upgrade path, i.e. the issues that cannot be resolved by running cargo update. As of this writing there are at around 700 such crates.

The tool is pretty much complete aside of a couple trivial issues I've filed on the bug tracker which are now fixed. It has identified, for example, https://crates.io/crates/amqp - a crate with 8,000+ recent downloads - using OpenSSL version so wildly outdated that it doesn't check hostname in certificates and is vulnerable to trivial MitM.

I feel integrating this info into crates.io would prevent serious issues from being masked, like it happened in the amqp case.

[tarcieri]

Hear hear @Shnatsel, crates-audit is really starting to shape up. Great work @zachreizner !

One thing I've been trying to facilitate is integrating RustPräzi, a crater-like tool which builds a complete call graph of all of crates.io:

https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912

I added support for collecting the relevant metadata (paths to functions) to RustSec advisories. One of the authors of RustPräzi (@Inventitech) took a look at actually trying to consume it and we discovered some issues:

rustsec/advisory-db#68

It should be simple to address, though.

[Shnatsel]

Nice! Is there a repository with a prototype of the RustPrazi-based tool that I could link to?

[tarcieri]

I'd suggest asking on their Gitter: https://gitter.im/praezi/rust

[Inventitech]

@Shnatsel https://github.com/praezi/rust