I am adding a call analysis function to https://github.com/google/osv-scanner to use RUSTSEC advisory's affected functions info to determine whether code using a "vulnerable" dependency is actually affected or not.
Essentially this #21, but using a more naive approach by relying on the compiler optimizing out uncalled functions, which seems to work pretty well in practice.
It'll be very helpful to have macros separated out into their own field, as it causes false negatives when we can't find the "function" being called and mark it as not affecting your code, when it actually is affected and the miss is caused by it being a macro.
So macros can be unsound
e.g. cell-project - gathering ones we need to adjust from
functions = {}
in case we support macros in the future: rustsec/advisory-db#1391
Currently we are just putting these into
functions = {}
Should there be something more generic-y like
paths = {}
that can be used more creatively and which we could standardise
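The false negative discussed in this thread, as an added sketch that is not osv-scanner or RustSec code: a symbol-presence check over an advisory's affected paths, run once with a macro path filed under the functions list and once with it in a separate list. The crate paths, the symbol list and the separate `macros` input are constructed for illustration.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
enum Verdict {
    Called,       // an affected function's symbol survived in the binary
    NotCalled,    // only functions are listed and none of them survived
    Undetermined, // a macro is listed: it expands inline and leaves no symbol
}

// Legacy-mangled Rust symbols demangle to `path::name::h<16 hex digits>`.
fn strip_hash(sym: &str) -> &str {
    match sym.rsplit_once("::h") {
        Some((path, h)) if h.len() == 16 && h.bytes().all(|b| b.is_ascii_hexdigit()) => path,
        _ => sym,
    }
}

// `macros` is a hypothetical separate list of affected macro paths;
// `symbols` are demangled names taken from the compiled binary.
fn classify(functions: &[&str], macros: &[&str], symbols: &[&str]) -> Verdict {
    let present: HashSet<&str> = symbols.iter().copied().map(|s| strip_hash(s)).collect();
    if functions.iter().any(|f| present.contains(f)) {
        Verdict::Called
    } else if !macros.is_empty() {
        Verdict::Undetermined
    } else {
        Verdict::NotCalled
    }
}

// Constructed sample: symbols left in a binary after unused code was dropped.
const SYMBOLS: &[&str] = &[
    "app::main::h0f1e2d3c4b5a6978",
    "demo_crate::parse::h1122334455667788",
];

fn main() {
    // Macro path filed under the functions list: reported as not called (false negative).
    println!("{:?}", classify(&["demo_crate::project"], &[], SYMBOLS));
    // Same path in a separate macros list: reported as undetermined instead.
    println!("{:?}", classify(&[], &["demo_crate::project"], SYMBOLS));
    // A real function whose symbol survived: reported as called.
    println!("{:?}", classify(&["demo_crate::parse"], &[], SYMBOLS));
}
```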