-
Notifications
You must be signed in to change notification settings - Fork 127
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integration with Siderophile #89
Labels
Comments
tarcieri
added a commit
that referenced
this issue
May 7, 2021
report: Generate warnings for selected informational advisories
tarcieri
pushed a commit
that referenced
this issue
May 7, 2021
Bumps [toml](https://github.com/alexcrichton/toml-rs) from 0.5.7 to 0.5.8. - [Release notes](https://github.com/alexcrichton/toml-rs/releases) - [Commits](toml-rs/toml-rs@0.5.7...0.5.8) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Siderophile is a utility for locating unsafe hotspots in Rust programs and fuzzing them:
One of the things it does is a call graph analysis, somewhat similar to the ones performed by tools like cargo-geiger and RustPräzi (see also: rustsec/advisory-db#68).
The RustSec Advisory DB already contains metadata about the paths to impacted functions in an advisory as they relate to versions. It would be nice to use Siderophile to compute the call graph across
--all-features
of the parent crate, then use it to (perhaps optionally) test whether or not impacted/functions exist in the call graph.Case study:
memoffset
The following is a real-world RustSec case story where this sort of call graph analysis may have been helpful.
RUSTSEC-2019-0011 filed against the memoffset crate was an interesting vulnerability for several reasons:
memoffset
was using it. This means that a low number of users received an important advisory about a high severity vulnerability, but for many others it was a false positive.memoffset
is used by many high-profile ecosystem crates includingcrossbeam
. At the time we published the advisory there was no upgrade path available for many users, so they got an alert, but it was not actionable.This combination of factors is exactly the sort of situation where it would be nice to eliminate false positives via call graph analysis. For users who were truly impacted by this advisory, it was RCE and they should absolutely be notified, but for most users it was just noise, and without a call graph analysis tool it was completely unclear which of these buckets a particular program fit into.
Eliminating false positives is something that must be done correctly: we don't want to fail to alert impacted users just to spare non-impacted users from annoying false positives. However, I think this sort of call graph analysis can be done precisely to where that is the case.
The text was updated successfully, but these errors were encountered: