
crates.io RustSec Auditor #13

Open
zachreizner opened this issue Oct 23, 2018 · 8 comments

Comments

@zachreizner

The first milestone for this would be a program that cross-references the RustSec advisory-db with the crates.io database and prints crates with vulnerable dependencies.

The second milestone is notifying crates with vulnerable dependencies, so that they may upgrade.

@alex

alex commented Oct 23, 2018

Will cargo audit currently catch a vulnerable dependency if it's a transitive dependency?

@tarcieri

@alex yes, cargo audit uses the dependency list from Cargo.lock, which includes all transitive dependencies

@alex

alex commented Oct 23, 2018

👍 -- wanted to confirm that checking crates.io was about being proactive vs. a first line of defense.

@Shnatsel

Shnatsel commented Jan 6, 2019

https://gitlab.com/zachreizner/crates-audit/ implements checking the crates.io index against the RustSec advisory database and outputs the result in .json, .bin and .toml formats. It also has a web UI that displays this info. It flags crates with no semver-compatible upgrade path, i.e. the issues that cannot be resolved by running cargo update. As of this writing there are around 700 such crates.

The tool is pretty much complete aside from a couple of trivial issues I've filed on the bug tracker, which are now fixed. It has identified, for example, https://crates.io/crates/amqp - a crate with 8,000+ recent downloads - using an OpenSSL version so wildly outdated that it doesn't check the hostname in certificates and is vulnerable to trivial MitM.

I feel integrating this info into crates.io would prevent serious issues from being masked, as happened in the amqp case.
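A worked illustration of the cross-reference described in the opening post and in the comment above (flagging dependents that have no semver-compatible upgrade path, as opposed to those a plain cargo update would fix), added here as an example; it is not crates-audit's code or any RustSec tooling. It assumes a simplified index shape (crate name mapped to a list of releases, each with a version and a list of (dependency, caret requirement) pairs), handles only Cargo's default caret requirements and RustSec-style comparator ranges, and resolves transitive dependencies by following the newest matching release at each hop. Every crate name, version and advisory id in it (EXAMPLE-0001, tlslib, hashfn, brokerclient, lookup, fine) is constructed for the example.

```python
# Added example, not crates-audit's own code; every crate name, version and advisory id is constructed.
import operator
from typing import Callable, Dict, Iterator, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """'0.10' -> (0, 10, 0); pre-release tags are out of scope for this example."""
    major, minor, patch = ([int(p) for p in text.strip().split(".")] + [0, 0])[:3]
    return (major, minor, patch)

def parse_caret(req: str) -> Tuple[Version, Version]:
    """Cargo caret requirement (the crates.io default) as a half-open [lower, upper) pair."""
    parts = [int(p) for p in req.strip().lstrip("^").split(".")]
    major, minor, patch = (parts + [None, None])[:3]
    lower: Version = (major, minor or 0, patch or 0)
    if major > 0:                         # ^1.2.3 -> <2.0.0
        upper: Version = (major + 1, 0, 0)
    elif minor is None:                   # ^0 -> <1.0.0
        upper = (1, 0, 0)
    elif minor > 0 or patch is None:      # ^0.2.3 -> <0.3.0, ^0.0 -> <0.1.0
        upper = (0, minor + 1, 0)
    else:                                 # ^0.0.3 -> <0.0.4
        upper = (0, 0, patch + 1)
    return lower, upper

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt, "=": operator.eq}

def parse_range(spec: str) -> Callable[[Version], bool]:
    """RustSec-style range such as '>= 0.5.3, < 0.6.0' -> predicate on a parsed version."""
    clauses = []
    for raw in spec.split(","):
        op, _, ver = raw.strip().partition(" ")
        clauses.append((_OPS[op], parse_version(ver)))
    return lambda v: all(op(v, bound) for op, bound in clauses)

class Advisory(NamedTuple):
    id: str
    package: str
    patched: Tuple[str, ...]          # ranges that contain the fix
    unaffected: Tuple[str, ...] = ()  # ranges that were never affected
    def is_vulnerable(self, version: str) -> bool:
        v = parse_version(version)
        return not any(parse_range(r)(v) for r in self.patched + self.unaffected)

class Finding(NamedTuple):
    crate: str
    dependency: str
    advisory: str
    via: Tuple[str, ...]  # intermediate crates when the dependency is transitive
    fix: Optional[str]    # newest semver-compatible patched version; None = no upgrade path

def candidates(index: dict, name: str, req: str) -> List[dict]:
    """Published releases of `name` that satisfy caret `req`, oldest first."""
    lower, upper = parse_caret(req)
    matches = [r for r in index.get(name, []) if lower <= parse_version(r["version"]) < upper]
    return sorted(matches, key=lambda r: parse_version(r["version"]))

def dependency_edges(index: dict, release: dict, path: Tuple[str, ...]) -> Iterator[tuple]:
    """Yield (dep, req, via) for direct and transitive deps, following the newest matching
    release at each hop as a stand-in for what a freshly generated Cargo.lock would pin."""
    for dep_name, req in release["deps"]:
        if dep_name in path:  # cycle guard
            continue
        yield dep_name, req, path
        resolved = candidates(index, dep_name, req)
        if resolved:
            yield from dependency_edges(index, resolved[-1], path + (dep_name,))

def audit(index: dict, advisories: List[Advisory]) -> List[Finding]:
    """One Finding per (crate, dependency, advisory) whose requirement admits a vulnerable release."""
    by_pkg: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package, []).append(adv)
    findings = []
    for crate, releases in index.items():
        for rel in releases:
            for dep_name, req, via in dependency_edges(index, rel, (crate,)):
                for adv in by_pkg.get(dep_name, []):
                    versions = [r["version"] for r in candidates(index, dep_name, req)]
                    patched = [v for v in versions if not adv.is_vulnerable(v)]
                    if len(patched) == len(versions):  # no vulnerable release in range
                        continue
                    findings.append(Finding(crate, dep_name, adv.id, via[1:], patched[-1] if patched else None))
    return findings

ADVISORIES = [  # constructed advisories in RustSec's patched-range style
    Advisory("EXAMPLE-0001", "tlslib", patched=(">= 0.10.16",)),
    Advisory("EXAMPLE-0002", "hashfn", patched=(">= 0.5.3, < 0.6.0", ">= 0.6.2")),
]
INDEX = {  # constructed index: crate -> releases {"version", "deps": [(name, caret req)]}
    "tlslib": [{"version": v, "deps": []} for v in ("0.7.14", "0.9.24", "0.10.16")],
    "hashfn": [{"version": v, "deps": []} for v in ("0.5.3", "0.6.0", "0.6.1", "0.6.2")],
    "brokerclient": [{"version": "0.8.4", "deps": [("tlslib", "^0.7")]}],
    "lookup": [{"version": "2.1.0", "deps": [("hashfn", "^0.6.0")]}],
    "fine": [{"version": "1.0.0", "deps": [("lookup", "^2")]}],  # transitive hit through lookup
}
```

Running audit(INDEX, ADVISORIES) yields three findings: brokerclient's ^0.7 requirement on tlslib admits only a vulnerable release, so fix is None, which is the "no semver-compatible upgrade path" case crates-audit flags; lookup can move to hashfn 0.6.2 with a plain cargo update; and fine is reported with via ("lookup",), showing the transitive case raised in the thread, which an index-only scan misses unless it follows the dependency chain as done here.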

@tarcieri

tarcieri commented Jan 7, 2019

Hear hear @Shnatsel, crates-audit is really starting to shape up. Great work @zachreizner!

One thing I've been trying to facilitate is integrating RustPräzi, a crater-like tool which builds a complete call graph of all of crates.io:

https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912

I added support for collecting the relevant metadata (paths to functions) to RustSec advisories. One of the authors of RustPräzi (@Inventitech) took a look at actually trying to consume it and we discovered some issues:

rustsec/advisory-db#68

It should be simple to address, though.

@Shnatsel

Shnatsel commented Jan 7, 2019

Nice! Is there a repository with a prototype of the RustPräzi-based tool that I could link to?

@tarcieri

tarcieri commented Jan 7, 2019

I'd suggest asking on their Gitter: https://gitter.im/praezi/rust
