crates.io RustSec Auditor

Open zachreizner opened this issue 7 years ago • 8 comments

The first milestone for this would be a program that cross-references the RustSec advisory-db with the crates.io database and prints crates with vulnerable dependencies.

The second milestone is notifying crates with vulnerable dependencies, so that they may upgrade.

zachreizner avatar Oct 23 '18 18:10 zachreizner

Will cargo audit currently catch a vulnerable dependency if it's a transitive dependency?

alex avatar Oct 23 '18 18:10 alex

@alex yes, cargo audit uses the dependency list from Cargo.lock, which includes all transitive dependencies.

tarcieri avatar Oct 23 '18 18:10 tarcieri

👍 -- wanted to confirm that checking crates.io was about being proactive vs. a first line of defense.

alex avatar Oct 23 '18 18:10 alex

https://gitlab.com/zachreizner/crates-audit/ implements checking the crates.io index against the RustSec advisory database and outputs the result in .json, .bin and .toml formats. It also has a web UI that displays this info. It flags crates with no semver-compatible upgrade path, i.e. the issues that cannot be resolved by running cargo update. As of this writing there are around 700 such crates.

The tool is pretty much complete aside from a couple of trivial issues ~~I've filed on the bug tracker~~ which are now fixed. It has identified, for example, https://crates.io/crates/amqp - a crate with 8,000+ recent downloads - using an OpenSSL version so wildly outdated that it doesn't check the hostname in certificates and is vulnerable to trivial MitM.

I feel integrating this info into crates.io would prevent serious issues from being masked, as happened in the amqp case.

Shnatsel avatar Jan 06 '19 22:01 Shnatsel
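The "no semver-compatible upgrade path" check described above, written out as an added Rust example (not crates-audit's own code, which lives at the GitLab link). The dependency requirement, advisory threshold and available versions are constructed sample data, and the caret rule is a simplified reimplementation of Cargo's (no wildcards, tilde or comparison ranges).

```rust
// Added example: decide whether a vulnerable dependency can be fixed by
// `cargo update`, i.e. whether a patched version exists that is
// semver-compatible (caret rule) with the dependent's version requirement.
// All version strings below are constructed sample data, not crates.io data.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse "x.y.z"; a leading "^" or ">=" is tolerated and missing components are 0.
pub fn parse(s: &str) -> Option<Version> {
    let s = s.trim().trim_start_matches(">=").trim_start_matches('^').trim();
    let mut it = s.split('.').map(|p| p.trim().parse::<u64>());
    let major = it.next()?.ok()?;
    let minor = it.next().unwrap_or(Ok(0)).ok()?;
    let patch = it.next().unwrap_or(Ok(0)).ok()?;
    Some(Version(major, minor, patch))
}

/// Cargo's caret rule: ^1.2.3 => >=1.2.3 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0,
/// ^0.0.3 => exactly 0.0.3.
pub fn caret_compatible(req: Version, v: Version) -> bool {
    if v < req {
        return false;
    }
    if req.0 > 0 {
        v.0 == req.0
    } else if req.1 > 0 {
        v.0 == 0 && v.1 == req.1
    } else {
        v == req
    }
}

/// Highest available version that both satisfies the requirement and is at or
/// above the advisory's patched version. None means `cargo update` cannot fix
/// it: the dependent crate itself has to bump its requirement and release.
pub fn upgrade_path(req: &str, patched: &str, available: &[&str]) -> Option<Version> {
    let req = parse(req)?;
    let patched = parse(patched)?;
    available
        .iter()
        .filter_map(|s| parse(s))
        .filter(|&v| caret_compatible(req, v) && v >= patched)
        .max()
}

fn main() {
    // Constructed index: dependent requires "^0.7" of a TLS crate, the advisory
    // says the fix landed in 0.9.0, and only 0.7.x and 0.9.x releases exist.
    let available = ["0.7.14", "0.7.15", "0.9.0", "0.9.3"];
    match upgrade_path("^0.7", ">= 0.9.0", &available) {
        Some(v) => println!("cargo update can fix it: {:?}", v),
        None => println!("no semver-compatible upgrade path; dependent must bump its requirement"),
    }
}
```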

Hear hear @Shnatsel, crates-audit is really starting to shape up. Great work @zachreizner !

One thing I've been trying to facilitate is integrating RustPräzi, a crater-like tool which builds a complete call graph of all of crates.io:

https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912

I added support for collecting the relevant metadata (paths to functions) to RustSec advisories. One of the authors of RustPräzi (@Inventitech) took a look at actually trying to consume it and we discovered some issues:

https://github.com/RustSec/advisory-db/issues/68

It should be simple to address, though.

tarcieri avatar Jan 07 '19 15:01 tarcieri

Nice! Is there a repository with a prototype of the RustPrazi-based tool that I could link to?

Shnatsel avatar Jan 07 '19 19:01 Shnatsel

I'd suggest asking on their Gitter: https://gitter.im/praezi/rust

tarcieri avatar Jan 07 '19 20:01 tarcieri

@Shnatsel https://github.com/praezi/rust

Inventitech avatar Jan 08 '19 15:01 Inventitech