Sergey "Shnatsel" Davidoff

Results: 260 issues by Sergey "Shnatsel" Davidoff

Cargo's JSON output includes information on the libraries being linked: https://github.com/alilleybrinker/cargo-spdx/issues/11#issue-1299992878 This should let us reliably (?) determine if a C library is being statically linked or not, and the...

https://nvd.nist.gov/vuln/detail/CVE-2023-38633 https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/

Most crates that allow self-referential structs are unsound. See https://github.com/Voultapher/self_cell/pull/41 for a list of crates and issues. We have advisories for ouroboros (RUSTSEC-2023-0042) and owning-ref (https://rustsec.org/advisories/RUSTSEC-2022-0040.html), we should cover the...

https://github.com/golddranks/multi_mut has been written before Rust had an aliasing model, and before `&mut` had `noalias` annotations in LLVM. It violates Stacked Borrows and is likely UB under current LLVM behavior:...

https://github.com/brion/mtpng provides a multi-threaded PNG encoder that is competitive with libpng even in single-threaded configurations. It would be nice to be able to use it from `image`. Since multi-threading "in...

When I published a hotfix for #1142, I didn't fix the `rustsec-admin` build, to get the main thing out ASAP. This left CI failing for `admin`.

Cargo has just stabilized `Cargo.lock` v4 format: https://github.com/rust-lang/cargo/pull/12852 We may need to update the `cargo-lock` crate to support it.

gix 0.52 has added [native support for extracting signatures](https://docs.rs/gix/0.52.0/gix/struct.Commit.html#method.signature) in https://github.com/Byron/gitoxide/pull/973 We should refactor this code to make use of the upstream function: https://github.com/rustsec/rustsec/blob/7c05b2ec0104a1a7c38322d90baf7627add73a11/rustsec/src/repository/git/commit.rs#L78-L93

enhancement
help wanted
rustsec crate

Now that crates.io sparse index exists and support for it was added in #923, the only hard dependency on git is in fetching the advisory database. It should not be...

enhancement
rustsec crate

`cargo audit` currently hardcodes how long it will wait to acquire a filesystem lock: https://github.com/rustsec/rustsec/blob/7c05b2ec0104a1a7c38322d90baf7627add73a11/cargo-audit/src/auditor.rs#L17-L18 It would be nice to make it configurable through the configuration file and/or the command-line...

enhancement
cargo-audit crate