Sergey "Shnatsel" Davidoff
We use `cargo metadata`, so we are affected by this issue: https://github.com/rust-lang/cargo/issues/7754
As suggested by @pinkforest, it would be great to have a "publish auditable binary" GitHub action that builds the binaries with `cargo auditable`. Ideally people should be able to use...
Cargo has [made it possible to depend on the same version of a given crate with different feature sets](https://doc.rust-lang.org/cargo/reference/resolver.html#feature-resolver-version-2), provided that one version is a runtime dependency and another is...
It is technically possible to support WebAssembly, since they do allow custom sections: https://webassembly.github.io/spec/core/appendix/custom.html This may be useful since the overhead of the audit info is just a few kilobytes...
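An added example, not code from cargo-auditable or the project: a dependency-free Rust reader that walks the section table of a WebAssembly binary and returns the payload of a named custom section, which is the lookup an audit-info extractor for wasm would have to do. The section name `.dep-v0`, the sample module bytes and the placeholder payload are constructed for this example; only the wasm binary layout (magic, version, `id` byte, LEB128 size, and for `id == 0` a LEB128-prefixed name followed by the payload) comes from the spec linked above.

```rust
// Added example: locate a named custom section in a WebAssembly binary.
// Layout per the wasm spec: magic "\0asm", version 1, then sections of
// (id: u8, size: LEB128 u32, contents). A custom section has id 0 and its
// contents start with a LEB128-prefixed UTF-8 name; the rest is the payload.

const WASM_MAGIC: [u8; 4] = [0x00, b'a', b's', b'm'];
const WASM_VERSION: [u8; 4] = [1, 0, 0, 0];

/// Decode an unsigned LEB128 integer at `pos`; returns (value, position after it).
/// Rejects encodings longer than the 5 bytes a u32 can need.
fn read_leb128_u32(bytes: &[u8], mut pos: usize) -> Option<(u32, usize)> {
    let mut result: u32 = 0;
    let mut shift = 0;
    loop {
        let byte = *bytes.get(pos)?;
        pos += 1;
        if shift >= 32 {
            return None;
        }
        result |= u32::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 {
            return Some((result, pos));
        }
        shift += 7;
    }
}

/// Walk every section (custom sections may appear anywhere) and return the
/// payload of the first custom section whose name matches. Every slice is
/// bounds-checked, so a truncated or malformed module yields None, not a panic.
fn find_custom_section<'a>(wasm: &'a [u8], name: &str) -> Option<&'a [u8]> {
    if wasm.len() < 8 || wasm[..4] != WASM_MAGIC || wasm[4..8] != WASM_VERSION {
        return None;
    }
    let mut pos = 8;
    while pos < wasm.len() {
        let id = wasm[pos];
        pos += 1;
        let (size, start) = read_leb128_u32(wasm, pos)?;
        let end = start.checked_add(size as usize)?;
        let body = wasm.get(start..end)?;
        pos = end;
        if id != 0 {
            continue; // not a custom section
        }
        let (name_len, name_start) = read_leb128_u32(body, 0)?;
        let name_end = name_start.checked_add(name_len as usize)?;
        let name_bytes = body.get(name_start..name_end)?;
        if name_bytes == name.as_bytes() {
            return Some(&body[name_end..]);
        }
    }
    None
}

/// Encode a u32 as unsigned LEB128 (used only to build the constructed sample).
fn encode_leb128_u32(mut value: u32, out: &mut Vec<u8>) {
    loop {
        let byte = (value & 0x7f) as u8;
        value >>= 7;
        if value == 0 {
            out.push(byte);
            return;
        }
        out.push(byte | 0x80);
    }
}

/// Build one custom section (id 0) with the given name and payload.
fn custom_section(name: &str, payload: &[u8]) -> Vec<u8> {
    let mut body = Vec::new();
    encode_leb128_u32(name.len() as u32, &mut body);
    body.extend_from_slice(name.as_bytes());
    body.extend_from_slice(payload);
    let mut section = vec![0x00];
    encode_leb128_u32(body.len() as u32, &mut section);
    section.extend_from_slice(&body);
    section
}

/// Constructed sample module: header, an empty type section (id 1), an unrelated
/// custom section, then the assumed ".dep-v0" section with a placeholder payload.
fn sample_module() -> Vec<u8> {
    let mut wasm = Vec::new();
    wasm.extend_from_slice(&WASM_MAGIC);
    wasm.extend_from_slice(&WASM_VERSION);
    wasm.extend_from_slice(&[0x01, 0x01, 0x00]); // type section: size 1, zero entries
    wasm.extend_from_slice(&custom_section("producers", b"fake"));
    wasm.extend_from_slice(&custom_section(".dep-v0", b"{\"packages\":[]}"));
    wasm
}

fn main() {
    let wasm = sample_module();
    match find_custom_section(&wasm, ".dep-v0") {
        Some(payload) => println!("audit info: {}", String::from_utf8_lossy(payload)),
        None => println!("no audit info section"),
    }
}
```

The reader deliberately uses `get`/`checked_add` everywhere instead of indexing: the input is an untrusted binary, so a bad section size must fail closed rather than panic. The payload returned here is whatever bytes the section carries; decoding it into dependency info is a separate step and is not shown.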
Right now we have the full extraction pipeline in examples, which is not super complicated but is nevertheless manual. `rust-audit-info` shows how it's all tied together; we should just put...
Apparently there are a number of formats designed to encode package info already: https://gitbom.dev/glossary/sbom/ We need to check if any of them are suitable for our use case. Notably we...
https://github.com/bnjbvr/cargo-machete implements configuration via `[package.metadata.cargo-machete]`, we should consider using this as a configuration mechanism for `cargo-auditable`.
[RUSTSEC-2020-0071](https://github.com/rustsec/advisory-db/blob/main/crates/time/RUSTSEC-2020-0071.md) lists a large number of platforms, some of which are unrecognized by the `platforms` crate and end up being treated as unknown by RustSec tooling. For example, [the OSV exported...
I am aware of a number of memory safety issues that are slated to get fixes soon™ but do not have a release shipping yet. My life is a bit...
JIT is quite perilous from the correctness and security standpoints, but this is currently not addressed in the README. If you write an interpreter in Rust you can use `rustc`...