
Serde crate showing question mark

Open schoenenberg opened this issue 4 years ago • 2 comments

Hi, I have just installed cargo-geiger to see which of my dependencies contain unsafe code, and I found the serde crate (1.0.117) with a question mark, although it contains #[forbid(unsafe_code)] (see https://github.com/serde-rs/serde/blob/master/serde/src/lib.rs#L139).

I am not sure if this was already reported. Please close this if this is a duplicate.

Best regards, Maximilian

schoenenberg avatar Nov 10 '20 11:11 schoenenberg

Thanks for the report!

This could be related to #116

anderejd avatar Nov 14 '20 08:11 anderejd

Looking at serde 1.0.117 -

serde/src/lib.rs:#![forbid(unsafe_code)]
test_suite/tests/test_ser.rs:    let path = unsafe { str::from_utf8_unchecked(b"Hello \xF0\x90\x80World") };
test_suite/no_std/src/main.rs:    unsafe {

Yes, we will have to manage test suite / dev dep handling differently.

Just curiosity-wise as well, unrelated to this error -

serde has unsafe as of now

src/ser/impls.rs: serializer.serialize_str(unsafe { str::from_utf8_unchecked(&buf[..written]) })

0/0        4/4          0/0    0/0     0/0      !  ├── serde 1.0.133

Action(s) To Resolve The Issue

  • [ ] Figure out the better way to report on development dependencies separately
  • [ ] Document the approach chosen

pinkforest avatar Jan 06 '22 07:01 pinkforest