
Add `affected` field `macros`

Open | pinkforest opened this issue 3 years ago • 1 comment

So macros can be unsound

e.g. cell-project - gathering ones we need to adjust from `functions = {}` in case we support macros in the future: https://github.com/rustsec/advisory-db/pull/1391

Currently we are just putting these into `functions = {}`

Should there be something more generic'y, like `paths = {}`, that can be used more creatively and which we could standardise?

pinkforest, Aug 27 '22 21:08

I am adding a call analysis function to https://github.com/google/osv-scanner to use RUSTSEC advisory's affected functions info to determine whether code using a "vulnerable" dependency is actually affected or not.

Essentially this #21, but using a more naive approach by relying on the compiler optimizing out uncalled functions, which seems to work pretty well in practice.

It'll be very helpful to have macros separated out into their own field, as it causes false negatives when we can't find the "function" being called and end up marking it as not affecting your code, but it actually is, because it's a macro.

(Another example is https://rustsec.org/advisories/RUSTSEC-2023-0045.html)

another-rex, Aug 14 '23 04:08
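The macro false negative another-rex describes, and the separate field pinkforest proposes, as an added example that is not code from osv-scanner, rustsec, or either commenter: a scanner-side check that matches `functions` entries against call-analysis output but reports any in-range entry in a proposed `macros` table as affected, since macro expansion is never visible as a call. The `macros` field, the `classify` helper, and every crate path and version below are assumptions constructed for illustration.

```python
# Added example, not osv-scanner's or rustsec's code. `macros` is the field this
# issue proposes; paths and versions are constructed for illustration.

# Mirrors the TOML shape `[affected] functions = { "path" = ["< 0.1.4"] }`,
# plus the proposed macros table.
ADVISORY_AFFECTED = {
    "functions": {"example_crate::risky_fn": ["< 0.1.4"]},
    "macros": {"example_crate::risky_macro": ["< 0.1.4"]},
}
# The same advisory as recorded today: the macro is filed under `functions`.
LEGACY_AFFECTED = {"functions": {**ADVISORY_AFFECTED["functions"],
                                 **ADVISORY_AFFECTED["macros"]}}

# Two-character operators first so "<" does not shadow "<=".
OPS = {"<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "=": lambda a, b: a == b}

def parse_version(text):
    """'0.1.4' -> (0, 1, 4); pre-release tags are out of scope here."""
    return tuple(int(part) for part in text.strip().split("."))

def version_matches(version, requirement):
    """True if version satisfies a comma-joined requirement like '>= 0.1.0, < 0.1.4'."""
    ver = parse_version(version)
    for clause in requirement.split(","):
        clause = clause.strip()
        op = next((o for o in OPS if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported requirement clause: {clause!r}")
        if not OPS[op](ver, parse_version(clause[len(op):])):
            return False
    return True

def classify(affected, crate_version, called_paths):
    """Return (verdict, reason). Functions are matched against the call-analysis
    result; macros are expanded before codegen and never show up as calls, so an
    in-range macro is reported as affected rather than silently passed."""
    def in_range(ranges):
        return any(version_matches(crate_version, r) for r in ranges)
    for path, ranges in affected.get("functions", {}).items():
        if path in called_paths and in_range(ranges):
            return "affected", f"calls {path}"
    for path, ranges in affected.get("macros", {}).items():
        if in_range(ranges):
            return "affected", f"{path} is a macro; call analysis cannot rule it out"
    return "not affected", "no affected function called and no macro in range"
```

With `LEGACY_AFFECTED` and code that only expands the macro (no surviving calls), `classify` returns "not affected", which is exactly the false negative; the same input against `ADVISORY_AFFECTED` returns "affected".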