rustsec / rustsec

RustSec API & Tooling

Home Page: https://rustsec.org/

License: Other

Rust 94.87% CSS 1.13% HTML 3.51% Shell 0.13% JavaScript 0.36%
rust security cargo

rustsec's Introduction

RustSec Crates 🦀🛡️📦

The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via crates.io.

The advisory database itself can be found at:

https://github.com/RustSec/advisory-db

About this repository

This repository contains a Cargo Workspace with all of the crates maintained by the RustSec project:

Name           Description
cargo-audit    Audit Cargo.lock against the advisory DB
cargo-lock     Self-contained Cargo.lock parser
cvss           Common Vulnerability Scoring System
platforms      Rust platform registry
rustsec        Advisory DB client library
rustsec-admin  Linter and web site generator

Each row of the original table also links to the crate on crates.io, its documentation, and its CI build status.

License

All crates licensed under either of

at your option.


rustsec's Issues

New release

Current master builds just fine with recent rust while latest release fails with:

error: unused `#[macro_use]` import
  --> src/main.rs:12:1
   |
12 | #[macro_use]
   | ^^^^^^^^^^^^
   |
note: lint level defined here
  --> src/main.rs:5:22
   |
5  | #![deny(unsafe_code, warnings, missing_docs, trivial_numeric_casts)]
   |                      ^^^^^^^^
   = note: #[deny(unused_imports)] implied by #[deny(warnings)]

Integration with Siderophile

Siderophile is a utility for locating unsafe hotspots in Rust programs and fuzzing them:

One of the things it does is a call graph analysis, somewhat similar to the ones performed by tools like cargo-geiger and RustPräzi (see also: rustsec/advisory-db#68).

The RustSec Advisory DB already contains metadata about the paths to impacted functions in an advisory as they relate to versions. It would be nice to use Siderophile to compute the call graph across --all-features of the parent crate, then use it to (perhaps optionally) test whether or not impacted/functions exist in the call graph.

Case study: memoffset

The following is a real-world RustSec case story where this sort of call graph analysis may have been helpful.

RUSTSEC-2019-0011 filed against the memoffset crate was an interesting vulnerability for several reasons:

  • High severity: memory exposure and potential RCE. Furthermore, its initial severity was underestimated, and the impacted versions also retroactively expanded.
  • Low exploitability: whether a particular project was impacted depended entirely on how the parent dependency which depends on memoffset was using it. This means that a low number of users received an important advisory about a high severity vulnerability, but for many others it was a false positive.
  • Unclear resolutions: memoffset is used by many high-profile ecosystem crates including crossbeam. At the time we published the advisory there was no upgrade path available for many users, so they got an alert, but it was not actionable.

This combination of factors is exactly the sort of situation where it would be nice to eliminate false positives via call graph analysis. For users who were truly impacted by this advisory, it was RCE and they should absolutely be notified, but for most users it was just noise, and without a call graph analysis tool it was completely unclear which of these buckets a particular program fit into.

Eliminating false positives is something that must be done correctly: we don't want to fail to alert impacted users just to spare non-impacted users from annoying false positives. However, I think this sort of call graph analysis can be done precisely to where that is the case.
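As an added illustration of the reachability check proposed in this issue (not Siderophile's or the rustsec crate's code), the following Rust program walks hand-built call graphs for two hypothetical programs and reports an advisory only when one of its affected functions is reachable from the entry point. The `Advisory` struct, `parent_crate`, `app_a`/`app_b` and the `memoffset::...` function paths are placeholders; only the advisory id comes from the case study.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Caller -> callees, keyed by fully qualified function path. Constructed by
/// hand below; in the proposed integration it would come from Siderophile.
type CallGraph = HashMap<String, Vec<String>>;

/// Hypothetical stand-in for the affected-function metadata an advisory
/// carries (not the rustsec crate's own advisory type).
struct Advisory {
    id: &'static str,
    affected_functions: Vec<&'static str>,
}

/// Every function reachable from `root`, including `root` itself. The visited
/// set keeps recursive or mutually recursive call chains from looping forever.
fn reachable(graph: &CallGraph, root: &str) -> HashSet<String> {
    let mut seen = HashSet::new();
    let mut queue = VecDeque::from([root.to_string()]);
    while let Some(func) = queue.pop_front() {
        if !seen.insert(func.clone()) {
            continue;
        }
        if let Some(callees) = graph.get(&func) {
            for callee in callees {
                if !seen.contains(callee) {
                    queue.push_back(callee.clone());
                }
            }
        }
    }
    seen
}

/// Affected functions this program actually reaches from `root`, sorted.
/// Empty means the advisory is noise for this program; non-empty means the
/// user must be alerted, which is exactly the split the memoffset case needed.
fn reachable_affected(graph: &CallGraph, root: &str, adv: &Advisory) -> Vec<String> {
    let reach = reachable(graph, root);
    let mut hits: Vec<String> = adv
        .affected_functions
        .iter()
        .filter(|f| reach.contains(**f))
        .map(|f| f.to_string())
        .collect();
    hits.sort();
    hits
}

/// Build a call graph from (caller, callees) pairs.
fn edges(list: Vec<(&str, Vec<&str>)>) -> CallGraph {
    list.into_iter()
        .map(|(caller, callees)| {
            let callees: Vec<String> = callees.into_iter().map(String::from).collect();
            (caller.to_string(), callees)
        })
        .collect()
}

/// Constructed call graphs for two hypothetical programs that both depend on
/// memoffset through the same parent crate. All function names are placeholders.
fn sample_graphs() -> (CallGraph, CallGraph) {
    // app_a reaches the affected function, via a cycle inside the parent crate.
    let impacted = edges(vec![
        ("app_a::main", vec!["parent_crate::with_offsets"]),
        ("parent_crate::with_offsets", vec!["memoffset::affected_fn", "parent_crate::helper"]),
        ("parent_crate::helper", vec!["parent_crate::with_offsets"]),
    ]);
    // app_b links the same parent crate but only ever calls its safe path, so the
    // affected function is present in the binary yet never reachable from main.
    let not_impacted = edges(vec![
        ("app_b::main", vec!["parent_crate::plain"]),
        ("parent_crate::plain", vec!["memoffset::unaffected_fn"]),
        ("parent_crate::with_offsets", vec!["memoffset::affected_fn"]),
    ]);
    (impacted, not_impacted)
}

/// The advisory id is the one from the case study; the function path is a placeholder.
fn sample_advisory() -> Advisory {
    Advisory { id: "RUSTSEC-2019-0011", affected_functions: vec!["memoffset::affected_fn"] }
}

fn main() {
    let adv = sample_advisory();
    let (a, b) = sample_graphs();
    for (name, graph, root) in [("app_a", &a, "app_a::main"), ("app_b", &b, "app_b::main")] {
        let hits = reachable_affected(graph, root, &adv);
        if hits.is_empty() {
            println!("{}: {} does not reach affected code, suppress", name, adv.id);
        } else {
            println!("{}: {} reaches {:?}, alert", name, adv.id, hits);
        }
    }
}
```

The check is only as good as the call graph: if the graph misses an edge (dynamic dispatch, function pointers, features not enabled during analysis), a truly impacted program is silently suppressed, which is the failure mode the paragraph above warns about.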

cargo audit fails to install - compile error in failure v0.1.3

Tried with rust 1.28.0 and rust 1.31.0.

$ cargo install cargo-audit
    Updating crates.io index
  Downloaded cargo-audit v0.5.2
  Downloaded 1 crates (85.6 KB) in 0.58s
  Installing cargo-audit v0.5.2
  Downloaded gumdrop_derive v0.4.1
  Downloaded gumdrop v0.4.0
  Downloaded platforms v0.1.4
  Downloaded isatty v0.1.9
  Downloaded quote v0.5.2
  Downloaded syn v0.13.11
  Downloaded rustsec v0.9.3
  Downloaded proc-macro2 v0.3.8
  Downloaded directories v1.0.2
  Downloaded git2 v0.7.5
  Downloaded backtrace v0.3.10
  Downloaded libgit2-sys v0.7.10
  Downloaded openssl-sys v0.9.39
  Downloaded libz-sys v1.0.25
  Downloaded libssh2-sys v0.2.11
  Downloaded curl-sys v0.4.15
   Compiling proc-macro2 v0.4.24
   Compiling libc v0.2.45
   Compiling unicode-xid v0.1.0
   Compiling pkg-config v0.3.14
   Compiling cc v1.0.25
   Compiling num-traits v0.2.6
   Compiling matches v0.1.8
   Compiling serde v1.0.82
   Compiling num-integer v0.1.39
   Compiling unicode-normalization v0.1.7
   Compiling failure_derive v0.1.3
   Compiling cfg-if v0.1.6
   Compiling percent-encoding v1.0.1
   Compiling rustc-demangle v0.1.9
   Compiling semver-parser v0.7.0
   Compiling bitflags v1.0.4
   Compiling byteorder v1.2.7
   Compiling lazy_static v1.2.0
   Compiling log v0.4.6
   Compiling unicode-bidi v0.3.4
   Compiling proc-macro2 v0.3.8
   Compiling term v0.5.1
   Compiling backtrace v0.3.10
   Compiling time v0.1.40
   Compiling directories v1.0.2
   Compiling isatty v0.1.9
   Compiling quote v0.5.2
   Compiling openssl-sys v0.9.39
   Compiling libz-sys v1.0.25
   Compiling curl-sys v0.4.15
   Compiling libssh2-sys v0.2.11
   Compiling libgit2-sys v0.7.10
   Compiling syn v0.13.11
   Compiling chrono v0.4.6
   Compiling quote v0.6.10
   Compiling syn v0.15.22
   Compiling toml v0.4.10
   Compiling platforms v0.1.4
   Compiling semver v0.9.0
   Compiling gumdrop_derive v0.4.1
   Compiling synstructure v0.10.1
   Compiling serde_derive v1.0.82
   Compiling gumdrop v0.4.0
   Compiling idna v0.1.5
   Compiling failure v0.1.3
error[E0034]: multiple applicable items in scope
   --> /Users/pcallahan/.cargo/registry/src/github.com-1ecc6299db9ec823/failure-0.1.3/src/backtrace/mod.rs:132:20
    |
132 |                 bt.fmt(f)
    |                    ^^^ multiple `fmt` found
    |
    = note: candidate #1 is defined in an impl of the trait `std::fmt::Debug` for the type `backtrace::backtrace::Backtrace`
    = note: candidate #2 is defined in an impl of the trait `std::fmt::Display` for the type `backtrace::backtrace::Backtrace`

error[E0034]: multiple applicable items in scope
   --> /Users/pcallahan/.cargo/registry/src/github.com-1ecc6299db9ec823/failure-0.1.3/src/backtrace/mod.rs:140:20
    |
140 |                 bt.fmt(f)
    |                    ^^^ multiple `fmt` found
    |
    = note: candidate #1 is defined in an impl of the trait `std::fmt::Debug` for the type `backtrace::backtrace::Backtrace`
    = note: candidate #2 is defined in an impl of the trait `std::fmt::Display` for the type `backtrace::backtrace::Backtrace`

error: aborting due to 2 previous errors

For more information about this error, try `rustc --explain E0034`.
error: Could not compile `failure`.

cargo audit fails if CARGO_HOME doesn't exist

If $CARGO_HOME doesn't exist, cargo audit fails with:

> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
error: couldn't fetch advisory database: bad parameter: not a directory: /builds/.cargo

It'd be good if cargo-audit handled this case.

`cargo audit` misreporting alpha version

Running cargo audit reports:

ID:      RUSTSEC-2016-0002
Crate:   hyper
Version: 0.13.0-a.0
Date:    2016-05-09
URL:     https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09
Title:   HTTPS MitM vulnerability due to lack of hostname verification
Solution: upgrade to: >= 0.9.4

ID:      RUSTSEC-2017-0002
Crate:   hyper
Version: 0.13.0-a.0
Date:    2017-01-23
URL:     https://github.com/hyperium/hyper/wiki/Security-001
Title:   headers containing newline characters can split messages
Solution: upgrade to: >= 0.10.2 OR < 0.10.0, >= 0.9.18

It looks like it's misinterpreting 0.13.0-a.0 as being older than 0.9.4.

Suggested Travis CI usage doesn't cache the build

Despite suggesting using cache: cargo to cache cargo-audit the script force-reinstalls it every time. Until -Z install-upgrade is stabilized I have been using a script like this for installing tools using the cache:

install:
- >
  [[ "$(wasm-bindgen --version)" == "wasm-bindgen 0.2.51" ]]
  || cargo install --force wasm-bindgen-cli --version 0.2.51

(I may open a PR to update this if I get around to setting up cargo-audit on any of my projects' CI).

--json output is invalid when there aren't vulnerabilities

Some sort of falsy output that's valid JSON like "", null, {}, or [] would be nice to make cargo-audit output easier to use as an input to other tools e.g.

» cargo audit --json > cargo-audit-output.json
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 20 security advisories (from /home/gguthe/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (38 crate dependencies)
     Success No vulnerable packages found
» cat cargo-audit-output.json
» cat cargo-audit-output.json | python -m json.tool
Expecting value: line 1 column 1 (char 0)

I'd be happy to submit a PR for this if it's a desirable change.

False-positive elimination (call graph analysis)

Shall cargo-audit, like cargo-geiger, track which functions are used and which are unused by the target crate and filter out vulnerabilities in unreferenced functions?

Otherwise there will be a stream of vulns in seldom-used functions in deep dependencies, which would train users to shovel them away without much consideration, as most of them are not to the point. Or, if there were little advisory traffic, it would "penalize" crates or authors by figuring in a report even though the vulnerability is just in a tiny experimental doc-hidden non-default-feature-cfg function which almost nobody knows about (or be a reason against filing such advisories as insignificant).

Error gracefully if Cargo.lock is not present

Running cargo audit in a fresh clone, or a crate that hasn't been built yet, simply panics. It should either trigger generation of the lockfile or gracefully exit without panicking.

Backtrace:

$ RUST_BACKTRACE=1 cargo audit
thread 'main' panicked at 'Couldn't open the lockfile!: Error { repr: Os { code: 2, message: "No such file or directory" } }', /Users/rustbuild/src/rust-buildbot/slave/beta-dist-rustc-mac/build/src/libcore/result.rs:868
stack backtrace:
   1:        0x10ffe919c - std::sys::imp::backtrace::tracing::imp::write::h408ecc5a05e58f58
   2:        0x10ffeadde - std::panicking::default_hook::{{closure}}::h726447131792b5be
   3:        0x10ffeaa80 - std::panicking::default_hook::hfd15aba9d1568185
   4:        0x10ffeb297 - std::panicking::rust_panic_with_hook::hccfc39a27e5d13b4
   5:        0x10ffeb144 - std::panicking::begin_panic::hccbc74bfd8cc5618
   6:        0x10ffeb062 - std::panicking::begin_panic_fmt::h72c157b5e14c69da
   7:        0x10ffeafc7 - rust_begin_unwind
   8:        0x110013280 - core::panicking::panic_fmt::hefe8a0512c8f5fb1
   9:        0x10fb9ded0 - core::result::unwrap_failed::h82afabba2c23d297
  10:        0x10fb982d5 - <core::result::Result<T, E>>::expect::h6b645ca60c76d651
  11:        0x10fbab72f - cargo_audit::load_lockfile::hf3e3b311d9bd0b93
  12:        0x10fbacb21 - cargo_audit::main::h5a22ca0922f89176
  13:        0x10ffec15a - __rust_maybe_catch_panic
  14:        0x10ffeb666 - std::rt::lang_start::hf1490dffe05ecd2e
  15:        0x10fbad6c9 - main

0.9.0 suffers from stack overflow when auditing mozilla/application-services (seemingly after it completes successfully)

STR:

git clone https://github.com/mozilla/application-services.git
cd application-services
cargo audit

Results:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 48 security advisories (from /Users/thom/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (316 crate dependencies)
     Success No vulnerable packages found

thread 'main' has overflowed its stack
fatal runtime error: stack overflow
fish: 'cargo audit' terminated by signal SIGABRT (Abort)

You can see this in our CI here, if you care to. https://circleci.com/gh/mozilla/application-services/31924

I would assume that other projects suffer from this as well, but have no reason to think that beyond a vague sense of 'Our project isn't that weird, is it?'

Installation Fail on Alpine Linux

I run a Docker container from the rust:1.38.0-alpine3.10 image and get an error on installation of cargo-audit

error: failed to compile `cargo-audit v0.10.0`, intermediate artifacts can be found at `/tmp/cargo-install2YeN7N`

Caused by:
  cannot produce proc-macro for `abscissa_derive v0.4.0` as the target `x86_64-unknown-linux-musl` does not support these crate 

How can I fix it?

`cargo audit install` fails

$ cargo install audit                                                  
    Updating crates.io index
  Installing audit v0.1.1
error: specified package has no binaries

Output report as JSON or TOML or something else easily parsable

It'd be great to be able to execute something like

cargo audit --format json
cargo audit --json

and get the report in a convenient format:

{
  "database": "https://github.com/RustSec/advisory-db.git",
  "database-count": "10",
  "dependencies-count": "215",
  "vulnerabilities-found": true,
  "vulnerabilities": [
    {
      "ID": "RUSTSEC-2018-0003",
      "Crate": "smallvec",
      "Version": "0.2.1",
      "Date": "2018-07-19",
      "URL": "https://github.com/servo/rust-smallvec/issues/96",
      "Title": "Possible double free during unwinding in SmallVec::insert_many",
      "Solution": "upgrade to: >= 0.6.3 OR ^0.3.4 OR ^0.4.5 OR ^0.5.1"
    },
    {
      "ID": "RUSTSEC-2018-0003",
      "Crate": "smallvec",
      "Version": "0.2.1",
      "Date": "2018-07-19",
      "URL": "https://github.com/servo/rust-smallvec/issues/96",
      "Title": "Possible double free during unwinding in SmallVec::insert_many",
      "Solution": "upgrade to: >= 0.6.3 OR ^0.3.4 OR ^0.4.5 OR ^0.5.1"
    }
  ]
}

skip database fetching option

I would like to use cargo audit in our CI pipeline. But we have a "no internet-dependencies" policy in our build process, so I'd like to download the db on a regular basis outside the build process and then just check the .toml files against the already downloaded db at build time.

As I see it cargo audit has two major functions, 1. downloading the db and 2. checking the dependencies against it.

How about a flag download-db or update-db that defaults to true? I'd be happy to make a PR for it, if there is a consensus that it would be useful.

Hard to find which dependency is pulling in an insecure crate

(or, possibly, there's a bug in cargo audit that reports spurious dependencies)

We have a case where cargo audit is signalling an insecure dependency on smallvec 0.5.1 but there is no crate that use it and it does not appear in Cargo.lock or in the cargo tree output. What's a good strategy to debug this?

To repeat:

  • check out https://github.com/paritytech/parity-ethereum/pulls
  • run cargo audit
  • notice two versions of the smallvec crate are reported: 0.2.1 and 0.5.1
  • notice smallvec 0.5.1 does not appear in Cargo.lock
  • notice cargo tree does not mention smallvec 0.5.1 anywhere

Failing to report recent smallvec advisory

I noticed that cargo audit does not report the recent smallvec advisory for my project:

$ grep "smallvec 0.6.9" Cargo.lock 
 "smallvec 0.6.9 (registry+https://github.com/rust-lang/crates.io-index)", 
 "smallvec 0.6.9 (registry+https://github.com/rust-lang/crates.io-index)", 
"checksum smallvec 0.6.9 (registry+https://github.com/rust-lang/crates.io-index)" = "c4488ae950c49d403731982257768f48fada354a5203fe81f9bb6f43ca9002be"
$ 
$ ls ~/.cargo/advisory-db/crates/smallvec/
RUSTSEC-0000-0000.toml  RUSTSEC-2018-0003.toml
$ 
$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 29 security advisories (from /home/rfk/.cargo/advisory-db)
Scanning Cargo.lock for vulnerabilities (301 crate dependencies)
Success No vulnerable packages found
$ 

I think it's failing to load the file named RUSTSEC-0000-0000.toml. Manually modifying my copy of the advisory db to rename that file to RUSTSEC-2019-0009.toml causes cargo audit to successfully detect the advisory.

Is this an issue with cargo-audit that it should handle such filenames, or does the file in the advisory db need to be renamed with a unique id?

Handling of pre-release versions

I have the master version of cookies-rs as a dependency. Unfortunately cargo-audit lists '0.11.0-dev' as vulnerable even though it seems clearly >= 0.7.6.

Output

ID:	 RUSTSEC-2017-0005
Crate:	 cookie
Version: 0.11.0-dev
Date:	 2017-05-06
URL:	 https://github.com/alexcrichton/cookie-rs/pull/86
Title:	 Large cookie Max-Age values can cause a denial of service
Solution: upgrade to: < 0.6.0 OR ^0.6.2 OR >= 0.7.6

Desired Output

I am not sure. In this case the version is clearly not vulnerable but for the general case I am not too sure.

Take this example:

  • Version 0.6 of my-cool-crate is vulnerable.
  • Vulnerability is noticed while 0.7-dev is out there
  • Security advisory gets issued for 0.6, dev version gets silently fixed

In the end the user would not be warned, although you could argue a wrong advisory is at fault.

This matter probably needs some careful consideration.

Steps to reproduce

  1. Add cookie = { git = "https://github.com/alexcrichton/cookie-rs.git" } to dependencies in Cargo.toml
  2. Run cargo build and cargo audit

Or alternatively and in case cookies-rs changes its version just pull this repo and run cargo audit.

cargo audit --help exits with error

[rwalker@nom-de-plume solana]$ cargo audit --version
cargo-audit 0.5.2
[rwalker@nom-de-plume solana]$ echo $?
0
[rwalker@nom-de-plume solana]$ cargo audit --help
Usage: cargo audit [OPTIONS]
...
[rwalker@nom-de-plume solana]$ echo $?
2

expected behavior: exit code == 0
observed behavior: exit code == 2

--version

support for --version was dropped between 0.7 and 0.8?

--version is useful in a lot of ways for CI and keeping installed tools up to date.

Pre-built distribution / releases

It would be nice to have pre-built binaries of the tool available here. This is mostly for CI usage as building the tool in CI inflates build times. This is less an issue with caching, but is still a concern.

Fails to build out of the box on macOS

Build log:

error: failed to run custom build command for `openssl-sys v0.9.52`

Caused by:
process didn't exit successfully: /var/folders/6f/80clx4ds5ps1kfw25c3c0ql80000gn/T/cargo-install24dfBz/release/build/openssl-sys-a97bfcfcd73443d5/build-script-main (exit code: 101)
--- stdout
cargo:rustc-cfg=const_fn
cargo:rerun-if-env-changed=X86_64_APPLE_DARWIN_OPENSSL_LIB_DIR
X86_64_APPLE_DARWIN_OPENSSL_LIB_DIR unset
cargo:rerun-if-env-changed=OPENSSL_LIB_DIR
OPENSSL_LIB_DIR unset
cargo:rerun-if-env-changed=X86_64_APPLE_DARWIN_OPENSSL_INCLUDE_DIR
X86_64_APPLE_DARWIN_OPENSSL_INCLUDE_DIR unset
cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR
OPENSSL_INCLUDE_DIR unset
cargo:rerun-if-env-changed=X86_64_APPLE_DARWIN_OPENSSL_DIR
X86_64_APPLE_DARWIN_OPENSSL_DIR unset
cargo:rerun-if-env-changed=OPENSSL_DIR
OPENSSL_DIR unset
run pkg_config fail: "Failed to run \"pkg-config\" \"--libs\" \"--cflags\" \"openssl\": No such file or directory (os error 2)"

--- stderr
thread 'main' panicked at '

Could not find directory of OpenSSL installation, and this -sys crate cannot
proceed without this knowledge. If OpenSSL is installed and this crate had
trouble finding it, you can set the OPENSSL_DIR environment variable for the
compilation process.

Make sure you also have the development packages of openssl installed.
For example, libssl-dev on Ubuntu or openssl-devel on Fedora.

If you're in a situation where you think the directory should be found
automatically, please open a bug at https://github.com/sfackler/rust-openssl
and include information about your system as well as this message.

$HOST = x86_64-apple-darwin
$TARGET = x86_64-apple-darwin
openssl-sys = 0.9.52

It looks like you're compiling on macOS, where the system contains a version of
OpenSSL 0.9.8. This crate no longer supports OpenSSL 0.9.8.

As a consumer of this crate, you can fix this error by using Homebrew to
install the openssl package, or as a maintainer you can use the openssl-sys
0.7 crate for support with OpenSSL 0.9.8.

Unfortunately though the compile cannot continue, so aborting.

', /Users/administrator/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.52/build/find_normal.rs:150:5
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace.

warning: build failed, waiting for other jobs to finish...
error: failed to compile cargo-audit v0.10.0, intermediate artifacts can be found at /var/folders/6f/80clx4ds5ps1kfw25c3c0ql80000gn/T/cargo-install24dfBz

Caused by:
build failed

In particular, note this part of the output:

It looks like you're compiling on macOS, where the system contains a version of
OpenSSL 0.9.8. This crate no longer supports OpenSSL 0.9.8.

As a consumer of this crate, you can fix this error by using Homebrew to
install the openssl package, or as a maintainer you can use the openssl-sys
0.7 crate for support with OpenSSL 0.9.8.

Homebrew shouldn't be a prerequisite for cargo-audit. And, really, neither should OpenSSL.

Self-audit

I've tried to check this repo with cargo-audit tool and found an issue:

[denis ./cargo-audit (master)] cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 31 security advisories (from /home/denis/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (86 crate dependencies)
error: Vulnerable crates found!

ID:	 RUSTSEC-2019-0009
Crate:	 smallvec
Version: 0.6.9
Date:	 2019-06-06
URL:	 https://github.com/servo/rust-smallvec/issues/148
Title:	 Double-free and use-after-free in SmallVec::grow()
Solution: upgrade to: >= 0.6.10

error: 1 vulnerability found!

How about adding this check to CI?

Feature request: Evaluate Cargo.toml

While reading Cargo.lock is straightforward, one could easily have a Cargo.toml file that would allow semver resolution to pick a vulnerable version of a crate even if cargo didn't happen to pick that version in practice. It'd be cool if cargo audit could consume Cargo.toml and enumerate the set of every possibly valid choice of crate versions and emit a warning if any of them have known vulnerabilities. In response to this, the author could tighten the specification of which crate version is required.

Feature request: audit releases based on git tags

It would be nice to be able to run cargo audit in a git repo, and have it not only check the current Cargo.lock file inside the working directory, but also previous versions of Cargo.lock, specifically those that correspond to release tags. For example (assuming a regex to specify a tag pattern):

cargo audit --git-tags="^v[0-9]+"

Add pre-built binaries to Github releases

First of all, thanks for cargo-audit, we've just now caught our first issue with it!

One thing that would be nice would be to have pre-built binaries for each Github release that can be downloaded, decompressed, and copied somewhere into PATH without having to run cargo install, similar to sccache or cargo-deny. This would make both building CI images as well as adhoc downloading + running in CI faster (though less easily).

Wrong vulnerability detection

cargo-audit thinks hyper 0.12.0-pre.0 is vulnerable to RUSTSEC-2017-0002:

    Fetching advisories `https://raw.githubusercontent.com/RustSec/advisory-db/master/Advisories.toml`
    Scanning 160 crates for vulnerabilities (5 advisories in database)
     Warning Vulnerable crates found!

ID: RUSTSEC-2017-0002
Crate: hyper
Version: 0.12.0-pre.0
Date: 2017-01-23
URL: https://github.com/hyperium/hyper/wiki/Security-001
Title: headers containing newline characters can split messages
Solution: upgrade to: >= 0.10.2, < 0.10.0, >= 0.9.18

Maybe wrong version comparison due to the "-pre.0" suffix?

Panic when running in CircleCI: called `Result::unwrap()` on an `Err` value: ColorOutOfRange

CircleCI might not have a colorful terminal. This is with CircleCI's ubuntu-14.04. Cargo audit works with same project ran from macOS.

$ cargo audit
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: ColorOutOfRange', /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcore/result.rs:837
stack backtrace:
   1:     0x7f2c7f8fda3a - std::sys::imp::backtrace::tracing::imp::write::h3188f035833a2635
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
   2:     0x7f2c7f9002ff - std::panicking::default_hook::{{closure}}::h6385b6959a2dd25b
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:349
   3:     0x7f2c7f8ffefe - std::panicking::default_hook::he4f3b61755d7fa95
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:365
   4:     0x7f2c7f9007a7 - std::panicking::rust_panic_with_hook::hf00b8130f73095ec
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:553
   5:     0x7f2c7f9005e4 - std::panicking::begin_panic::h6227f62cb2cdaeb4
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:515
   6:     0x7f2c7f900559 - std::panicking::begin_panic_fmt::h173eadd80ae64bec
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:499
   7:     0x7f2c7f9004e7 - rust_begin_unwind
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:475
   8:     0x7f2c7f92c51d - core::panicking::panic_fmt::h3b2d1e30090844ff
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcore/panicking.rs:69
   9:     0x7f2c7f823e37 - core::result::unwrap_failed::h356962afdab9fbfc
  10:     0x7f2c7f825ac0 - cargo_audit::notify::h7b4d7f4efc53788c
  11:     0x7f2c7f8267f6 - cargo_audit::main::hde81dc6245844138
  12:     0x7f2c7f9076ca - __rust_maybe_catch_panic
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libpanic_unwind/lib.rs:98
  13:     0x7f2c7f900ee6 - std::rt::lang_start::h65647f6e36cffdae
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:434
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panic.rs:351
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/rt.rs:57
  14:     0x7f2c7e384f44 - __libc_start_main
  15:     0x7f2c7f8235c8 - <unknown>
  16:                0x0 - <unknown>
$<2>
cargo audit returned exit code 101

Fix display of patched versions

For RUSTSEC-2017-0002, the patched version list looks as follows:

patched_versions = [">= 0.10.2", "< 0.10.0, >= 0.9.18"]

When printed as a warning, it looks like this:

Solution: upgrade to: >= 0.10.2, < 0.10.0, >= 0.9.18

It's not clear anymore where a specifier ends, since the specifiers themselves can also contain commas.

Maybe we could separate the specifiers with the word "or" instead?
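The reports above about version matching (hyper 0.13.0-a.0 flagged against `>= 0.9.4`, cookie 0.11.0-dev flagged against `>= 0.7.6`, hyper 0.12.0-pre.0 flagged for RUSTSEC-2017-0002, the request to evaluate Cargo.toml requirements, and the ambiguous comma-joined `patched_versions` display) all come down to how a version is parsed, ordered and tested against a list of range requirements. The following is an added, self-contained Rust example, not cargo-audit's code and not the semver crate: a minimal SemVer 2.0 parser with the specified precedence rules (a pre-release sorts below its release, numeric identifiers before alphanumeric ones), comparators including caret ranges, the OR-of-ANDs semantics of `patched_versions`, an `OR`-separated rendering, and a helper that lists which published versions a Cargo.toml requirement could still resolve to that the patched ranges do not cover. The published-version list fed to that helper is constructed for the example. The design point the pre-release reports hinge on: this code compares by SemVer precedence alone, so `0.13.0-a.0 >= 0.9.4` holds and the crate counts as patched. The semver crate Cargo uses adds a rule that a pre-release only satisfies a comparator that itself names a pre-release on the same major.minor.patch; under that rule `>= 0.9.4` never matches `0.13.0-a.0`, the version falls outside every patched range, and the advisory fires.

```rust
use std::cmp::Ordering;

/// Minimal SemVer 2.0 version. Build metadata (`+...`) is ignored; a missing MINOR or
/// PATCH defaults to 0, so a Cargo.toml requirement such as `"0.6"` parses as 0.6.0.
#[derive(Debug, Clone, PartialEq, Eq)]
struct Version { major: u64, minor: u64, patch: u64, pre: Vec<String> }

impl Version {
    fn parse(s: &str) -> Option<Version> {
        let s = s.trim();
        let s = s.split_once('+').map_or(s, |(v, _)| v);
        let (core, pre) = match s.split_once('-') {
            Some((c, p)) => (c, p.split('.').map(str::to_string).collect()),
            None => (s, Vec::new()),
        };
        let mut n = core.split('.').map(|x| x.parse::<u64>().ok());
        let (major, minor, patch) = (n.next()??, n.next().unwrap_or(Some(0))?, n.next().unwrap_or(Some(0))?);
        if n.next().is_some() { return None; } // more than three core components
        Some(Version { major, minor, patch, pre })
    }
}
/// SemVer 2.0 item 11: numeric identifiers compare numerically and sort before alphanumeric ones.
fn cmp_pre_ident(a: &str, b: &str) -> Ordering {
    match (a.parse::<u64>(), b.parse::<u64>()) {
        (Ok(x), Ok(y)) => x.cmp(&y),
        (Ok(_), Err(_)) => Ordering::Less,
        (Err(_), Ok(_)) => Ordering::Greater,
        (Err(_), Err(_)) => a.cmp(b),
    }
}

impl Ord for Version {
    fn cmp(&self, o: &Self) -> Ordering {
        let core = (self.major, self.minor, self.patch).cmp(&(o.major, o.minor, o.patch));
        match (core, self.pre.is_empty(), o.pre.is_empty()) {
            (Ordering::Equal, false, true) => Ordering::Less, // 0.13.0-a.0 < 0.13.0
            (Ordering::Equal, true, false) => Ordering::Greater,
            (Ordering::Equal, false, false) => self.pre.iter().zip(&o.pre)
                .map(|(a, b)| cmp_pre_ident(a, b))
                .find(|c| *c != Ordering::Equal)
                .unwrap_or_else(|| self.pre.len().cmp(&o.pre.len())),
            _ => core,
        }
    }
}
impl PartialOrd for Version { fn partial_cmp(&self, o: &Self) -> Option<Ordering> { Some(self.cmp(o)) } }
/// One comparator: `>= 0.9.4`, `< 0.10.0`, `^0.6.2`, `= 1.2.3`, or a bare version (caret, as in
/// Cargo.toml). Pure precedence comparison: 0.12.0-pre.0 does satisfy `>= 0.10.2` here.
fn comparator_matches(comp: &str, v: &Version) -> Option<bool> {
    let comp = comp.trim();
    let (op, rest) = [">=", "<=", ">", "<", "=", "^"].iter()
        .find_map(|op| comp.strip_prefix(*op).map(|r| (*op, r)))
        .unwrap_or(("^", comp));
    let b = Version::parse(rest)?;
    Some(match op {
        ">=" => *v >= b, ">" => *v > b, "<=" => *v <= b,
        "<" => *v < b, "=" => *v == b,
        _ => { // caret: the leftmost non-zero component may not change
            let rel = |ma, mi, pa| Version { major: ma, minor: mi, patch: pa, pre: Vec::new() };
            let upper = if b.major > 0 { rel(b.major + 1, 0, 0) }
                else if b.minor > 0 { rel(0, b.minor + 1, 0) }
                else { rel(0, 0, b.patch + 1) };
            *v >= b && *v < upper
        }
    })
}
/// A requirement is a comma-separated AND of comparators, e.g. `< 0.10.0, >= 0.9.18`.
fn req_matches(req: &str, v: &Version) -> Option<bool> {
    let mut all = true;
    for c in req.split(',') { all &= comparator_matches(c, v)?; }
    Some(all)
}
/// `patched_versions` entries are OR-ed; `None` signals a malformed comparator.
fn is_patched(patched: &[&str], v: &Version) -> Option<bool> {
    let mut any = false;
    for r in patched { any |= req_matches(r, v)?; }
    Some(any)
}
/// Join entries with OR so the commas inside a single entry stay unambiguous.
fn render_patched(patched: &[&str]) -> String {
    patched.iter().map(|r| r.trim()).collect::<Vec<_>>().join(" OR ")
}

/// Cargo.toml view: every version in `published` (a constructed list) that `req` could
/// resolve to and that the patched ranges do not cover.
fn unpatched_candidates<'a>(req: &str, published: &[&'a str], patched: &[&str]) -> Option<Vec<&'a str>> {
    let mut out = Vec::new();
    for p in published {
        let v = Version::parse(p)?;
        if req_matches(req, &v)? && !is_patched(patched, &v)? { out.push(*p); }
    }
    Some(out)
}

fn main() {
    let hyper = [">= 0.10.2", "< 0.10.0, >= 0.9.18"];
    let v = Version::parse("0.13.0-a.0").unwrap();
    println!("upgrade to: {}  |  0.13.0-a.0 patched: {:?}", render_patched(&hyper), is_patched(&hyper, &v));
}
```

With the hyper list, `render_patched` yields `>= 0.10.2 OR < 0.10.0, >= 0.9.18`, and `is_patched` returns `Some(true)` for both `0.13.0-a.0` and `0.12.0-pre.0`, `Some(false)` for `0.9.17`, and `None` for a malformed comparator such as `> 1.x` rather than silently treating it as unmatched. Whichever pre-release rule an auditor adopts has to be chosen deliberately: the Cargo-style rule is the conservative one in the "0.7-dev silently fixed" scenario described in the cookie report, at the cost of exactly the false positives shown above.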

panic: "index not found"

cargo audit panics when run on my crate (separate panic from #3).

$ cargo install --debug cargo-audit
$ git clone git@github.com:durka/guard
Cloning into 'guard'...
remote: Counting objects: 221, done.
remote: Total 221 (delta 0), reused 0 (delta 0), pack-reused 221
Receiving objects: 100% (221/221), 30.36 KiB | 0 bytes/s, done.
Resolving deltas: 100% (121/121), done.
$ cd guard
$ cargo build
   Compiling guard v0.3.3
    Finished dev [unoptimized + debuginfo] target(s) in 0.30 secs
$ RUST_BACKTRACE=1 cargo audit
thread 'main' panicked at 'index not found', /Users/rustbuild/src/rust-buildbot/slave/beta-dist-rustc-mac/build/src/libcore/option.rs:715
stack backtrace:
   1:        0x107e5919c - std::sys::imp::backtrace::tracing::imp::write::h408ecc5a05e58f58
   2:        0x107e5adde - std::panicking::default_hook::{{closure}}::h726447131792b5be
   3:        0x107e5aa80 - std::panicking::default_hook::hfd15aba9d1568185
   4:        0x107e5b297 - std::panicking::rust_panic_with_hook::hccfc39a27e5d13b4
   5:        0x107e5b144 - std::panicking::begin_panic::hccbc74bfd8cc5618
   6:        0x107e5b062 - std::panicking::begin_panic_fmt::h72c157b5e14c69da
   7:        0x107e5afc7 - rust_begin_unwind
   8:        0x107e83280 - core::panicking::panic_fmt::hefe8a0512c8f5fb1
   9:        0x107e8330d - core::option::expect_failed::hcdbe6b8fc752fed3
  10:        0x107a04143 - <core::option::Option<T>>::expect::h8c58ee3681693373
  11:        0x107a130ae - <toml::value::Value as core::ops::Index<I>>::index::h4d178eeac1d00c04
  12:        0x107a1b823 - cargo_audit::load_lockfile::hf3e3b311d9bd0b93
  13:        0x107a1cb21 - cargo_audit::main::h5a22ca0922f89176
  14:        0x107e5c15a - __rust_maybe_catch_panic
  15:        0x107e5b666 - std::rt::lang_start::hf1490dffe05ecd2e
  16:        0x107a1d6c9 - main

does not build with latest rustc

rustc 8b94e9e9188b65df38a5f1ae723617dc2dfb3155 (seems to also fail for rustc nightly)

    Checking rustsec v0.12.0
    Checking abscissa_core v0.2.0
error: `X...` range patterns are not supported
  --> /home/matthias/.cargo/registry/src/github.com-1ecc6299db9ec823/rustsec-0.12.0/src/advisory/date.rs:65:20
   |
65 |             Ok($min...$max) => (),
   |                    ^^^ help: try using the maximum value for the type: `YEAR_MIN...MAX`
...
75 |     check_date_part!("year", string, parts, 4, YEAR_MIN, YEAR_MAX);
   |     --------------------------------------------------------------- in this macro invocation

error: expected one of `)` or `,`, found `YEAR_MAX`
  --> /home/matthias/.cargo/registry/src/github.com-1ecc6299db9ec823/rustsec-0.12.0/src/advisory/date.rs:65:23
   |
65 |             Ok($min...$max) => (),
   |                       ^^^^ expected one of `)` or `,` here
...
75 |     check_date_part!("year", string, parts, 4, YEAR_MIN, YEAR_MAX);
   |     --------------------------------------------------------------- in this macro invocation

error: `X...` range patterns are not supported
  --> /home/matthias/.cargo/registry/src/github.com-1ecc6299db9ec823/rustsec-0.12.0/src/advisory/date.rs:65:20
   |
65 |             Ok($min...$max) => (),
   |                    ^^^ help: try using the maximum value for the type: `1...MAX`
...
76 |     check_date_part!("month", string, parts, 2, 1, 12);
   |     --------------------------------------------------- in this macro invocation

error: expected one of `)` or `,`, found `12`
  --> /home/matthias/.cargo/registry/src/github.com-1ecc6299db9ec823/rustsec-0.12.0/src/advisory/date.rs:65:23
   |
65 |             Ok($min...$max) => (),
   |                       ^^^^ expected one of `)` or `,` here
...
76 |     check_date_part!("month", string, parts, 2, 1, 12);
   |     --------------------------------------------------- in this macro invocation

error: `X...` range patterns are not supported
  --> /home/matthias/.cargo/registry/src/github.com-1ecc6299db9ec823/rustsec-0.12.0/src/advisory/date.rs:65:20
   |
65 |             Ok($min...$max) => (),
   |                    ^^^ help: try using the maximum value for the type: `1...MAX`
...
78 |     check_date_part!("day", string, parts, 2, 1, 31);
   |     ------------------------------------------------- in this macro invocation

error: expected one of `)` or `,`, found `31`
  --> /home/matthias/.cargo/registry/src/github.com-1ecc6299db9ec823/rustsec-0.12.0/src/advisory/date.rs:65:23
   |
65 |             Ok($min...$max) => (),
   |                       ^^^^ expected one of `)` or `,` here
...
78 |     check_date_part!("day", string, parts, 2, 1, 31);
   |     ------------------------------------------------- in this macro invocation

error: arbitrary expressions aren't allowed in patterns
  --> /home/matthias/.cargo/registry/src/github.com-1ecc6299db9ec823/rustsec-0.12.0/src/advisory/date.rs:75:58
   |
75 |     check_date_part!("year", string, parts, 4, YEAR_MIN, YEAR_MAX);
   |                                                          ^^^^^^^^

`--target-os` doesn't strip sufficiently

Running cargo audit --target-os linux on https://github.com/slog-rs/term suggests that it's vulnerable to RUSTSEC-2019-0011 on Linux.

# cargo audit --target-os linux
error: Vulnerable crates found!

ID:      RUSTSEC-2019-0011
Crate:   memoffset
Version: 0.2.1
Date:    2019-07-16
URL:     https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
Title:   Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code
Solution: upgrade to: >= 0.5.0

error: 1 vulnerability found!

Running cargo tree --all-targets -p memoffset:0.2.1 -i shows that the only path is as follows:

memoffset v0.2.1
└── crossbeam-epoch v0.6.1
    └── crossbeam v0.5.0
        └── rust-argon2 v0.5.0
            └── redox_users v0.3.1
                └── dirs v1.0.5
                    └── term v0.5.2
                        └── slog-term v2.4.1 (/src/term)

dirs only uses redox_users when cfg(target_os = "redox") - see https://github.com/soc/dirs-rs/blob/3c3b61ff9611762bece3fc66fd6612b125819e3f/Cargo.toml#L15-L16

It looks like --target-os linux isn't stripping this dependency, despite being specified on the command line.

Surface information about rust-lang advisories

The latest rustsec crate releases added a notion of advisory collections, which are presently:

The RustSec Advisory Database now contains the following advisories filed in Collection::Rust:

Presently these advisories are ignored by cargo-audit, however it might make sense to add features for at least warning if the currently active Rust toolchain is vulnerable.

This issue is for discussing what might make sense in that regard.

error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)

I just installed cargo audit:

$ cargo audit --version
cargo-audit 0.3.2

But running it fails with "git operation failed":

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)

I tried cloning directly via git clone https://github.com/RustSec/advisory-db.git and that works, so not sure what the problem is.

couldn't fetch db

I just updated from v0.5.2 to v0.6.0 and now cargo audit consistently fails with

    Fetching advisory database from ``
error: couldn't fetch advisory database: bad parameter: expected  to start with https://

rendering the crate useless.

Pulling in multiple versions of several dependencies

  • Two different versions of proc-macro2 (0.4.9, 0.3.8)
  • Two different versions of unicode-xid (0.1.0, 0.0.4)
  • Two different versions of winapi (0.3.5 and 0.2.8)
  • Three different versions of syn (0.13.11, 0.14.5, 0.11.11)
  • Three different versions of quote (0.6.4, 0.5.2, 0.3.15)

While Rust handles this fine, it does mean that the download and build times for a cargo install are a bit more bloated than they need to be.

Doesn't seem to be working behind a proxy?

Seems to hang indefinitely when running behind a proxy

➜  seidhe git:(master) ✗ echo $http_proxy
http://localhost:3128/
➜  seidhe git:(master) ✗ echo $https_proxy
http://localhost:3128/
➜  seidhe git:(master) ✗ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
^C

Network monitor shows it makes a request directly to the host instead of to the proxy.

RUSTSEC-2019-0011 advisory version info does not match `cargo audit` guidance when run

(Apologies if this is the wrong place to post this. Happy to close/re-post elsewhere if appropriate.)

In a project that transitively depends on memoffset (with version 0.2.1 in Cargo.lock), running cargo-audit 0.7.0 gives

error: Vulnerable crates found!

ID:      RUSTSEC-2019-0011
Crate:   memoffset
Version: 0.2.1
Date:    2019-07-16
URL:     https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
Title:   Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code
Solution: upgrade to: >= 0.5.0

error: 1 vulnerability found!

But at https://rustsec.org/advisories/RUSTSEC-2019-0011.html, < 0.3.0 is listed under Unaffected Versions.

0.9.0 panics on rust-analyzer on windows

Windows 10 x64

Clone https://github.com/rust-analyzer/rust-analyzer
Run RUST_BACKTRACE=1 cargo audit

After reporting no vulnerable packages it says:

thread 'main' panicked at 'called Option::unwrap() on a None value', src\libcore\option.rs:347:21
stack backtrace:
0: git_filter_source_repo
1: git_filter_source_repo
2: git_filter_source_repo
3: git_filter_source_repo
4: git_filter_source_repo
5: git_filter_source_repo
6: git_filter_source_repo
7: git_filter_source_repo
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21: git_filter_source_repo
22: git_filter_source_repo
23: git_filter_source_repo
24:
25: git_libgit2_version
26: BaseThreadInitThunk
27: RtlUserThreadStart

Identifying the immediate dependencies with vulnerable transitive dependencies

I've got cargo audit running as a part of my master build process. When it has a result, obviously the build stops and the build output contains the audit output.

All of the problems that it's identified thus far have been vulnerabilities in transitive dependencies, i.e. our dependencies' dependencies. In order to find the immediate dependency, we have to look through Cargo.lock or run cargo tree (after installing it with cargo install cargo-tree) for the out of date dependency.

I'm investigating automating this investigation in some way.

My first thought is to capture the output of cargo audit, parse each report, and then highlight in the output of cargo tree each vulnerable dependency.

Alternatively, there's a way to show the inverted dependency tree: cargo tree -i -p <package>:<version>. I could probably parse the output of cargo audit to get each crate and its version, then output the tree like so.

I think what I'm getting at is that it would be neat if cargo-audit just told me the immediate dependency.
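The `--target-os` report above and this one ask for the same two pieces of graph logic: drop dependency edges whose `[target.'cfg(...)'.dependencies]` predicate is false for the audited platform, and, for a vulnerable crate that survives, walk the inverted graph back to the direct dependency that pulls it in. The following is an added Rust example, not cargo-audit's or cargo-tree's code. Its dependency graph is constructed from the `cargo tree -i` path quoted in the `--target-os` issue, with only the dirs -> redox_users edge gated on `cfg(target_os = "redox")` as in dirs-rs's Cargo.toml. The cfg evaluator handles a small assumed subset of the real cfg grammar (`target_os = "..."`, bare `unix`/`windows`, `not`/`all`/`any`), and mapping `unix` to a fixed list of OS names is likewise an assumption of the example.

```rust
use std::collections::{HashMap, VecDeque};

/// One edge of a dependency graph: `from` depends on `to`, optionally gated by the cfg
/// predicate of a `[target.'cfg(...)'.dependencies]` table in `from`'s Cargo.toml.
struct Edge { from: &'static str, to: &'static str, cfg: Option<&'static str> }

/// Constructed graph reproducing the `cargo tree -i` path quoted in the `--target-os`
/// issue; only the dirs -> redox_users edge is platform-gated, as in dirs-rs's Cargo.toml.
fn sample_graph() -> Vec<Edge> {
    let e = |from, to, cfg| Edge { from, to, cfg };
    vec![
        e("slog-term", "term", None),
        e("term", "dirs", None),
        e("dirs", "redox_users", Some(r#"cfg(target_os = "redox")"#)),
        e("redox_users", "rust-argon2", None),
        e("rust-argon2", "crossbeam", None),
        e("crossbeam", "crossbeam-epoch", None),
        e("crossbeam-epoch", "memoffset", None),
    ]
}

/// Evaluate a cfg predicate for one target. Supported subset (an assumption of this
/// example, not the full cfg grammar): `target_os = "..."`, bare `unix`/`windows`,
/// and `not(...)`, `all(...)`, `any(...)`. Unknown flags evaluate to false.
fn eval_cfg(expr: &str, target_os: &str) -> bool {
    let expr = expr.trim();
    let inner = expr.strip_prefix("cfg(").and_then(|s| s.strip_suffix(')')).unwrap_or(expr);
    eval_pred(inner, target_os)
}

fn eval_pred(expr: &str, os: &str) -> bool {
    let expr = expr.trim();
    if let Some(i) = strip_call(expr, "not") { return !eval_pred(i, os); }
    if let Some(i) = strip_call(expr, "all") { return split_top_level(i).iter().all(|p| eval_pred(p, os)); }
    if let Some(i) = strip_call(expr, "any") { return split_top_level(i).iter().any(|p| eval_pred(p, os)); }
    match expr.split_once('=') {
        Some((key, value)) => key.trim() == "target_os" && value.trim().trim_matches('"') == os,
        None => match expr {
            "unix" => matches!(os, "linux" | "macos" | "freebsd" | "redox"), // assumed mapping
            "windows" => os == "windows",
            _ => false,
        },
    }
}

/// `name(...)` -> the text between the outer parentheses, or None if `expr` is not such a call.
fn strip_call<'a>(expr: &'a str, name: &str) -> Option<&'a str> {
    expr.strip_prefix(name)?.trim_start().strip_prefix('(')?.strip_suffix(')')
}

/// Split `a, b(c, d), e` on commas at parenthesis depth zero.
fn split_top_level(s: &str) -> Vec<&str> {
    let (mut parts, mut depth, mut start) = (Vec::new(), 0usize, 0usize);
    for (i, c) in s.char_indices() {
        match c {
            '(' => depth += 1,
            ')' => depth = depth.saturating_sub(1),
            ',' if depth == 0 => { parts.push(&s[start..i]); start = i + 1; }
            _ => {}
        }
    }
    parts.push(&s[start..]);
    parts
}

fn edge_active(e: &Edge, os: &str) -> bool { e.cfg.map_or(true, |c| eval_cfg(c, os)) }

/// Walk the inverted graph (what `cargo tree -i` prints) from the vulnerable crate up to
/// `root`, following only edges active for `os`. Returns root -> direct dependency -> ... ->
/// vulnerable, so `path[1]` is the immediate dependency to chase; `None` means the crate is
/// not reachable on that target and the advisory does not apply there.
fn dependency_path(graph: &[Edge], root: &str, vulnerable: &str, os: &str) -> Option<Vec<String>> {
    let mut prev: HashMap<String, String> = HashMap::new(); // dependent -> its dependency on the path
    let mut queue = VecDeque::new();
    queue.push_back(vulnerable.to_string());
    while let Some(pkg) = queue.pop_front() {
        if pkg == root {
            let mut path = vec![root.to_string()];
            while let Some(next) = prev.get(path.last().unwrap()) { path.push(next.clone()); }
            return Some(path);
        }
        for e in graph.iter().filter(|e| e.to == pkg && edge_active(e, os)) {
            if e.from != vulnerable && !prev.contains_key(e.from) {
                prev.insert(e.from.to_string(), pkg.clone());
                queue.push_back(e.from.to_string());
            }
        }
    }
    None
}

fn main() {
    let g = sample_graph();
    for os in ["linux", "redox"].iter() {
        println!("{}: {:?}", os, dependency_path(&g, "slog-term", "memoffset", os));
    }
}
```

Run for `linux`, `dependency_path` returns `None`: memoffset is unreachable once the redox_users edge is inactive, which is the result `--target-os linux` should have produced for slog-term. For `redox` it returns the full eight-crate path, and `path[1]` (`term`) is the immediate dependency to raise the issue with. Note that this operates on the graph a lock file describes, so a crate that is in Cargo.lock only because of a platform-gated edge still needs the cfg filter; a plain reachability walk over all edges would report it on every target.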

0.9.0 fails to work on cargo crate

Running cargo audit 0.8.1 worked just fine on the cargo git repo:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 44 security advisories (from /home/matthias/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (141 crate dependencies)
     Success No vulnerable packages found

but 0.9.1 errors:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 48 security advisories (from /home/matthias/.cargo/advisory-db)
    error: Couldn't load Cargo.lock: parse error: parse error: couldn't find root package

It's also strange that the number of advisories differs between cargo-audit versions..?

Add an --ignore option

Currently RustSec advisories are only as fine-grained as individual crates; however, there are circumstances where an advisory is not applicable, e.g. it requires a certain cargo feature to be enabled, or affects an API which a project isn't using.

While it would be nice to make advisories more fine-grained and apply to specific cargo features, or integrate with tools like cargo-geiger to only show advisories that actually impact a particular project, in the absence of such features cargo-audit users presently have no mechanism to opt out of advisories which do not apply.

The carrot-and-stick answer would be for them to simply upgrade regardless; however, I think adding an --ignore option might be a good stopgap, e.g.:

$ cargo audit --ignore RUSTSEC-2017-0001

This would allow the project to pass an audit despite having a known vulnerability.

While I see downsides to this approach, the bigger worry I'd have is losing cargo-audit users because of false positives and the absence of workarounds or finer-grained auditing features.

Any objections or alternatives people have in mind?

Equal or greater than seems broken

Output such as this seems contradictory:

    ID:       RUSTSEC-2019-0003
    Crate:    protobuf
    Version:  1.7.5
    Date:     2019-06-08
    URL:      https://github.com/stepancheg/rust-protobuf/issues/411
    Title:    Out of Memory in stream::read_raw_bytes_into()
    Solution: upgrade to: >= 1.7.5, >= 2.6.0
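The check behind a "Solution: upgrade to:" line is a version-range test: 1.7.5 satisfies >= 1.7.5, so under the ranges exactly as printed it should count as patched and not be reported. The std-only Rust below is an added example of that check, not rustsec or cargo-audit code. It models an advisory's patched list as separate requirements, any one of which makes the version patched, with comma-separated comparators inside one requirement all required (the semver convention); note that the printed line also joins separate requirements with commas, so it cannot show which reading applies. The compound entry ">= 1.7.5, < 2.0.0" in the test is an illustration of how a 1.x fix line would exclude 2.0 through 2.5, not the protobuf advisory's own text, and the functions is_vulnerable, satisfies and parse_version are this example's names.

```rust
// Added example, not rustsec or cargo-audit code: the version-range check an auditor expects
// behind "Solution: upgrade to: >= 1.7.5, >= 2.6.0". Each entry in `patched`/`unaffected` is one
// requirement; comma-separated comparators within it must all hold; a version is vulnerable only
// if it satisfies no entry. Std-only; plain X.Y.Z versions without pre-release tags is an assumption.

/// Numeric triple so that 1.10.0 > 1.9.0 (a string compare gets that backwards).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

pub fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

/// Does `v` satisfy one requirement such as ">= 1.7.5" or ">= 1.7.5, < 2.0.0"?
/// All comma-separated comparators must hold. None if any comparator is unparseable.
pub fn satisfies(v: Version, req: &str) -> Option<bool> {
    let mut all = true;
    for cmp in req.split(',').map(str::trim) {
        // Two-character operators are tried before their one-character prefixes.
        let (op, rest) = [">=", "<=", ">", "<", "="].iter()
            .find_map(|op| cmp.strip_prefix(*op).map(|r| (*op, r)))?;
        let bound = parse_version(rest)?;
        all &= match op {
            ">=" => v >= bound,
            "<=" => v <= bound,
            ">" => v > bound,
            "<" => v < bound,
            _ => v == bound,
        };
    }
    Some(all)
}

/// Vulnerable iff `version` satisfies no patched entry and no unaffected entry.
pub fn is_vulnerable(version: &str, patched: &[&str], unaffected: &[&str]) -> Result<bool, String> {
    let v = parse_version(version).ok_or(format!("bad version {:?}", version))?;
    for req in patched.iter().chain(unaffected) {
        if satisfies(v, req).ok_or(format!("bad requirement {:?}", req))? {
            return Ok(false);
        }
    }
    Ok(true)
}

fn main() {
    // The report above, with the ranges exactly as printed: 1.7.5 satisfies ">= 1.7.5".
    println!("{:?}", is_vulnerable("1.7.5", &[">= 1.7.5", ">= 2.6.0"], &[])); // Ok(false)
}
```

Two things the test exercises that a naive comparison misses: 1.10.0 must sort above 1.9.0 (string comparison says the opposite), and a lone ">= 1.7.5" covers every 2.x as well, so a separate 1.x fix line is only meaningful when written as a compound requirement with an upper bound.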
