Audit Cargo.lock files for dependencies with security vulnerabilities

Overview

RustSec Crates 🦀 🛡️ 📦

The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via crates.io.

The advisory database itself can be found at:

https://github.com/RustSec/advisory-db

About this repository

This repository contains a Cargo Workspace with all of the crates maintained by the RustSec project:

Name           Description                               Crate      Documentation  Build
cargo-audit    Audit Cargo.lock against the advisory DB  crates.io  Documentation  CI
cargo-lock     Self-contained Cargo.lock parser          crates.io  Documentation  CI
cvss           Common Vulnerability Scoring System       crates.io  Documentation  CI
platforms      Rust platform registry                    crates.io  Documentation  CI
rustsec        Advisory DB client library                crates.io  Documentation  CI
rustsec-admin  Linter and web site generator             crates.io  Documentation  CI

License

All crates licensed under either of

at your option.

Comments
  • Pre-built distribution / releases

    It would be nice to have pre-built binaries of the tool available here. This is mostly for CI usage as building the tool in CI inflates build times. This is less an issue with caching, but is still a concern.

    opened by passcod 23
  • Add a 'fix' command to automatically update dependencies.

    Similar to https://docs.npmjs.com/cli/audit

    Running cargo audit fix or a similar command would install all compatible (as in SemVer compatible, no automatic major version bumps) updates to all vulnerable packages. This would also rewrite version constraints in Cargo.toml. I realize this may be a bigger issue, I just wanted to get this idea out there.

    enhancement help wanted 
    opened by phansch 23
  • rustsec: add `[advisory.source]`; remove old DB scopes

    Fixes #408

    Adds a new optional source field to the advisory metadata: a URL which identifies the source of the package, e.g. the registry where a vulnerable package is published. These map to the source field of Cargo.lock.

    The default is crates.io:

    registry+https://github.com/rust-lang/crates.io-index
    

    The db::Query type now considers Package::source, checking if it's a registry and if so, checking if the advisory's source URL matches the source of the package. This fixes #408: it ignores packages in Cargo.lock which don't come from a registry (e.g. git, local), and if they do come from a registry, makes sure it's the expected one.

    It also enables filing advisories for 3rd party crate registries, which would mainly be useful if someone spun up an internal RustSec DB, or potentially in a future where there are noteworthy public 3rd party registries in use other than crates.io.

    This commit also removes the previous db::scope::{Registry, Package} originally added in 6f56bfc/0f0a777 for a few reasons:

    • The new implementation "just works" without any additional configuration on the part of the user and accomplishes the same functionality. Convention over configuration!
    • The legacy db::scope system, despite its complexity, was mostly dead code and not actually ever considered in the Query (in fact clippy just recently started failing due to that). The only functionality it actually provided was allowing a user to configure that they only want to consider packages in their Cargo.lock whose source is crates.io
    • In addition to that, the db::scope system duplicated functionality already available in the SourceId type, resulting in needless complexity
    opened by tarcieri 21
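Putting the overview's "audit Cargo.lock against the advisory DB" together with the source-matching rule from the PR above, here is a small runnable sketch of the query. This is an added example and not rustsec's own code: the lockfile excerpt, the advisory entries, the RUSTSEC-0000-0000/0001 identifiers and the registry.example.invalid registry are all constructed for illustration, and the real crates parse full semver requirements where this sketch models only a single `>= x.y.z` patched bound.

```rust
// Added example, not rustsec's own code: a minimal model of auditing a
// Cargo.lock against advisories, including the registry check the PR
// above describes for `[advisory.source]`. The lockfile text, advisory
// entries, the RUSTSEC-0000-000x ids and the registry.example.invalid
// registry are constructed for illustration only.

/// The `source` value crates.io packages carry in Cargo.lock.
pub const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: (u64, u64, u64),
    /// `None` for path dependencies, which have no `source` line.
    pub source: Option<String>,
}

/// Stripped-down advisory: only a single `>= x.y.z` patched bound is modelled.
pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    /// Registry the vulnerable package was published to.
    pub source: &'static str,
    pub patched_from: (u64, u64, u64),
}

/// Parse `MAJOR.MINOR.PATCH`; pre-release suffixes are not handled here.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Read the `[[package]]` tables of a Cargo.lock. Only `name`, `version`
/// and `source` are used; other keys and array bodies are ignored.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut tables: Vec<Vec<(&str, &str)>> = Vec::new();
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            tables.push(Vec::new());
        } else if let (Some(t), Some((k, v))) = (tables.last_mut(), line.split_once(" = ")) {
            t.push((k.trim(), v.trim().trim_matches('"')));
        }
    }
    tables
        .into_iter()
        .filter_map(|t| {
            let get = |key: &str| t.iter().find(|(k, _)| *k == key).map(|(_, v)| *v);
            Some(Package {
                name: get("name")?.to_string(),
                version: parse_version(get("version")?)?,
                source: get("source").map(str::to_string),
            })
        })
        .collect()
}

/// The PR's query rule: non-registry packages (git, path) are skipped,
/// registry packages must come from the advisory's registry, and only
/// versions below the first patched release are reported.
pub fn advisory_applies(adv: &Advisory, pkg: &Package) -> bool {
    if adv.package != pkg.name {
        return false;
    }
    match pkg.source.as_deref() {
        Some(src) if src.starts_with("registry+") => src == adv.source && pkg.version < adv.patched_from,
        _ => false,
    }
}

/// Returns `(package version, advisory id)` pairs for every hit.
pub fn audit(lock: &str, advisories: &[Advisory]) -> Vec<(String, &'static str)> {
    let mut findings = Vec::new();
    for pkg in parse_lockfile(lock) {
        let (a, b, c) = pkg.version;
        for adv in advisories.iter().filter(|adv| advisory_applies(adv, &pkg)) {
            findings.push((format!("{} {}.{}.{}", pkg.name, a, b, c), adv.id));
        }
    }
    findings
}

/// Constructed lockfile excerpt: the same crate from crates.io, from a git
/// fork, a patched crates.io release, and a path-only local package.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "example-crate"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "local-tool",
]

[[package]]
name = "example-crate"
version = "0.8.0"
source = "git+https://example.invalid/fork/example-crate#0123abcd"

[[package]]
name = "example-crate"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "local-tool"
version = "0.1.0"
"#;

/// Constructed advisories: one for crates.io, one filed against a
/// hypothetical third-party registry for the same crate name.
pub static SAMPLE_ADVISORIES: [Advisory; 2] = [
    Advisory { id: "RUSTSEC-0000-0000", package: "example-crate", source: CRATES_IO, patched_from: (1, 0, 0) },
    Advisory { id: "RUSTSEC-0000-0001", package: "example-crate",
               source: "registry+https://registry.example.invalid/index", patched_from: (0, 9, 5) },
];

fn main() {
    for (pkg, id) in audit(SAMPLE_LOCK, &SAMPLE_ADVISORIES) {
        println!("{pkg} is affected by {id}");
    }
}
```

Only the crates.io `example-crate 0.9.0` is reported: the git fork is not a registry package and is ignored, the 1.2.0 release is at or above the patched bound, the path-only `local-tool` has no source, and the third-party-registry advisory never matches a crates.io package because its source URL differs. That last point is the whole purpose of the source gate described in the PR.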
  • Binary scanning MVP

    This is an MVP, to have some support for cargo auditable on launch.

    Eventually I'd like to extend this with --dir parameter to scan an entire directory, because scanning files one by one causes us to reload the DB every time, which is slow. And once that's in place, make cargo audit bin scan the programs installed by Cargo instead of requiring --file or --dir parameters.

    I'm very open to constructive criticism here.

    opened by Shnatsel 14
  • cargo audit always fails with "invalid version 0 on git_proxy_options"

    cargo audit from version 0.15.1 always fails on any project with the following error:

     $ cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: invalid version 0 on git_proxy_options; class=Invalid (3)
    

    Tested on Manjaro, git 2.33.0, Rust 1.55.0.

    opened by ArekPiekarz 14
  • error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)

    I just installed cargo audit:

    $ cargo audit --version
    cargo-audit 0.3.2
    

    But running it fails with "git operation failed":

    $ cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)
    

    I tried cloning directly via git clone https://github.com/RustSec/advisory-db.git and that works, so not sure what the problem is.

    opened by robinst 14
  • Field value exclusion and / or regex pattern

    e.g. https://github.com/rustsec/rustsec/issues/671 on potential new field target

    We could say everything windows

    target = ["*windows*"]

    Or we could say everything except windows with a !:

    target = [!"*windows*"]

    All x86_64 targets

    target = ["x86_64*"]

    Or regex:

    target = ["^x86_64.+"]

    etc.

    opened by pinkforest 13
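To make the proposed syntax concrete, here is one way such a `target` pattern list could be evaluated against a target triple. This is an added example, not rustsec code and not an implementation of the proposal; it assumes negation is spelled inside the string as a leading `!` (the `[!"*windows*"]` form above is not valid TOML), treats `*` as the only wildcard, and leaves out the regex form because it would need the `regex` crate. The RUSTSEC-0000-001x identifiers are constructed.

```rust
// Added example, not rustsec code: one way the proposed `target` pattern
// list could be evaluated against a target triple. Assumptions made here:
// negation is spelled inside the string as a leading `!` (the proposal's
// `[!"*windows*"]` is not valid TOML), `*` is the only wildcard, and the
// regex form is left out because it would need the `regex` crate.

/// Glob match where `*` matches any (possibly empty) run of characters.
pub fn glob_match(pattern: &str, text: &str) -> bool {
    match pattern.chars().next() {
        None => text.is_empty(),
        Some('*') => {
            let rest = &pattern[1..];
            // Let `*` absorb 0..=len chars of `text`, then match the remainder.
            (0..=text.len())
                .filter(|&i| text.is_char_boundary(i))
                .any(|i| glob_match(rest, &text[i..]))
        }
        Some(c) => {
            let n = c.len_utf8();
            text.starts_with(c) && glob_match(&pattern[n..], &text[n..])
        }
    }
}

/// A target is selected when it matches no `!`-negated pattern and matches
/// at least one positive pattern (an all-negative list selects everything
/// that is not excluded).
pub fn target_selected(patterns: &[&str], target: &str) -> bool {
    let (neg, pos): (Vec<&str>, Vec<&str>) =
        patterns.iter().copied().partition(|p| p.starts_with('!'));
    if neg.iter().copied().any(|p| glob_match(&p[1..], target)) {
        return false;
    }
    pos.is_empty() || pos.iter().copied().any(|p| glob_match(p, target))
}

/// Constructed advisory ids with `target` lists in the proposed syntax.
pub static TARGETED_ADVISORIES: [(&str, &[&str]); 4] = [
    ("RUSTSEC-0000-0010", &["*windows*"]),
    ("RUSTSEC-0000-0011", &["!*windows*"]),
    ("RUSTSEC-0000-0012", &["x86_64*"]),
    ("RUSTSEC-0000-0013", &[]), // no target filter: applies everywhere
];

/// Advisory ids whose target filter selects `host`.
pub fn applicable(host: &str) -> Vec<&'static str> {
    TARGETED_ADVISORIES
        .iter()
        .filter(|(_, patterns)| target_selected(patterns, host))
        .map(|(id, _)| *id)
        .collect()
}

fn main() {
    for host in ["x86_64-pc-windows-msvc", "aarch64-unknown-linux-gnu"] {
        println!("{host}: {:?}", applicable(host));
    }
}
```

The combination rule (negations veto, positives select, an empty list selects everything) is a design choice made for this example; whatever semantics the project eventually picks for mixed lists such as `["x86_64*", "!*windows*"]` would need to be stated in the advisory format so that a filter cannot silently widen or hide an advisory.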
  • Master doesn't exist in the advisory database

    Currently, cargo-audit tries to fetch from the master branch when it doesn't exist. Is there a command to workaround this?

        Replaced package `cargo-audit v0.17.0` with `cargo-audit v0.17.0 (https://github.com/rustsec/rustsec.git#2a080f17)` (executable `cargo-audit`)
    ..
    cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)
    
    opened by AwesomeIbex 13
  • Improve appearance of home page

    Make the about page more visually appealing as it is also used as homepage. This type of design has the drawback of being less dense but given the level of information displayed I think it makes sense.

    Current page: image

    Proposition: image

    previous drafts
    opened by amousset 13
  • Generate release builds with github actions

    Submitted for consideration re #66

    Obviously not end-to-end tested against this repo.

    Some choices/questions:

    • I've named the Windows and macOS sections with their isa (x86-64) even though that's currently the only option, in the optic that perhaps there would eventually be builds for Windows ARM or Apple Silicon.

    • I've selected tar.gz as the archive format (zip on windows) as it's most common but it could be xz or zstd... as you wish

    • I've included the readme, changelog, and license files in the archive. Maybe that's not necessary? Or should the audit.toml.example file be included as well for even more of a batteries-included ux?

    • Should the build be done with --locked to respect the lockfile?

    • Should checksums be generated? (not sure how to do that due to the job layout / parallelism though)

    • Though this is a 1st party github service, some of the actions used are not (from action-rs and softprops). I'm sure it would be possible to avoid these, though that's beyond the level of effort I'm okay expending for this tbqh.

    opened by passcod 13
  • Upgrading to 0.14.0 with existing local advisory-db causes git fetch error

    Just upgraded to v0.14.0 of cargo audit locally using:

    cargo install cargo-audit -f
    

    Subsequently, auditing a crate fails with an underlying git error:

    $ cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/main' not found; class=Reference (4); code=NotFound (-3)
    

    This was resolved by clearing out my local copy of the advisory db with:

    rm -rf ~/.cargo/advisory-db
    

    I'm guessing you recently renamed master -> main? I don't think this needs a technical fix, maybe just a clarifying note in the changelog.

    opened by tommilligan 13
  • build(deps): bump atom_syndication from 0.11.0 to 0.12.0

    Bumps atom_syndication from 0.11.0 to 0.12.0.

    Changelog

    Sourced from atom_syndication's changelog.

    0.12.0 - 2022-12-29

    Commits
    • 90bdfa2 Release 0.12.0
    • e134189 Remove unused error case
    • a2f5e15 Switch to Rust 2021 Edition
    • 5cf8d16 Allow to configure emitted XML
    • 3b2ba90 Update tests to cover more cases of text (tags, comments, CDATA)
    • bb9d076 Upgrade quick-xml to 0.27
    • 6fabfb7 Fix CDATA handing in extensions
    • 9e993bb Update README to reflect MSRV
    • 13c701c Upgrade GitHub actions
    • eb33b90 Bump MSRV to 1.42.0
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust 
    opened by dependabot[bot] 0
  • build(deps): bump actions/cache from 3.0.11 to 3.2.1

    Bumps actions/cache from 3.0.11 to 3.2.1.

    Release notes

    Sourced from actions/cache's releases.

    v3.2.1

    What's Changed

    Full Changelog: https://github.com/actions/cache/compare/v3.2.0...v3.2.1

    v3.2.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/cache/compare/v3...v3.2.0

    v3.2.0-beta.1

    What's Changed

    v3.1.0-beta.3

    What's Changed

    • Bug fixes for bsdtar fallback, if gnutar not available, and gzip fallback, if cache saved using old cache action, on windows.

    Full Changelog: https://github.com/actions/cache/compare/v3.1.0-beta.2...v3.1.0-beta.3

    ... (truncated)

    Changelog

    Sourced from actions/cache's changelog.

    3.0.11

    • Update toolkit version to 3.0.5 to include @actions/core@^1.10.0
    • Update @actions/cache to use updated saveState and setOutput functions from @actions/core@^1.10.0

    3.1.0-beta.1

    • Update @actions/cache on windows to use gnu tar and zstd by default and fallback to bsdtar and zstd if gnu tar is not available. (issue)

    3.1.0-beta.2

    • Added support for fallback to gzip to restore old caches on windows.

    3.1.0-beta.3

    • Bug fixes for bsdtar fallback if gnutar not available and gzip fallback if cache saved using old cache action on windows.

    3.2.0-beta.1

    • Added two new actions - restore and save for granular control on cache.

    3.2.0

    • Released the two new actions - restore and save for granular control on cache

    3.2.1

    • Update @actions/cache on windows to use gnu tar and zstd by default and fallback to bsdtar and zstd if gnu tar is not available. (issue)
    • Added support for fallback to gzip to restore old caches on windows.
    • Added logs for cache version in case of a cache miss.
    Commits

    dependencies github_actions 
    opened by dependabot[bot] 0
  • build(deps): bump cargo-edit from 0.9.1 to 0.11.7

    Bumps cargo-edit from 0.9.1 to 0.11.7.

    Release notes

    Sourced from cargo-edit's releases.

    v0.11.7

    0.11.7 - 2022-12-23

    Fixes

    • Improved build times

    v0.11.6

    0.11.6 - 2022-11-14

    Fixes

    upgrade

    • Ensure precise version setting runs
    • Remove error blocking precise version setting

    v0.11.5

    0.11.5 - 2022-10-09

    v0.11.4

    0.11.4 - 2022-10-06

    Features

    set-version

    • Modify workspace.package.version and all dependents, when needed

    Fixes

    set-version

    • Update versions in workspace.dependencies in virtual workspaces
    • Be more consistent with rest of cargo in output

    v0.11.3

    0.11.3 - 2022-09-28

    Fixes

    • Polished help output

    v0.11.2

    0.11.2 - 2022-09-22

    Features

    upgrade

    • Upgrade workspace.dependencies (new in Rust 1.64)

    v0.11.1

    0.11.1 - 2022-09-16

    ... (truncated)

    Changelog

    Sourced from cargo-edit's changelog.

    0.11.7 - 2022-12-23

    Fixes

    • Improved build times

    0.11.6 - 2022-11-14

    Fixes

    upgrade

    • Ensure precise version setting runs
    • Remove error blocking precise version setting

    0.11.5 - 2022-10-09

    0.11.4 - 2022-10-06

    Features

    set-version

    • Modify workspace.package.version and all dependents, when needed

    Fixes

    set-version

    • Update versions in workspace.dependencies in virtual workspaces
    • Be more consistent with rest of cargo in output

    0.11.3 - 2022-09-28

    Fixes

    • Polished help output

    0.11.2 - 2022-09-22

    Features

    upgrade

    • Upgrade workspace.dependencies (new in Rust 1.64)

    0.11.1 - 2022-09-16

    Fixes

    upgrade

    • Changed --compatible, --incompatible, and --pinned from accepting true|false to allow|ignore (with aliases for compatibility)
      • While we are still working out how we want to express these options, this at least removes the confusion over --compatible false looking like it is the same as --incompatible.

    ... (truncated)

    Commits

    dependencies rust 
    opened by dependabot[bot] 0
  • actions-rs is unmaintained

    To integrate cargo audit into github actions, you officially recommend actions-rs/audit-check.

    Sadly, the entire actions-rs suite seems to be unmaintained since 2020. This is not a problem in general, but right now github will soon stop supporting Node12 based actions and recommends all actions to be updated to Node16. As this won't happen for audit-check, it will soon cease to work.

    I'm not sure how to deal with this problem, I hoped to raise awareness here.

    opened by Finomnis 1
  • Bump abscissa_core from 0.6.0 to 0.7.0

    Bumps abscissa_core from 0.6.0 to 0.7.0.

    Changelog

    Sourced from abscissa_core's changelog.

    [0.7.0] (2022-12-14)

    Changed

    • Update clap to v4; MSRV 1.60 (#779)
    • Use OsString for argument parsing (#791)
    Commits

    dependencies rust 
    opened by dependabot[bot] 0
  • Add client-side glob expansion on Windows

    I've bumped the version to 0.18.0 because this is technically a breaking change - glob paths now have to be escaped on Windows, which wasn't a requirement previously.

    But I'm not very familiar with argument parsing on Windows so I may be mistaken about the impact of this. In which case erring on the side of caution is prudent.

    opened by Shnatsel 0
Releases: cargo-audit/v0.17.4

Owner: RustSec
Security advisory database for Rust crates to crates.io. Maintained by the Rust Secure Code WG