cargo-crev to cargo-vet code review exporter

Overview

cargo-crev to cargo-vet converter

Crev and Vet are supply-chain security tools for auditing Rust/Cargo dependencies.

This tool (crevette) is a helper for cargo-crev users that exports Crev reviews as an audits.toml file for use with cargo-vet.

Installation

You must have cargo-crev already set up, some repos added as trusted, and reviews fetched (try cargo crev repo fetch all).

It requires the latest stable version of Rust. If your package manager has an outdated version of Rust, switch to rustup.

cargo install crevette

Usage

In this initial release, the tool has no configuration. It uses your default cargo crev identity and configuration. It exports almost all reviews from all reviewers you (transitively) trust. Running crevette will print the location of the generated audits.toml file. You may want to review it to ensure you agree with its contents before publishing it.

To generate and upload the audits.toml:

crevette
cargo crev publish

Then on the cargo vet side, go to a Rust/Cargo project that you want to verify, and run:

# cargo vet init (if you haven't already)
cargo vet import 'https://raw.githubusercontent.com/<your github username>/crev-proofs/HEAD/audits.toml'
cargo vet

If you host your repositories elsewhere, adjust the HTTPS link accordingly.

Re-run crevette to generate an updated version of audits.toml whenever you add more Crev reviews.

Important limitations

The tool estimates the safe-to-run and safe-to-deploy criteria based on a fuzzy combination of the trust, rating, thoroughness, and understanding attributes of crev code reviews. Currently negative reviews are not mapped to vet's violation feature, and therefore have no effect at all: a crate that a trusted reviewer flagged as bad will not be rejected by cargo vet on the strength of that review.
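To make the export and the limitation above concrete, here is an added illustration (not crevette's own code) of how Crev review attributes might be mapped to cargo-vet criteria and rendered as audits.toml entries. The thresholds, the Level/Rating types, and the audits.toml field set (who, criteria, version) are assumptions; crevette's real "fuzzy combination" is not published on this page.

```rust
// Hypothetical mapping from Crev review attributes to a cargo-vet audit entry.
// The thresholds are assumptions for illustration, not crevette's actual logic.

#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Level { None, Low, Medium, High }

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Rating { Negative, Neutral, Positive, Strong }

#[derive(Clone, Debug)]
pub struct CrevReview {
    pub krate: String,
    pub version: String,
    pub reviewer_id: String,
    pub rating: Rating,
    pub thoroughness: Level,
    pub understanding: Level,
    pub trust: Level, // how much you (transitively) trust the reviewer
}

/// Returns the vet criterion this review is assumed to support, or None when
/// the review is skipped. Negative and neutral reviews return None: they are
/// simply dropped, never turned into a vet "violation" (the stated limitation).
pub fn vet_criteria(r: &CrevReview) -> Option<&'static str> {
    if r.trust == Level::None || matches!(r.rating, Rating::Negative | Rating::Neutral) {
        return None;
    }
    let careful = r.thoroughness >= Level::Medium && r.understanding >= Level::Medium;
    // Assumed threshold: a careful review by a trusted reviewer (or a "strong"
    // rating) is treated as safe-to-deploy; anything weaker only as safe-to-run.
    if careful && (r.rating == Rating::Strong || r.trust >= Level::Medium) {
        Some("safe-to-deploy")
    } else {
        Some("safe-to-run")
    }
}

/// Renders the reviews that map to a criterion as cargo-vet audits.toml
/// array-of-tables entries; reviews that map to None produce no output.
pub fn audits_toml(reviews: &[CrevReview]) -> String {
    let mut out = String::new();
    for r in reviews {
        if let Some(criteria) = vet_criteria(r) {
            out.push_str(&format!(
                "[[audits.{}]]\nwho = \"{}\"\ncriteria = \"{}\"\nversion = \"{}\"\n\n",
                r.krate, r.reviewer_id, criteria, r.version
            ));
        }
    }
    out
}
```

Note that a negative review disappears from the output entirely, which is exactly why a crate you distrust in Crev still passes cargo vet after import.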
