cargo-crev to cargo-vet converter
Crev and Vet are supply-chain security tools for auditing Rust/Cargo dependencies. This tool (crevette) is a helper for cargo-crev users that exports Crev reviews as an audits.toml file for use with cargo-vet.
Installation
You must have cargo-crev already set up, with some repos added as trusted and their reviews fetched (try cargo crev repo fetch all).
It requires the latest stable version of Rust. If your package manager has an outdated version of Rust, switch to rustup.
cargo install crevette
Usage
In this initial release, the tool has no configuration. It uses your default cargo crev identity and configuration. It exports almost all reviews from all reviewers you (transitively) trust. Running crevette will print the location of the generated audits.toml file. You may want to review it to ensure you agree with its contents.
To generate and upload the audits.toml:
crevette
cargo crev publish
Then on the cargo vet side, go to a Rust/Cargo project that you want to verify, and run:
# cargo vet init (if you haven't already)
cargo vet import 'https://raw.githubusercontent.com/<your github username>/crev-proofs/HEAD/audits.toml'
cargo vet
If you host your repositories elsewhere, adjust the HTTPS link accordingly.
Re-run crevette to generate an updated version of audits.toml whenever you add more Crev reviews.
Important limitations
The tool estimates the safe-to-run and safe-to-deploy criteria based on a fuzzy combination of the trust, rating, thoroughness, and understanding attributes of crev code reviews. Currently negative reviews are not mapped to vet's violation feature, and therefore do not have any effect!
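To make the export concrete, here is an added example (not crevette's own code) that maps a crev-style review, with its rating, thoroughness and understanding attributes, to a cargo-vet audits.toml entry. The threshold rule and the CrevReview type are illustrative assumptions, not the tool's real heuristic; negative and neutral reviews are simply skipped, mirroring the limitation above.

```rust
// Added example, not crevette's code. The mapping rule is an assumption.
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Level { None, Low, Medium, High }

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Rating { Negative, Neutral, Positive, Strong }

pub struct CrevReview<'a> {
    pub crate_name: &'a str,
    pub version: &'a str,
    pub reviewer: &'a str, // "Name <email>", the form vet's `who` field uses
    pub rating: Rating,
    pub thoroughness: Level,
    pub understanding: Level,
}

/// Picks the vet criterion a review can back, or None if it is not exported.
/// Negative/neutral reviews are dropped rather than mapped to a vet `violation`.
pub fn vet_criteria(r: &CrevReview) -> Option<&'static str> {
    let depth = r.thoroughness.min(r.understanding); // weakest of the two
    match r.rating {
        Rating::Negative | Rating::Neutral => None,
        Rating::Strong if depth >= Level::High => Some("safe-to-deploy"),
        Rating::Positive | Rating::Strong if depth >= Level::Medium => Some("safe-to-run"),
        _ => None, // positive but shallow: too little evidence to assert anything
    }
}

/// Renders exportable reviews as `[[audits.<crate>]]` tables as vet reads them.
pub fn export_audits(reviews: &[CrevReview]) -> String {
    let mut out = String::new();
    for r in reviews {
        if let Some(criteria) = vet_criteria(r) {
            out.push_str(&format!(
                "[[audits.{}]]\nwho = \"{}\"\ncriteria = \"{}\"\nversion = \"{}\"\n\n",
                r.crate_name, r.reviewer, criteria, r.version
            ));
        }
    }
    out
}

fn main() {
    // Constructed sample review, not real crev data.
    let r = CrevReview { crate_name: "hex", version: "0.4.3", reviewer: "Example Reviewer <reviewer@example.com>",
        rating: Rating::Positive, thoroughness: Level::Medium, understanding: Level::High };
    print!("{}", export_audits(&[r]));
}
```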