Detects usage of unsafe Rust in a Rust crate and its dependencies.

Overview

cargo-geiger ☢️

Looking for maintainer: https://github.com/rust-secure-code/cargo-geiger/issues/210

A program that lists statistics related to the usage of unsafe Rust code in a Rust crate and all its dependencies.

This cargo plugin was originally based on the code from two other projects: https://github.com/icefoxen/cargo-osha and https://github.com/sfackler/cargo-tree.

Installation

Try to find and use a system-wide installed OpenSSL library:

cargo install cargo-geiger

Or, build and statically link OpenSSL as part of the cargo-geiger executable:

cargo install cargo-geiger --features vendored-openssl

Usage

  1. Navigate to the same directory as the Cargo.toml you want to analyze.
  2. cargo geiger

Output example

Why even care about unsafe Rust usage?

When and why to use unsafe Rust is out of scope for this project; it is simply a tool that provides information to aid auditing and hopefully to guide dependency selection. It is, however, the opinion of the author of this project that libraries choosing to abstain from unsafe Rust usage when possible should be promoted.

This project is an attempt to create pressure against unnecessary usage of unsafe Rust in public Rust libraries.

Why the name?

https://en.wikipedia.org/wiki/Geiger_counter

Unsafe code, like ionizing radiation, is unavoidable in some situations and should be safely contained!

Known issues

  • Unsafe code inside macros is not detected. Needs macro expansion(?).
  • Unsafe code generated by build.rs is probably not detected.
  • More on the GitHub issue tracker.

Roadmap

  • There should be no false negatives. All unsafe code should be identified. This is probably too ambitious, but scanning for #![forbid(unsafe_code)] should be a reliable alternative (implemented since 0.6.0). Please see the changelog.
  • An optional whitelist file at the root crate level to specify crates that are trusted to use unsafe (should only have an effect when placed in the project's root).

Libraries

Cargo Geiger exposes three libraries:

  • cargo-geiger - Unversioned and highly unstable library exposing the internals of the cargo-geiger binary. As such, any function contained within this library may be subject to change.
  • cargo-geiger-serde - A library containing the serializable report types
  • geiger - A library containing a few decoupled cargo components used by cargo-geiger

Changelog

View the changelog here

Cargo Geiger Safety Report


Metric output format: x/y
    x = unsafe code used by the build
    y = total unsafe code found in the crate

Symbols: 
    🔒  = No `unsafe` usage found, declares #![forbid(unsafe_code)]
    ❓  = No `unsafe` usage found, missing #![forbid(unsafe_code)]
    ☢️  = `unsafe` usage found

Functions  Expressions  Impls  Traits  Methods  Dependency

0/0        0/0          0/0    0/0     0/0      🔒  cargo-geiger 0.11.1
15/18      432/439      3/3    0/0     11/11    ☢️  ├── anyhow 1.0.40
0/26       0/623        0/6    0/0     0/5      ❓  │   └── backtrace 0.3.56
0/0        0/23         0/0    0/0     0/0      ❓  │       ├── addr2line 0.14.1
0/0        0/51         0/2    0/0     0/0      ❓  │       │   ├── gimli 0.23.0
0/0        37/42        1/1    0/0     0/0      ☢️  │       │   │   └── indexmap 1.6.2
2/2        1006/1098    16/19  0/0     35/39    ☢️  │       │   │       ├── hashbrown 0.9.1
0/0        4/4          0/0    0/0     0/0      ☢️  │       │   │       │   └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │       │       └── serde_derive 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │       │           ├── proc-macro2 1.0.24
0/0        0/0          0/0    0/0     0/0      🔒  │       │   │       │           │   └── unicode-xid 0.2.1
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │       │           ├── quote 1.0.9
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │       │           │   └── proc-macro2 1.0.24
0/0        45/45        3/3    0/0     2/2      ☢️  │       │   │       │           └── syn 1.0.67
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │       │               ├── proc-macro2 1.0.24
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │       │               ├── quote 1.0.9
0/0        0/0          0/0    0/0     0/0      🔒  │       │   │       │               └── unicode-xid 0.2.1
0/0        4/4          0/0    0/0     0/0      ☢️  │       │   │       └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │       │   ├── rustc-demangle 0.1.18
1/1        392/392      7/7    1/1     13/13    ☢️  │       │   └── smallvec 1.6.1
0/0        4/4          0/0    0/0     0/0      ☢️  │       │       └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │       ├── cfg-if 1.0.0
0/19       10/311       0/0    0/0     5/27     ☢️  │       ├── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      🔒  │       ├── miniz_oxide 0.4.4
0/0        0/0          0/0    0/0     0/0      🔒  │       │   └── adler 1.0.2
0/0        0/21         0/0    0/1     0/0      ❓  │       ├── object 0.23.0
5/6        108/156      0/0    0/0     0/0      ☢️  │       │   ├── crc32fast 1.2.1
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │   └── cfg-if 1.0.0
4/4        129/129      2/2    0/0     2/2      ☢️  │       │   ├── flate2 1.0.20
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │   ├── cfg-if 1.0.0
5/6        108/156      0/0    0/0     0/0      ☢️  │       │   │   ├── crc32fast 1.2.1
0/19       10/311       0/0    0/0     5/27     ☢️  │       │   │   ├── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │       │   │   ├── libz-sys 1.1.2
0/19       10/311       0/0    0/0     5/27     ☢️  │       │   │   │   └── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      🔒  │       │   │   └── miniz_oxide 0.4.4
0/0        37/42        1/1    0/0     0/0      ☢️  │       │   └── indexmap 1.6.2
0/0        0/0          0/0    0/0     0/0      ❓  │       ├── rustc-demangle 0.1.18
0/0        4/4          0/0    0/0     0/0      ☢️  │       └── serde 1.0.125
4/4        341/347      0/0    0/0     3/3      ☢️  ├── cargo 0.52.0
15/18      432/439      3/3    0/0     11/11    ☢️  │   ├── anyhow 1.0.40
2/2        45/45        0/0    0/0     0/0      ☢️  │   ├── atty 0.2.14
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   └── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── bytesize 1.0.1
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── cargo-platform 0.1.1
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        1/1          0/0    0/0     0/0      ☢️  │   ├── clap 2.33.3
0/0        23/23        0/0    0/0     0/0      ☢️  │   │   ├── ansi_term 0.11.0
2/2        45/45        0/0    0/0     0/0      ☢️  │   │   ├── atty 0.2.14
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── bitflags 1.2.1
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── strsim 0.8.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── textwrap 0.11.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   └── unicode-width 0.1.8
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── unicode-width 0.1.8
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── vec_map 0.8.2
0/0        4/4          0/0    0/0     0/0      ☢️  │   │       └── serde 1.0.125
0/0        606/606      12/12  4/4     12/12    ☢️  │   ├── core-foundation 0.9.1
0/0        3/3          0/0    0/0     2/2      ☢️  │   │   ├── core-foundation-sys 0.8.2
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   └── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── crates-io 0.33.0
15/18      432/439      3/3    0/0     11/11    ☢️  │   │   ├── anyhow 1.0.40
4/4        875/876      5/5    0/0     2/2      ☢️  │   │   ├── curl 0.4.35
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   ├── curl-sys 0.4.41+curl-7.75.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   │   ├── libc 0.2.92
0/0        0/1          0/0    0/0     0/0      ❓  │   │   │   │   ├── libnghttp2-sys 0.1.6+1.43.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   │   │   └── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   │   └── libz-sys 1.1.2
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   ├── libc 0.2.92
0/0        644/1122     0/0    0/0     5/9      ☢️  │   │   │   └── socket2 0.3.19
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │       ├── cfg-if 1.0.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │       └── libc 0.2.92
0/0        3/3          0/0    0/0     0/0      ☢️  │   │   ├── percent-encoding 2.1.0
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   ├── serde 1.0.125
0/0        6/6          0/0    0/0     0/0      ☢️  │   │   ├── serde_json 1.0.64
0/0        37/42        1/1    0/0     0/0      ☢️  │   │   │   ├── indexmap 1.6.2
0/0        1/1          0/0    0/0     0/0      ☢️  │   │   │   ├── itoa 0.4.7
8/12       674/921      0/0    0/0     2/2      ☢️  │   │   │   ├── ryu 1.0.5
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── url 2.2.1
0/0        2/2          0/0    0/0     0/0      ☢️  │   │       ├── form_urlencoded 1.0.1
0/0        0/0          0/0    0/0     0/0      ❓  │   │       │   ├── matches 0.1.8
0/0        3/3          0/0    0/0     0/0      ☢️  │   │       │   └── percent-encoding 2.1.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │       ├── idna 0.2.2
0/0        0/0          0/0    0/0     0/0      ❓  │   │       │   ├── matches 0.1.8
0/0        0/0          0/0    0/0     0/0      🔒  │   │       │   ├── unicode-bidi 0.3.4
0/0        0/0          0/0    0/0     0/0      ❓  │   │       │   │   ├── matches 0.1.8
0/0        4/4          0/0    0/0     0/0      ☢️  │   │       │   │   └── serde 1.0.125
0/0        20/20        0/0    0/0     0/0      ☢️  │   │       │   └── unicode-normalization 0.1.17
0/0        0/0          0/0    0/0     0/0      🔒  │   │       │       └── tinyvec 1.1.1
0/0        4/4          0/0    0/0     0/0      ☢️  │   │       │           ├── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   │       │           └── tinyvec_macros 0.1.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │       ├── matches 0.1.8
0/0        3/3          0/0    0/0     0/0      ☢️  │   │       ├── percent-encoding 2.1.0
0/0        4/4          0/0    0/0     0/0      ☢️  │   │       └── serde 1.0.125
4/4        79/79        14/14  0/0     2/2      ☢️  │   ├── crossbeam-utils 0.8.3
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── cfg-if 1.0.0
0/0        7/7          1/1    0/0     0/0      ☢️  │   │   └── lazy_static 1.4.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── crypto-hash 0.3.4
0/0        23/23        0/0    0/0     0/0      ☢️  │   │   ├── commoncrypto 0.2.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   └── commoncrypto-sys 0.2.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │       └── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── hex 0.3.2
4/4        875/876      5/5    0/0     2/2      ☢️  │   ├── curl 0.4.35
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── curl-sys 0.4.41+curl-7.75.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── env_logger 0.8.3
2/2        45/45        0/0    0/0     0/0      ☢️  │   │   ├── atty 0.2.14
0/0        0/0          0/0    0/0     0/0      🔒  │   │   ├── humantime 2.1.0
1/1        16/16        1/1    0/0     0/0      ☢️  │   │   ├── log 0.4.14
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   ├── cfg-if 1.0.0
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   └── serde 1.0.125
0/0        34/34        1/2    0/0     2/2      ☢️  │   │   ├── regex 1.4.5
19/19      678/678      0/0    0/0     22/22    ☢️  │   │   │   ├── aho-corasick 0.7.15
26/27      1823/1896    0/0    0/0     0/0      ☢️  │   │   │   │   └── memchr 2.3.4
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   │       └── libc 0.2.92
26/27      1823/1896    0/0    0/0     0/0      ☢️  │   │   │   ├── memchr 2.3.4
0/0        0/0          0/0    0/0     0/0      🔒  │   │   │   └── regex-syntax 0.6.23
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── termcolor 1.1.2
0/0        35/78        0/0    0/0     0/0      ☢️  │   ├── filetime 0.2.14
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── cfg-if 1.0.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   └── libc 0.2.92
4/4        129/129      2/2    0/0     2/2      ☢️  │   ├── flate2 1.0.20
9/9        3745/3765    3/3    0/0     81/81    ☢️  │   ├── git2 0.13.17
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── bitflags 1.2.1
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   ├── libc 0.2.92
0/0        18/18        0/0    0/0     0/0      ☢️  │   │   ├── libgit2-sys 0.12.18+1.1.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   ├── libc 0.2.92
2/2        6/6          0/0    0/0     0/0      ☢️  │   │   │   ├── libssh2-sys 0.2.21
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   │   ├── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   │   ├── libz-sys 1.1.2
42/42      149/149      0/0    0/0     0/0      ☢️  │   │   │   │   └── openssl-sys 0.9.61
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   │       └── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   ├── libz-sys 1.1.2
42/42      149/149      0/0    0/0     0/0      ☢️  │   │   │   └── openssl-sys 0.9.61
1/1        16/16        1/1    0/0     0/0      ☢️  │   │   ├── log 0.4.14
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── url 2.2.1
1/1        17/19        0/0    0/0     0/0      ☢️  │   ├── git2-curl 0.14.1
4/4        875/876      5/5    0/0     2/2      ☢️  │   │   ├── curl 0.4.35
9/9        3745/3765    3/3    0/0     81/81    ☢️  │   │   ├── git2 0.13.17
1/1        16/16        1/1    0/0     0/0      ☢️  │   │   ├── log 0.4.14
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── url 2.2.1
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── glob 0.3.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── hex 0.4.3
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        0/14         0/0    0/0     0/0      ❓  │   ├── home 0.5.3
0/0        0/0          0/0    0/0     0/0      🔒  │   ├── humantime 2.1.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── ignore 0.4.17
4/4        79/79        14/14  0/0     2/2      ☢️  │   │   ├── crossbeam-utils 0.8.3
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── globset 0.4.6
19/19      678/678      0/0    0/0     22/22    ☢️  │   │   │   ├── aho-corasick 0.7.15
8/8        377/377      0/0    0/0     0/0      ☢️  │   │   │   ├── bstr 0.2.15
0/0        7/7          1/1    0/0     0/0      ☢️  │   │   │   │   ├── lazy_static 1.4.0
26/27      1823/1896    0/0    0/0     0/0      ☢️  │   │   │   │   ├── memchr 2.3.4
0/0        225/225      5/5    1/1     14/14    ☢️  │   │   │   │   ├── regex-automata 0.1.9
0/1        176/193      0/0    0/0     0/0      ☢️  │   │   │   │   │   ├── byteorder 1.4.3
0/0        0/0          0/0    0/0     0/0      🔒  │   │   │   │   │   └── regex-syntax 0.6.23
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   │   └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   ├── fnv 1.0.7
1/1        16/16        1/1    0/0     0/0      ☢️  │   │   │   ├── log 0.4.14
0/0        34/34        1/2    0/0     2/2      ☢️  │   │   │   ├── regex 1.4.5
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   └── serde 1.0.125
0/0        7/7          1/1    0/0     0/0      ☢️  │   │   ├── lazy_static 1.4.0
1/1        16/16        1/1    0/0     0/0      ☢️  │   │   ├── log 0.4.14
26/27      1823/1896    0/0    0/0     0/0      ☢️  │   │   ├── memchr 2.3.4
0/0        34/34        1/2    0/0     2/2      ☢️  │   │   ├── regex 1.4.5
0/0        3/3          0/0    0/0     0/0      ☢️  │   │   ├── same-file 1.0.6
0/0        109/109      1/1    0/0     4/4      ☢️  │   │   ├── thread_local 1.1.3
1/1        75/94        4/6    0/0     2/3      ☢️  │   │   │   └── once_cell 1.7.2
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── walkdir 2.3.2
0/0        3/3          0/0    0/0     0/0      ☢️  │   │       └── same-file 1.0.6
1/1        122/122      2/2    0/0     4/4      ☢️  │   ├── im-rc 15.0.0
0/0        100/100      0/0    0/0     9/9      ☢️  │   │   ├── bitmaps 2.1.0
0/0        0/0          0/0    0/0     0/0      🔒  │   │   │   └── typenum 1.13.0
0/0        22/22        0/0    0/0     0/0      ☢️  │   │   ├── rand_core 0.5.1
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── rand_xoshiro 0.4.0
0/0        22/22        0/0    0/0     0/0      ☢️  │   │   │   ├── rand_core 0.5.1
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   └── serde 1.0.125
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   ├── serde 1.0.125
0/1        311/631      0/0    0/0     20/39    ☢️  │   │   ├── sized-chunks 0.6.4
0/0        100/100      0/0    0/0     9/9      ☢️  │   │   │   ├── bitmaps 2.1.0
0/0        0/0          0/0    0/0     0/0      🔒  │   │   │   └── typenum 1.13.0
0/0        0/0          0/0    0/0     0/0      🔒  │   │   └── typenum 1.13.0
0/0        188/282      0/2    0/0     4/6      ☢️  │   ├── jobserver 0.1.21
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   └── libc 0.2.92
0/0        7/7          1/1    0/0     0/0      ☢️  │   ├── lazy_static 1.4.0
0/0        43/43        2/2    0/0     0/0      ☢️  │   ├── lazycell 1.3.0
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/19       10/311       0/0    0/0     5/27     ☢️  │   ├── libc 0.2.92
0/0        18/18        0/0    0/0     0/0      ☢️  │   ├── libgit2-sys 0.12.18+1.1.0
1/1        16/16        1/1    0/0     0/0      ☢️  │   ├── log 0.4.14
26/27      1823/1896    0/0    0/0     0/0      ☢️  │   ├── memchr 2.3.4
0/0        65/72        0/0    0/0     0/0      ☢️  │   ├── num_cpus 1.13.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   └── libc 0.2.92
0/0        6/6          0/0    0/0     0/0      ☢️  │   ├── opener 0.4.1
30/30      5630/5630    33/33  3/3     16/16    ☢️  │   ├── openssl 0.10.33
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── bitflags 1.2.1
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── cfg-if 1.0.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── foreign-types 0.3.2
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   └── foreign-types-shared 0.1.1
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   ├── libc 0.2.92
1/1        75/94        4/6    0/0     2/3      ☢️  │   │   ├── once_cell 1.7.2
42/42      149/149      0/0    0/0     0/0      ☢️  │   │   └── openssl-sys 0.9.61
0/0        3/3          0/0    0/0     0/0      ☢️  │   ├── percent-encoding 2.1.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── rustc-workspace-hack 1.0.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── rustfix 0.5.1
15/18      432/439      3/3    0/0     11/11    ☢️  │   │   ├── anyhow 1.0.40
1/1        16/16        1/1    0/0     0/0      ☢️  │   │   ├── log 0.4.14
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   ├── serde 1.0.125
0/0        6/6          0/0    0/0     0/0      ☢️  │   │   └── serde_json 1.0.64
0/0        3/3          0/0    0/0     0/0      ☢️  │   ├── same-file 1.0.6
0/0        0/4          0/0    0/0     0/0      ❓  │   ├── semver 0.10.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── semver-parser 0.7.0
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        4/4          0/0    0/0     0/0      ☢️  │   ├── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── serde_ignored 0.1.2
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        6/6          0/0    0/0     0/0      ☢️  │   ├── serde_json 1.0.64
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── shell-escape 0.1.5
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── strip-ansi-escapes 0.1.0
0/0        4/5          0/0    0/0     0/0      ☢️  │   │   └── vte 0.3.3
1/1        5/5          0/0    0/0     0/0      ☢️  │   │       └── utf8parse 0.1.1
2/2        52/52        0/0    0/0     0/0      ☢️  │   ├── tar 0.4.33
0/0        35/78        0/0    0/0     0/0      ☢️  │   │   ├── filetime 0.2.14
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   └── libc 0.2.92
0/0        36/82        0/0    0/0     0/0      ☢️  │   ├── tempfile 3.2.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── cfg-if 1.0.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   ├── libc 0.2.92
0/0        20/20        0/0    0/0     0/0      ☢️  │   │   ├── rand 0.8.3
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   ├── libc 0.2.92
1/1        16/16        1/1    0/0     0/0      ☢️  │   │   │   ├── log 0.4.14
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   ├── rand_chacha 0.3.0
2/2        565/641      0/0    0/0     14/22    ☢️  │   │   │   │   ├── ppv-lite86 0.2.10
0/0        15/15        0/0    0/0     0/0      ☢️  │   │   │   │   └── rand_core 0.6.2
1/4        47/144       1/1    0/0     3/3      ☢️  │   │   │   │       ├── getrandom 0.2.2
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │   │       │   ├── cfg-if 1.0.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   │   │       │   └── libc 0.2.92
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   │       └── serde 1.0.125
0/0        15/15        0/0    0/0     0/0      ☢️  │   │   │   ├── rand_core 0.6.2
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │   └── serde 1.0.125
0/0        0/79         0/0    0/0     0/0      ❓  │   │   └── remove_dir_all 0.5.3
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── termcolor 1.1.2
0/0        0/0          0/0    0/0     0/0      🔒  │   ├── toml 0.5.8
0/0        37/42        1/1    0/0     0/0      ☢️  │   │   ├── indexmap 1.6.2
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── unicode-width 0.1.8
0/0        0/0          0/0    0/0     0/0      🔒  │   ├── unicode-xid 0.2.1
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── url 2.2.1
0/0        0/0          0/0    0/0     0/0      ❓  │   └── walkdir 2.3.2
0/0        0/0          0/0    0/0     0/0      🔒  ├── cargo-geiger-serde 0.2.0
0/0        0/4          0/0    0/0     0/0      ❓  │   ├── semver 0.11.0
0/0        0/0          0/0    0/0     0/0      ❓  │   │   ├── semver-parser 0.10.2
2/2        57/57        0/0    0/0     2/2      ☢️  │   │   │   └── pest 2.1.3
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   │       ├── serde 1.0.125
0/0        6/6          0/0    0/0     0/0      ☢️  │   │   │       ├── serde_json 1.0.64
0/0        0/0          0/0    0/0     0/0      ❓  │   │   │       └── ucd-trie 0.1.3
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        4/4          0/0    0/0     0/0      ☢️  │   ├── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   └── url 2.2.1
0/0        0/0          0/0    0/0     0/0      ❓  ├── cargo-platform 0.1.1
0/0        0/0          0/0    0/0     0/0      ❓  ├── cargo_metadata 0.13.1
1/1        50/50        0/0    0/0     2/2      ☢️  │   ├── camino 1.0.4
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   └── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── cargo-platform 0.1.1
0/0        0/4          0/0    0/0     0/0      ❓  │   ├── semver 0.11.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── semver-parser 0.10.2
0/0        4/4          0/0    0/0     0/0      ☢️  │   ├── serde 1.0.125
0/0        6/6          0/0    0/0     0/0      ☢️  │   └── serde_json 1.0.64
0/0        13/13        0/0    0/0     0/0      ☢️  ├── colored 2.0.0
2/2        45/45        0/0    0/0     0/0      ☢️  │   ├── atty 0.2.14
0/0        7/7          1/1    0/0     0/0      ☢️  │   └── lazy_static 1.4.0
0/1        55/235       0/0    0/0     0/0      ☢️  ├── console 0.14.1
0/0        7/7          1/1    0/0     0/0      ☢️  │   ├── lazy_static 1.4.0
0/19       10/311       0/0    0/0     5/27     ☢️  │   ├── libc 0.2.92
0/0        34/34        1/2    0/0     2/2      ☢️  │   ├── regex 1.4.5
0/0        5/12         0/0    0/0     0/0      ☢️  │   ├── terminal_size 0.1.16
0/19       10/311       0/0    0/0     5/27     ☢️  │   │   └── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      ❓  │   └── unicode-width 0.1.8
0/0        0/0          0/0    0/0     0/0      🔒  ├── geiger 0.4.6
0/0        0/0          0/0    0/0     0/0      🔒  │   ├── cargo-geiger-serde 0.2.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── proc-macro2 1.0.24
0/0        45/45        3/3    0/0     2/2      ☢️  │   └── syn 1.0.67
0/0        0/0          0/0    0/0     0/0      ❓  ├── krates 0.7.0
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── cargo_metadata 0.13.1
0/0        0/0          0/0    0/0     0/0      ❓  │   ├── cfg-expr 0.7.4
1/1        392/392      7/7    1/1     13/13    ☢️  │   │   └── smallvec 1.6.1
2/2        75/75        4/4    1/1     1/1      ☢️  │   ├── petgraph 0.5.1
0/0        62/62        0/0    0/0     0/0      ☢️  │   │   ├── fixedbitset 0.2.0
0/0        37/42        1/1    0/0     0/0      ☢️  │   │   ├── indexmap 1.6.2
0/0        4/4          0/0    0/0     0/0      ☢️  │   │   ├── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  │   │   └── serde_derive 1.0.125
0/0        0/4          0/0    0/0     0/0      ❓  │   └── semver 0.11.0
2/2        75/75        4/4    1/1     1/1      ☢️  ├── petgraph 0.5.1
0/0        0/0          0/0    0/0     0/0      🔒  ├── pico-args 0.4.0
0/0        34/34        1/2    0/0     2/2      ☢️  ├── regex 1.4.5
0/0        4/4          0/0    0/0     0/0      ☢️  ├── serde 1.0.125
0/0        6/6          0/0    0/0     0/0      ☢️  ├── serde_json 1.0.64
0/0        0/0          0/0    0/0     0/0      ❓  ├── strum 0.20.0
0/0        0/0          0/0    0/0     0/0      ❓  │   └── strum_macros 0.20.1
0/0        0/0          0/0    0/0     0/0      ❓  │       ├── heck 0.3.2
0/0        0/0          0/0    0/0     0/0      ❓  │       │   └── unicode-segmentation 1.7.1
0/0        0/0          0/0    0/0     0/0      ❓  │       ├── proc-macro2 1.0.24
0/0        0/0          0/0    0/0     0/0      ❓  │       ├── quote 1.0.9
0/0        45/45        3/3    0/0     2/2      ☢️  │       └── syn 1.0.67
0/0        0/0          0/0    0/0     0/0      ❓  ├── strum_macros 0.20.1
0/0        0/0          0/0    0/0     0/0      ❓  ├── url 2.2.1
0/0        0/0          0/0    0/0     0/0      ❓  └── walkdir 2.3.2

200/260    20550/23557  121/137 10/11   296/361
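
The tree above repeats every shared dependency (serde 1.0.125 shows up under many parents), so an audit usually needs one record per crate. The Rust code below is an added example, not part of cargo-geiger or its libraries: it parses rows in the text layout shown above and collapses them per crate. All type and function names are hypothetical, and it assumes two spaces after the symbol and four columns per tree level; the sample rows are an excerpt copied from the report.

```rust
use std::collections::BTreeMap;

/// Symbol column of the report.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Status {
    Forbids,     // lock: no unsafe found, declares #![forbid(unsafe_code)]
    NoForbid,    // question mark: no unsafe found, missing #![forbid(unsafe_code)]
    UnsafeFound, // radioactive sign: unsafe usage found
}

/// One x/y cell: x = unsafe code used by the build, y = total found in the crate.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
struct Count { used: u64, total: u64 }

/// One crate after collapsing its repeated tree entries.
#[derive(Debug, Clone, PartialEq, Eq)]
struct CrateInfo {
    counts: [Count; 5], // functions, expressions, impls, traits, methods
    status: Status,
    min_depth: usize,   // 0 = root crate, 1 = direct dependency, 2+ = transitive
}

type Crates = BTreeMap<(String, String), CrateInfo>; // keyed by (name, version)

fn parse_count(cell: &str) -> Option<Count> {
    let (x, y) = cell.split_once('/')?;
    Some(Count { used: x.parse().ok()?, total: y.parse().ok()? })
}

/// Parses one dependency row. Returns None for the legend, header and totals lines.
fn parse_row(line: &str) -> Option<(String, String, CrateInfo)> {
    let mut rest = line.trim_start();
    let mut counts = [Count::default(); 5];
    for c in counts.iter_mut() {
        let end = rest.find(char::is_whitespace)?;
        *c = parse_count(&rest[..end])?;
        rest = rest[end..].trim_start();
    }
    let end = rest.find(char::is_whitespace)?;
    // U+FE0F (variation selector) may or may not follow the symbol.
    let status = match rest[..end].trim_end_matches('\u{FE0F}') {
        "\u{1F512}" => Status::Forbids,
        "\u{2753}" => Status::NoForbid,
        "\u{2622}" => Status::UnsafeFound,
        _ => return None,
    };
    // Assumed layout: two spaces after the symbol, then four columns per tree level.
    let tree = rest[end..].strip_prefix("  ")?;
    let name_at = tree.find(|c: char| !matches!(c, ' ' | '│' | '├' | '└' | '─'))?;
    let min_depth = tree[..name_at].chars().count() / 4;
    let (name, version) = tree[name_at..].trim_end().split_once(' ')?;
    Some((name.into(), version.trim().into(), CrateInfo { counts, status, min_depth }))
}

/// Keeps one record per crate and remembers how close to the root it appears.
fn unique_crates(report: &str) -> Crates {
    let mut map = Crates::new();
    for (name, version, info) in report.lines().filter_map(parse_row) {
        let depth = info.min_depth;
        let entry = map.entry((name, version)).or_insert(info);
        entry.min_depth = entry.min_depth.min(depth);
    }
    map
}

/// Crates with unsafe code compiled into this build (x > 0 in any column).
fn unsafe_in_build(crates: &Crates) -> Vec<String> {
    crates.iter()
        .filter(|(_, c)| c.counts.iter().any(|n| n.used > 0))
        .map(|((name, version), _)| format!("{} {}", name, version))
        .collect()
}

/// Question-mark crates, each with the sum of its y columns (unsafe found but unused).
fn missing_forbid(crates: &Crates) -> Vec<(String, u64)> {
    crates.iter()
        .filter(|(_, c)| c.status == Status::NoForbid)
        .map(|((n, v), c)| (format!("{} {}", n, v), c.counts.iter().map(|k| k.total).sum::<u64>()))
        .collect()
}

// Excerpt of the report above (rows copied, tree shortened for the example).
const SAMPLE: &str = "
0/0        0/0          0/0    0/0     0/0      🔒  cargo-geiger 0.11.1
15/18      432/439      3/3    0/0     11/11    ☢️  ├── anyhow 1.0.40
0/26       0/623        0/6    0/0     0/5      ❓  │   └── backtrace 0.3.56
0/19       10/311       0/0    0/0     5/27     ☢️  │       ├── libc 0.2.92
0/0        0/0          0/0    0/0     0/0      🔒  │       ├── miniz_oxide 0.4.4
0/0        4/4          0/0    0/0     0/0      ☢️  │       └── serde 1.0.125
0/0        4/4          0/0    0/0     0/0      ☢️  ├── serde 1.0.125
0/0        0/0          0/0    0/0     0/0      ❓  └── walkdir 2.3.2
";

fn main() {
    let crates = unique_crates(SAMPLE);
    println!("unsafe in build: {:?}", unsafe_in_build(&crates));
    println!("missing forbid:  {:?}", missing_forbid(&crates));
}
```

On the excerpt, backtrace 0.3.56 is listed with ❓ yet carries 660 unsafe items in its y columns that this build does not use, which is why the second number of each cell is worth keeping in a per-crate summary.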

Comments
  • Make it available as a library?

    I want to make a website that gives statistics on various crates, including unsafe usage. Naturally I immediately thought of this, but using cargo-geiger to output data and then attempting to re-parse it seems excessively hard. Would you accept a PR that refactors most of the actual work into a library crate?

    I don't think I would ever really expect a stable API or such, but being able to keep all the processing in one program would be nice.

    enhancement 
    opened by icefoxen 33
  • Use cargo_metadata to explore the dependency tree.

    Switch out the cargo API pieces currently used for exploring the dependency graph and use https://crates.io/crates/cargo_metadata instead.

    Found here: https://github.com/sfackler/cargo-tree/issues/41

    This is a subtask of #69

    Consider using https://crates.io/crates/krates as part of this migration.

    enhancement help wanted important 
    opened by anderejd 17
  • Idea: safety badges

    I want crate readme files to show their unsafe-ness.

    • badge unsafe for crates without #![forbid(unsafe_code)]
    • badge unsafe-deps for crates with deps that lack #![forbid(unsafe_code)]
    • badge safe for crates with #![forbid(unsafe_code)]

    Clicking on the badge would show the cargo-geiger report for that version of the crate.

    Is anyone else interested in setting up something like this?

    SVG sources: badges-svg.zip

    enhancement question 
    opened by mleonhard 15
  • 'features' flags does not work

    This one:

            --features <FEATURES>     Space-separated list of features to activate
            --all-features            Activate all available features
            --no-default-features     Do not activate the `default` feature
    
    opened by RazrFalcon 15
  • use ExampleBin by default for example target

    This fixes a part of test failure in #193 - at the moment cargo-geiger sets CustomBuildRoot for code files in examples and as a result itertools/examples/iris.rs also is assumed to be a custom build root.

    opened by qrilka 14
  • Feature: safety report in readme

    I want a tool to automatically update a safety report section in my project's readme file. Requirements:

    • Run cargo-geiger on the current project
    • Convert the report into Markdown format
    • Look for a # Safety Report section in Readme.md and replace it with the generated report

    Advanced features:

    • An argument with the name of the markdown file to update
    • An argument with the name of the section to replace
    • Check the git repository, see if there's a tag at HEAD in the current branch, and include the tag in the report. This could be a separate program.
    • An option to include the branch name in the report.
    • An option to include the git commit ID in the report.
    • For each unsafe crate, link to a ticket about making the crate safer. So folks can easily express their desire for more safety in code and dependencies. For crates without such tickets, link to a page explaining how to file the ticket and add the link to cargo-geiger (make a PR). When crate maintainers delete tickets that ask for more safety, include a link to a ticket in a different repository. The isaacs/github repository is an example of this technique.

    Similar tools: clog-cli

    opened by mleonhard 14
  • Emoji rendering error under rxvt-unicode which isn't fixed by --charset ascii

    On a brand new cargo-geiger install (cargo install cargo-geiger producing version 0.7.2), I get the following less-than-ideal output when running cargo-geiger under a stack of rxvt-unicode and GNU screen:

    --charset ascii does change the tree-view line-drawing characters (which render just fine in the default UTF-8 mode), but doesn't change the more important icons.

    (I haven't checked your code but, when using the radioactive symbol emoji in your README for testing, the problem is that rxvt-unicode doesn't like U+FE0F (VARIATION SELECTOR-16))

    bug help wanted 
    opened by ssokolow 13
  • NOISSUE - Create `lib.rs`, to allow documentation tests to be written…

    … and run:

    • Add high level description of public modules in lib.rs
    • Add docs and doc-tests for args module
    • Add clippy level to enforce use of doc markdown

    Signed-off-by: joshmc [email protected]

    opened by jmcconnell26 12
  • Expose the cargo crate feature: vendored-openssl.

    Fixes: #97

    Is this an acceptable solution? For macOS this seems like the right choice to me. If this PR passes the CI build I'm fine with using the vendored-openssl feature for all platforms.

    opened by anderejd 12
  • Manifest parse errors despite using latest version of Rust

    ❯ cargo build
        Finished dev [unoptimized + debuginfo] target(s) in 0.23s
    
    ❯ cargo geiger --version
    cargo-geiger 0.11.3
    
    ❯ cargo geiger
    error: failed to parse manifest at `C:\Path\To\Project\Cargo.toml`
    
    Caused by:
      namespaced features with the `dep:` prefix are only allowed on the nightly channel and requires the `-Z namespaced-features` flag on the command-line
    

    Which is odd, because namespaced features has been stable since 1.60 and none of the other cargo tools I have are choking on my Cargo.toml.

    opened by alexschrod 11
  • panic in .toml parser on some repos

    Version: cargo-geiger 0.9.0

    $ cargo geiger
    thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: ()', src/libcore/result.rs:1165:5
    stack backtrace:
    ...
      14: core::result::unwrap_failed
                 at src/libcore/result.rs:1165
      15: cargo::util::canonical_url::CanonicalUrl::new
      16: cargo::core::source::source_id::SourceId::new
      17: cargo::util::toml::DetailedTomlDependency::to_dependency
      18: cargo::util::toml::TomlDependency::to_dependency
      19: cargo::util::toml::TomlManifest::to_real_manifest::process_dependencies
      20: cargo::util::toml::TomlManifest::to_real_manifest
      21: cargo::util::toml::read_manifest
      22: cargo::core::workspace::Packages::load
      23: cargo::core::workspace::Workspace::find_root
      24: cargo::core::workspace::Workspace::new
      25: cargo_geiger::cli::get_workspace
      26: cargo_geiger::main
      27: std::rt::lang_start::{{closure}}
      28: std::rt::lang_start_internal::{{closure}}
                 at src/libstd/rt.rs:48
      29: std::panicking::try::do_call
                 at src/libstd/panicking.rs:287
      30: __rust_maybe_catch_panic
                 at src/libpanic_unwind/lib.rs:78
      31: std::panicking::try
                 at src/libstd/panicking.rs:265
      32: std::panic::catch_unwind
                 at src/libstd/panic.rs:396
      33: std::rt::lang_start_internal
                 at src/libstd/rt.rs:47
      34: main
      35: __libc_start_main
      36: _start
    

    it would be useful to get at least the line number in the .toml file that causes the problem.

    EDIT: I tried eliminating lines in my Cargo.toml to find the offending code, but even with my whole Cargo.toml commented I got the above error. Weird. geiger works fine in some other repos.

    bug help wanted 
    opened by emilk 11
  • build(deps): bump rayon from 1.5.3 to 1.6.1

    Bumps rayon from 1.5.3 to 1.6.1.

    Changelog

    Sourced from rayon's changelog.

    Release rayon 1.6.1 (2022-12-09)

    • Simplified par_bridge to only pull one item at a time from the iterator, without batching. Threads that are waiting for iterator items will now block appropriately rather than spinning CPU. (Thanks @​njaard!)
    • Added protection against recursion in par_bridge, so iterators that also invoke rayon will not cause mutex recursion deadlocks.

    Release rayon-core 1.10.1 (2022-11-18)

    • Fixed a race condition with threads going to sleep while a broadcast starts.

    Release rayon 1.6.0 / rayon-core 1.10.0 (2022-11-18)

    • The minimum supported rustc is now 1.56.
    • The new IndexedParallelIterator::fold_chunks and fold_chunks_with methods work like ParallelIterator::fold and fold_with with fixed-size chunks of items. This may be useful for predictable batching performance, without the allocation overhead of IndexedParallelIterator::chunks.
    • New "broadcast" methods run a given function on all threads in the pool. These run at a sort of reduced priority after each thread has exhausted their local work queue, but before they attempt work-stealing from other threads.
      • The global broadcast function and ThreadPool::broadcast method will block until completion, returning a Vec of all return values.
      • The global spawn_broadcast function and methods on ThreadPool, Scope, and ScopeFifo will run detached, without blocking the current thread.
    • Panicking methods now use #[track_caller] to report the caller's location.
    • Fixed a truncated length in vec::Drain when given an empty range.

    Contributors

    Thanks to all of the contributors for this release!

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust 
    opened by dependabot[bot] 0
  • build(deps): bump rstest from 0.15.0 to 0.16.0

    Bumps rstest from 0.15.0 to 0.16.0.

    Release notes

    Sourced from rstest's releases.

    0.16.0

    Use values expression to define test names.

    Changelog

    Sourced from rstest's changelog.

    [0.16.0] 2022/11/27

    Changed

    • Show TEST START banner only when trace some argument: See #158 for details.
    • Add values to test name: See #160 for details.

    Fixed

    • Updated test fixtures to 1.64.0 compiler's error messages.
    dependencies rust 
    opened by dependabot[bot] 0
  • build(deps): bump cargo_metadata from 0.15.0 to 0.15.2

    Bumps cargo_metadata from 0.15.0 to 0.15.2.

    Changelog

    Sourced from cargo_metadata's changelog.

    Changelog

    Unreleased

    Added

    • Re-exported semver crate directly.

    Changed

    • Made parse_stream more versatile by accepting anything that implements Read.

    Removed

    • Removed re-exports for BuildMetadata and Prerelease from semver crate.

    Fixed

    • Added missing manifest_path field to Artifact. Fixes #187.
    Commits
    • 8319bd6 Publish new version
    • 711710b Merge pull request #213 from messense/fix-212
    • ad8bf92 Add #[serde(default)] to Artifact::manifest_path
    • 1af69df Merge pull request #211 from messense/stderr
    • d9cd00d Allow MetadataCommand to inherit stderr from parent
    • a0f55ac Disable semver again
    • b0a608d Add semver checks to CI
    • feac4af Version bump
    • 2d2998c Merge pull request #205 from msrd0/add-target-is-xxx
    • ecabef4 Add is_lib, is_bin etc to Target
    • Additional commits viewable in compare view

    dependencies rust 
    opened by dependabot[bot] 0
  • build(deps): bump assert_cmd from 2.0.4 to 2.0.5

    Bumps assert_cmd from 2.0.4 to 2.0.5.

    Changelog

    Sourced from assert_cmd's changelog.

    [2.0.5] - 2022-10-20

    Features

    • Added AssertError::assert
    Commits
    • d19ea7e chore: Release
    • fa0c1cb docs: Update changelog
    • 7b0b08b Merge pull request #144 from jbtrystram/assert_error
    • aadf8bb feat: Allow getting the Assert from an AssertError
    • 8d4bfd2 chore: Track lock file for MSRV
    • 5f5abc9 docs(contrib): Update release process
    • 1e73f00 chore(gh): Fix weblink
    • 02449b4 chore: Upgrade boilerplate
    • b7c84f6 chore: Upgrade boilerplate
    • c6accdd chore(ci): Upgrade pre-commits
    • Additional commits viewable in compare view

    dependencies rust 
    opened by dependabot[bot] 0
  • build(deps): bump krates from 0.11.0 to 0.12.6

    Bumps krates from 0.11.0 to 0.12.6.

    Changelog

    Sourced from krates's changelog.

    [0.12.6] - 2022-11-25

    Changed

    • PR#52 updated cfg-expr to 0.12.
    • PR#52 changed Krates::search_matches and Krates::search_by_name to use impl Into<String> for the name to search, so that the lifetime of it is not paired with the graph itself.

    [0.12.5] - 2022-11-08

    Fixed

    • PR#51 resolved #50 by no longer treating the feature set in the index as authoritative, but rather just merging in the keys that were not already located in the feature set from the crate itself. This would mean that features that are present in both but with different sub-features from the index will now be lost, but that can be fixed later if it is actually an issue.

    [0.12.4] - 2022-11-02

    Fixed

    • PR#49 resolved #48 by not entering into an infinite loop in the presence of cyclic features. Oops.

    [0.12.3] - 2022-11-01

    Fixed

    • PR#47 resolved #46 by both adding the prefer-index feature to get the actual correct feature information for a crate from the index, rather than the cargo metadata, as well as silently ignoring features that are resolved, but not available from the package manifest if the feature is not enabled.

    [0.12.2] - 2022-10-28

    Fixed

    • PR#45 fixed a bug where optional dependencies could be pruned if their name differed from the feature that enabled them.

    Added

    • PR#45 added Krates::direct_dependencies as a complement to Krates::direct_dependents.

    [0.12.1] - 2022-10-25

    Added

    • PR#43 and PR#44 added Krates::direct_dependents to more easily obtain the crates that directly depend on the specified crate/node, regardless of any features in between those crates.

    [0.12.0] - 2022-10-06

    Added

    • PR#42 added support for features, adding nodes for each unique future, and linking edges between dependencies and features themselves. This (hopefully) properly takes into account the existing ways of pruning the graph via targets, exclusions etc. It also allows the retrieval of that final feature set via Krates::get_enabled_features.

    Fixed

    • PR#42 resolved #41 by properly pruning weak dependencies that were improperly resolved by cargo.
    dependencies rust 
    opened by dependabot[bot] 0
  • cargo_metadata & krate coupling

    Need to de-couple these and ensure they do not break between bumps...

    https://dev.azure.com/cargo-geiger/cargo-geiger/_build/results?buildId=819&view=logs&j=022b0a5d-2698-5f72-7610-a845972a8b4c&t=33e4d865-0676-5964-ba63-59b88208e67d&l=350

    error[E0609]: no field `krate` on type `&krates::Node<cargo_metadata::Package>`
       --> cargo-geiger\src\graph.rs:119:39
        |
    119 |             let package = krates_node.krate.clone();
        |                                       ^^^^^
    
    

    This is blocking https://github.com/rust-secure-code/cargo-geiger/pull/397

    opened by pinkforest 0
Releases(cargo-geiger-0.11.4)
  • cargo-geiger-0.11.4(Aug 1, 2022)

    0.11.4

    Bump insta from 1.16 to 1.17 [#353], [#354]
    Bump regex from 0.5 to 0.6 [#348]
    Code clean-ups - thanks @jmcconnell26 [#333]
    Bump pico-args from 0.4 to 0.5 [#328]
    Upgraded from Cargo 0.62.0 to 0.63.0 [#345]
    Upgraded from Cargo 0.60.0 to 0.62.0 - thanks @jmcconnell26   [#317]
    Bump lockfile [#349]
    

    Special thanks to @alexschrod @jmcconnell26

Owner
Rust Secure Code Working Group
Make it easy to write secure Rust code