Audit Cargo.lock files for dependencies with security vulnerabilities

Overview

RustSec Crates 🦀 🛡️ 📦

The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via crates.io.

The advisory database itself can be found at:

https://github.com/RustSec/advisory-db

About this repository

This repository contains a Cargo Workspace with all of the crates maintained by the RustSec project:

Name            Description                                Crate       Documentation   Build
cargo-audit     Audit Cargo.lock against the advisory DB   crates.io   Documentation   CI
cargo-lock      Self-contained Cargo.lock parser           crates.io   Documentation   CI
cvss            Common Vulnerability Scoring System        crates.io   Documentation   CI
platforms       Rust platform registry                     crates.io   Documentation   CI
rustsec         Advisory DB client library                 crates.io   Documentation   CI
rustsec-admin   Linter and web site generator              crates.io   Documentation   CI

License

All crates licensed under either of

at your option.

Comments
  • Pre-built distribution / releases

    It would be nice to have pre-built binaries of the tool available here. This is mostly for CI usage as building the tool in CI inflates build times. This is less an issue with caching, but is still a concern.

    opened by passcod 23
  • Add a 'fix' command to automatically update dependencies.

    Similar to https://docs.npmjs.com/cli/audit

    Running cargo audit fix or a similar command would install all compatible (as in SemVer compatible, no automatic major version bumps) updates to all vulnerable packages. This would also rewrite version constraints in Cargo.toml. I realize this may be a bigger issue, I just wanted to get this idea out there.

    enhancement help wanted 
    opened by phansch 23
  • rustsec: add `[advisory.source]`; remove old DB scopes

    Fixes #408

    Adds a new optional source field to the advisory metadata: a URL which identifies the source of the package, e.g. the registry where a vulnerable package is published. These map to the source field of Cargo.lock.

    The default is crates.io:

    registry+https://github.com/rust-lang/crates.io-index
    

    The db::Query type now considers Package::source, checking if it's a registry and if so, checking if the advisory's source URL matches the source of the package. This fixes #408: it ignores packages in Cargo.lock which don't come from a registry (e.g. git, local), and if they do come from a registry, makes sure it's the expected one.

    It also enables filing advisories for 3rd party crate registries, which would mainly be useful if someone spun up an internal RustSec DB, or potentially in a future where there are noteworthy public 3rd party registries in use other than crates.io.

    This commit also removes the previous db::scope::{Registry, Package} originally added in 6f56bfc/0f0a777 for a few reasons:

    • The new implementation "just works" without any additional configuration on the part of the user and accomplishes the same functionality. Convention over configuration!
    • The legacy db::scope system, despite its complexity, was mostly dead code and not actually ever considered in the Query (in fact clippy just recently started failing due to that). The only functionality it actually provided was allowing a user to configure that they only want to consider packages in their Cargo.lock whose source is crates.io
    • In addition to that, the db::scope system duplicated functionality already available in the SourceId type, resulting in needless complexity
    opened by tarcieri 21
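The matching the PR above describes, and the Cargo.lock-against-advisory audit that cargo-audit (see the crate table in the README) performs, as an added example in std-only Rust. This is not code from the rustsec repository: real cargo-audit uses the cargo-lock, semver and rustsec crates, while the parser and version comparison here are hand-rolled and simplified. The crate name fastparse, the advisory id RUSTSEC-0000-0000, the git and example.com registry URLs and the whole sample lockfile are constructed for this example.

```rust
// Added example, not code from the rustsec repository: a std-only sketch of what cargo-audit does,
// parsing the [[package]] tables of a Cargo.lock and matching them against an advisory with the
// source rule from the [advisory.source] PR. The crate fastparse, the id RUSTSEC-0000-0000 and the
// git/example.com URLs are constructed; real cargo-audit uses the cargo-lock, semver and rustsec crates.
/// Cargo's source string for crates.io, exactly as written in Cargo.lock (the PR's default).
pub const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>, // None for path dependencies, which have no `source` line
}

pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    pub source: &'static str, // registry the affected package was published to
    pub patched: &'static [&'static str], // RustSec-style requirements such as ">= 0.2.4"
}

/// Parse the `[[package]]` tables of a Cargo.lock; checksum lines and dependency arrays are ignored.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            packages.extend(current.replace(Package { name: String::new(), version: String::new(), source: None }));
            continue;
        }
        // Skip anything before the first table (e.g. `version = 3`); split on the first '=' only,
        // so a git URL containing `?rev=` stays intact.
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => pkg.name = value,
                "version" => pkg.version = value,
                "source" => pkg.source = Some(value),
                _ => {}
            }
        }
    }
    packages.extend(current);
    packages
}

/// MAJOR.MINOR.PATCH as a comparable tuple; pre-release/build suffixes are dropped (a simplification).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.trim().split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Evaluate one requirement such as ">= 0.2.4" or "< 0.1.0"; an unparsable requirement never matches.
fn req_matches(req: &str, version: (u64, u64, u64)) -> bool {
    let req = req.trim();
    let ops = [">=", "<=", ">", "<", "="]; // two-character operators must be tried first
    let (op, rest) = ops.iter().find_map(|op| req.strip_prefix(*op).map(|r| (*op, r))).unwrap_or(("=", req));
    let b = match parse_version(rest) { Some(b) => b, None => return false };
    match op { ">=" => version >= b, "<=" => version <= b, ">" => version > b, "<" => version < b, _ => version == b }
}

/// Source rule from the PR: git and path packages are ignored and a registry package must come from
/// the advisory's registry; only then is the version checked against `patched`.
pub fn applies(adv: &Advisory, pkg: &Package) -> bool {
    let same_registry = matches!(pkg.source.as_deref(), Some(s) if s.starts_with("registry+") && s == adv.source);
    if adv.package != pkg.name || !same_registry {
        return false;
    }
    parse_version(&pkg.version).map_or(false, |v| !adv.patched.iter().any(|r| req_matches(r, v)))
}

/// Run every advisory over every package and return the (advisory id, package) matches.
pub fn audit(lockfile: &str, advisories: &[Advisory]) -> Vec<(String, Package)> {
    let packages = parse_lockfile(lockfile);
    let mut findings = Vec::new();
    for adv in advisories {
        findings.extend(packages.iter().filter(|p| applies(adv, p)).map(|p| (adv.id.to_string(), p.clone())));
    }
    findings
}

/// Constructed Cargo.lock: the same hypothetical crate from crates.io, git and a private registry,
/// plus a path-only crate. Only the crates.io entry should be reported.
pub const SAMPLE_LOCK: &str = r##"version = 3
[[package]]
name = "fastparse"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "fastparse"
version = "0.2.1"
source = "git+https://github.com/example/fastparse?rev=abc123#abc123"
[[package]]
name = "fastparse"
version = "0.2.1"
source = "registry+https://example.com/internal-index"
[[package]]
name = "localtool"
version = "0.1.0"
"##;

/// Constructed advisory: fastparse below 0.2.4 on crates.io is affected.
pub const ADVISORIES: &[Advisory] =
    &[Advisory { id: "RUSTSEC-0000-0000", package: "fastparse", source: CRATES_IO, patched: &[">= 0.2.4"] }];

fn main() {
    for (id, pkg) in audit(SAMPLE_LOCK, ADVISORIES) { println!("{}: {} {}", id, pkg.name, pkg.version); }
}
```

Running it reports exactly one finding, the crates.io copy of fastparse 0.2.1: the git copy and the path crate have no registry source and are skipped, and the copy from the example.com registry is skipped because its source does not equal the advisory's. The version logic is deliberately minimal (no pre-release ordering, no comma-separated requirement lists, no `unaffected` ranges); the real tool delegates that to the semver crate.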
  • Binary scanning MVP

    This is an MVP, to have some support for cargo auditable on launch.

    Eventually I'd like to extend this with a --dir parameter to scan an entire directory, because scanning files one by one causes us to reload the DB every time, which is slow. And once that's in place, make cargo audit bin scan the programs installed by Cargo instead of requiring --file or --dir parameters.

    I'm very open to constructive criticism here.

    opened by Shnatsel 14
  • cargo audit always fails with "invalid version 0 on git_proxy_options"

    cargo audit from version 0.15.1 always fails on any project with the following error:

     $ cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: invalid version 0 on git_proxy_options; class=Invalid (3)
    

    Tested on Manjaro, git 2.33.0, Rust 1.55.0.

    opened by ArekPiekarz 14
  • error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)

    I just installed cargo audit:

    $ cargo audit --version
    cargo-audit 0.3.2
    

    But running it fails with "git operation failed":

    $ cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)
    

    I tried cloning directly via git clone https://github.com/RustSec/advisory-db.git and that works, so not sure what the problem is.

    opened by robinst 14
  • Field value exclusion and / or regex pattern

    e.g. https://github.com/rustsec/rustsec/issues/671 on potential new field target

    We could say everything windows

    target = ["*windows*"]

    Or we could say everything except windows with a !:

    target = [!"*windows*"]

    All x86_64 targets

    target = ["x86_64*"]

    Or regex:

    target = ["^x86_64.+"]

    etc.

    opened by pinkforest 13
  • Master doesn't exist in the advisory database

    Currently, cargo-audit tries to fetch from the master branch when it doesn't exist. Is there a command to workaround this?

        Replaced package `cargo-audit v0.17.0` with `cargo-audit v0.17.0 (https://github.com/rustsec/rustsec.git#2a080f17)` (executable `cargo-audit`)
    ..
    cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/master' not found; class=Reference (4); code=NotFound (-3)
    
    opened by AwesomeIbex 13
  • Improve appearance of home page

    Make the about page more visually appealing, as it is also used as the homepage. This type of design has the drawback of being less dense, but given the level of information displayed I think it makes sense.

    Current page: image

    Proposition: image

    previous drafts
    opened by amousset 13
  • Generate release builds with github actions

    Submitted for consideration re #66

    Obviously not end-to-end tested against this repo.

    Some choices/questions:

    • I've named the Windows and macOS sections with their ISA (x86-64) even though that's currently the only option, in the optic that perhaps there would eventually be builds for Windows ARM or Apple Silicon.

    • I've selected tar.gz as the archive format (zip on windows) as it's most common but it could be xz or zstd... as you wish

    • I've included the readme, changelog, and license files in the archive. Maybe that's not necessary? Or should the audit.toml.example file be included as well for even more of a batteries-included ux?

    • Should the build be done with --locked to respect the lockfile?

    • Should checksums be generated? (not sure how to do that due to the job layout / parallelism though)

    • Though this is a 1st party github service, some of the actions used are not (from action-rs and softprops). I'm sure it would be possible to avoid these, though that's beyond the level of effort I'm okay expending for this tbqh.

    opened by passcod 13
  • Upgrading to 0.14.0 with existing local advisory-db causes git fetch error

    Just upgraded to v0.14.0 of cargo audit locally using:

    cargo install cargo-audit -f
    

    Subsequently, auditing a crate fails with an underlying git error:

    $ cargo audit
        Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
    error: couldn't fetch advisory database: git operation failed: reference 'refs/heads/main' not found; class=Reference (4); code=NotFound (-3)
    

    This was resolved by clearing out my local copy of the advisory db with:

    rm -rf ~/.cargo/advisory-db
    

    I'm guessing you recently renamed master -> main? I don't think this needs a technical fix, maybe just a clarifying note in the changelog.

    opened by tommilligan 13
  • build(deps): bump atom_syndication from 0.11.0 to 0.12.0

    Bumps atom_syndication from 0.11.0 to 0.12.0.

    Changelog

    Sourced from atom_syndication's changelog.

    0.12.0 - 2022-12-29

    Commits
    • 90bdfa2 Release 0.12.0
    • e134189 Remove unused error case
    • a2f5e15 Switch to Rust 2021 Edition
    • 5cf8d16 Allow to configure emitted XML
    • 3b2ba90 Update tests to cover more cases of text (tags, comments, CDATA)
    • bb9d076 Upgrade quick-xml to 0.27
    • 6fabfb7 Fix CDATA handing in extensions
    • 9e993bb Update README to reflect MSRV
    • 13c701c Upgrade GitHub actions
    • eb33b90 Bump MSRV to 1.42.0
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust 
    opened by dependabot[bot] 0
  • build(deps): bump actions/cache from 3.0.11 to 3.2.1

    Bumps actions/cache from 3.0.11 to 3.2.1.

    Release notes

    Sourced from actions/cache's releases.

    v3.2.1

    What's Changed

    Full Changelog: https://github.com/actions/cache/compare/v3.2.0...v3.2.1

    v3.2.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/cache/compare/v3...v3.2.0

    v3.2.0-beta.1

    What's Changed

    v3.1.0-beta.3

    What's Changed

    • Bug fixes for bsdtar fallback, if gnutar not available, and gzip fallback, if cache saved using old cache action, on windows.

    Full Changelog: https://github.com/actions/cache/compare/v3.1.0-beta.2...v3.1.0-beta.3

    ... (truncated)

    Changelog

    Sourced from actions/cache's changelog.

    3.0.11

    • Update toolkit version to 3.0.5 to include @actions/core@^1.10.0
    • Update @actions/cache to use updated saveState and setOutput functions from @actions/core@^1.10.0

    3.1.0-beta.1

    • Update @actions/cache on windows to use gnu tar and zstd by default and fallback to bsdtar and zstd if gnu tar is not available. (issue)

    3.1.0-beta.2

    • Added support for fallback to gzip to restore old caches on windows.

    3.1.0-beta.3

    • Bug fixes for bsdtar fallback if gnutar not available and gzip fallback if cache saved using old cache action on windows.

    3.2.0-beta.1

    • Added two new actions - restore and save for granular control on cache.

    3.2.0

    • Released the two new actions - restore and save for granular control on cache

    3.2.1

    • Update @actions/cache on windows to use gnu tar and zstd by default and fallback to bsdtar and zstd if gnu tar is not available. (issue)
    • Added support for fallback to gzip to restore old caches on windows.
    • Added logs for cache version in case of a cache miss.
    dependencies github_actions 
    opened by dependabot[bot] 0
  • build(deps): bump cargo-edit from 0.9.1 to 0.11.7

    Bumps cargo-edit from 0.9.1 to 0.11.7.

    Release notes

    Sourced from cargo-edit's releases.

    v0.11.7

    0.11.7 - 2022-12-23

    Fixes

    • Improved build times

    v0.11.6

    0.11.6 - 2022-11-14

    Fixes

    upgrade

    • Ensure precise version setting runs
    • Remove error blocking precise version setting

    v0.11.5

    0.11.5 - 2022-10-09

    v0.11.4

    0.11.4 - 2022-10-06

    Features

    set-version

    • Modify workspace.package.version and all dependents, when needed

    Fixes

    set-version

    • Update versions in workspace.dependencies in virtual workspaces
    • Be more consistent with rest of cargo in output

    v0.11.3

    0.11.3 - 2022-09-28

    Fixes

    • Polished help output

    v0.11.2

    0.11.2 - 2022-09-22

    Features

    upgrade

    • Upgrade workspace.dependencies (new in Rust 1.64)

    v0.11.1

    0.11.1 - 2022-09-16

    ... (truncated)

    Changelog

    Sourced from cargo-edit's changelog.

    0.11.7 - 2022-12-23

    Fixes

    • Improved build times

    0.11.6 - 2022-11-14

    Fixes

    upgrade

    • Ensure precise version setting runs
    • Remove error blocking precise version setting

    0.11.5 - 2022-10-09

    0.11.4 - 2022-10-06

    Features

    set-version

    • Modify workspace.package.version and all dependents, when needed

    Fixes

    set-version

    • Update versions in workspace.dependencies in virtual workspaces
    • Be more consistent with rest of cargo in output

    0.11.3 - 2022-09-28

    Fixes

    • Polished help output

    0.11.2 - 2022-09-22

    Features

    upgrade

    • Upgrade workspace.dependencies (new in Rust 1.64)

    0.11.1 - 2022-09-16

    Fixes

    upgrade

    • Changed --compatible, --incompatible, and --pinned from accepting true|false to allow|ignore (with aliases for compatibility
      • While we are still working out how we want to express these options, this at least removes the confusion over --compatible false looking like it is the same as --incompatible.

    ... (truncated)

    dependencies rust 
    opened by dependabot[bot] 0
  • actions-rs is unmaintained

    To integrate cargo audit into github actions, you officially recommend actions-rs/audit-check.

    Sadly, the entire actions-rs suite seems to be unmaintained since 2020. This is not a problem in general, but right now github will soon stop supporting Node12-based actions and recommends that all actions be updated to Node16. As this won't happen for audit-check, it will soon cease to work.

    I'm not sure how to deal with this problem, I hoped to raise awareness here.

    opened by Finomnis 1
  • Bump abscissa_core from 0.6.0 to 0.7.0

    Bumps abscissa_core from 0.6.0 to 0.7.0.

    Changelog

    Sourced from abscissa_core's changelog.

    [0.7.0] (2022-12-14)

    Changed

    • Update clap to v4; MSRV 1.60 (#779)
    • Use OsString for argument parsing (#791)
    dependencies rust 
    opened by dependabot[bot] 0
  • Add client-side glob expansion on Windows

    I've bumped version to 0.18.0 because this is technically a breaking change - glob paths now have to be escaped on Windows, which wasn't a requirement previously.

    But I'm not very familiar with argument parsing on Windows so I may be mistaken about the impact of this. In which case erring on the side of caution is prudent.

    opened by Shnatsel 0
Releases: cargo-audit/v0.17.4

Owner: RustSec
Security advisory database for Rust crates to crates.io. Maintained by the Rust Secure Code WG