Find the ideal fuzz targets in a Rust codebase

Overview

Siderophile

Siderophile finds the "most unsafe" functions in your Rust codebase, so you can fuzz them or refactor them out entirely. It checks the callgraph of each function in the codebase, estimates how many unsafe expressions are called in an evaluation of that function, then produces a list sorted by this value. Here's what Siderophile's output format looks like:

Badness  Function
    092  <myProject::myThing as my_project::myThing>::tempt_fate
    064  <myProject::myOtherThing::whatever as my_project::myThing>::defy_death
    [...]

"Badness" of a function is simply an approximation of how many unsafe expressions are evaluated during an evaluation of that function. For instance, marking unsafe functions with a *, suppose your function f calls functions g* and h. Furthermore, h calls i*. Then the badness of f is 2. Functions with high badness have a lot of opportunities to be memory unsafe.

Installation

Make sure that you have the following requirements:

  • rustup and cargo must be installed and in your PATH
  • LLVM 11 is required. Older versions such as LLVM 8, 9 or 10 may work (see https://crates.io/crates/llvm-ir) but require changing the llvm-ir package's feature flags in Cargo.toml before compiling Siderophile.

Then, run cargo build --release, and you'll have a Siderophile binary :)

How to use

Make sure that you followed the above steps, then do the following:

  1. cd to the root directory of the crate you want to analyze

  2. Run SIDEROPHILE_LOCATION/target/release/siderophile --crate-name CRATENAME, where CRATENAME is the name of the crate you want to analyze, and SIDEROPHILE_LOCATION is the location where you put the siderophile code (you know, normal running-rust-binary stuff).

Functions are written to stdout, ordered by their badness.

How it works

Siderophile extends cargo-geiger, whose goal is to find unsafety at the crate-level.

First, the callgraph is created by having cargo emit the crate's LLVM bitcode, parsing that bitcode to produce a callgraph, and demangling the symbol names into paths that can be matched against the source code.

Next, siderophile finds all the sources of the current crate (including its dependencies), finds every Rust file in those sources, and parses each file individually using the syn crate. Each file is recursively combed through for unsafety occurring in functions, trait declarations, trait implementations, and submodules. siderophile outputs the path of each such item, along with an indication of what kind of syntactic block it was found in. The list produced by this step contains every unsafe block in every dependency of the crate, regardless of whether it's used. To narrow this down, we need to compare siderophile's list to the nodes in the crate's callgraph.

Using the callgraph produced in the first step, we check which elements from the siderophile output are actually executed from the crate in question. This step (implemented in src/callgraph_matching) is not guaranteed to find everything, but it has shown good results when compared against manual search. It is also not immune to false positives, although none have been found yet. The labels of the nodes that are found to be unsafe are used as input for the final step.

The final step is to trace these unsafe nodes through the callgraph. For each node in the list, siderophile finds every upstream node (every transitive caller) in the callgraph and increments its badness by one, indicating that it uses unsafety at some point in its execution. At the end of this process, all nodes with nonzero badness are printed, sorted in descending order by badness.
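To make the badness propagation concrete, here is an added example (not Siderophile's own code) that builds a small constructed callgraph, tags g and i as unsafe as in the f/g*/h/i* example above, and walks upstream over the reversed graph. Two things are assumptions of this example rather than statements from the README: the unsafe function itself also receives a point (so a function that contains unsafe has badness at least 1), and a visited set per unsafe source makes the walk terminate on recursive call cycles, which the second constructed graph exercises.

```rust
use std::collections::{BTreeMap, HashMap, HashSet, VecDeque};

/// Caller -> callees. Constructed for this example; a real run would build it
/// from the crate's LLVM bitcode.
pub type CallGraph = HashMap<&'static str, Vec<&'static str>>;

/// Invert the graph to callee -> callers so we can walk "upstream".
fn reverse(graph: &CallGraph) -> HashMap<&'static str, Vec<&'static str>> {
    let mut rev: HashMap<&'static str, Vec<&'static str>> = HashMap::new();
    for (&caller, callees) in graph {
        rev.entry(caller).or_default(); // leaf callers still need an entry
        for &callee in callees {
            rev.entry(callee).or_default().push(caller);
        }
    }
    rev
}

/// For every function tagged as containing unsafe, add one to that function
/// (assumption: it counts as its own caller) and to every transitive caller.
/// The `seen` set makes this terminate on recursive call cycles.
pub fn badness(graph: &CallGraph, unsafe_fns: &[&'static str]) -> BTreeMap<&'static str, u32> {
    let rev = reverse(graph);
    let mut score: BTreeMap<&'static str, u32> = BTreeMap::new();
    for &start in unsafe_fns {
        let mut seen: HashSet<&'static str> = HashSet::new();
        let mut queue: VecDeque<&'static str> = VecDeque::from([start]);
        while let Some(node) = queue.pop_front() {
            if !seen.insert(node) {
                continue; // already credited for this unsafe source
            }
            *score.entry(node).or_insert(0) += 1;
            if let Some(callers) = rev.get(node) {
                queue.extend(callers.iter().copied());
            }
        }
    }
    score
}

/// Rank like Siderophile's table: highest badness first, name as tie-breaker.
pub fn ranked(score: &BTreeMap<&'static str, u32>) -> Vec<(&'static str, u32)> {
    let mut rows: Vec<(&'static str, u32)> = score.iter().map(|(&f, &b)| (f, b)).collect();
    rows.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(b.0)));
    rows
}

/// The README's example: f calls g* and h; h calls i*.
pub fn readme_graph() -> (CallGraph, Vec<&'static str>) {
    let graph = HashMap::from([
        ("f", vec!["g", "h"]),
        ("h", vec!["i"]),
        ("g", vec![]),
        ("i", vec![]),
    ]);
    (graph, vec!["g", "i"])
}

/// Constructed edge case: a and b call each other (recursion) and b calls c*.
pub fn recursive_graph() -> (CallGraph, Vec<&'static str>) {
    let graph = HashMap::from([
        ("a", vec!["b"]),
        ("b", vec!["a", "c"]),
        ("c", vec![]),
    ]);
    (graph, vec!["c"])
}

fn main() {
    let (graph, unsafe_fns) = readme_graph();
    println!("Badness  Function");
    for (name, b) in ranked(&badness(&graph, &unsafe_fns)) {
        println!("    {:03}  {}", b, name);
    }
}
```

Running it prints f with badness 2 and g, h and i with badness 1, matching the README's arithmetic. Each unsafe source contributes at most one point to any caller, so a function reached through several paths from the same unsafe block is not double-counted; two distinct unsafe blocks do add up, which is exactly why f scores 2.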

Limitations

Siderophile is not guaranteed to catch all the unsafety in a crate's dependencies. Since things are only tagged at the source level, it cannot inspect macro expansions or resolve dynamically dispatched methods. Accordingly, this tool should not be used to "prove" that a crate uses no unsafety.

Debugging

To get debugging output from siderophile, set the RUST_LOG environment variable to siderophile=XXX where XXX can be info, debug, or trace.

Thanks

To cargo-geiger and rust-praezi for current best practices. This project is mostly due to their work.

License

Siderophile is licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.

Comments
  • Integration with cargo-audit/RustSec?

    Integration with cargo-audit/RustSec?

    cargo-audit is a utility which compares dependencies in Cargo.lock against the RustSec Advisory Database. I've opened an issue proposing a potential integration with Siderophile here:

    https://github.com/RustSec/cargo-audit/issues/89

    Recently we published an advisory for a high severity but low exploitability vulnerability to the database, which resulted in false positive alerts for many users. The issue linked above goes into details about why this is an interesting case of where a call graph analysis would've helped.

    We've done some work on collecting paths to affected vulnerabilities already to support this kind of analysis, and have the ability to collect this sort of information in advisories. Here's an example:

    https://github.com/RustSec/advisory-db/blob/a8e2ec8/crates/safe-transmute/RUSTSEC-2018-0013.toml#L21

    [affected_paths]
    ">= 0.4.0, <= 0.10.0"  = ["safe_transmute::guarded_transmute_vec_permissive"]
    "= 0.10.0"             = ["safe_transmute::guarded_transmute_to_bytes_vec"]
    

    (sidebar: looking at that again, it feels like we should swap these so the path is on the left and the impacted versions are on the right)

    What we need out of a call graph analysis tool is something that can both compute the call graph for --all-features, and then a way of testing if particular paths exist in the call graph. Compared to what Siderophile already does, this seems fairly simple.

    If this sounds like a good idea, I'm curious what you think the best way to integrate cargo-audit and Siderophile would be. Should we invoke it as a subprocess, or is there a way to use it as a library/crate dependency? Is there a particular crate we can use that provides the call graph analysis functionality in isolation?

    opened by tarcieri 14
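A reachability check of the kind the issue above asks for, as an added example that is not part of the issue or of either project's code: given a callgraph (constructed here; in practice it would come from the bitcode analysis described in the README) and the two affected paths from the quoted advisory fragment, it returns a witness call chain when an affected path is reachable from the crate's entry point and nothing when it is not. The crate name myapp, the function names under it and the dead helper are all constructed; version-range matching against Cargo.lock is assumed to have been done already, so only the paths are checked.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Caller -> callees. Constructed sample for the crate being audited.
pub type CallGraph = HashMap<&'static str, Vec<&'static str>>;

/// Breadth-first search from `entry` to `target`. Returns the shortest call
/// chain entry -> ... -> target, or None when target is unreachable.
pub fn call_chain(graph: &CallGraph, entry: &'static str, target: &'static str) -> Option<Vec<&'static str>> {
    let mut parent: HashMap<&'static str, &'static str> = HashMap::new();
    let mut seen: HashSet<&'static str> = HashSet::from([entry]);
    let mut queue: VecDeque<&'static str> = VecDeque::from([entry]);
    while let Some(node) = queue.pop_front() {
        if node == target {
            // Rebuild the chain by following parent links back to the entry.
            let mut chain = vec![node];
            let mut cur = node;
            while let Some(&p) = parent.get(cur) {
                chain.push(p);
                cur = p;
            }
            chain.reverse();
            return Some(chain);
        }
        if let Some(callees) = graph.get(node) {
            for &callee in callees {
                if seen.insert(callee) {
                    parent.insert(callee, node);
                    queue.push_back(callee);
                }
            }
        }
    }
    None
}

/// Witness chains for every affected path reachable from any entry point.
/// An empty result means the advisory does not apply to this crate's code
/// paths even though the vulnerable version is in Cargo.lock.
pub fn reachable_affected(graph: &CallGraph, entries: &[&'static str], affected: &[&'static str]) -> Vec<Vec<&'static str>> {
    let mut hits = Vec::new();
    for &entry in entries {
        for &path in affected {
            if let Some(chain) = call_chain(graph, entry, path) {
                hits.push(chain);
            }
        }
    }
    hits
}

/// Affected paths, taken from the advisory fragment quoted in the issue.
pub fn affected_paths() -> Vec<&'static str> {
    vec![
        "safe_transmute::guarded_transmute_vec_permissive",
        "safe_transmute::guarded_transmute_to_bytes_vec",
    ]
}

/// Constructed callgraph: main reaches to_bytes_vec through load, while
/// vec_permissive is only referenced from a helper that nothing calls.
pub fn sample_graph() -> CallGraph {
    HashMap::from([
        ("myapp::main", vec!["myapp::load", "myapp::report"]),
        ("myapp::load", vec!["safe_transmute::guarded_transmute_to_bytes_vec"]),
        ("myapp::report", vec![]),
        ("myapp::dead_helper", vec!["safe_transmute::guarded_transmute_vec_permissive"]),
    ])
}

fn main() {
    let graph = sample_graph();
    let hits = reachable_affected(&graph, &["myapp::main"], &affected_paths());
    if hits.is_empty() {
        println!("advisory not reachable from myapp::main");
    }
    for chain in hits {
        println!("reachable: {}", chain.join(" -> "));
    }
}
```

The witness chain is what makes the result actionable for a user: an alert that says "myapp::main -> myapp::load -> safe_transmute::guarded_transmute_to_bytes_vec" tells them where to look, and an empty result on a crate that only has the permissive variant linked in but never called is precisely the false positive the issue wants to avoid. Because `affected_paths` lists both functions, the check only reports the one actually reachable.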
  • Bump cargo from 0.61.0 to 0.63.1

    Bump cargo from 0.61.0 to 0.63.1

    Bumps cargo from 0.61.0 to 0.63.1.

    Commits
    • d39343d Auto merge of #10806 - ehuss:bump-cargo-util-stable-1.62, r=joshtriplett
    • 20e282b Auto merge of #10785 - ehuss:fix-dead_code-diag, r=Eh2406
    • 6dedcf8 Ignore invalid_target_empty test.
    • 524745d Bump cargo-util version.
    • a748cf5 Auto merge of #10737 - ehuss:revert-num-cpus, r=weihanglo
    • 0cfdbc0 [beta] Revert #10427: switch from num_cpus
    • 4751950 Auto merge of #10707 - ehuss:beta-backport, r=weihanglo
    • 735f2c8 Auto merge of #10677 - likzn:fix_publish_p, r=ehuss
    • 3f052d8 Auto merge of #10659 - Muscraft:prestabilization-inheritance-docs, r=epage
    • 6892cc3 pre-stabilization documentation for workspace inheritance
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 7
  • Bump syn from 1.0.99 to 1.0.100

    Bump syn from 1.0.99 to 1.0.100

    Bumps syn from 1.0.99 to 1.0.100.

    Release notes

    Sourced from syn's releases.

    1.0.100

    Commits
    • 3d01fc3 Release 1.0.100
    • 308d77b Merge pull request #1218 from dtolnay/variadiccomma
    • 9b589ba Fix printing of variadic extern fn with trailing comma
    • 42e9942 Allow multiple parenthesized path argument segments in the same path
    • ba6cd8e Merge pull request #1217 from dtolnay/typepathfnwithcoloncolon
    • 194c3d4 Insane syntax on feature="full" only
    • 6e09f2d Parse associated type on path with parenthesized generic arguments
    • 15c0075 Skip traversing into const params for precedence test
    • e3d6e7b Reorder GenericArgument::Const next to Type
    • be1b758 Merge pull request #1216 from dtolnay/anglebracketedorder
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 6
  • Bump syn from 1.0.88 to 1.0.89

    Bump syn from 1.0.88 to 1.0.89

    Bumps syn from 1.0.88 to 1.0.89.

    Release notes

    Sourced from syn's releases.

    1.0.89

    • Remove support for inner attributes on non-block expressions (#1146, rust-lang/rust#83312)
    • Fix panic on comma after mut self in a bare fn type (#1148)
    Commits
    • 8d4eb4c Release 1.0.89
    • 6daa474 Merge pull request #1148 from dtolnay/fnmutself
    • 4a3a83d Fix panic on comma after 'mut self' in bare fn type
    • 99510ff Add test of trailing comma after mut self
    • 9a66997 Update test suite to nightly-2022-03-16
    • be3238b Merge pull request #1146 from dtolnay/innerattr
    • fe5508b Remove support for inner attributes on non-block expressions
    • 1da3551 Revert "Parse inner attrs on structs, enums, unions, variants"
    • See full diff in compare view

    Dependabot will merge this PR once CI passes on it, as requested by @smoelius.
    dependencies 
    opened by dependabot[bot] 6
  • Bump syn from 1.0.87 to 1.0.88

    Bump syn from 1.0.87 to 1.0.88

    Bumps syn from 1.0.87 to 1.0.88.

    Release notes

    Sourced from syn's releases.

    1.0.88

    • Parse .. pattern in pattern of let (#1136)
    • Parse for<…> lifetime introducer on closures (#1135)
    • Reject postfix operators after cast (#1117)
    • Implement extra-traits for Nothing (#1144)
    Commits
    • fcaca36 Release 1.0.88
    • 531c56f Merge pull request #1144 from dtolnay/nothingtraits
    • f21ce8a Implement extra-traits for syn::parse::Nothing
    • 3f0cfc1 Merge pull request #1142 from dtolnay/castsuffix
    • 15ea927 Reject postfix operators after cast
    • 097b3a2 Add cast tests that should fail to parse
    • fd6f0bf Merge pull request #1141 from dtolnay/forclosure
    • c1ef9ed Parse for<…> lifetime introducer on closures
    • 5d1cd93 Merge pull request #1140 from dtolnay/letdotdot
    • c708999 Parse .. pattern in pattern of let
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 6
  • Bump cargo from 0.57.0 to 0.58.0

    Bump cargo from 0.57.0 to 0.58.0

    Bumps cargo from 0.57.0 to 0.58.0.

    Commits
    • b2e52d7 Auto merge of #9988 - ehuss:beta-git-fetch-force, r=alexcrichton
    • ffa597e Auto merge of #9979 - ehuss:git-fetch-force, r=alexcrichton
    • c7957a7 Auto merge of #9968 - ehuss:verbose-version, r=alexcrichton,Eh2406
    • 9f5da7c Add --verbose to bug report template.
    • 5a8be7b Add os to verbose version string.
    • c5318a1 Add some more information to verbose version.
    • dea587a Auto merge of #9938 - weihanglo:issue-9857, r=ehuss
    • ec38c84 Auto merge of #9943 - ehuss:stabilize-named-profiles, r=alexcrichton
    • 42035c7 Auto merge of #9963 - ehuss:update-git2, r=alexcrichton
    • ed2bfc2 Update git2
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 6
  • Bump quote from 1.0.18 to 1.0.21

    Bump quote from 1.0.18 to 1.0.21

    Bumps quote from 1.0.18 to 1.0.21.

    Release notes

    Sourced from quote's releases.

    1.0.21

    • Add keywords to crates.io metadata

    1.0.20

    • Remove workaround for dealing with invalid spans on new enough compilers (#224, thanks @mystor)
    • Use Ident::new_raw to quote raw identifiers (#225, thanks @mystor)

    1.0.19

    • Improve the way rustc's -Zunpretty=expanded renders quote's expanded code (#221)
    Commits
    • 34d94b4 Release 1.0.21
    • 20a59fd Update keywords in crates.io metadata
    • ae25ab6 Change std imports to core where possible
    • fa923c4 Sort package entries in Cargo.toml
    • d196f95 Update ui test suite to nightly-2022-07-28
    • 29cc169 Update ui test suite to nightly-2022-07-20
    • 164493f Update ui test suite to nightly-2022-07-10
    • d84bcc3 Update ui test suite to nightly-2022-07-02
    • 8cf6d7b Use dtolnay/rust-toolchain's miri toolchain
    • 2a6da9b Update ui test suite to nightly-2022-06-26
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 4
  • Bump structopt from 0.3.12 to 0.3.15

    Bump structopt from 0.3.12 to 0.3.15

    Bumps structopt from 0.3.12 to 0.3.15.

    Changelog

    Sourced from structopt's changelog.

    v0.3.15 (2020-06-16)

    v0.3.14 (2020-04-22)

    • Minor documentation improvements.

    v0.3.13 (2020-04-9)

    • Bump proc-macro-error to 1.0.
    Commits
    • b1174e5 v0.3.15
    • 7e431cb Flattening a subcommand now panics with a meaningful error message
    • caa1455 Merge pull request #400 from TeXitoi/fix/matches-span
    • 83894e2 Some tweaks
    • 0a6bc51 Use proper span when generating matches token
    • f84e751 Remove unnecessary braces
    • 2b2d941 Fix first doc example for a practical one
    • 891b25a Update ui test to latest stable
    • 4759d50 Fix license in Cargo.toml
    • 203c6bc v0.3.14
    • Additional commits viewable in compare view


    Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

    You can always request more updates by clicking Bump now in your Dependabot dashboard.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
    dependencies 
    opened by dependabot-preview[bot] 4
  • Issue with rust-toolchain file

    Issue with rust-toolchain file

    My project has a rust-toolchain file in its root for a nightly toolchain, but ./setup.sh simply calls "cargo", so it built with a different version than my project. This led to the following error when running analyze.sh.

    $ ~/src/siderophile/analyze.sh myapp
    trawling source code of dependencies for unsafety
       Compiling libc v0.2.60
    
    ...
    
    
    error[E0514]: found crate `cached` compiled by an incompatible version of rustc myapp                                   
      --> src/lib.rs:15:1
       |
    15 | extern crate cached;
       | ^^^^^^^^^^^^^^^^^^^^
       |
       = help: please recompile that crate using this compiler (rustc 1.37.0-nightly (8aa42ed7c 2019-06-24))
       = note: the following crate versions were found:
               crate `cached` compiled by rustc 1.36.0 (a53f9df32 2019-07-03): ~/src/myapp/target/debug/deps/libcached-b5e2b19b56d13d52.rmeta
    
    error: aborting due to previous error
    
    thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Cargo("Could not compile `myapp`.")', src/libcore/result.rs:1051:5
    stack backtrace:
       0: std::panicking::default_hook::{{closure}}
       1: std::panicking::default_hook
       2: std::panicking::rust_panic_with_hook
       3: std::panicking::continue_panic_fmt
       4: rust_begin_unwind
       5: core::panicking::panic_fmt
       6: core::result::unwrap_failed
       7: siderophile::main
       8: std::rt::lang_start::{{closure}}
       9: std::panicking::try::do_call
      10: __rust_maybe_catch_panic
      11: std::rt::lang_start_internal
      12: main
    

    To fix this problem, I had to build and run siderophile with the correct toolchain selected.

    $ cd ~/src/siderophile
    $ RUSTUP_TOOLCHAIN=$(cat ~/src/myapp/rust-toolchain) cargo build --release
    
    $ cd ~/src/myapp
    $ RUSTUP_TOOLCHAIN=$(cat rust-toolchain) ~/src/siderophile/analyze.sh myapp
    
    trawling source code of dependencies for unsafety
       Compiling libc v0.2.60
    ...
    generating LLVM bitcode for the callgraph
    ...
    

    A note about this should probably be added to the readme.

    bug 
    opened by WyseNynja 4
  • Bump env_logger from 0.9.0 to 0.9.1

    Bump env_logger from 0.9.0 to 0.9.1

    Bumps env_logger from 0.9.0 to 0.9.1.

    dependencies 
    opened by dependabot[bot] 3
  • Bump crossbeam-utils from 0.8.5 to 0.8.8

    Bump crossbeam-utils from 0.8.5 to 0.8.8

    Bumps crossbeam-utils from 0.8.5 to 0.8.8.

    Release notes

    Sourced from crossbeam-utils's releases.

    crossbeam-utils 0.8.8

    • Fix a bug when unstable loom support is enabled. (#787)

    crossbeam-utils 0.8.7

    • Add AtomicCell<{i*,u*}>::{fetch_max,fetch_min}. (#785)
    • Add AtomicCell<{i*,u*,bool}>::fetch_nand. (#785)
    • Fix unsoundness of AtomicCell<{i,u}64> arithmetics on 32-bit targets that support Atomic{I,U}64 (#781)

    crossbeam-utils 0.8.6

    • Re-add AtomicCell<{i,u}64>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1 on targets that do not support Atomic{I,U}64. (#767)
    • Re-add AtomicCell<{i,u}128>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1. (#767)

    Dependabot will merge this PR once CI passes on it, as requested by @smoelius.
    dependencies 
    opened by dependabot[bot] 3
  • Bump syn from 1.0.103 to 1.0.107

    Bump syn from 1.0.103 to 1.0.107

    Bumps syn from 1.0.103 to 1.0.107.

    Release notes

    Sourced from syn's releases.

    1.0.106

    • Documentation improvements

    1.0.105

    • Improve parse errors related to dyn and impl type syntax (#1245)

    1.0.104

    • Add PathArguments::is_none()
    dependencies rust 
    opened by dependabot[bot] 0
  • Bump anyhow from 1.0.66 to 1.0.68

    Bump anyhow from 1.0.66 to 1.0.68

    Bumps anyhow from 1.0.66 to 1.0.68.

    Release notes

    Sourced from anyhow's releases.

    1.0.67

    • Improve the backtrace captured when context() is used on an Option (#280)
    Commits
    • 867763b Release 1.0.68
    • c0a87d0 Opt out -Zrustdoc-scrape-examples on docs.rs
    • 1cc707b Release 1.0.67
    • 613b261 Update build status badge
    • 0f922d7 Disable backtrace CI on Rust 1.50
    • acecd9b Update ui test suite to nightly-2022-12-15
    • 0bac51f Time out workflows after 45 minutes
    • 60e8800 Fix renamed let_underscore_drop lint
    • 8d1c734 Update ui test suite to nightly-2022-11-16
    • 451651b Update ui test suite to nightly-2022-11-11
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    dependencies rust 
    opened by dependabot[bot] 0
  • Bump quote from 1.0.21 to 1.0.23

    Bump quote from 1.0.21 to 1.0.23

    Bumps quote from 1.0.21 to 1.0.23.

    Release notes

    Sourced from quote's releases.

    1.0.22

    • Documentation improvements
    Commits
    • 550af67 Release 1.0.23
    • b0337d0 Opt out -Zrustdoc-scrape-examples on docs.rs
    • 2386c5a Release 1.0.22
    • ead304a Update build status badge
    • 51d3bd2 Update ui test suite to nightly-2022-12-15
    • 2922a8e Time out workflows after 45 minutes
    • 6f42f3c Fix renamed let_underscore_drop lint
    • b2e30cc MIT copyright line
    • efc9b69 Ui test changes for trybuild 1.0.66
    • 1e2b198 Raise minimum tested toolchain to rust 1.56
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    dependencies rust 
    opened by dependabot[bot] 0
  • Bump cargo from 0.66.0 to 0.67.0

    Bump cargo from 0.66.0 to 0.67.0

    Bumps cargo from 0.66.0 to 0.67.0.

    Commits
    • d65d197 Auto merge of #11381 - ehuss:beta-fix-safe-directory, r=weihanglo
    • 4d1d2b2 Auto merge of #11335 - ehuss:space-test, r=epage
    • e3daada Auto merge of #11332 - weihanglo:fix-semver-check, r=Muscraft
    • 6774bc1 Auto merge of #11366 - ehuss:fix-safe-directory, r=epage
    • 7e484fc Auto merge of #11062 - epage:wait, r=weihanglo
    • 1985caf Auto merge of #11292 - arlosi:compression, r=epage
    • 1c1e9a6 Auto merge of #11294 - ehuss:highfive-docs, r=weihanglo
    • cf38262 Update contrib docs for highfive transition
    • 1cb94b0 Auto merge of #11293 - ehuss:highfive-triagebot, r=Mark-Simulacrum
    • 1945b44 Auto merge of #11287 - Rageking8:fix-dupe-word-typos, r=weihanglo
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    dependencies rust 
    opened by dependabot[bot] 0
  • Bump actions/checkout from 2 to 3

    Bump actions/checkout from 2 to 3

    Bumps actions/checkout from 2 to 3.

    Release notes

    Sourced from actions/checkout's releases.

    v3.0.0

    • Updated to the node16 runtime by default
      • This requires a minimum Actions Runner version of v2.285.0 to run, which is by default available in GHES 3.4 or later.

    v2.5.0

    What's Changed

    Full Changelog: https://github.com/actions/checkout/compare/v2...v2.5.0

    v2.4.2

    What's Changed

    Full Changelog: https://github.com/actions/checkout/compare/v2...v2.4.2

    v2.4.1

    • Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory

    v2.4.0

    • Convert SSH URLs like org-<ORG_ID>@github.com: to https://github.com/ - pr

    v2.3.5

    Update dependencies

    v2.3.4

    v2.3.3

    v2.3.2

    Add Third Party License Information to Dist Files

    v2.3.1

    Fix default branch resolution for .wiki and when using SSH

    v2.3.0

    Fallback to the default branch

    v2.2.0

    Fetch all history for all tags and branches when fetch-depth=0

    v2.1.1

    Changes to support GHES (here and here)

    ... (truncated)

    Changelog

    Sourced from actions/checkout's changelog.

    Changelog

    v3.1.0

    v3.0.2

    v3.0.1

    v3.0.0

    v2.3.1

    v2.3.0

    v2.2.0

    v2.1.1

    • Changes to support GHES (here and here)

    v2.1.0

    v2.0.0

    You can trigger a rebase of this PR by commenting @dependabot rebase.


    dependencies github_actions 
    opened by dependabot[bot] 0
Releases (v0.2.1)
  • v0.2.1 (Sep 22, 2022)

  • v0.2.0 (Sep 22, 2022)

    What's Changed

    • Bump quote from 1.0.10 to 1.0.14 by @dependabot in https://github.com/trailofbits/siderophile/pull/160
    • Bump cargo from 0.58.0 to 0.59.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/161
    • Bump tempfile from 3.2.0 to 3.3.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/162
    • Bump anyhow from 1.0.51 to 1.0.52 by @dependabot in https://github.com/trailofbits/siderophile/pull/163
    • Bump syn from 1.0.82 to 1.0.85 by @dependabot in https://github.com/trailofbits/siderophile/pull/164
    • Bump structopt from 0.3.25 to 0.3.26 by @dependabot in https://github.com/trailofbits/siderophile/pull/165
    • Bump syn from 1.0.85 to 1.0.86 by @dependabot in https://github.com/trailofbits/siderophile/pull/166
    • Bump quote from 1.0.14 to 1.0.15 by @dependabot in https://github.com/trailofbits/siderophile/pull/168
    • Bump anyhow from 1.0.52 to 1.0.53 by @dependabot in https://github.com/trailofbits/siderophile/pull/167
    • Bump anyhow from 1.0.53 to 1.0.54 by @dependabot in https://github.com/trailofbits/siderophile/pull/169
    • Bump anyhow from 1.0.54 to 1.0.55 by @dependabot in https://github.com/trailofbits/siderophile/pull/170
    • Bump cargo from 0.59.0 to 0.60.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/172
    • Bump anyhow from 1.0.55 to 1.0.56 by @dependabot in https://github.com/trailofbits/siderophile/pull/173
    • Bump regex from 1.5.4 to 1.5.5 by @dependabot in https://github.com/trailofbits/siderophile/pull/174
    • Bump syn from 1.0.86 to 1.0.87 by @dependabot in https://github.com/trailofbits/siderophile/pull/175
    • Bump syn from 1.0.87 to 1.0.88 by @dependabot in https://github.com/trailofbits/siderophile/pull/176
    • Bump syn from 1.0.88 to 1.0.89 by @dependabot in https://github.com/trailofbits/siderophile/pull/177
    • Bump quote from 1.0.15 to 1.0.16 by @dependabot in https://github.com/trailofbits/siderophile/pull/178
    • Bump log from 0.4.14 to 0.4.15 by @dependabot in https://github.com/trailofbits/siderophile/pull/179
    • Bump log from 0.4.15 to 0.4.16 by @dependabot in https://github.com/trailofbits/siderophile/pull/180
    • Bump quote from 1.0.16 to 1.0.17 by @dependabot in https://github.com/trailofbits/siderophile/pull/181
    • Bump syn from 1.0.89 to 1.0.91 by @dependabot in https://github.com/trailofbits/siderophile/pull/183
    • Bump cargo from 0.60.0 to 0.61.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/184
    • Bump quote from 1.0.17 to 1.0.18 by @dependabot in https://github.com/trailofbits/siderophile/pull/185
    • Cargo: bump llvm-ir by @woodruffw in https://github.com/trailofbits/siderophile/pull/211
    • Bump syn from 1.0.99 to 1.0.100 by @dependabot in https://github.com/trailofbits/siderophile/pull/213
    • Bump env_logger from 0.9.0 to 0.9.1 by @dependabot in https://github.com/trailofbits/siderophile/pull/212
    • Bump cargo from 0.61.0 to 0.63.1 by @dependabot in https://github.com/trailofbits/siderophile/pull/200
    • Bump cargo-util from 0.1.2 to 0.2.1 by @dependabot in https://github.com/trailofbits/siderophile/pull/206
    • Bump cargo from 0.63.1 to 0.64.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/214

    Full Changelog: https://github.com/trailofbits/siderophile/compare/v0.1.4...v0.2.0

Owner
Trail of Bits
More code: binary lifters @lifting-bits, blockchain @crytic
Trail of Bits
A cryptographically verifiable code review system for the cargo (Rust) package manager.

image credit cargo-crev A cryptographically verifiable code review system for the cargo (Rust) package manager. Introduction Crev is a language and ec

crev - Code REView system 1.8k Jan 5, 2023
Rust Memory Safety & Undefined Behavior Detection

Rudra is a static analyzer to detect common undefined behaviors in Rust programs. It is capable of analyzing single Rust packages as well as all the packages on crates.io.

gts3.org (SSLab@Gatech) 1.2k Dec 31, 2022
loc is a tool for counting lines of code. It's a rust implementation of cloc, but it's more than 100x faster.

2019-10-07: I really haven't been on top of accepting pull requests or looking at issues, you guys should definitely look at SCC. It's faster and more

cgag 2.1k Jan 2, 2023
Find the ideal fuzz targets in a Rust codebase

Siderophile Siderophile finds the "most unsafe" functions in your Rust codebase, so you can fuzz them or refactor them out entirely. It checks the cal

Trail of Bits 162 Dec 23, 2022
A pretty, sensible logger for Rust - ideal for running examples and tests on a crate of choice

sensible-env-logger A pretty, sensible logger for Rust - ideal for running examples and tests on a crate of choice. This is a thin wrapper around pret

Ritvik Nag 3 Aug 9, 2022
An uncluttered blackboard, ideal for simple sketches during online meetings

lavagna It's a blackboard, not a lasagna. Lavagna is a "no frills" blackboard, ideal for simple sketches during online meetings. You have just a black

Alessandro Pezzato 6 Dec 15, 2022
A fast Rust-based, safe and thread-friendly grammar-based fuzz generator

Intro fzero is a grammar-based fuzzer that generates a Rust application inspired by the paper "Building Fast Fuzzers" by Rahul Gopinath and Andreas Ze

null 203 Nov 9, 2022
An example fuzzer showing how to fuzz a JS engine by combining Nautilus with token-level fuzzing

LibAFL QuickJS Fuzzing Example An example fuzzer showing how to fuzz a JS engine by combining Nautilus with token-level fuzzing. Prepare Make sure to have

Andrea Fioraldi 32 Dec 21, 2022
A fuzzer setup to fuzz libc functions.

libc-fuzzer This does what it sounds like! It attempts to, as automatically as possible, generate and run fuzzers for up to the entire set of libc (in

null 9 Nov 30, 2022
An unofficial client library for the fuzz-introspector API.

fuzz-introspector-client An unofficial client library for the fuzz-introspector API. Quickstart Add package as a dependency; cargo add fuzz-introspect

Nathaniel Brough 4 Nov 25, 2023
fd is a program to find entries in your filesystem. It is a simple, fast and user-friendly alternative to find

fd is a program to find entries in your filesystem. It is a simple, fast and user-friendly alternative to find. While it does not aim to support all of find's powerful functionality, it provides sensible (opinionated) defaults for a majority of use cases.

David Peter 25.9k Jan 9, 2023
fas stands for Find all stuff and it's a go app that simplifies the find command and allows you to easily search for everything you need

fas fas stands for Find all stuff and it's a rust app that simplifies the find command and allows you to easily search for everything you need. Note: current

M4jrT0m 1 Dec 24, 2021
An ultra-fast CLI app that fixes JSON files in large codebase or folders

minosse An ultra fast CLI app that fixes json files in large codebase or folders USAGE: minosse [OPTIONS] <input-dir> FLAGS: -h, --help Prints

Antonino Bertulla 5 Oct 17, 2022
Codemod - Codemod is a tool/library to assist you with large-scale codebase refactors that can be partially automated but still require human oversight and occasional intervention

Codemod - Codemod is a tool/library to assist you with large-scale codebase refactors that can be partially automated but still require human oversight and occasional intervention. Codemod was developed at Facebook and released as open source.

Meta Archive 4k Dec 29, 2022
Format codebase in documentation 🦤

Gelatyx Format codebase in documentation 🦤 Features Format language code block inside documentation files Check mode. Ask Gelatyx is the documentatio

azzamsa 3 Oct 24, 2022
Ethereum transaction simulator leveraging Foundry's codebase

Enso Transaction Simulator A simple API which simulates a given transaction request. API POST /api/v1/simulate Simulates a single transact

null 162 Jun 4, 2023
Local-first high performance codebase index engine designed for AI

CodeIndex CodeIndex is a local-first high performance codebase index engine designed for AI. It helps your LLM understand the structure and semantics

Jipiti AI 9 Aug 30, 2023
Sensorial System's Stable Diffusion codebase

Stable Diffusion XL LoRA Trainer Welcome to the official codebase for the Sensorial System's Stable Diffusion projects. For now, this only hosts the c

null 8 Mar 2, 2024
A working example of multi-target compilation for Rust using GitHub Actions.

A working example of multi-target compilation for Rust using GitHub Actions. Supports Windows, MacOSX, x86_64, ARM and Raspberry PI Linux.

Nicolas Vanhoren 41 Dec 17, 2022