
Make production Rust binaries auditable

Results: 29 cargo-auditable issues

It would be nice to verify that the recovered information is indeed read correctly by `cargo auditable` and/or the underlying `rustsec` crate, and that it does indeed report vulnerable versions...

tests

There are multiple examples in the docs that are marked ` ```rust,ignore` because they require other crates that are normally not in the dependency tree. We should investigate whether adding...

good first issue

Hi, nice to see all the progress on the "injection" approach. On msys2 I see that ``` cargo build --release --target x86_64-pc-windows-gnu ``` works fine, but ``` cargo auditable build...

bug
help wanted

We use `cargo metadata`, so we are affected by this issue: https://github.com/rust-lang/cargo/issues/7754

bug
third party

Having a rustc wrapper defined (like build caching with `RUSTC_WRAPPER=sccache`) makes build fail: ``` $ export RUSTC_WRAPPER=sccache $ cargo auditable build --release error: failed to run `rustc` to learn about...

bug
third party

As suggested by @pinkforest, it would be great to have a "publish auditable binary" Github action that builds the binaries with `cargo auditable`. Ideally people should be able to use...

enhancement
help wanted

Cargo has [made it possible to depend on the same version of a given crate with different feature sets](https://doc.rust-lang.org/cargo/reference/resolver.html#feature-resolver-version-2), provided that one version is a runtime dependency and another is...

bug
third party

It is technically possible to support WebAssembly, since they do allow custom sections: https://webassembly.github.io/spec/core/appendix/custom.html This may be useful since the overhead of the audit info is just a few kilobytes...

enhancement
help wanted

Right now we have the full extraction pipeline in examples, which is not super complicated but is nevertheless manual. `rust-audit-info` shows how it's all tied together; we should just put...

enhancement

Apparently there are a number of formats designed to encode package info already: https://gitbom.dev/glossary/sbom/ We need to check if any of them are suitable for our use case. Notably we...