I reviewed rust-cargo-auditable 0.7.4-1 as checked into stonking. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
rust-cargo-auditable is a cargo plugin that embeds dependency tree metadata
(JSON, zlib-compressed) into compiled Rust executables via linker sections.
This allows auditing production binaries for known vulnerabilities in their
dependency tree without external bookkeeping. Platform-specific ELF flags are
set (SHF_ALLOC cleared on ELF to prevent the section from being loaded into
memory at runtime - it's only needed at link time). The embedded metadata is
name, version, source (crates.io/registry/git/local), dependency kind
(runtime/build) and transitive dependency indices.
- CVE History
- None found
- Build-Depends
- cargo:native, rustc:native,
libstd-rust-dev, librust-auditable-serde-0.9+default-dev,
librust-cargo-metadata-0.23+default-dev, librust-miniz-oxide+default-dev,
librust-object+write-dev, librust-pico-args-0.5+default-dev,
librust-pico-args-0.5+eq-separator-dev,
librust-pico-args-0.5+short-space-opt-dev,
librust-serde-1+default-dev, librust-serde-json-1+default-dev,
librust-wasm-gen-0.1+default-dev
- All build-deps are Rust crates already in main/universe.
- pre/post inst/rm scripts
- None found
- init scripts
- None found
- systemd units
- None found
- dbus services
- None found
- setuid binaries
- No setuid binaries in the package binary.
- binaries in PATH
- Single binary: `cargo-auditable` installed to `./usr/bin/cargo-auditable`
- sudo fragments
- None found
- polkit files
- None found
- udev rules
- None found
- unit tests / autopkgtests
- Build-time test suite runs via `dh_auto_test`- test failures FTBFS.
- Autopkgtests pass on all supported architectures
- cron jobs
- None found
- Build logs
- No compiler errors. Warnings are all from transitive dependencies
(foldhash, miniz_oxide, hashbrown, zmij, indexmap) using feature-gated cfgs.
- No warnings from the package's own source code.
- Lintian: No errors.
- Processes spawned
- All subprocess spawning uses `Command::new()` with argument vectors (no
shell injection risk). Invoked commands: `cargo`, `rustc`, `cargo metadata`.
- Memory management
- N/A for Rust (managed by ownership/borrowing + allocator).
- Package uses `#![forbid(unsafe_code)]` - no manual memory management.
- File IO
- File paths are determined from trusted Cargo env vars (CARGO_MANIFEST_DIR,
CARGO_SBOM_PATH) and build-time arguments (--out-dir, --crate-name).
- SBOM file is read.
- Object file is written to the build output directory. No umask concerns.
- Logging
- No logging framework used. Errors printed to stderr via `eprintln!()`.
- Environment variable usage
- All env vars sourced from Cargo's documented environment:
CARGO, CARGO_MANIFEST_DIR, CARGO_SBOM_PATH, CARGO_PRIMARY_PACKAGE,
CARGO_AUDITABLE_ORIG_ARGS.
- RUSTC_WORKSPACE_WRAPPER set to this binary's path.
- Use of privileged functions
- No privileged functions used. The package runs as the invoking user.
- Use of cryptography / random number sources etc
- No cryptography, certificates or random number sources used.
- Use of temp files
- No temp files in /tmp. Object file written to build output directory.
- Use of networking
- No network sockets or connections. Only HTTPS URL references to crates.io
(CRATES_IO_INDEX constant) used for source
identification in metadata parsing, not actual network access.
- Use of WebKit
- None.
- Use of PolicyKit
- None.
- Any significant cppcheck results
- N/A (rust codebase)
- Any significant Coverity results
- N/A
- Any significant shellcheck results
- N/A (rust codebase)
- Any significant bandit results
- N/A (rust codebase)
- Any significant govulncheck results
- N/A (rust codebase)
- Any significant Semgrep results
- N/A
This is a clean, well-packaged, low-risk package suitable for main inclusion.
The code is small, auditable and follows rust safety best practices.
The packaging is standard and correct. All static analysis tools returned
clean results.
Security team ACK for promoting rust-cargo-auditable to main.
** Changed in: rust-cargo-auditable (Ubuntu)
Status: New => In Progress
** Changed in: rust-cargo-auditable (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => Sudhakar Verma
(sudhackar)
** Changed in: rust-cargo-auditable (Ubuntu)
Assignee: Sudhakar Verma (sudhackar) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142252
Title:
[MIR] cargo needs cargo-auditable as runtime dependency
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rust-cargo-auditable/+bug/2142252/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs