RustSec is a community database of security advisories filed against crates published to crates.io. It is maintained by the Rust Secure Code Working Group.

The following security issues have been identified in Rust crates in April 2020:

• rusqlite: Various memory safety issues
• os_str_bytes: Relies on undefined behavior of char::from_u32_unchecked
• flatbuffers: read_scalar and read_scalar_at allow transmuting values without unsafe blocks

You can use cargo-audit to check whether your code depends on vulnerable versions of these crates and upgrade. A GitHub action that files bugs if your code depends on vulnerable crates is also available.

Additionally, we have published security advisories for two crates that intentionally violate Rust's memory safety guarantees: fake-static and plutonium. This has proven to be controversial, so we have retracted the latter advisory for the time being.

We are currently soliciting input on how you would like such issues to be surfaced (if at all). You can find more details and contribute here. We're using Reddit to solicit input because its threaded conversation system enables much more structured discussion than a single forum thread.

(sorry, I'm avoiding reddit)

You can publish a controversial/subjective security opinion using cargo-crev. It has ability to give a negative review and flag it as a security advisory. This makes cargo crev verify work similarly to cargo audit. I'm also surfacing these reviews on lib.rs.

Oh, that's interesting!

How do you discover cargo-crev reviews? There is no centralized repository (somewhat deliberately) so in my experience crev reviews just end up scattered across a gazillion personal git repositories.

You discover through web of trust. You find your friend's reviews, and add them, and this will also fetch reviews from people they know, and friends-of-friends, etc. The tool comes with some defaults to bootstrap, so cargo crev repo fetch all will get you an initial set.

Do you show the WoT that lib.rs uses somewhere? Is it just based on the bootstrap nodes and whoever is accepted into that set?

For now I fetch every crev repo I can find (everyone who's forked the template on github + their WoT). If I find spam/abuse, I'll start limiting it to some curated WoT.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.