cargo-auditable
crates.io
cargo-auditable | crates.io | |
---|---|---|
23 | 662 | |
553 | 2,802 | |
3.8% | 1.2% | |
7.8 | 10.0 | |
10 days ago | 7 days ago | |
Rust | Rust | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cargo-auditable
-
Rust Offline?
Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.
-
Hey Rustaceans! Got a question? Ask here (15/2023)!
This exists, see cargo auditable.
-
The Rust Implementation Of GNU Coreutils Is Becoming Remarkably Robust
The Rust community seems to have settled on a perfectly reasonable way to address bit-rot in statically linked binaries. https://github.com/rust-secure-code/cargo-auditable
-
Release Engineering Is Exhausting So Here's cargo-dist
Would you be open to integrating cargo auditable into this pipeline in some form? It seems like a great match.
-
Swift Achieved Dynamic Linking Where Rust Couldn't
> and static compilation probably just hides the problem unless security scanners these days can identify statically compiled vulnerable versions of libraries
Some scanners like trivy [1] can scan statically compiled binaries, provided they include dependency version information (I think go does this on its own, for rust there's [2], not sure about other languages).
It also looks into your containers.
The problem is what to do when it finds a vulnerability. In a fat app with dynamic linking you could exchange the offending library, check that this doesn't break anything for your use case, and be on your way. But with static linking you need to compile a new version, or get whoever can build it to compile a new version. Which seems to be a major drawback of discouraging fat apps.
1: https://github.com/aquasecurity/trivy
2: https://github.com/rust-secure-code/cargo-auditable
-
'cargo auditable' can now be used as a drop-in replacement for Cargo
I have investigated a bunch of standardized formats - SPDX, CycloneDX, etc. All of them are unsuitable for a variety of reasons, chief of which are being way too verbose and including timestamps, which would break reproducible builds.
-
sccache now supports GHA as backend
The fix for interoperability with cargo auditable has also shipped in the latest release of sccache. You can use the released sccache now instead of building it from git!
-
`cargo audit` can now scan compiled binaries
I've been working to bring vulnerability scanning to Rust binaries by creating cargo auditable, which embeds the list of dependencies and their versions into the compiled binary. This lets you audit the binary you actually run, instead of the Cargo.lock file in some repo somewhere.
-
Here's how to patch the upcoming OpenSSL vulnerability in Rust
cargo auditable solves this problem by embedding the list of dependencies and their versions into the binaries. But until it becomes part of Cargo and gets enabled by default, static linking will remain problematic.
- Introducing cargo-auditable: audit Rust binaries for known bugs or vulnerabilities in production
crates.io
-
Create a Custom GitHub Action in Rust
Rust has a rich ecosystem of frameworks and libraries that let you read, parse, and manipulate text files, interact with cloud services and databases, and perform any other job that your project's development workflow may require. And because of its strong typing and tight memory management, you are much less likely to write programs that behave unexpectedly in production.
-
Rust Keyword Extraction: Creating the YAKE! algorithm from scratch
All the code discussed in this article can be accessed through this repository. For integration with existing projects consider using keyword_extraction crate available on crates.io.
-
Migrating a JavaScript frontend to Leptos, a Rust framework
So, be sure to double-check your critical libraries and be sure their alternatives exist in the Rust ecosystem. Thereβs a good chance the crates you need are available in Rust's crates.io repository.
-
Learning Rust: A clean start
The previous section was very simple, this section is also very simple but introduces us to cargo which is Rust's package manager, as a JS dev my mind goes straight to NPM.
-
#2 Rust - Cargo Package Manager
Now, there has to be a place where all these packages come from. Similar to npmjs registry, where all node packages are registered, stored and retrieved, Rust also has something called crates.io where many helpful packages and dependencies are registered.
-
Rust π¦ Installation + Hello World
Before proceeding, let's check https://crates.io/, the official Rust package registry.
-
Underestimating rust for my Project.
The most thrilling aspect has been the joy of writing the backend. It's like every struct, enum, and method in Rust forms this interconnected Multiverse of code , which you can see in crates.io which is best Documentation experience I Ever Had.
-
Top 10 Rusty Repositories for you to start your Open Source Journey
5. Crates.io
-
Project Structure Clarification Coming From Python - With Example
When using crates from eg. crates.io, and also things like std and core
-
Cargo has never frustrated me like npm or pip has. Does Cargo ever get frustrating? Does anyone ever find themselves in dependency hell?
Vendoring your packages was very tedious to even remotely get to work with Cargo. I spent a very long time getting Cargo to work together with cargo-local-registry. We vendor crates from crates.io and a custom internal registry.
What are some alternatives?
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
docs.rs - crates.io documentation generator
auto-fuzz-test - Effortlessly fuzz libraries with large API surfaces
plotters - A rust drawing library for high quality data plotting for both WASM and native, statically and realtimely π¦ ππ
cargo-supply-chain - Gather author, contributor and publisher data on crates in your dependency graph.
Cargo - The Rust package manager
eve-rs - A simple, intuitive, express-like HTTP library
trunk - Build, bundle & ship your Rust WASM application to the web.
svntogit-community - Automatic import of svn 'community' repo (read-only mirror)
gtk4-rs - Rust bindings of GTK 4
sandbox - A sand simulation game
Rocket - A web framework for Rust.