cargo-auditable
wasm-bindgen
| | cargo-auditable | wasm-bindgen |
|---|---|---|
| | 23 | 44 |
| Stars | 553 | 7,302 |
| Growth | 3.8% | 1.2% |
| Activity | 7.8 | 9.1 |
| | 10 days ago | about 6 hours ago |
| Language | Rust | Rust |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cargo-auditable
-
Rust Offline?
Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.
-
Hey Rustaceans! Got a question? Ask here (15/2023)!
This exists, see cargo auditable.
-
The Rust Implementation Of GNU Coreutils Is Becoming Remarkably Robust
The Rust community seems to have settled on a perfectly reasonable way to address bit-rot in statically linked binaries. https://github.com/rust-secure-code/cargo-auditable
-
Release Engineering Is Exhausting So Here's cargo-dist
Would you be open to integrating cargo auditable into this pipeline in some form? It seems like a great match.
-
Swift Achieved Dynamic Linking Where Rust Couldn't
> and static compilation probably just hides the problem unless security scanners these days can identify statically compiled vulnerable versions of libraries
Some scanners like trivy [1] can scan statically compiled binaries, provided they include dependency version information (I think go does this on its own, for rust there's [2], not sure about other languages).
It also looks into your containers.
The problem is what to do when it finds a vulnerability. In a fat app with dynamic linking you could exchange the offending library, check that this doesn't break anything for your use case, and be on your way. But with static linking you need to compile a new version, or get whoever can build it to compile a new version. Which seems to be a major drawback of discouraging fat apps.
1: https://github.com/aquasecurity/trivy
2: https://github.com/rust-secure-code/cargo-auditable
-
'cargo auditable' can now be used as a drop-in replacement for Cargo
I have investigated a bunch of standardized formats - SPDX, CycloneDX, etc. All of them are unsuitable for a variety of reasons, chief of which are being way too verbose and including timestamps, which would break reproducible builds.
-
sccache now supports GHA as backend
The fix for interoperability with cargo auditable has also shipped in the latest release of sccache. You can use the released sccache now instead of building it from git!
-
`cargo audit` can now scan compiled binaries
I've been working to bring vulnerability scanning to Rust binaries by creating cargo auditable, which embeds the list of dependencies and their versions into the compiled binary. This lets you audit the binary you actually run, instead of the Cargo.lock file in some repo somewhere.
-
Here's how to patch the upcoming OpenSSL vulnerability in Rust
cargo auditable solves this problem by embedding the list of dependencies and their versions into the binaries. But until it becomes part of Cargo and gets enabled by default, static linking will remain problematic.
- Introducing cargo-auditable: audit Rust binaries for known bugs or vulnerabilities in production
wasm-bindgen
-
If the native speed DOM/Web API for Rust becomes a reality, would you be willing to build your web apps with Rust and HTML/CSS?
Another strange issue could be seen in the strict class heritage organized definition of the DOM, which can not be handled very well by rust because of a still unsolved bindgen issue (#210).
-
Rust + WASM + Typescript [+ React]
For a much simpler but less flexible approach there's wasm-pack for creating JS packages from Rust, and wasm-bindgen for easy interop. Both have very good documentation.
-
We Just Released our Rust WebTransport Teleconferencing System - Here are Some Lessons Learned
We encountered quite a few hurdles on our journey. For one, we had to build our own yew-webtransport and yew-websocket integration from scratch by adding WebTransport definitions to wasm-bindgen (pull request link). We also had to add WebTransport support to the h3 crate (pull request link). co-created by @ten3roberts
-
Looking to create a backend service for a website in Rust and I'm wondering on how to best do it
Go with your WebAssembly module idea. Since it sounds like your chess engine does not draw a UI, it shouldn't be too difficult. wasm-bindgen will be your best friend.
-
Ask HN: How can a BE/infra developer handle the FE side of personal projects?
I've never tried it, but apparently some bindings exist, e.g. https://github.com/rustwasm/wasm-bindgen
So you can either try manipulating the DOM w/ some bindings or draw to canvas.
-
I'm trying to compile my rust code to wasm but wasm_bindgen says the trait bound `(Vec<i32>, Vec<i32>): IntoWasmAbi` is not satisfied.
Google also brings up this GitHub issue.
-
Deno Fresh WASM: Code Modules in Rust
If you want to learn more on wasm-pack, there is a wasm-pack book as well as some fairly detailed wasm-bindgen docs. There are a few resources for learning Rust itself in the December newsletter. Finally, please get in touch if you would like to see more content on Deno and Fresh. I hope you found the content useful and am keen to hear about possible improvements.
-
Swift Achieved Dynamic Linking Where Rust Couldn't
Love the article.
In my mind I see the problem of dynamic linking in rust to have a bunch of overlap with the "I want this rust library to be exposed in my higher level GC'd language with minimal safety/handwritten bindings" problem.
My hunch is that the lack of expressiveness of the C ABI is holding back both. I'd love to see some sort of "higher level than the C ABI" come out. And something like `wasm-bindgen`[0] to exist for more languages.
Here's a link to the rust "interopable_api" proposal! I don't understand all the implications, but it seems to be in the right direction https://github.com/rust-lang/rust/pull/105586
[0] https://rustwasm.github.io/docs/wasm-bindgen/
-
The Next Browser Language
Rust has https://github.com/rustwasm/wasm-bindgen and https://crates.io/crates/sledgehammer, the latter of which batches together JS calls to reduce the FFI cost. https://dioxuslabs.com/ uses these to great effect.
-
1Password releases Typeshare, the "ultimate tool for synchronizing your type definitions between Rust and other languages for seamless FFI"
This seems like it could be super useful for integrating with wasm-bindgen and TypeScript. Last I checked, the types generated by wasm-bindgen left a lot to be desired (no disrespect intended, wasm-bindgen is an awesome project). A few years ago, I contributed the skip_typescript attribute to wasm_bindgen that allowed you to override the type generation by hand-writing your own types (using a custom typescript section), but I wonder if this could simply generate higher quality types without the manual intervention.
What are some alternatives?
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
wasm-pack - 📦✨ your favorite rust -> wasm workflow tool!
auto-fuzz-test - Effortlessly fuzz libraries with large API surfaces
react-three-fiber - 🇨🇭 A React renderer for Three.js
cargo-supply-chain - Gather author, contributor and publisher data on crates in your dependency graph.
wasmer - 🚀 The leading Wasm Runtime supporting WASIX, WASI and Emscripten
eve-rs - A simple, intuitive, express-like HTTP library
wasmtime - A fast and secure runtime for WebAssembly
svntogit-community - Automatic import of svn 'community' repo (read-only mirror)
trunk - Build, bundle & ship your Rust WASM application to the web.
sandbox - A sand simulation game
wasi-libc - WASI libc implementation for WebAssembly