cargo-supply-chain VS cargo-geiger

Great news! Sounds like a good way to add caching to cargo supply-chain. There's a lot of small chunks of data we want to persist.

Shameless plug: https://github.com/rust-secure-code/cargo-supply-chain shows the supply chain attack surface for your Rust project.

bpaf: https://github.com/rust-secure-code/cargo-supply-chain/blob/29bfcb256001cdef46830544b554d33c56602030/src/cli.rs

I'm very happy with it for cargo supply-chain. I appreciate that it has no unsafe code, no sprawling dependency tree, and supports OsStr in addition to just &str.

cargo supply-chain to see your attack surface for supply chain attacks

See also: cargo supply-chain

I've used bpaf for cargo supply-chain and I'm very happy with it.

https://github.com/rust-secure-code/cargo-supply-chain can also help here.

cargo supply-chain list the publishers of all crates in your dependency graph. With it you can:

Instead of looking at the crates themselves, you might want to check your (or others') Rust application with https://github.com/rust-secure-code/cargo-geiger to get a sense of effective prevalence. I also dispute that the presence of unsafe somewhere in the dependency tree is an issue in itself, but that's a different discussion that many more had in other sub-threads.

There's still plenty. Run cargo geiger on any of your projects and see for yourself.

On point 2, the answer is cargo geiger, and judging how much memory safety you need for a given project.

You can use cargo-geiger or cargo-crev to check for whether people you trusted (e.g. u/jonhoo ) trust this crate.

The amount of unsafe code is also a factor. cargo geiger is a handy tool for measuring it.

We have cargo-geiger that does just that.

For that, I believe you need to use cargo-geiger[0] and audit the results.

[0] - https://github.com/rust-secure-code/cargo-geiger

cargo-geiger is a subcommand you can install which will check all the crates in your dependency graph for unsafe blocks and print out a report (which also shows if a crate has #![forbid(unsafe_code)] or not). You can then inspect those crates' sources to judge their use of unsafe for yourself. I don't think it has a "check" mode that simply errors if your dependency graph contains unsafe though, it's more about just collecting that information.

wrt to memory safety, keep in mind that many rust crates use "unsafe" internally. There are tools available that can find these such as cargo-geiger. So I would suggest to avoid unsafe deps as much as possible. Since they cannot be avoided entirely, it is a good idea to keep a list of unsafe deps.