cargo-vet
wapm-cli
cargo-vet | wapm-cli
---|---
12 | 11
598 | 361
5.7% | -
7.6 | 4.9
about 1 month ago | about 1 year ago
Rust | Rust
Apache License 2.0 | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cargo-vet
- Ferrocene – Rust for Critical Systems
For supply chain security, you might be interested in cargo-vet[0], a tool for coordinating and requiring manual reviews of open source dependencies. Both Mozilla and Google[1] have started publishing their audits.toml files, which are a machine-readable file describing what source code reviews they have performed.
[0] https://github.com/mozilla/cargo-vet
[1] https://opensource.googleblog.com/2023/05/open-sourcing-our-...
- Rust security scanning options
There is also cargo-vet for manual auditing of the source code of the crates, which is not something that can be done automatically. Quite a few companies and orgs use it now like Mozilla, Google, Bytecode Alliance, us (Embark Studios), ISRG, zcash etc. And I believe its usage will expand significantly going forward with corporate users and security sensitive projects/orgs.
- NPM repository flooded with 15,000 phishing packages
If you don't know the author, signatures do nothing. Anybody can sign their package with some key. Even if you could check the author's identity, that still does very little for you, unless you know them personally.
It makes a lot more sense to use cryptography to verify that releases are not malicious directly. Tools like crev [1], vouch [2], and cargo-vet [3] allow you to trust your colleagues or specific people to review packages before you install them. That way you don't have to trust their authors or package repositories at all.
That seems like a much more viable path forward than expecting package repositories to audit packages or trying to assign trust onto random developers.
[1]: https://github.com/crev-dev/crev
[2]: https://github.com/vouch-dev/vouch
[3]: https://github.com/mozilla/cargo-vet
- How do regulated companies handle software of unknown provenance (SOUP) when using needed open source crates?
The other approach is https://github.com/mozilla/cargo-vet
- greater supply chain attack risk due to large dependency trees?
- Dozens of malicious PyPI packages discovered targeting developers
- Best way to protect a project from supply chain attacks?
cargo crev and cargo vet for reviewing dependencies and using reviewed versions
- Vetting the Cargo
Since the audits are designed to be used at a per project level and contributed directly into the VCS repo (allowing you to use git signing for example) I don't quite understand what additional off-line cryptographic signatures are required here (considering that Cargo's lockfiles already contain a hash of the crate which would prevent the project from getting an altered version of a crate accidentally and that SHA validation is being considered as part of vet as well https://github.com/mozilla/cargo-vet/issues/116).
- Mozilla/cargo-vet – supply-chain security for Rust
- Gitsign
wapm-cli
- Fast Matrix Math in JS 2: WASM
To actually compile this we can use a tool called WABT (WebAssembly Binary Toolkit). It's basically a mess that requires CMake and I couldn't get it to run on WSL and I wasn't going to install MinGW. Instead there's a nice tool called WAPM from Wasmer which works like npm for WebAssembly packages and since it's been compiled down to WebAssembly we can run it in any environment. In fact we don't even need to add configuration so long as wapm is installed. We can run wax wat2wasm -- wat/mat.wat -o wasm/mat.wasm. wax is like npx for npm. If you're wondering, the command we give wax is defined by the wasmer/wabt package: https://wapm.io/wasmer/wabt. Also for some reason you can't prefix local paths with ./ so wax wat2wasm -- ./wat/mat.wat doesn't work, which took me a while to figure out. Anyway this provides a nice simple compile environment if you want to work on raw WAT files.
- WAPM - WebAssembly Package Manager
- Dozens of malicious PyPI packages discovered targeting developers
That's the main reason we should start using WebAssembly for distributing and using packages.
Shameless plug: Wasmer [1] and WAPM [2] could help a lot on this quest!
[1]: https://wasmer.io/
[2]: https://wapm.io/
- WordPress WASM
- A Look at Performance in Wasmtime and Cranelift
There's WAPM
- Packaging and shipping your software
If it's buildable for the WebAssembly WASI target, consider also distributing it through WAPM.
- Announcing Cargo WAPM
I don't know if many people have heard of it, but there's actually a WebAssembly Package Manager. It's similar to crates.io, except you upload WebAssembly binaries written in any language instead of Rust source code!
-
There’s a cunning workaround for this challenge; rather than compiling JS to Wasm, you can instead compile a JavaScript engine to WebAssembly then use that to execute your code.
You can see this paying off with wapm, which lets you download applications that would have normally required compilation for your environment and run them anywhere with a supported runtime, which is imo pretty neat.
- Security advisory: malicious crate rustdecimal | Rust Blog
One step closer to the day when I can put actix-web creations up on WAPM so "Just type wax my-cool-thing to try it out" can be one of the distribution options.
- WebAssembly in my Browser Desktop Environment
I've added limited support to run wapm.io directly from the Terminal. Examples of commands that work well are wapm cowsay {Text} and wapm uuid.
What are some alternatives?
cargo-crev - A cryptographically verifiable code review system for the cargo (Rust) package manager.
WASM-ImageMagick - Webassembly compilation of https://github.com/ImageMagick/ImageMagick & samples
W4SP-Stealer - w4sp Stealer official source code, one of the best python stealer on the web
js-dos - The best API for running dos programs in browser
git-ts - Git TimeStamp Utility
wasmer-js - Monorepo for Javascript WebAssembly packages by Wasmer
gitsign - Keyless Git signing using Sigstore
Boxedwine
secimport - eBPF Python runtime sandbox with seccomp (Blocks RCE).
wordpress-playground - Run WordPress in the browser via WebAssembly PHP
security-wg - Node.js Ecosystem Security Working Group
Graphene - GraphQL framework for Python