| | crane | cargo-auditable |
|---|---|---|
| Mentions | 12 | 23 |
| Stars | 747 | 553 |
| Growth | - | 2.7% |
| Activity | 9.2 | 7.8 |
| Last commit | 7 days ago | 3 days ago |
| Language | Nix | Rust |
| License | MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
crane
- Can rustc generate identical binaries, with the same hash, from the same source code?
- Transitioning to Rust as a company
- Help with building a 32bit library with cargo
I would also recommend using crane or naersk since iirc rustPlatform.buildRustPackage can mangle some of these options (or maybe I just did something wrong lol)
- Better support of Docker layer caching in Cargo
Notably crane is doing what cargo-chef is doing for Nix.
- 20 Years of Nix
I don't think it's very valid to compare the two. It is a little bit just to compare the experiences using them, but they aren't meant to solve the same set of issues. In fact, they are better together in my experience. I use nix to manage my terraform configurations with a lot of success. It reduces my boilerplate and helps me build abstractions on top of HCL.
If you ever decide to take a stab at nix again, consider looking at https://github.com/ipetkov/crane and using flakes. I've got it down to the point that I can get a new rust project set up with nix in about 30 seconds with linting, package building, and test running all in the checks.
- Has anyone packaged Rust programs as nix packages?
Take a look at Crane, though it is squarely aimed at non-beginners. If you want to submit whatever you're packaging to nixpkgs and not just for personal use, you can't use crane, though.
- Crafting container images without Dockerfiles
To get Rust incremental builds, did you consider using something such as crane https://github.com/ipetkov/crane ?
And regarding OCI images, I built nix2container (https://github.com/nlewo/nix2container) to speed up image build and push times.
- How to setup devShell for rust development with bevy?
This is the relevant part of my flake (which uses the quick-start template of crane):
- yarnpnp2nix: More efficient way of packaging NodeJS applications
I imagine/hope you've seen this, but over in Rust-land I do something similar using https://github.com/ipetkov/crane. I've been on the lookout for something precisely like this for a while. I don't know much about the newer versions of yarn but imagined such a thing was possible. I am looking forward to trying this out, especially if the above is eventually addressed.
- Perfect Docker Images for Rust with Nix
If you haven't already, I recommend checking out crane for building extensible workflows using cargo and Nix (e.g. running clippy, cargo-audit, cargo-nextest, cargo-tarpaulin, etc.).
cargo-auditable
- Rust Offline?
Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.
- Hey Rustaceans! Got a question? Ask here (15/2023)!
This exists, see cargo auditable.
- The Rust Implementation Of GNU Coreutils Is Becoming Remarkably Robust
The Rust community seems to have settled on a perfectly reasonable way to address bit-rot in statically linked binaries. https://github.com/rust-secure-code/cargo-auditable
- Release Engineering Is Exhausting So Here's cargo-dist
Would you be open to integrating cargo auditable into this pipeline in some form? It seems like a great match.
- Swift Achieved Dynamic Linking Where Rust Couldn't
> and static compilation probably just hides the problem unless security scanners these days can identify statically compiled vulnerable versions of libraries
Some scanners like trivy [1] can scan statically compiled binaries, provided they include dependency version information (I think go does this on its own, for rust there's [2], not sure about other languages).
It also looks into your containers.
The problem is what to do when it finds a vulnerability. In a fat app with dynamic linking you could exchange the offending library, check that this doesn't break anything for your use case, and be on your way. But with static linking you need to compile a new version, or get whoever can build it to compile a new version. Which seems to be a major drawback of discouraging fat apps.
1: https://github.com/aquasecurity/trivy
2: https://github.com/rust-secure-code/cargo-auditable
- 'cargo auditable' can now be used as a drop-in replacement for Cargo
I have investigated a bunch of standardized formats - SPDX, CycloneDX, etc. All of them are unsuitable for a variety of reasons, chief of which are being way too verbose and including timestamps, which would break reproducible builds.
- sccache now supports GHA as backend
The fix for interoperability with cargo auditable has also shipped in the latest release of sccache. You can use the released sccache now instead of building it from git!
- `cargo audit` can now scan compiled binaries
I've been working to bring vulnerability scanning to Rust binaries by creating cargo auditable, which embeds the list of dependencies and their versions into the compiled binary. This lets you audit the binary you actually run, instead of the Cargo.lock file in some repo somewhere.
- Here's how to patch the upcoming OpenSSL vulnerability in Rust
cargo auditable solves this problem by embedding the list of dependencies and their versions into the binaries. But until it becomes part of Cargo and gets enabled by default, static linking will remain problematic.
- Introducing cargo-auditable: audit Rust binaries for known bugs or vulnerabilities in production
What are some alternatives?
naersk - Build Rust projects in Nix - no configuration, no code generation, no IFD, sandbox friendly.
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
api - 🎠API
auto-fuzz-test - Effortlessly fuzz libraries with large API surfaces
yarnpnp2nix - A performance focused and space efficient way of packaging NodeJS applications with Nix
cargo-supply-chain - Gather author, contributor and publisher data on crates in your dependency graph.
dream2nix - Simplified nix packaging for various programming language ecosystems [maintainer=@DavHau]
eve-rs - A simple, intuitive, express-like HTTP library
rustshop - Rust Shop is a fake cloud-based software company that you can fork.
svntogit-community - Automatic import of svn 'community' repo (read-only mirror)
crate2nix - rebuild only changed crates in CI with crate2nix and nix
sandbox - A sand simulation game