yaml-cpp VS rustsec

FetchContent_Declare(yaml-cpp GIT_REPOSITORY https://github.com/jbeder/yaml-cpp.git GIT_TAG yaml-cpp-0.7.0 GIT_SHALLOW TRUE ) set(YAML_CPP_BUILD_TESTS OFF) FetchContent_MakeAvailable(yaml-cpp)

As you can see, I'm trying to coerce some YAML::Node to get some unknown type:

Some context, In my day job, I'm working on a custom format that is based on yaml but extends it. We're still using C++, so we the used yaml-cpp as a base for our parser and it was great for that purpose. laying with rust on Advent of Code lately I also got sent back to reality... Not having rust enums, match, great string handling, iterators when working with my AST was hard. So I wanted to try to implement the same parser in Rust as an example to my teammates of how great rust can be.

yaml-cpp

Hi, this is a library (https://github.com/jbeder/yaml-cpp), I tried to add it but unfortunately I can't, and I can't find any instructions.

cmake_minimum_required(VERSION 3.0.0) project(cmaketest VERSION 0.1.0) include(CTest) enable_testing() include(ExternalProject) ExternalProject_Add(yaml PREFIX 3rd_party GIT_REPOSITORY https://github.com/jbeder/yaml-cpp/ INSTALL_COMMAND "" ) add_executable(cmaketest main.cpp) set(CPACK_PROJECT_NAME ${PROJECT_NAME}) set(CPACK_PROJECT_VERSION ${PROJECT_VERSION}) include(CPack)

I've found is yaml-cpp. The API seems fine

If you want a file format that has more readability, YAML is probably your best bet.

Can this not be parsed as YAML? (https://github.com/jbeder/yaml-cpp)

cargo-audit is a simple Cargo tool for detecting vulnerable Rust crates. You can install it with cargo install cargo-audit, use cargo audit and you’re done! Any vulnerable crates will appear below, like so:

Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.

Yeah your decade old single header libs get so many audits by comparison.

https://github.com/RustSec/rustsec/tree/main/cargo-audit

https://mozilla.github.io/cargo-vet/

cargo is not npm

PSA: before filing CVEs for other people's projects, file an issue with https://rustsec.org instead

Historically, such serious bugs get communicated broadly and addressed very quickly via security advisory blog posts and on https://rustsec.org.

For known vulnerabilities we have the rustsec vulnerability database. You could have a look over there for inspiration. There's also the related cargo-audit for checking dependencies for known vulnerabilities.

Would be cool if this was also reported to https://rustsec.org/ that way cargo audit could pick up and alert the users about it.

P.S. I also made scanning binaries 5x faster in the latest release of cargo audit.

Thanks to cargo and the community, project maintenance is straightforward in rust. You'll need to install cargo-outdated and cargo-audit:

Use the automated tools to assist you in the maintenance of your projects: rustfmt, clippy, cargo update, cargo outdated and cargo-audit.