On Fri, Sep 10, 2021 at 06:54:10AM +0200, Sebastien Marie wrote:
> On Thu, Sep 09, 2021 at 01:19:21PM -0600, Aaron Bieber wrote:
> > Hi,
> > 
> > Here is a port of cargo-audit:
> > https://github.com/RustSec/rustsec/tree/main/cargo-audit
> > 
> > This isn't the latest version because that fails to build:
> > https://github.com/rustsec/rustsec/issues/429
> > 
> > Unfortunately the program doesn't run unless you specify the full
> > path. I tried creating a patch to fix it, but I can't make heads or
> > tails of the code.
> > 
> > Thanks to tb@ and semarie@ for pointers on the Makefile!
> > 
> > Here is a git mirror as well:
> > https://github.com/jasperla/openbsd-wip/tree/master/devel/cargo-audit
> > 
> > OK? Cluesticks?
> 
> Just few nits: crates.inc doesn't have $OpenBSD$ marker, and contains
> no licence information (see make modcargo-gen-crates-licenses).
> 
> Regarding full path, you could look at env:current_exe() calls in the
> source code. But what is the full path required ? 
> ${LOCALBASE}/bin/cargo-audit ?
> 
> I also wonder if it is possible to redefine argv[0] (or more exactly
> the rust equiv) at beginning of the program to properly set it (the
> binary will be always at the same place if installed from ports).

Here's a version of this port that:

- addresses the crates.inc nits from semarie (RCS marker + licenses)
- fixes WANTLIB/LIB_DEPENDS
- adds a patch that builds the current_exe() path from the basename of
  argv[0] appended to ${LOCALBASE}/bin
- uses the main branch instead of master for advisory-db

This seems to work for me in some light testing.  For example, when it
is run on an old newsboat repo with a known problem in SmallVec:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 352 security advisories (from /home/theo/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (101 crate dependencies)
Crate:         smallvec
Version:       0.6.10
Title:         Buffer overflow in SmallVec::insert_many
Date:          2021-01-08
ID:            RUSTSEC-2021-0003
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution:      Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
Dependency tree:
smallvec 0.6.10
├── unicode-normalization 0.1.8
│   └── idna 0.2.0
│       └── url 2.1.1
│           └── libnewsboat 2.20.0
│               └── libnewsboat-ffi 2.20.0
└── libnewsboat 2.20.0

error: 1 vulnerability found!

Attachment: cargo-audit.tgz
Description: application/tar-gz
