    Matt Taylor
    @64
    hello, i will be submitting an advisory for the spin crate soon
    my concern is that since lazy_static depends on spin (only when the no std feature is enabled), that many lazy_static users will see the vulnerability pop up when doing a cargo audit even though it doesn’t affect them at all
    i see there’s an ‘affected_functions’ entry, does cargo audit take this into account?
    Tony Arcieri
    @tarcieri
    @64 unfortunately it does not. the goal was to collect this information for call graph analysis but we've never actually integrated with anything that can do that RustSec/cargo-audit#21
    failing that, it'd be nice if we could have advisories which map to specific cargo features, but we don't have anything like that now
    however, let me check something
    yeah, I think you should be fine
    since it's an optional dependency, it doesn't wind up in Cargo.lock unless the relevant feature of the dependent crate is enabled
    so I think there won't be false positives for lazy_static users (I just checked some of my own projects that use lazy_static)
    Tony Arcieri
    @tarcieri
    looks like it will be rather disruptive for anything that uses ring though, as it's a hard dependency there
    Matt Taylor
    @64
    @tarcieri there will be false positives for those who have that feature of lazy_static enabled
    because lazy_static doesn’t use any of the vulnerable parts of spin
    Tony Arcieri
    @tarcieri
    aah, well there's no way to avoid that but the call graph analysis. you can note in the advisory that it can be ignored for lazy_static users
    Jeremy Fitzhardinge
    @jsgf
    Hi all - is there a package with a test advisory, like the EICAR test virus? I'd like to be able to have something to test that my advisory pipeline is working, without having to introduce a real vulnerability which might screw up real dependencies
    Konrad Borowski
    @KonradBorowski_gitlab
    if you specify a real package with exact version and a comment describing this is for RUSTSEC specifically, it should be clear enough i feel like
    if messing with dependencies is a concern, use a very old version of a 0.x library
    like so old that no new package would depend on it
    say safe-transmute 0.4.0 or something
    Tony Arcieri
    @tarcieri
    @jsgf what specifically are you looking to test? handling of new advisories in general? we've had quite a few recently due to the Safety Dance
    the latest RustSec crate supports informational advisories as well
    Jeremy Fitzhardinge
    @jsgf
    The problem I have right now is that none of the crates I'm managing have any advisories at all, so I don't necessarily know whether it's working. It would be useful to have a canary to make sure things are working. Testing whether new advisories are working is a separate thing, but if we're OK with having test advisories at all, then publishing a test advisory - say - every month would help with that (you could alarm on not seeing an expected advisory, indicating that something is wrong along the chain).
    @KonradBorowski_gitlab That's fine for a one-off test, but I'm looking at building out some infra for a large organization, and having special ad-hoc rules like "safe-transmute 0.4.0 isn't a real advisory" is hard to communicate effectively. It would be easier to say that "all advisories with the rustsec-test-advisory keyword and category are tests", because you could get a fair intuition about what it means just by looking
    and code/rules implementing that wouldn't look strange
    Tony Arcieri
    @tarcieri
    @jsgf I could potentially add one, with an associated test crate, that you could use to test. I don't think it makes sense to publish an unbounded number of them (in the same way there's only one EICAR string)
    if you want to test it periodically, you can add and remove the test dependency from your Cargo.toml
    Jeremy Fitzhardinge
    @jsgf
    Yeah, one is a good start
    Hanif Ariffin
    @hbina
    are there any crates that still publish a vulnerable version that have a non-vulnerable one? I'm trying to implement a cargo-audit fix but I don't have a test
    Tony Arcieri
    @tarcieri
    @hbina let me publish a test crate for this purpose
    svartalf
    @svartalf
    @tarcieri hey! Are there informational advisories I could see? I'm working on something here and would love to see a live example of them :)
    Tony Arcieri
    @tarcieri
    we just published some of the first ones yesterday
    there's an example
    svartalf
    @svartalf
    Awesome, thanks!
    Tony Arcieri
    @tarcieri
    ooh awesome
    svartalf
    @svartalf
    :)
    I would love to hear your opinion about what data should be shown at the Check page at all
    Tony Arcieri
    @tarcieri
    what you have looks good. if it's an informational advisory you could add another column to that table with the informational advisory type
    svartalf
    @svartalf
    Yep, that's why I wanted to see an informational advisory
    Tony Arcieri
    @tarcieri
    cool
    Tony Arcieri
    @tarcieri
    FYI I just migrated all of the RustSec projects, including the advisory DB repo itself, over to GitHub Actions
    need to look into using it to automate things like publishing the web site from the git repo whenever it's changed
    svartalf
    @svartalf
    @tarcieri yeah, I saw it, we have basically come full circle here now with the actions-rs -> rustsec -> actions-rs
    Tony Arcieri
    @tarcieri
    heh
    svartalf
    @svartalf
    There were some actions to publish data into the GH pages, yet I had not used them, so I could not recommend anything
    Tony Arcieri
    @tarcieri
    yeah that'd be the goal. I was thinking of moving it to a gh-pages branch of the advisory-db repo
    so after there's a successful build on master, there's a deploy step which installs the website generator tool, runs it, and if anything's changed makes a gh-pages commit and pushes it
    svartalf
    @svartalf
    Well, it is possible technically, the problem is to find the right tools for that...
    Tony Arcieri
    @tarcieri
    yeah