Add cargo auditable deps extractor for Rust bins to SCALIBR #377
Conversation
Force-pushed from 68433f2 to 2b2f446.
@another-rex @oliverchang fyi, might want to link this with google/osv-scanner#1332 if that's not already happened internally

Force-pushed from 2b2f446 to 7502f59.
Hey, author of cargo auditable here! 👋

I've skimmed the PR and left a couple of notes, but by and large it looks good. I'm excited to see cargo auditable data becoming accessible to osv-scanner!
extractor/filesystem/filesystem.go (Outdated)
// TODO(b/279138598): Research: Maybe on windows all files have the executable bit set. | ||
// Either windows .exe or unix executable bit should be set. | ||
if filepath.Ext(path) != ".exe" && fileInfo.Mode()&0111 == 0 { |
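Review bot: `filepath.Ext(path) != ".exe"` is a case-sensitive comparison, so a `Tool.EXE` on a case-insensitive Windows volume is skipped unless its Unix executable bit happens to be set; compare with `strings.EqualFold(filepath.Ext(path), ".exe")` or lower-case the extension before testing it. The same branch also needs to admit `.dll`, as the reviewer points out below, since Rust shared libraries built with cargo auditable carry the same embedded dependency data.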
.dll files can also be built in Rust with cargo auditable, although Rust shared libraries are less common than Rust executables. It is probably a good idea to load DLL files as well.
Thanks for the review! This sounds like a great point, I went ahead and added the exception for .dlls as well, thanks!
// Cargo auditable also tracks build dependencies which we don't want to report. | ||
if dep.Kind == rustaudit.Runtime { | ||
inventory = append(inventory, &extractor.Inventory{ | ||
Name: dep.Name, | ||
Version: dep.Version, | ||
Locations: []string{input.Path}, | ||
}) | ||
} |
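Review bot: the `dep.Kind == rustaudit.Runtime` filter silently drops every build-only dependency, and nothing here documents that or lets a caller opt in; add a config field (for example `IncludeBuildDependencies`) that is consulted at this `if`, and state the default in the extractor's doc comment so a scanner user knows proc-macro and codegen crates are excluded from the inventory unless they ask for them.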
This is probably a reasonable default, although it would be nice to make this configurable eventually (not necessarily in this PR).
The use case I had in mind for this was e.g. protobuf codegen or a Rust proc macro emitting wrong memory-unsafe code which ends up in the final binary, even though the problematic code was only a build-dependency. But these issues are admittedly rare.
Good idea, I hadn't considered that possibility so far. I went ahead and added in the suggested configuration. Thanks!
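The two review threads above concern the same extractor logic: which files are worth opening (Windows `.exe`/`.dll` by extension, or a Unix executable bit) and whether build-only dependencies recorded by cargo auditable end up in the inventory. The following Go program is an added illustration of both decisions and is not code from the SCALIBR PR or from cargo auditable; the `DependencyKind`, `Dependency`, `Config`, `Inventory`, `FileRequired` and `Extract` names are stand-ins I chose, and the dependency records are constructed sample data rather than output parsed from a real binary.

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// DependencyKind mirrors the two kinds cargo auditable records for each crate.
// Stand-in for the rustaudit library's type (assumption, not the real API).
type DependencyKind int

const (
	Build   DependencyKind = iota // only needed to compile (proc macros, codegen)
	Runtime                       // linked into the final binary
)

// Dependency is a constructed stand-in for one package entry of the audit data.
type Dependency struct {
	Name    string
	Version string
	Kind    DependencyKind
}

// Config holds the opt-in discussed in review: report build-only crates too,
// so a vulnerable proc macro or codegen crate still shows up in scan results.
type Config struct {
	IncludeBuildDeps bool
}

// Inventory is a minimal stand-in for the scanner's inventory record.
type Inventory struct {
	Name      string
	Version   string
	Locations []string
}

// FileRequired reports whether a path should be opened and searched for
// cargo auditable data. Windows executables and DLLs are selected by
// extension, compared case-insensitively so "Tool.EXE" on an NTFS volume is
// not skipped; anything else is selected only if a Unix executable bit is set.
func FileRequired(path string, mode fs.FileMode) bool {
	if mode.IsDir() {
		return false
	}
	switch strings.ToLower(filepath.Ext(path)) {
	case ".exe", ".dll":
		return true
	}
	return mode&0111 != 0
}

// Extract turns the decoded dependency list of one binary into inventory
// entries. Build-only dependencies are dropped unless cfg asks for them;
// every entry is located at the binary it was read from.
func Extract(cfg Config, binPath string, deps []Dependency) []Inventory {
	var inv []Inventory
	for _, dep := range deps {
		if dep.Kind != Runtime && !cfg.IncludeBuildDeps {
			continue // build dependency, not part of the shipped artifact
		}
		inv = append(inv, Inventory{
			Name:      dep.Name,
			Version:   dep.Version,
			Locations: []string{binPath},
		})
	}
	return inv
}

func main() {
	// Constructed sample audit data for a hypothetical binary.
	deps := []Dependency{
		{Name: "serde", Version: "1.0.0", Kind: Runtime},
		{Name: "prost-build", Version: "0.12.0", Kind: Build},
	}
	for _, p := range []string{"/opt/tool/server", "C:/app/Tool.EXE", "/opt/tool/README.md"} {
		fmt.Printf("%-22s scan=%v\n", p, FileRequired(p, 0755))
	}
	fmt.Println("default:       ", Extract(Config{}, "/opt/tool/server", deps))
	fmt.Println("with build deps:", Extract(Config{IncludeBuildDeps: true}, "/opt/tool/server", deps))
}
```

The extension check runs before the mode check on purpose: on Windows the mode bits are not a reliable signal (the TODO in the original snippet makes the same point), so the extension must be sufficient on its own, while on Unix a stripped `.exe` extension is irrelevant and the executable bit decides.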
Force-pushed from c2a68f5 to b22b686.
PiperOrigin-RevId: 713069568
Force-pushed from b22b686 to 2b2c729.