Add cargo auditable deps extractor for Rust bins to SCALIBR
#377
Conversation
![copybara-service[bot]](https://avatars.githubusercontent.com/in/44061?s=60&v=4){kind=small}
copybara-service
bot
force-pushed
the
test_713069568
branch
from
68433f2 to
2b2f446
Compare
|
@another-rex @oliverchang fyi, might want to link this with google/osv-scanner#1332 if that's not already happened internally |
copybara-service
bot
force-pushed
the
test_713069568
branch
from
2b2f446 to
7502f59
Compare
extractor/filesystem/filesystem.go
Outdated
|
|
||
| // TODO(b/279138598): Research: Maybe on windows all files have the executable bit set. | ||
| // Either windows .exe or unix executable bit should be set. | ||
| if filepath.Ext(path) != ".exe" && fileInfo.Mode()&0111 == 0 { |
There was a problem hiding this comment.
.dll files can also built in Rust with cargo auditable, although Rust shared libraries are less common than Rust executables. It is probably a good idea to load DLL files as well.
There was a problem hiding this comment.
Thanks for the review! This sounds like a great point, I went ahead and added the exception for .dlls as well, thanks!
| // Cargo auditable also tracks build dependencies which we don't want to report. | ||
| if dep.Kind == rustaudit.Runtime { | ||
| inventory = append(inventory, &extractor.Inventory{ | ||
| Name: dep.Name, | ||
| Version: dep.Version, | ||
| Locations: []string{input.Path}, | ||
| }) | ||
| } |
There was a problem hiding this comment.
This is probably a reasonable default, although it would be nice to make this configurable eventually (not necessarily in this PR).
The use case I had in mind for this was e.g. protobuf codegen or a Rust proc macro emitting wrong memory-unsafe code which ends up in the final binary, even though the problematic code was only a build-dependency. But these issues are admittedly rare.
There was a problem hiding this comment.
Good idea, I hadn't considered that possibility so far. I went ahead and added in the suggested configuration. Thanks!
copybara-service
bot
force-pushed
the
test_713069568
branch
6 times, most recently
from
b22b686 to
2b2c729
Compare
copybara-service
bot
force-pushed
the
test_713069568
branch
from
2b2c729 to
5abb23f
Compare
PiperOrigin-RevId: 720239426
copybara-service
bot
force-pushed
the
test_713069568
branch
from
5abb23f to
61e7af7
Compare
|
I'm excited to see this merged! I'd appreciate a heads-up when this actually ships in osv-scanner so that I could add it to the list of software supporting the data format. |
CC @another-rex . This should be coming very very soon in the next OSV-Scanner v2 release (though not in the very first beta versions). |
Add
cargo auditabledeps extractor for Rust bins to SCALIBR