Stream: wg-secure-code

Topic: crates-audit


Zach Reizner (Oct 30 2018 at 16:34, on Zulip):

I have a website showing an MVP of the crates.io wide audit: https://crates-audit.zach297.com

Alex Gaynor (Oct 30 2018 at 21:10, on Zulip):

Any chance of sort-ability by download count?

Zach Reizner (Oct 30 2018 at 21:38, on Zulip):

That's a good idea.

Zach Reizner (Oct 30 2018 at 21:45, on Zulip):

I switched my gitlab repo to public.

Zach Reizner (Oct 30 2018 at 21:50, on Zulip):

Currently the audit output looks like this. There is purposefully very little information beyond what packages are depending on vulnerable crates. I wanted to keep the initial version small while we decided what was important.

Joshua Liebow-Feeser (Oct 30 2018 at 21:52, on Zulip):

Does this operate on Cargo.toml or Cargo.lock? If it's the former, it might be useful to explore the full set of valid packages. E.g., if I have a dependency on foo version 0.1.0, any vuln in the 0.1.x train should be flagged since any of those versions are valid according to Cargo.

Zach Reizner (Oct 30 2018 at 21:52, on Zulip):

it operates on the crates.io index

Joshua Liebow-Feeser (Oct 30 2018 at 21:53, on Zulip):

Ah, this doesn't operate on a particular crate's dependencies?

Zach Reizner (Oct 30 2018 at 21:53, on Zulip):

It does operate on the crate dependencies.

Joshua Liebow-Feeser (Oct 30 2018 at 21:54, on Zulip):

So my point is: When it's evaluating a given crate's dependencies, it should evaluate any of the versions of those dependencies which are consistent with its Cargo.toml file.

Joshua Liebow-Feeser (Oct 30 2018 at 21:54, on Zulip):

Because, depending on the dependencies of other crates in the same build graph, any of those versions might be selected by Cargo at build time.

Zach Reizner (Oct 30 2018 at 21:54, on Zulip):

That's an interesting line of thought.

Zach Reizner (Oct 30 2018 at 21:55, on Zulip):

I can see it going either way. Currently the resolver in crates-audit will just use the latest version that will satisfy a dependency.

Joshua Liebow-Feeser (Oct 30 2018 at 21:55, on Zulip):

Also, does the RustSec DB identify versions or version ranges?

Joshua Liebow-Feeser (Oct 30 2018 at 21:55, on Zulip):

E.g., I could imagine a vuln discovered in version 0.1.1 that, in practice, also affects 0.1.0, but RustSec doesn't say that 0.1.0 is vulnerable.

Zach Reizner (Oct 30 2018 at 21:56, on Zulip):

RustSec uses ranges

Joshua Liebow-Feeser (Oct 30 2018 at 21:56, on Zulip):

OK cool

Zach Reizner (Oct 30 2018 at 21:56, on Zulip):

e.g. https://rustsec.org/advisories/RUSTSEC-2018-0007.html

Zach Reizner (Oct 30 2018 at 21:56, on Zulip):

Unless a package falls in the unaffected or patched range, it's considered vuln.

Zach Reizner (Oct 30 2018 at 21:57, on Zulip):

An example of an advisory with unaffected versions.

Joshua Liebow-Feeser (Oct 30 2018 at 21:58, on Zulip):

OK cool. That information should be detailed enough to figure out whether or not a Cargo.toml names versions which could be vulnerable.

Zach Reizner (Oct 30 2018 at 21:59, on Zulip):

So my thinking on this is that it would cause a bit too much github issue traffic.

Zach Reizner (Oct 30 2018 at 21:59, on Zulip):

Btw, I haven't implemented that part yet because I think we need to lay out a solid policy.

Joshua Liebow-Feeser (Oct 30 2018 at 21:59, on Zulip):

Yeah so my thinking is that you could just modify your Cargo.toml to identify the patched version as the minimum.

Joshua Liebow-Feeser (Oct 30 2018 at 21:59, on Zulip):

I agree it might cause some GH issue traffic.

Joshua Liebow-Feeser (Oct 30 2018 at 22:00, on Zulip):

Is your thinking to have this auto-submit issues?

Zach Reizner (Oct 30 2018 at 22:00, on Zulip):

That was what I was thinking.

Joshua Liebow-Feeser (Oct 30 2018 at 22:00, on Zulip):

That's a really cool idea.

Zach Reizner (Oct 30 2018 at 22:00, on Zulip):

But I thought that was the plan of record.

Joshua Liebow-Feeser (Oct 30 2018 at 22:00, on Zulip):

I don't think there's any "record" here lol

Joshua Liebow-Feeser (Oct 30 2018 at 22:00, on Zulip):

At least that I've seen.

Zach Reizner (Oct 30 2018 at 22:01, on Zulip):

I'm referring to the post on "actionable work items" stream

Joshua Liebow-Feeser (Oct 30 2018 at 22:01, on Zulip):

Ah, you're right. I'd forgotten that detail.

Joshua Liebow-Feeser (Oct 30 2018 at 22:29, on Zulip):

A follow-up discussion here is about recursive dependencies. In particular, what do we do about foo which depends on a version of bar which depends on a vulnerable version of baz?

Alex Gaynor (Oct 30 2018 at 22:30, on Zulip):

It depends. Is your goal informing people of risk in their deps, or driving action on maintainers?

If it's informing people of risk, then you warn both foo and bar. If it's driving action for maintainers I think you complain to foo if there exists a version of bar that resolves the issue. If bar hasn't resolved the issue then you only complain to them.

Joshua Liebow-Feeser (Oct 30 2018 at 22:31, on Zulip):

I think the latter makes sense. Complaining to a crate author when there's nothing they can do seems unwise from a PR and alert fatigue perspective.

Zach Reizner (Oct 30 2018 at 22:32, on Zulip):

Let's say bar upgrades and is now vulnerable. Do you inform foo?

Alex Gaynor (Oct 30 2018 at 22:33, on Zulip):

Yes, I think so.

Joshua Liebow-Feeser (Oct 30 2018 at 22:34, on Zulip):

Longer-term, it might be worth allowing individual crates to opt into more verbose warnings, e.g. via a .cargo-audit file.

Joshua Liebow-Feeser (Oct 30 2018 at 22:35, on Zulip):

Speaking personally, there are some crates I maintain where I'd want to know about vulnerable dependencies so I could either poke their authors or take action on my own to patch the issue temporarily.

Zach Reizner (Oct 30 2018 at 22:35, on Zulip):

On the topic of configuration, I think it would make sense to put the settings into a centralized repository rather than in the repo of the crate.

Alex Gaynor (Oct 30 2018 at 22:36, on Zulip):

For cases the author wants to opt into more verbosity, they can always just run cargo-audit themselves, right?

Zach Reizner (Oct 30 2018 at 22:37, on Zulip):

Agreed

Zach Reizner (Oct 30 2018 at 22:38, on Zulip):

re crate configuration: I made the design choice for crates-audit to have reproducible output. Given a crates.io index commit and a rustsec advisory-db commit, the output should always be the same audit result file.

Alex Gaynor (Oct 30 2018 at 22:39, on Zulip):

And then on top of that you script the github API to get the latest version of each on cron. Seems pretty good.

Zach Reizner (Oct 30 2018 at 22:39, on Zulip):

It would slow the audit process and make it less reproducible if the results depended on the commit of each crate.

Zach Reizner (Oct 30 2018 at 22:41, on Zulip):

Also, there isn't a good mapping between crates and git repos. A published crate could possibly not even have a repo because the publisher just uploads a tarball of their source tree.

Zach Reizner (Oct 30 2018 at 22:42, on Zulip):

> And then on top of that you script the github API to get the latest version of each on cron. Seems pretty good.

I should note that that is the plan. As it's currently implemented, it just uses master of each. I should submit an issue...

Tony Arcieri (Nov 01 2018 at 23:38, on Zulip):

@Joshua Liebow-Feeser RustSec presently uses the semver crate's VersionReq for specifying versions which are or are not vulnerable, however it could probably use its own requirements with its own matcher

Tony Arcieri (Nov 01 2018 at 23:38, on Zulip):

and the tool itself operates on Cargo.lock which already has all of the transitive dependencies resolved

Tony Arcieri (Nov 01 2018 at 23:38, on Zulip):

@Zach Reizner neat re: crates.io scanner!

Zach Reizner (Nov 01 2018 at 23:39, on Zulip):

Thanks!

Zach Reizner (Nov 05 2018 at 20:11, on Zulip):

I've been running the crates-audit infrastructure using gitlab's free pipelines, the free tier of google cloud, and a free cloudflare account, but the only thing I can't get for free is a proper domain for the audits page. I've been hosting it on my personal projects domain, but it would be nice to put it in a proper place.

Zach Reizner (Nov 05 2018 at 20:12, on Zulip):

Perhaps it could go under a subdomain of rustsec.org? What do you think?

Shnatsel (Nov 05 2018 at 20:13, on Zulip):

What is the target audience of that page? Especially in the light of filing github or gitlab issues directly in the future?

Zach Reizner (Nov 05 2018 at 20:14, on Zulip):

That's a good question.

Zach Reizner (Nov 05 2018 at 20:15, on Zulip):

Mainly, I don't have code for filing issues yet, and we haven't established what the policy for something like that will even be.

Shnatsel (Nov 05 2018 at 20:15, on Zulip):

Subdomain of rustsec.org actually sounds good to me assuming we want to display it publicly. I'm not sure we do, though, and how discoverable it should be. If we want maximum discoverability we should just feed that info into crates.io directly

Zach Reizner (Nov 05 2018 at 20:15, on Zulip):

So the page is good for people that want to see if a crate that they are considering using currently has advisories.

Zach Reizner (Nov 05 2018 at 20:16, on Zulip):

@Tony Arcieri you're the owner of the rustsec.org domain, right?

Shnatsel (Nov 05 2018 at 20:21, on Zulip):

In that case I'd go for a rustsec.org subdomain as an intermediate step. It should probably be integrated with crates.io after some testing and once we figure out notification policy.

Tony Arcieri (Nov 05 2018 at 20:22, on Zulip):

Yes. I can point a subdomain somewhere if you'd like

Zach Reizner (Nov 05 2018 at 20:22, on Zulip):

Who maintains crates.io? How do you know that they want this functionality?

Tony Arcieri (Nov 05 2018 at 20:24, on Zulip):

crates.io is maintained by the Infrastructure Team

Zach Reizner (Nov 05 2018 at 20:27, on Zulip):

> Yes. I can point a subdomain somewhere if you'd like

That would be cool. I'm using domain-named buckets for hosting the static content and the audit file, so I would need to confirm ownership for crates-audit.rustsec.org: https://cloud.google.com/storage/docs/domain-name-verification

Zach Reizner (Nov 05 2018 at 20:28, on Zulip):

After I create the bucket, then I need a CNAME DNS record to google storage: https://cloud.google.com/storage/docs/hosting-static-website

Tony Arcieri (Nov 05 2018 at 20:28, on Zulip):

cool, I can take a look in a bit

Zach Reizner (Nov 05 2018 at 20:29, on Zulip):

Cool, we can do this whenever you like.

Zach Reizner (Nov 05 2018 at 20:29, on Zulip):

We can also meet up in person, assuming you are in the bay area as your github says.

Tony Arcieri (Nov 05 2018 at 20:30, on Zulip):

yeah

Shnatsel (Nov 12 2018 at 23:20, on Zulip):

@Zach Reizner I can get you an extra $500 in free Google Cloud credit that will last for 1 year, if you can elaborate on what Google Cloud services you're using and what you're running on it.

Shnatsel (Nov 12 2018 at 23:21, on Zulip):

In fact, I could probably get this for anyone with a worthy cause, so feel free to ping me even if you're not Zach :)

Zach Reizner (Nov 12 2018 at 23:21, on Zulip):

That's very generous, Shnatsel, but I just nominated myself about an hour ago :)

Tony Arcieri (Nov 28 2018 at 20:19, on Zulip):

guess I'll drop this in here since it seems like the most relevant topic: https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912

Tony Arcieri (Nov 28 2018 at 20:19, on Zulip):

Security vulnerabilities: which crates in crates.io are affected by a vulnerable function?

Zach Reizner (Nov 28 2018 at 20:21, on Zulip):

> guess I'll drop this in here since it seems like the most relevant topic: https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912

That does seem interesting, and also reminds me that I never made any announcements about crates-audit.

Zach Reizner (Nov 28 2018 at 20:21, on Zulip):

I was gonna hold off until getting the domain situation worked out.

Tony Arcieri (Nov 28 2018 at 20:25, on Zulip):

let me know what you need from my end, if you'd like to use a rustsec.org subdomain

Tony Arcieri (Nov 28 2018 at 20:25, on Zulip):

also just mentioned your project on that thread, heh

Tony Arcieri (Nov 28 2018 at 20:26, on Zulip):

I just suggested we could try to collect the relevant information in RustSec advisories to feed into their omnicallgraph and find impacted crates

Zach Reizner (Nov 28 2018 at 20:29, on Zulip):

There were two things that I needed for the subdomain: I need to prove ownership of the subdomain to rename my google bucket, and I need you to point the subdomain's DNS info to google storage. Enabling cloudflare caching for all content on the subdomain would also go a long way towards keeping my bandwidth usage to the free tier.

Zach Reizner (Nov 28 2018 at 20:29, on Zulip):

(And I recall that you use cloudflare for your DNS and caching, so it should be easy)

Tony Arcieri (Nov 28 2018 at 20:30, on Zulip):

Yeah I have Cloudflare on there already, although that was just to get an X.509 cert easily, and I saw GitHub pages now has a Let's Encrypt integration and can do that itself

Tony Arcieri (Nov 28 2018 at 20:31, on Zulip):

but uhh, whatever, can just use Cloudflare I guess

Tony Arcieri (Nov 28 2018 at 20:31, on Zulip):

last I saw GCS doesn't have a similar integration

Zach Reizner (Nov 28 2018 at 20:32, on Zulip):

What is GCS in this context?

Tony Arcieri (Nov 28 2018 at 20:32, on Zulip):

you're talking about Google Cloud Storage, right?

Tony Arcieri (Nov 28 2018 at 20:32, on Zulip):

it can host content out of a bucket, and can do HTTPS with a user-provided cert

Tony Arcieri (Nov 28 2018 at 20:33, on Zulip):

but the only turnkey way to have Google get you an LE cert, for now, seems to be Firebase

Tony Arcieri (Nov 28 2018 at 20:34, on Zulip):

for something like Cloudflare it's easy enough to make a self-signed cert, upload the key to GCS, and then pin to the corresponding cert on the Cloudflare side

Zach Reizner (Nov 28 2018 at 20:38, on Zulip):

Oh I see, you're talking about certificate integration with GCS. I haven't looked into that much. I was just using cloudflare's built-in SSL.

Tony Arcieri (Nov 28 2018 at 20:47, on Zulip):

what does GCS want to prove ownership of the (sub)domain?

Tony Arcieri (Nov 28 2018 at 20:47, on Zulip):

and what subdomain do you want to use? (crates-)audit.rustsec.org?

Zach Reizner (Nov 28 2018 at 21:06, on Zulip):

https://cloud.google.com/storage/docs/domain-name-verification

Zach Reizner (Nov 28 2018 at 21:06, on Zulip):

I'm fine with crates-audit.rustsec.org.

Zach Reizner (Nov 28 2018 at 21:07, on Zulip):

Specifically, I need to serve a specific file at http://crates-audit.rustsec.org/google654255fc38b85e41.html

Tony Arcieri (Nov 28 2018 at 21:25, on Zulip):

the DV methods would probably be easiest for me... but I think you need to initiate them

Tony Arcieri (Nov 28 2018 at 21:26, on Zulip):

> Click the gear icon, and then click Users & Property Owners.
> Click Manage property owners, and then click Verify using a different method.
> Verify your property again using the new method.

Zach Reizner (Nov 28 2018 at 21:30, on Zulip):

I'm not sure where this gear icon you're talking about is, but I did find the "Alternative Methods" tab in the "Webmaster Central" site that I'm using.
The "Domain Name Provider" method says to add a TXT record for rustsec.org: "google-site-verification=bDHZYm3GoFxu4yB8mBiNSUfw7fbG--6tI44bssyeIkA"

Zach Reizner (Nov 28 2018 at 21:31, on Zulip):

Unclear if that verifies me for all of rustsec.org or just crates-audit.rustsec.org

Tony Arcieri (Nov 28 2018 at 23:44, on Zulip):

I can try adding it on the subdomain first I guess?

Zach Reizner (Nov 28 2018 at 23:45, on Zulip):

sure, let me know and I'll hit verify

Tony Arcieri (Nov 29 2018 at 00:18, on Zulip):

ok I added it to crates.rustsec.org :wink:

Tony Arcieri (Nov 29 2018 at 00:19, on Zulip):

(after trying crates-audit.rustsec.org and thinking it looked a bit long)

Zach Reizner (Nov 29 2018 at 02:18, on Zulip):

The TXT record is different for crates.rustsec.org: google-site-verification=3MmthI1MdZ9tbgUmlmAOUIvcrw32vrit2jXuDlJgjBg

Tony Arcieri (Nov 29 2018 at 04:09, on Zulip):

ok, added, might take a bit to propagate

Tony Arcieri (Nov 29 2018 at 04:09, on Zulip):

(since the old one might be cached)

Zach Reizner (Nov 29 2018 at 04:09, on Zulip):

it seemed to work

Tony Arcieri (Nov 29 2018 at 04:19, on Zulip):

nice

Zach Reizner (Nov 29 2018 at 04:36, on Zulip):

There also needs to be a cname for that subdomain: https://cloud.google.com/storage/docs/hosting-static-website#cname

Tony Arcieri (Nov 29 2018 at 04:42, on Zulip):

added as well

Tony Arcieri (Nov 29 2018 at 04:49, on Zulip):

looks like you probably need to make allUsers a Storage Object Viewer on the bucket perms?

<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>
Anonymous caller does not have storage.objects.list access to crates.rustsec.org.
</Details>
</Error>

Zach Reizner (Nov 29 2018 at 04:57, on Zulip):

Yep, I haven't set up the bucket yet so that's expected.

Zach Reizner (Nov 29 2018 at 04:57, on Zulip):

(I have to make a new bucket for that domain and transfer everything over, as well as reconfigure my cloud functions to point at the new bucket)

Zach Reizner (Nov 29 2018 at 04:58, on Zulip):

If you like, I think I can add you to the project on Google Cloud.

Tony Arcieri (Nov 29 2018 at 05:01, on Zulip):

sweet, yeah the IAM on GCP is pretty nice

Zach Reizner (Nov 29 2018 at 05:49, on Zulip):

Ok, it should be up now

Zach Reizner (Nov 29 2018 at 06:03, on Zulip):

And I added you as an admin to the bucket.

Tony Arcieri (Nov 29 2018 at 06:08, on Zulip):

nice! yeah seems to be working

Tony Arcieri (Nov 29 2018 at 06:10, on Zulip):

added an "Always Use https://" page rule for it too

Zach Reizner (Nov 29 2018 at 06:10, on Zulip):

Nice, was just about to ask.

Tony Arcieri (Nov 29 2018 at 19:49, on Zulip):

what'd be really awesome with something like RustPräzi is a way to diff two different releases of the same crate

Shnatsel (Dec 17 2018 at 23:38, on Zulip):

I wonder, did https://github.com/RustSec/rustsec-crate/issues/51 affect crates-audit? 1000 vulnerable crates sounds like a lot. Or maybe I just don't understand the dependency resolution well enough

Zach Reizner (Dec 18 2018 at 01:10, on Zulip):

@Tony Arcieri I noticed that the cloudflare config for https://crates.rustsec.org/ has max-age set to 7 days (604800 seconds). Crates vulnerable to RUSTSEC-2018-0009 still haven't shown up on the site because of this.

Tony Arcieri (Dec 18 2018 at 01:17, on Zulip):

I can look into adjusting that, however to me that sounds like something where you'd want the origin server to signal an appropriate TTL?

Zach Reizner (Dec 18 2018 at 01:18, on Zulip):

I have the gcs configured to max-age=3600

Zach Reizner (Dec 18 2018 at 01:23, on Zulip):

Oh, never mind, I am an idiot. The javascript still has the old crates-audit.zach297.com URL hardcoded for retrieving audits

Zach Reizner (Dec 18 2018 at 01:24, on Zulip):

(And I got confused between expect-ct: (which has the long max-age) and cache-control: (which is correct) headers when debugging)

Zach Reizner (Dec 18 2018 at 01:24, on Zulip):

So you don't have to do anything, I'll fix it.

Zach Reizner (Dec 18 2018 at 05:03, on Zulip):

Ok, should be fixed now.

Zach Reizner (Dec 18 2018 at 05:08, on Zulip):

One interesting thing I discovered is that cloudflare will not cache HTML by default. Go figure.

Tony Arcieri (Dec 18 2018 at 05:13, on Zulip):

haha yeah we can probably get rid of Cloudflare if you have another way of provisioning a cert

Tony Arcieri (Dec 18 2018 at 05:14, on Zulip):

I was planning on moving off of it anyway, since the only reason I was using it was to get a TLS certificate

Tony Arcieri (Dec 18 2018 at 05:14, on Zulip):

but now GitHub has that integrated

Tony Arcieri (Dec 18 2018 at 05:14, on Zulip):

only problem with GitHub's implementation is no HSTS :cry:

Zach Reizner (Dec 18 2018 at 06:05, on Zulip):

If you want to get rid of it, that's fine with me. I don't think it will ever get enough traffic to blow the free tier.

Zach Reizner (Dec 18 2018 at 06:08, on Zulip):

Although now that I think about it, I don't know how to set up SSL for GCS without cloudflare.

Tony Arcieri (Dec 18 2018 at 06:22, on Zulip):

oh right you're doing it off gcs

Tony Arcieri (Dec 18 2018 at 06:22, on Zulip):

I believe they recently added built-in cert provisioning for their load balancers

Tony Arcieri (Dec 18 2018 at 06:23, on Zulip):

not sure about GCS itself

Tony Arcieri (Dec 18 2018 at 06:23, on Zulip):

I think it's just a Let's Encrypt integration

Tony Arcieri (Dec 18 2018 at 07:00, on Zulip):

just confirmed it's there

Tony Arcieri (Dec 18 2018 at 07:00, on Zulip):

[attachment: Screen-Shot-2018-12-17-at-10.59.25-PM.png]

Tony Arcieri (Dec 18 2018 at 07:01, on Zulip):

so create a new external IP address, tell me that, then create an HTTPS load balancer which uses that address, has a Google-managed cert for crates.rustsec.org, and point the backend at the GCS bucket

Zach Reizner (Dec 20 2018 at 01:47, on Zulip):

Idea: use gitlab pages to publish the audit. It supports custom domains and also SSL by uploading a pub/private key pair. It's also free.

Zach Reizner (Dec 20 2018 at 01:47, on Zulip):

I already have it working using the gitlab.io subdomain: https://zachreizner.gitlab.io/crates-audit/

Tony Arcieri (Dec 20 2018 at 02:11, on Zulip):

@Zach Reizner wherever you want to host it is fine by me... just tell me where to point DNS

Tony Arcieri (Dec 20 2018 at 02:12, on Zulip):

do they natively support getting a Let's Encrypt cert for a custom subdomain like GitHub?

Tony Arcieri (Dec 20 2018 at 02:12, on Zulip):

because I'd really like to get rid of Cloudflare, heh

Tony Arcieri (Dec 20 2018 at 02:12, on Zulip):

(I have largely transitioned my other projects to using GitHub Pages integrated HTTPS support now)

Tony Arcieri (Dec 20 2018 at 02:13, on Zulip):

the only thing I don't like about them is their "Enforce HTTPS" option doesn't set HSTS

Tony Arcieri (Dec 20 2018 at 02:13, on Zulip):

(GitHub, that is)

Zach Reizner (Dec 20 2018 at 02:25, on Zulip):

It seems they have no native support, but they at least have an official tutorial

Shnatsel (Jan 05 2019 at 04:16, on Zulip):

@Zach Reizner could you clarify how dependency resolution for crates-audit works? I see over 1000 crates marked as vulnerable at https://crates.rustsec.org/ and I find it hard to believe. Does it check that all versions that could potentially satisfy a dependency are vulnerable, or is it something else? Also, what of Cargo.lock where it's present?

Shnatsel (Jan 05 2019 at 04:20, on Zulip):

Also some false positives could be a side effect of https://github.com/RustSec/rustsec-crate/issues/51

Zach Reizner (Jan 05 2019 at 08:09, on Zulip):

Cargo.lock files are not used at all.

Zach Reizner (Jan 05 2019 at 08:10, on Zulip):

It will use the newest dependency possible that satisfies requirements.

Shnatsel (Jan 05 2019 at 12:47, on Zulip):

I am confused. At https://crates.rustsec.org/ cargo-thanks is marked vulnerable to RUSTSEC-2018-0003 and 2018-0010. One of those is a bug in SmallVec, but it does not depend on SmallVec directly. It also depends on the latest clap which is marked vulnerable to RUSTSEC-2018-0006; however, cargo-thanks is not marked vulnerable to RUSTSEC-2018-0006. I don't understand how that is possible.

Shnatsel (Jan 05 2019 at 12:58, on Zulip):

Another weird situation: concurrent-hash-map depends on crossbeam ^0.2.10 which should resolve to crossbeam version 0.2.12; however, it is somehow marked vulnerable to https://rustsec.org/advisories/RUSTSEC-2018-0009 which affects only much newer crossbeam.
I don't think this can be explained by https://github.com/RustSec/rustsec-crate/issues/51 either because that vulnerability affects a separate crate that is not even present in the dependency chain for 0.2.x

Shnatsel (Jan 05 2019 at 18:07, on Zulip):

Oh yeah, looks like https://github.com/RustSec/rustsec-crate/issues/51 was an issue. Updating rustsec requirement from 0.9 to 0.10 in Cargo.toml has cut the number of affected crates from 1696 to 724

Shnatsel (Jan 05 2019 at 18:14, on Zulip):

I've tried to open a PR on GitLab to bump the version, but it keeps saying "An error accured whilst committing your changes."

Shnatsel (Jan 05 2019 at 22:04, on Zulip):

The situation with cargo-thanks not getting a vulnerability transitively from clap is actually correct. The relevant clap feature is not enabled. The fact that crates-audit takes Cargo features into account is a pleasant surprise.

Shnatsel (Jan 05 2019 at 22:06, on Zulip):

It does follow development-only dependencies though, and that's another source of false positives. I've opened an issue about that: https://gitlab.com/zachreizner/crates-audit/issues/4

Shnatsel (Jan 05 2019 at 22:43, on Zulip):

But ignoring those two sources of false positives, this works really, really well. I've just discovered a crate with 8000 downloads a month using OpenSSL bindings so ancient that it doesn't even check hostname when verifying certificates: https://github.com/Antti/rust-amqp

Alex Gaynor (Jan 05 2019 at 23:03, on Zulip):

https://github.com/Antti/rust-amqp/pull/75

Shnatsel (Jan 05 2019 at 23:04, on Zulip):

Wow! That was fast! They actually have an issue on the bug tracker and a closed PR so I thought there was some fundamental reason why they're not upgrading.

Alex Gaynor (Jan 05 2019 at 23:06, on Zulip):

I didn't do much more than just bump the version and get the tests passing, it's entirely possible there's some complexity I missed.

Shnatsel (Jan 06 2019 at 00:19, on Zulip):

I have just requested backporting rust-yaml stack overflow fix based on crates-audit output

Shnatsel (Jan 06 2019 at 00:23, on Zulip):

Also I was kind of confused about what crates-audit does exactly. The shortest explanation I could come up with is: "It finds crates dependent on vulnerable library versions with no semver-compatible fix available".

Shnatsel (Jan 06 2019 at 00:26, on Zulip):

I would definitely like to see something like that on crates.io; normally this should not happen - all semver series actually in use should get the backport - but this would give visibility to issues in unmaintained crates

Alex Gaynor (Jan 06 2019 at 00:28, on Zulip):

Why are so many people using the old version of rust-yaml?

Shnatsel (Jan 06 2019 at 00:28, on Zulip):

¯\_(ツ)_/¯

Shnatsel (Jan 06 2019 at 00:29, on Zulip):

It's 165 crates according to cargo-audit and half the download count according to crates.io

Shnatsel (Jan 06 2019 at 00:30, on Zulip):

I wonder, do Rust compiled binaries contain data on what libraries went into making them? Probably not, but it would be so sweet if they did

Alex Gaynor (Jan 06 2019 at 00:30, on Zulip):

They don't. I wonder if it's possible to build a crate that does that... does the info exist in build.rs?

Shnatsel (Jan 06 2019 at 00:32, on Zulip):

If they did, you could just point an analyzer to a compiled binary and get it audited. And this would work for binaries deployed anywhere in any way and you wouldn't have to keep a matching Cargo.lock around and risk them being desynced

Shnatsel (Jan 06 2019 at 00:34, on Zulip):

Well, there is nothing preventing you from parsing Cargo.lock from build.rs at any rate

Zach Reizner (Jan 06 2019 at 00:50, on Zulip):

What about an embeddable crate that checked itself occasionally to see if it was using vulnerable crates?

Shnatsel (Jan 06 2019 at 00:52, on Zulip):

There are two problems with that: extra code size and the trouble with reaching the user to notify them.

Shnatsel (Jan 06 2019 at 00:53, on Zulip):

I'd rather have version info encoded in compiled binaries. It is small enough that we can make all Cargo-compiled binaries have it. Then you can run an analyzer manually or as a cronjob. The system is simple, transparent and it's clear how it will communicate with you in case it finds an issue

Zach Reizner (Jan 06 2019 at 00:54, on Zulip):

That seems like a better alternative.

Zach Reizner (Jan 06 2019 at 00:54, on Zulip):

Although I'm not sure how it would solve the communication issue.

Shnatsel (Jan 06 2019 at 00:57, on Zulip):

Well, if you're running it manually it just prints to stdout. And if you're setting up a cronjob you presumably set up alerting as well. The great thing about it is that since all the required data is already in the binary, anyone can audit it. Even if it's a weird thing like a docker container, both your cloud provider and docker container registry can run an audit and notify whoever has it running and image owner respectively

Shnatsel (Jan 06 2019 at 00:57, on Zulip):

I think Google Cloud already does security scans on Docker images, but it's limited to Linux distro packages right now

Shnatsel (Jan 06 2019 at 00:58, on Zulip):

So all you need to do as a user is simply check a checkbox

Shnatsel (Jan 06 2019 at 00:59, on Zulip):

According to the docs injecting extra data into the binary should be pretty straightforward. Address Sanitizer settings encoded in the binary can be seen as prior art.

Zach Reizner (Jan 06 2019 at 01:04, on Zulip):

I see what you mean.

Shnatsel (Jan 06 2019 at 01:14, on Zulip):

Also, thanks a lot for writing crates-audit. As you can see, I am enjoying it :)

Shnatsel (Jan 06 2019 at 01:20, on Zulip):

And it has already found two widespread issues that are not fixable by cargo update. That too.

Tony Arcieri (Jan 06 2019 at 17:41, on Zulip):

nice re: rust-amqp

Tony Arcieri (Jan 06 2019 at 17:42, on Zulip):

that reminds me, I should incorporate the changes the RustPräzi authors suggested

Tony Arcieri (Jan 06 2019 at 17:42, on Zulip):

into the rustsec crate and the advisory DB

Tony Arcieri (Jan 06 2019 at 17:43, on Zulip):

it's mostly making paths to vulnerable code generic over functions as well as types, and breaking them down version-by-version (e.g. if a vulnerable function was renamed at some point)

Shnatsel (Jan 07 2019 at 18:43, on Zulip):

@Zach Reizner is building on pre-1.31 Rust a hard requirement for crates-audit? My PR to upgrade it to the rustsec crate version that would fix the false positives fails CI because with 0.10 came a bump to 2018 edition

Zach Reizner (Jan 07 2019 at 18:46, on Zulip):

Oh, I just saw your PR. Gitlab apparently does not notify me of events on my own repos by default!

Zach Reizner (Jan 07 2019 at 18:46, on Zulip):

Taking a look now.

Zach Reizner (Jan 07 2019 at 19:00, on Zulip):

Upgrading the CI to use 1.31 or whatever the latest rust is should always be fine with me.

Zach Reizner (Jan 07 2019 at 19:01, on Zulip):

I commented on your PR on how to fix the pipeline in your branch so that I can merge it.

Shnatsel (Jan 07 2019 at 19:08, on Zulip):

Done. Thanks!

Zach Reizner (Jan 07 2019 at 19:34, on Zulip):

Merged. It looks like it reduced the number of reported crates by 1000

Shnatsel (Jan 07 2019 at 19:42, on Zulip):

Yup, almost. 1696 to 724

Alex Gaynor (Jul 20 2019 at 16:01, on Zulip):

Is sorting things on https://crates.rustsec.org/ by download count on the TODO list already?

Alex Gaynor (Jul 20 2019 at 16:13, on Zulip):

Looks like right now the list of crates comes from the git repo, not the crates.io API, so it'd require adding that

Tony Arcieri (Jul 20 2019 at 16:14, on Zulip):

@Alex Gaynor that sounds good

Alex Gaynor (Jul 20 2019 at 16:14, on Zulip):

/me looks at his TODO list for the weekend and does this instead

Tony Arcieri (Jul 20 2019 at 16:30, on Zulip):

hahaha

Tony Arcieri (Jul 20 2019 at 16:30, on Zulip):

/me finally gonna try to play with rustembedded on PyPortal :smiley:

Tony Arcieri (Jul 20 2019 at 16:30, on Zulip):

they just got the ADC working so we can finally use the joystick

Shnatsel (Jul 20 2019 at 16:35, on Zulip):

@Alex Gaynor actually I've found that the current representation is not very helpful. It would be way better to group the view by vulnerabilities and look at the affected crates for each, instead of looking at every crate in isolation and getting a list of vulnerabilities. This was my impression when I was using this to try to go and fix stuff last time there was no semver-compatible fix.

Alex Gaynor (Jul 20 2019 at 16:37, on Zulip):

I think probably two different views are required for different use cases -- if you're trying to work through the impact of one particular vuln, you want what you said, if you're just trying to clean up the ecosystem, starting from "most downloads" makes the most sense.

Tony Arcieri (Jul 20 2019 at 16:39, on Zulip):

I should ping the RustPräzi people again. I kept hoping they'd make a hosted version, but it seems it might've just been a (now abandoned) academic project :cry:

Tony Arcieri (Jul 20 2019 at 16:39, on Zulip):

as in https://github.com/praezi/rust

Alex Gaynor (Jul 20 2019 at 16:54, on Zulip):

Ok, here we go: https://gitlab.com/zachreizner/crates-audit/merge_requests/2

Tony Arcieri (Jul 20 2019 at 16:57, on Zulip):

@Zach Reizner do you have any thoughts about moving crates-audit under https://github.com/rust-secure-code/ ? I mainly ask because it's both cool but also has low visibility / awareness

Alex Gaynor (Jul 20 2019 at 16:58, on Zulip):

I'd be in favor of that -- mostly because I'm lazy and having things in one place is convenient.

Alex Gaynor (Jul 20 2019 at 16:59, on Zulip):

Already one useful PR out of sorting these things: https://github.com/abonander/buf_redux/pull/13

Zach Reizner (Jul 20 2019 at 17:07, on Zulip):

I would be fine with moving it, but the gitlab ci would have to be ported.

Tony Arcieri (Jul 20 2019 at 17:07, on Zulip):

I can help set up CI

Zach Reizner (Jul 20 2019 at 17:08, on Zulip):

The CI is what actually does the audit.

Tony Arcieri (Jul 20 2019 at 17:08, on Zulip):

aah

Tony Arcieri (Jul 20 2019 at 17:08, on Zulip):

can you host the repo on GitHub but use GitLab CI?

Tony Arcieri (Jul 20 2019 at 17:08, on Zulip):

I haven't really used GitLab

Zach Reizner (Jul 20 2019 at 17:08, on Zulip):

Also, I know we have that longstanding issue of moving off of cloudflare, which I think is used to serve the traffic from my Google cloud bucket more cheaply.

Alex Gaynor (Jul 20 2019 at 17:09, on Zulip):

Travis has the ability to do builds scheduled daily/weekly/monthly, that seems sufficient?

Tony Arcieri (Jul 20 2019 at 17:09, on Zulip):

yeah I'd love to migrate all of the (other) RustSec stuff to use GitHub Pages built-in HTTPS support

Tony Arcieri (Jul 20 2019 at 17:09, on Zulip):

yeah Travis is what we're using for some of the other projects

Tony Arcieri (Jul 20 2019 at 17:09, on Zulip):

well mostly RustSec

Zach Reizner (Jul 20 2019 at 17:10, on Zulip):

Yeah. It should be sufficient

Zach Reizner (Jul 20 2019 at 17:11, on Zulip):

I'm currently on vacation until Tuesday, but I can review patches in the meantime if anybody steps up.

Tony Arcieri (Jul 20 2019 at 17:12, on Zulip):

I can make a repo which you can push the existing code (possibly after merging some PRs) to whenever you're ready

Tony Arcieri (Jul 20 2019 at 17:12, on Zulip):

I guess one question is should it be https://github.com/rustsecurecode or https://github.com/rustsec

Tony Arcieri (Jul 20 2019 at 17:12, on Zulip):

on second thought it feels a bit more like the latter

Alex Gaynor (Jul 20 2019 at 17:14, on Zulip):

Should go in the same place as cargo-audit and friends

Tony Arcieri (Jul 20 2019 at 17:20, on Zulip):

this is also reminding me I should add a second admin (or rather, third, as I gave @Joshua Liebow-Feeser access) for RustSec

Shnatsel (Jul 20 2019 at 17:25, on Zulip):

This reminds me, I should finish my RFC for something like https://github.com/Shnatsel/rust-audit in Cargo by default

Shnatsel (Jul 20 2019 at 17:26, on Zulip):

among a zillion other things

Tony Arcieri (Jul 20 2019 at 17:30, on Zulip):

@Shnatsel I should also finally address your issue about taking the lockfile via stdin

Shnatsel (Jul 20 2019 at 17:32, on Zulip):

you have a few months before people start really actually needing it because there is no way my RFC is going to be merged in less than a month, let alone implemented

Shnatsel (Jul 20 2019 at 17:33, on Zulip):

I've opened this trivial thing a month ago and it's yet to be looked at by the libs team: https://github.com/rust-lang/rfcs/pull/2714

Tony Arcieri (Jul 20 2019 at 17:43, on Zulip):

@Zach Reizner is this your GitHub account? https://github.com/zachreizner

Zach Reizner (Jul 20 2019 at 17:46, on Zulip):

Yes

Tony Arcieri (Jul 20 2019 at 17:47, on Zulip):

cool, sending you an invite

Tony Arcieri (Jul 20 2019 at 17:48, on Zulip):

sent, and here's an empty crates-audit repo: https://github.com/RustSec/crates-audit

Tony Arcieri (Jul 20 2019 at 17:49, on Zulip):

you (and @Alex Gaynor and @Shnatsel) have admin access to it

Shnatsel (Jul 20 2019 at 17:49, on Zulip):

This feels like a Google takeover of RustSec. 3 out of 5 people in there are employed by Google.

Tony Arcieri (Jul 20 2019 at 17:52, on Zulip):

hahaha

Tony Arcieri (Jul 20 2019 at 17:52, on Zulip):

eh, better than bus factor 1 :wink:

Tony Arcieri (Jul 20 2019 at 17:55, on Zulip):

BBIAB

Shnatsel (Jul 20 2019 at 18:43, on Zulip):

@Tony Arcieri speaking of rust-praezi: https://github.com/trailofbits/siderophile also generates a call graph and actually exports it too

Tony Arcieri (Jul 20 2019 at 19:00, on Zulip):

the thing I liked about RustPräzi was it was built for a global analysis of all of crates.io. I saw that (I know several Trail o' Bits people via various blockchain stuff), but it looked more like an enhanced cargo geiger to me...

Last update: Nov 11 2019 at 22:25UTC