Stream: wg-secure-code

Topic: Security linter?


Nicolas Bigaouette (Feb 01 2020 at 02:31, on Zulip):

Hi all! Not sure where to ask, so doing so here...

At $dayjob we are scanning our code base with security "linters". Those include for example Bandit for Python (https://github.com/PyCQA/bandit) or gosec for go (https://github.com/securego/gosec).

Those tools will go further than what clippy does. Instead of looking at "code quality" patterns they look for security issues. For example they contain lints for whether your app listens on all interfaces, weak crypto usage or even committed credentials.

Since those tools are used as part of a process, I am sure the question of whether such a tool exists for rust will arise.

Does something like this already exist? I don't know the internals of clippy, but could a "security" lint category be possible?

Alex Gaynor (Feb 01 2020 at 02:32, on Zulip):

Clippy has quite a few security lints, primarily focused around unsafe ATM.

Shnatsel (Feb 02 2020 at 14:11, on Zulip):

There are a bunch of Clippy lints, mostly in the correctness category, that flag incorrect use of unsafe. Last I checked Clippy developers were open to making a security category too: https://github.com/rust-secure-code/wg/issues/27#issuecomment-454477101
I don't think any checkers for committed credentials exist yet, but I expect Clippy is the easiest way to implement them.

Nicolas Bigaouette (Feb 03 2020 at 16:42, on Zulip):

Great, thanks both! Having this kind of security lint directly in clippy would be awesome. I'll take a look at the issue tracker.

Last update: Feb 25 2020 at 03:50 UTC