Stream: wg-secure-code

Topic: cargo-audit #23


Hanif Ariffin (Oct 03 2019 at 18:05, on Zulip):

Hi, I would like to work on this issue. However, I have 2 problems: I am not sure where to start, and I don't have any tests that I can work on. I tried looking up stuff in the "database" but all of them have already yanked their vulnerable versions, preventing me from getting them...

Hanif Ariffin (Oct 03 2019 at 18:06, on Zulip):

forgot the link to the issue, for convenience => https://github.com/RustSec/cargo-audit/issues/23

Shnatsel (Oct 03 2019 at 18:39, on Zulip):

@Tony Arcieri any updates on that "test advisory"? Or is there an easy way to override the source of the database?

Shnatsel (Oct 03 2019 at 18:40, on Zulip):

In the meanwhile, I'm pretty sure ncurses crate is unsafe as all get out and there are open advisories for stuff depending on it as well

Shnatsel (Oct 03 2019 at 18:40, on Zulip):

https://rustsec.org/advisories/RUSTSEC-2019-0005.html
https://rustsec.org/advisories/RUSTSEC-2019-0006.html
These two are still not fixed/yanked

Shnatsel (Oct 03 2019 at 18:41, on Zulip):

@Hanif Ariffin :point_up: you can use these ones

Hanif Ariffin (Oct 03 2019 at 18:41, on Zulip):

thank you :)

Shnatsel (Oct 03 2019 at 18:56, on Zulip):

Oh wait, there are no fixed versions for these either

Hanif Ariffin (Oct 03 2019 at 19:26, on Zulip):

what is the format of the database's table?
the suggestions by cargo-audit default to the latest version, which is not secure....
AFAIK, there must be a change in the rustsec repo for this to be more robust, i.e. say that there are no secure versions available!

Hanif Ariffin (Oct 03 2019 at 19:27, on Zulip):

TODO:

  1. Study the rustsec's report format
  2. Read/Write Cargo.toml file

Shnatsel (Oct 03 2019 at 19:48, on Zulip):

Advisories are in TOML files: https://github.com/RustSec/advisory-db
The crate to parse that and match it against versions is here: https://github.com/RustSec/rustsec-crate

Tony Arcieri (Oct 03 2019 at 22:12, on Zulip):

I should create a test advisory, yeah...

Tony Arcieri (Oct 03 2019 at 22:13, on Zulip):

@Hanif Ariffin I can sketch out my idea of how to implement it in cargo-audit#23

Tony Arcieri (Oct 03 2019 at 22:13, on Zulip):

but yeah, parsing Cargo.toml files will be a part of that

Tony Arcieri (Oct 03 2019 at 22:15, on Zulip):

this crate already parses the Cargo.lock file and builds a dependency tree modeled with petgraph https://docs.rs/cargo-lock/3.0.0/cargo_lock/dependency/tree/struct.Tree.html

Tony Arcieri (Oct 03 2019 at 22:16, on Zulip):

so a fix command would need to walk that dependency graph from a vulnerable dependency to its edges, and then map the edges to crates in the local workspace, and then find the relevant dependency in the local crate's [dependencies] in Cargo.toml

Tony Arcieri (Oct 03 2019 at 22:16, on Zulip):

right now it doesn't parse Cargo.toml whatsoever

Tony Arcieri (Oct 03 2019 at 22:17, on Zulip):

I'd probably suggest only parsing Cargo.toml files for the audit fix command so we can continue to work on Cargo.lock files alone

Hanif Ariffin (Oct 07 2019 at 01:41, on Zulip):

This is strange :/ I can't keep the version low for me to test anything

Hanif Ariffin (Oct 07 2019 at 01:42, on Zulip):

it seems that all versions of ncurses have been yanked? and it goes immediately to the latest one

Hanif Ariffin (Oct 07 2019 at 01:44, on Zulip):

is it okay if I just make a dummy crate :<

  1. put something in there, publish
  2. remove the thing
  3. should advise bumping up the dependency

Hanif Ariffin (Oct 07 2019 at 02:57, on Zulip):

sorry I am a bit slow with this stuff :(
In the meantime I have made a PR that improved the error message

Hanif Ariffin (Oct 07 2019 at 03:15, on Zulip):

what does it mean for this if to fail? that there are no advisories available? https://github.com/hbina/cargo-audit/blob/5ae1d70d9ed4ffcc6c5592796ca6ff0ca283a9f4/src/presenter.rs#L100

Shnatsel (Oct 07 2019 at 18:38, on Zulip):

@Tony Arcieri :point_up: any ideas about that if?

Tony Arcieri (Oct 07 2019 at 18:39, on Zulip):

those are for informational advisories that show warnings

Tony Arcieri (Oct 07 2019 at 18:39, on Zulip):

@Hanif Ariffin let me go ahead and create a test crate and test advisory...

Tony Arcieri (Oct 09 2019 at 01:27, on Zulip):

There is now a test advisory: RUSTSEC-2019-0024: https://github.com/RustSec/advisory-db/pull/187

Hanif Ariffin (Oct 10 2019 at 00:02, on Zulip):

I am thinking that the fix should find non-API-breaking versions to be considered first, yes?

Hanif Ariffin (Oct 10 2019 at 00:03, on Zulip):

btw, the way I set it up is you run it like this: cargo-audit audit --fix, since I am going to need audit to be performed before I can perform any fix...

Tony Arcieri (Oct 10 2019 at 00:04, on Zulip):

@Hanif Ariffin my suggestion for the heuristics would be starting with the latest version and working backwards until it finds the newest version that satisfies the given requirements

Tony Arcieri (Oct 10 2019 at 00:04, on Zulip):

sure that sounds fine

Tony Arcieri (Oct 10 2019 at 15:29, on Zulip):

nice @ https://github.com/RustSec/cargo-audit/pull/151

Last update: Nov 11 2019 at 23:25UTC