Support scanning Rust binaries built with cargo auditable
#1332
Comments
Thanks for the FR. This indeed looks like a great fit for OSV-Scanner.

@G-Rath is this something we can put in your backlog?

Since my understanding is that we have to open a file to know if it's Rust and supports this, and I assume doing that for every/most files would be relatively expensive, our thinking for support would be as an explicit opt-in like with Alpine, JSON, etc.? i.e. I also assume this should actually now get added to

That makes sense to me. For example, Trivy requires an explicit opt-in to look for The use case of recursively scanning a directory and looking for

Looks like someone has beaten me to it: google/osv-scalibr#377 😄

That PR's approach with

Hadn't seen this GitHub issue before making the PR, but greatly appreciate everyone's input, thanks!
`cargo auditable` is a project by Rust's Secure Code WG. It embeds the list of dependencies into the binary itself, so that it can then be audited for known vulnerabilities.

Auditing such binaries is already supported by `cargo audit` and Trivy. It would be nice to get support for it in `osv-scanner` as well.

`cargo auditable` is used for all Rust builds by at least 5 Linux distributions, including Alpine. A number of organizations use `cargo auditable`, but to the best of my knowledge only Microsoft has spoken about it publicly.

There is already a Go library for extracting this data, which should make the integration quite easy: https://github.com/microsoft/go-rustaudit

I am the principal author of `cargo auditable` and I'm happy to answer any questions you might have.