A tool that lists statistics related to the usage of unsafe Rust code in a Rust crate and all its dependencies.
This cargo plugin was originally based on the code from two other projects:
- https://github.com/icefoxen/cargo-osha and
- https://github.com/sfackler/cargo-tree
Try to find and use a system-wide installed OpenSSL library:
cargo install --locked cargo-geiger
Or, build and statically link OpenSSL as part of the cargo-geiger executable:
cargo install --locked cargo-geiger --features vendored-openssl
Alternatively pre-built binary releases are available from GitHub releases.
- Navigate to the same directory as the
Cargo.toml
you want to analyze. cargo geiger
This tool is not meant to advise directly whether the code ultimately is truly insecure or not.
The purpose of cargo-geiger is to provide statistical input to auditing e.g. with:
The use of unsafe is nuanced and necessary in some cases and any motivation to use it is outside the scope of cargo-geiger.
It is important that any reporting is handled with care:
- Reddit: The Stigma around Unsafe
- YouTube: Rust NYC: Jon Gjengset - Demystifying unsafe code
- Rust-lang: WG Unsafe Code Guidelines
- See the issue tracker.
Cargo Geiger exposes three libraries:
cargo-geiger
- Unversioned and highly unstable library exposing the internals of thecargo-geiger
binary. As such, any function contained within this library may be subject to change.cargo-geiger-serde
- A library containing the serializable report typesgeiger
- A library containing a few decoupled cargo components used by cargo-geiger
See the changelog.
https://en.wikipedia.org/wiki/Geiger_counter
Unsafe code, like ionizing radiation, is unavoidable in some situations and should be safely contained!