Ignore build.rs #116
Comments
TL;DR: yes. Build scripts have a completely different attack model. They can run arbitrary code at build time - steal your passwords, download malware, you name it. Whether they use What we should be concerned is build.rs generating code with In the same vein, unsafe code in dev- and build-dependencies should be excluded from the tally.
Agree with @Shnatsel: I think of
Great, let's make it ignore build.rs!
Should build and dev dependencies be completely ignored, never scanned, never reported, or only ignored when summing up the final score on the bottom line?
Well, build dependencies have a totally different threat model, so I don't see how looking for unsafe code in them would be useful. It would be misleading, if anything. And dev dependencies ostensibly don't affect the final binary at all. I'd just exclude them completely, and wait for someone with a use case for scanning them to show up.
Sounds good to me.
I am interested in the "completely different attack model" of crates attacking the build machine, because they can inject unsafe code into the executable. For example, nothing stops a sneaky crate from modifying Could you consider an option in cargo-geiger that flags all build-time code execution? build.rs, proc macros.
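As an added example (not cargo-geiger's own code), here is a small Rust classifier that sorts a Cargo.toml's dependencies by kind so that only normal dependencies feed the unsafe tally, while the build-script and proc-macro declarations a manifest carries are surfaced separately, in the spirit of the option asked for above. The manifest reader is a deliberately simplified stand-in for the `toml` crate and assumes one dependency per line with no sub-tables or target-specific sections.

```rust
use std::collections::BTreeMap;
/// Where a dependency sits in the build graph; only Normal feeds the tally.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DepKind { Normal, Build, Dev }

#[derive(Debug, Default)]
pub struct Manifest {
    pub deps: BTreeMap<String, DepKind>,
    pub has_build_script: bool, // build-time code execution: build.rs
    pub is_proc_macro: bool,    // build-time code execution: proc macro
}

/// Minimal line-oriented Cargo.toml reader (assumption: one dependency per
/// line, no `[dependencies.x]` sub-tables, no `target.*` sections); real tooling should use the `toml` crate.
pub fn parse_manifest(text: &str) -> Manifest {
    let mut m = Manifest::default();
    let mut section = String::new();
    for raw in text.lines() {
        // Drop comments (assumes no '#' inside quoted values) and whitespace.
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() { continue; }
        if line.starts_with('[') && line.ends_with(']') {
            section = line[1..line.len() - 1].to_string();
            continue;
        }
        let (key, value) = match line.split_once('=') {
            Some((k, v)) => (k.trim().trim_matches('"'), v.trim()),
            None => continue,
        };
        match section.as_str() {
            // Cargo also auto-detects a build.rs file without this key; a real scanner checks the filesystem too.
            "package" if key == "build" => m.has_build_script = value != "false",
            "lib" if key == "proc-macro" => m.is_proc_macro = value == "true",
            "dependencies" => { m.deps.insert(key.to_string(), DepKind::Normal); }
            "build-dependencies" => { m.deps.insert(key.to_string(), DepKind::Build); }
            "dev-dependencies" => { m.deps.insert(key.to_string(), DepKind::Dev); }
            _ => {}
        }
    }
    m
}

/// Sum per-crate unsafe counts over Normal dependencies only (Build and Dev excluded).
pub fn tally_unsafe(m: &Manifest, counts: &BTreeMap<String, usize>) -> usize {
    m.deps.iter()
        .filter(|(_, kind)| **kind == DepKind::Normal)
        .map(|(name, _)| counts.get(name).copied().unwrap_or(0))
        .sum()
}
```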
Should cargo-geiger ignore build.rs since that code doesn't end up in the target binary?
Summary
Yes, cargo-geiger should ignore build.rs.