Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support scanning Rust binaries built with cargo auditable #1332

Open
Shnatsel opened this issue Oct 18, 2024 · 2 comments
Open

Support scanning Rust binaries built with cargo auditable #1332

Shnatsel opened this issue Oct 18, 2024 · 2 comments
Assignees
Labels
enhancement New feature or request

Comments

@Shnatsel
Copy link

cargo auditable is a project by Rust's Secure Code WG. It embeds the list of dependencies into the binary itself, so that it can then be audited for known vulnerabilities.

Auditing such binaries is already supported by cargo audit and Trivy. It would be nice to get support for it in osv-scanner as well.

cargo auditable is used for all Rust builds by at least 5 Linux distributions, including Alpine. A number of organizations use cargo auditable, but to the best of my knowledge only Microsoft has spoken about it publicly.

There is already a Go library for extracting this data, which should make the integration quite easy: https://github.com/microsoft/go-rustaudit

I am the principal author of cargo auditable and I'm happy to answer any questions you might have.

@oliverchang
Copy link
Collaborator

Thanks for the FR. this indeed looks like a great fit for OSV-Scanner.

@oliverchang oliverchang added backlog Important but currently unprioritized enhancement New feature or request and removed backlog Important but currently unprioritized labels Oct 20, 2024
@oliverchang
Copy link
Collaborator

@G-Rath is this something we can put in your backlog?

@G-Rath G-Rath self-assigned this Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants