Project Description
Look into things that make security/code reviews of rust code easier and play with cargo-crev.
Is there a lint or other automatic way, like a deny compiler directive, to check that a rust crate doesn't write any files? Can we come up with a list of these implicit capabilities in the standard library to make it easier to know which places to review? Maybe the crate cap-std can be inspiration? Is there a way to sandbox cargo build scripts?
cargo-crev allows coordination of reviews via a web of trust. How can it be extended with categories to differentiate a review that attests that the crate is e.g. safe to run with trusted input from one that attests it is fully sound? How can the relation between these categories, like one being a proper sub-category of another, be made machine readable? See a draft of how machines could assist in collaborative review for more general ideas.
Goal for this Hackweek
cargo-crev doesn't support relating to GPG/OpenPGP yet: https://github.com/crev-dev/cargo-crev/issues/58
cargo-geiger, which is also used by cargo-crev, walks the source in the simplest way ( https://github.com/rust-secure-code/cargo-geiger/blob/master/geiger/src/geiger_syn_visitor.rs ), so it will miss uses in macros. clippy has an easy to use lint for disallowed methods https://rust-lang.github.io/rust-clippy/master/index.html#disallowed_methods but I don't know if there are any uses it will miss.
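As an added example (not part of the project's own material), a clippy.toml that points the disallowed_methods lint at the file-writing entry points of the standard library; the list of paths is a starting point I assembled for this purpose, not a complete inventory of every way to write a file:

```toml
# clippy.toml placed in the crate root. Each entry names a std function or
# method that creates, modifies or deletes files; clippy reports every call
# site so a reviewer knows exactly where to look.
disallowed-methods = [
    # one-shot writers
    { path = "std::fs::write", reason = "crate must not write files" },
    { path = "std::fs::copy", reason = "crate must not write files" },
    { path = "std::fs::rename", reason = "crate must not write files" },
    # handles opened for writing
    { path = "std::fs::File::create", reason = "crate must not write files" },
    { path = "std::fs::OpenOptions::write", reason = "opens a file for writing" },
    { path = "std::fs::OpenOptions::append", reason = "opens a file for appending" },
    { path = "std::fs::OpenOptions::truncate", reason = "truncates an existing file" },
    # directory and metadata changes
    { path = "std::fs::create_dir", reason = "crate must not modify the filesystem" },
    { path = "std::fs::create_dir_all", reason = "crate must not modify the filesystem" },
    { path = "std::fs::remove_file", reason = "crate must not modify the filesystem" },
    { path = "std::fs::remove_dir", reason = "crate must not modify the filesystem" },
    { path = "std::fs::remove_dir_all", reason = "crate must not modify the filesystem" },
    { path = "std::fs::hard_link", reason = "crate must not modify the filesystem" },
    { path = "std::fs::set_permissions", reason = "crate must not modify the filesystem" },
    { path = "std::os::unix::fs::symlink", reason = "crate must not modify the filesystem" },
    # child processes can write on the crate's behalf
    { path = "std::process::Command::new", reason = "spawning processes needs review" },
]
```

Enable it with `#![deny(clippy::disallowed_methods)]` in the crate root or `cargo clippy -- -D clippy::disallowed_methods`; because clippy runs on the expanded code it also sees calls produced by macros, but it only covers this crate, so writes done through FFI, raw syscalls or a dependency's own wrapper functions still need separate review.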
Made it possible to walk repos and thus find reviews from people you did not yet trust: https://github.com/crev-dev/cargo-crev/pull/480
Resources
This project is part of:
Hack Week 21