DEV Community

flipchan
Fixing Rust Dependencies Vulnerabilities

Rust is a relatively new and fun programming language that aims for the trifecta of security, stability and speed.

As developers, we know it is a pain to stay up to date with the latest dependency versions.

Dependency Vulnerabilities

As Rust matures, more eyes are on it and its security community keeps growing, so more and more security problems are being found, reported and fixed.

Even Google's fuzzing project OSS-Fuzz, which has found several thousand vulnerabilities across a large body of open-source software, now supports Rust.

Source:
https://google.github.io/oss-fuzz/

Luckily, thanks to an active community, more and more security vulnerabilities are being reported, so we need to keep our crate versions up to date.

If you run your own GitLab instance, you can easily set up a CI runner that checks each push and verifies that the dependency versions in your Cargo.toml are current and free of known advisories.

A tutorial on how to do this with Jenkins is posted here:
https://blog.firosolutions.com/2019/07/firo-sec-rust-with-jenkins/

A small group in the Rust community has founded a security advisory database, https://rustsec.org/, where anyone can report security vulnerabilities found in public dependencies/crates.

Scan your Cargo.toml file

I like to use a site called https://rust.firosolutions.com


Simply paste in your Cargo.toml file, or a link to it, and the site reports which dependencies are out of date and which ones carry known vulnerabilities, so you can update the versions in your Cargo.toml file right away.
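As an added example of the kind of check a CI runner or the scanning site performs (this is not code from the original post, from rust.firosolutions.com or from RustSec), here is a small std-only Rust program that reads the [dependencies] table of a Cargo.toml, compares each minimum version against a list of advisories and exits non-zero when something is flagged. The manifest, the crate names (demo_http, demo_parser, ...) and the advisory IDs (EXAMPLE-0001, ...) are constructed for the example and do not refer to real crates or real advisories.

```rust
// Added example (not from the original post, rust.firosolutions.com or RustSec); all names are constructed.
use std::collections::BTreeMap;

pub type Version = (u64, u64, u64); // (major, minor, patch); tuples compare lexicographically

/// Parse "1.2.3", "1.2" or "1" (a leading ^, ~ or = is dropped); missing parts
/// default to 0, the lower bound of a caret requirement. "1.*" yields None.
pub fn parse_version(s: &str) -> Option<Version> {
    let s = s.trim().trim_start_matches(|c: char| c == '^' || c == '~' || c == '=');
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next().unwrap_or(Some(0))?;
    let patch = parts.next().unwrap_or(Some(0))?;
    Some((major, minor, patch))
}

/// `name = "1.2.3"` or `name = { version = "1.2.3", ... }`; entries without a
/// version (git/path dependencies) yield None and are skipped by the caller.
fn requirement_of(line: &str) -> Option<(String, String)> {
    let (name, value) = line.split_once('=')?;
    let value = value.trim();
    let quoted = if value.starts_with('{') {
        value.split_once("version")?.1.trim_start().strip_prefix('=')?
    } else {
        value
    };
    let req = quoted.split('"').nth(1)?.to_string();
    Some((name.trim().trim_matches('"').to_string(), req))
}

/// Collect `name -> requirement` from the [dependencies] table only. Comment
/// stripping is line-based; a real tool should use a TOML parser instead.
pub fn parse_dependencies(manifest: &str) -> BTreeMap<String, String> {
    let mut deps = BTreeMap::new();
    let mut in_deps = false;
    for raw in manifest.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.starts_with('[') {
            in_deps = line == "[dependencies]"; // dev-/build-/target tables ignored
        } else if in_deps {
            if let Some((name, req)) = requirement_of(line) {
                deps.insert(name, req);
            }
        }
    }
    deps
}

/// Constructed advisory: every release of `krate` below `patched` is affected.
pub struct Advisory { pub id: &'static str, pub krate: &'static str, pub patched: Version }

/// (crate, advisory id) for each dependency whose minimum acceptable version is
/// older than the patched release. A caret requirement lets Cargo resolve a newer
/// patch level, so this is a manifest-level warning; Cargo.lock has the real pins.
pub fn audit(deps: &BTreeMap<String, String>, advisories: &[Advisory]) -> Vec<(String, String)> {
    let mut findings = Vec::new();
    for adv in advisories {
        if let Some(req) = deps.get(adv.krate) {
            if parse_version(req).map_or(false, |v| v < adv.patched) {
                findings.push((adv.krate.to_string(), adv.id.to_string()));
            }
        }
    }
    findings
}

/// Constructed manifest (not a real project).
pub const SAMPLE_MANIFEST: &str = r##"
[package]
name = "vuln_demo"
version = "0.1.0"
[dependencies]
demo_http = "0.2.1"                                      # below patched 0.2.4
demo_parser = { version = "1.4.0", features = ["std"] }  # already patched
demo_json = "2"                                          # no advisory
demo_git = { git = "https://example.invalid/demo_git" }  # no version: skipped
[dev-dependencies]
demo_test = "0.1.0"                                      # not scanned
"##;

/// Constructed advisories; the IDs and crate names are invented.
pub fn sample_advisories() -> Vec<Advisory> {
    vec![
        Advisory { id: "EXAMPLE-0001", krate: "demo_http", patched: (0, 2, 4) },
        Advisory { id: "EXAMPLE-0002", krate: "demo_parser", patched: (1, 3, 2) },
        Advisory { id: "EXAMPLE-0003", krate: "demo_test", patched: (0, 2, 0) },
    ]
}

fn main() {
    let findings = audit(&parse_dependencies(SAMPLE_MANIFEST), &sample_advisories());
    for (krate, id) in &findings {
        println!("VULNERABLE {} ({})", krate, id);
    }
    if !findings.is_empty() {
        std::process::exit(1); // a non-zero exit fails the CI job
    }
}
```

Wire the exit status into the CI job and the build fails whenever a flagged crate is present. Two caveats to keep in mind: Cargo.toml only states the minimum version a caret requirement allows, so the authoritative check is against the exact versions pinned in Cargo.lock (RustSec's cargo-audit tool works from the lockfile for that reason), and the hand-rolled line parser is enough for the example but a real tool should use a proper TOML parser and the full patched/unaffected ranges that the advisory database publishes.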

You can even upload your Cargo.toml file to a pasting service or similar and tell the site to scan it through its API:

curl -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"urllink":"https://raw.githubusercontent.com/FiroSolutions/vuln_rust/master/Cargo.toml"}' https://rust.firosolutions.com/apiadd

I like rust.firosolutions.com because you can also import your Cargo.toml file and receive email notifications when new versions get released, so you do not need to worry about falling out of date!

External links:

https://rust.firosolutions.com
https://blog.firosolutions.com
