
Build binaries with cargo auditable #81

Closed
Aloso opened this issue Feb 1, 2023 · 9 comments

Comments

@Aloso

Aloso commented Feb 1, 2023

This makes sure that all dependencies and their versions are embedded in the binary in a machine-readable format, and can be obtained with cargo audit bin. This allows auditing binaries for vulnerabilities that weren't yet known when the binaries were built.

@Shnatsel

Shnatsel commented Feb 2, 2023

Hello! Author of cargo auditable here 👋

I'd love to see this integration and I'm happy to support it on my end!

There's precedent for transparently enabling this in Linux distros: Void Linux builds all their Cargo packages with cargo auditable, and Nix is canarying it on a few popular packages before rolling it out to the entire archive. So it's been tested pretty widely and is known to work with a wide variety of packages, and not break even in exotic configurations.

And it's not just cargo audit that consumes this data, Syft and Trivy can read it as well. That's how Microsoft uses it.

The only caveat I can think of is unsupported platforms - cargo auditable will refuse to build WASM because it doesn't know how to make it auditable. But I can just add an environment variable you can set to ignore unsupported platforms and that should ensure there's no breakage. Unsupported platforms now build but emit a warning. WASM is also supported starting with v0.6.3.

@Gankra
Contributor

Gankra commented Feb 16, 2023

(will re-evaluate this when core stuff is more settled, thanks for the info!)

@simonsan

Hey, just wanted to chime in to state that I'm really looking forward to this! (:

@duckinator
Contributor

duckinator commented Nov 6, 2024

This was implemented in #1528. Once there's been a release including it, you can have dist use cargo auditable build instead of cargo build by adding this to the [dist] section of dist-workspace.toml:

```toml
cargo-auditable = true
```
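The setting above makes dist run `cargo auditable build`, which embeds the full dependency list in the binary as zlib-compressed JSON in a section named `.dep-v0`. As an added illustration of what a consumer such as `cargo audit bin` does with that data (this is example code written for this page, not code from cargo-auditable, dist, or anyone in this thread), the Python below builds a constructed sample of that JSON document, round-trips it through the compressed form, walks the runtime dependency graph from the root package while skipping build-only dependencies, and matches the result against a constructed advisory list. Every crate version and the advisory identifier are made up for the example; the advisory format (crate, id, first patched version) is an assumption for illustration, not the RustSec database schema.

```python
import json
import zlib

# Constructed sample of the document cargo auditable embeds in the binary.
# Entries in "dependencies" are indices into the "packages" list; "root"
# marks the binary's own crate; kind == "build" marks a build-only dependency
# (default is runtime). Names and versions are invented for this example.
SAMPLE_AUDIT_JSON = {
    "packages": [
        {"name": "myapp", "version": "1.0.0", "source": "local", "root": True,
         "dependencies": [1, 2]},
        {"name": "serde", "version": "1.0.190", "source": "crates.io",
         "dependencies": []},
        {"name": "regex", "version": "1.9.0", "source": "crates.io",
         "dependencies": [3]},
        {"name": "regex-syntax", "version": "0.7.4", "source": "crates.io",
         "dependencies": []},
        {"name": "cc", "version": "1.0.83", "source": "crates.io",
         "kind": "build", "dependencies": []},
    ]
}

# Constructed advisory list with a placeholder identifier (not a real advisory):
# crate name -> [(advisory id, first patched version), ...]
SAMPLE_ADVISORIES = {
    "regex": [("PLACEHOLDER-ADVISORY-0001", "1.9.6")],
}


def encode_audit_section(doc):
    """Serialize the way cargo auditable stores it: compact JSON, zlib-compressed.
    This is the payload of the .dep-v0 section."""
    return zlib.compress(json.dumps(doc, separators=(",", ":")).encode("utf-8"))


def decode_audit_section(blob):
    """Inverse of encode_audit_section, i.e. what an auditor does after locating
    the .dep-v0 section inside a compiled binary."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))


def runtime_packages(doc):
    """(name, version) for every package reachable from a root package through
    non-build edges. Build-only dependencies never end up in the shipped
    binary, so they are not a runtime risk and are left out."""
    packages = doc["packages"]
    stack = [i for i, p in enumerate(packages) if p.get("root")]
    seen = set()
    while stack:
        idx = stack.pop()
        if idx in seen:
            continue
        seen.add(idx)
        for dep in packages[idx].get("dependencies", []):
            if packages[dep].get("kind", "runtime") != "build":
                stack.append(dep)
    return sorted((packages[i]["name"], packages[i]["version"]) for i in seen)


def parse_version(version):
    """Numeric tuple for a plain MAJOR.MINOR.PATCH string (pre-release tags are
    not handled; sufficient for the sample data)."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable(doc, advisories):
    """Flag each runtime package whose version is older than the first patched
    version of an advisory for that crate."""
    hits = []
    for name, version in runtime_packages(doc):
        for advisory_id, patched in advisories.get(name, []):
            if parse_version(version) < parse_version(patched):
                hits.append((name, version, advisory_id))
    return hits


if __name__ == "__main__":
    # Simulate the binary's section contents, then audit them offline.
    blob = encode_audit_section(SAMPLE_AUDIT_JSON)
    embedded = decode_audit_section(blob)
    for name, version, advisory_id in find_vulnerable(embedded, SAMPLE_ADVISORIES):
        print(f"{name} {version}: affected by {advisory_id}")
```

The point of the walk from the root is the same one the thread makes about auditing after the fact: the advisory list can be refreshed long after the binary was built, and the embedded document is enough to re-evaluate it without the original source tree or lockfile.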

@Shnatsel

Shnatsel commented Nov 6, 2024

That's great news!

Is this capability documented in the Dist Book?

@duckinator
Contributor

Forgot an important part: once you make that config change, you can run dist generate and your workflow will be modified to install cargo-auditable for you.

Locally, you still need to install cargo-auditable manually. #1527 has been opened to handle that.

@mistydemeo
Contributor

We also haven't yet cut a release with this feature - but we likely will fairly soon!

@duckinator
Contributor

> Is this capability documented in the Dist Book?

I'd apparently set the docs aside with git stash yesterday and forgot to pull it out and commit it with #1528. 😓

I just opened #1530 to add that documentation.

@duckinator
Contributor

Documentation for the cargo-auditable feature has been merged. 🙂

@ashleygwilliams ashleygwilliams added this to the 0.26.0 milestone Nov 7, 2024
simonsan added a commit to rustic-rs/rustic that referenced this issue Nov 28, 2024
Takes idea from #823 and builds on it.

Relevant issues:
- axodotdev/cargo-dist#75
- axodotdev/cargo-dist#74
- axodotdev/cargo-dist#81

Still missing:
- [ ] cargo-auditable setting
- [ ] check if config directory gets included

Signed-off-by: simonsan <14062932+simonsan@users.noreply.github.com>