Checking for Vulnerabilities
Install the cargo audit
tool with cargo install cargo-audit
.
Now, at any time you can run cargo audit
to check for vulnerabilities in your dependencies. This is a good thing to do periodically, and before you publish a crate. GitHub includes tooling for building this into your CI pipeline. Run it at the top-level of your workspace---it works by reading Cargo.lock
.
For example, when I wrote this it warned me that the memmap
crate we used is currently without a maintainer:
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 554 security advisories (from C:\Users\Herbert\.cargo\advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (284 crate dependencies)
Crate: memmap
Version: 0.7.0
Warning: unmaintained
Title: memmap is unmaintained
Date: 2020-12-02
ID: RUSTSEC-2020-0077
URL: https://rustsec.org/advisories/RUSTSEC-2020-0077
Dependency tree:
memmap 0.7.0
└── count-lines-mmap 0.1.0
warning: 1 allowed warning found
This is an easy fix (memmap
was replaced by memmap2
which is almost identical).
This is a good tool to include in your CI pipeline. You may find that it's irritating---sometimes vulnerabilities don't affect what you're doing, sometimes it takes a little while for a fix to become available. This way, at least you know that there's action required!