-
Notifications
You must be signed in to change notification settings - Fork 128
/
auditor.rs
281 lines (245 loc) · 9.24 KB
/
auditor.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
//! Core auditing functionality
use crate::{config::AuditConfig, lockfile, prelude::*, presenter::Presenter};
use rustsec::{registry, report, Error, ErrorKind, Lockfile, Warning, WarningKind};
use std::{
collections::btree_map as map,
io::{self, Read},
path::Path,
process::exit,
};
/// Name of `Cargo.lock`
const CARGO_LOCK_FILE: &str = "Cargo.lock";
/// Security vulnerability auditor
pub struct Auditor {
/// RustSec Advisory Database
database: rustsec::Database,
/// Crates.io registry index
registry_index: Option<registry::CachedIndex>,
/// Presenter for displaying the report
presenter: Presenter,
/// Audit report settings
report_settings: report::Settings,
}
impl Auditor {
/// Initialize the auditor
pub fn new(config: &AuditConfig) -> Self {
let advisory_db_url = config
.database
.url
.as_ref()
.map(AsRef::as_ref)
.unwrap_or(rustsec::repository::git::DEFAULT_URL);
let advisory_db_path = config
.database
.path
.as_ref()
.cloned()
.unwrap_or_else(rustsec::repository::git::Repository::default_path);
let database = if config.database.fetch {
if !config.output.is_quiet() {
status_ok!("Fetching", "advisory database from `{}`", advisory_db_url);
}
let advisory_db_repo = rustsec::repository::git::Repository::fetch(
advisory_db_url,
&advisory_db_path,
!config.database.stale,
)
.unwrap_or_else(|e| {
status_err!("couldn't fetch advisory database: {}", e);
exit(1);
});
rustsec::Database::load_from_repo(&advisory_db_repo).unwrap_or_else(|e| {
status_err!("error loading advisory database: {}", e);
exit(1);
})
} else {
rustsec::Database::open(&advisory_db_path).unwrap_or_else(|e| {
status_err!("error loading advisory database: {}", e);
exit(1);
})
};
if !config.output.is_quiet() {
status_ok!(
"Loaded",
"{} security advisories (from {})",
database.iter().count(),
advisory_db_path.display()
);
}
let registry_index = if config.yanked.enabled {
if config.yanked.update_index && config.database.fetch {
if !config.output.is_quiet() {
status_ok!("Updating", "crates.io index");
}
match registry::CachedIndex::fetch() {
Ok(index) => Some(index),
Err(err) => {
if !config.output.is_quiet() {
status_warn!("couldn't update crates.io index: {}", err);
}
None
}
}
} else {
match registry::CachedIndex::open() {
Ok(index) => Some(index),
Err(err) => {
if !config.output.is_quiet() {
status_warn!("couldn't open crates.io index: {}", err);
}
None
}
}
}
} else {
None
};
Self {
database,
registry_index,
presenter: Presenter::new(&config.output),
report_settings: config.report_settings(),
}
}
/// Perform an audit of a textual `Cargo.lock` file
pub fn audit_lockfile(
&mut self,
maybe_lockfile_path: Option<&Path>,
) -> rustsec::Result<rustsec::Report> {
let lockfile_path = match maybe_lockfile_path {
Some(p) => p,
None => {
let path = Path::new(CARGO_LOCK_FILE);
if !path.exists() && Path::new("Cargo.toml").exists() {
lockfile::generate()?;
}
path
}
};
let lockfile = match self.load_lockfile(lockfile_path) {
Ok(l) => l,
Err(e) => {
return Err(Error::new(
ErrorKind::NotFound,
&format!("Couldn't load {}: {}", lockfile_path.display(), e),
))
}
};
self.presenter.before_report(lockfile_path, &lockfile);
self.audit(&lockfile, None)
}
#[cfg(feature = "binary-scanning")]
/// Perform an audit of multiple binary files
pub fn audit_binaries<P>(&mut self, binaries: &[P]) -> MultiFileReportSummmary
where
P: AsRef<Path>,
{
let mut summary = MultiFileReportSummmary::default();
for path in binaries {
let result = self.audit_binary(path.as_ref());
match result {
Ok(report) => {
if self.presenter.should_exit_with_failure(&report) {
summary.vulnerabilities_found = true;
}
}
Err(e) => {
status_err!("{}", e);
summary.errors_encountered = true;
}
}
}
if self
.presenter
.should_exit_with_failure_due_to_self(&self.self_advisories())
{
summary.errors_encountered = true;
}
summary
}
#[cfg(feature = "binary-scanning")]
/// Perform an audit of a binary file with dependency data embedded by `cargo auditable`
fn audit_binary(&mut self, binary_path: &Path) -> rustsec::Result<rustsec::Report> {
use crate::binary_deps::BinaryReport::*;
let report = crate::binary_deps::load_deps_from_binary(binary_path)?;
self.presenter.binary_scan_report(&report, binary_path);
match report {
Complete(lockfile) | Incomplete(lockfile) => self.audit(&lockfile, Some(binary_path)),
None => Err(Error::new(
ErrorKind::Parse,
&"No dependency information found! Is this a Rust executable built with cargo?",
)),
}
}
/// The part of the auditing process that is shared between auditing lockfiles and binary files
fn audit(
&mut self,
lockfile: &Lockfile,
path: Option<&Path>,
) -> rustsec::Result<rustsec::Report> {
let mut report = rustsec::Report::generate(&self.database, lockfile, &self.report_settings);
// Warn for yanked crates
if let Some(index) = &mut self.registry_index {
if let Ok(yanked) = index.find_yanked(&lockfile.packages) {
for pkg in yanked {
let warning = Warning::new(WarningKind::Yanked, pkg, None, None);
match report.warnings.entry(WarningKind::Yanked) {
map::Entry::Occupied(entry) => (*entry.into_mut()).push(warning),
map::Entry::Vacant(entry) => {
entry.insert(vec![warning]);
}
}
}
}
}
let self_advisories = self.self_advisories();
self.presenter
.print_report(&report, self_advisories.as_slice(), lockfile, path);
Ok(report)
}
/// Load the lockfile to be audited
fn load_lockfile(&self, lockfile_path: &Path) -> rustsec::Result<Lockfile> {
if lockfile_path == Path::new("-") {
// Read Cargo.lock from STDIN
let mut lockfile_toml = String::new();
io::stdin().read_to_string(&mut lockfile_toml)?;
Ok(lockfile_toml.parse()?)
} else {
Ok(Lockfile::load(lockfile_path)?)
}
}
/// Query the database for advisories about `cargo-audit` or `rustsec` itself
fn self_advisories(&self) -> Vec<rustsec::Advisory> {
let mut results = vec![];
for (package_name, package_version) in [
("cargo-audit", crate::VERSION),
("rustsec", rustsec::VERSION),
] {
let query = rustsec::database::Query::crate_scope()
.package_name(package_name.parse().unwrap())
.package_version(package_version.parse().unwrap());
for advisory in self.database.query(&query) {
results.push(advisory.clone());
}
}
results
}
/// Determines whether the process should exit with failure based on configuration
/// such as `--deny=warnings`.
/// **Performance:** calls `Auditor.self_advisories()`, which is costly.
/// Do not call this in a hot loop.
pub fn should_exit_with_failure(&self, report: &rustsec::Report) -> bool {
self.presenter.should_exit_with_failure(report)
|| self
.presenter
.should_exit_with_failure_due_to_self(&self.self_advisories())
}
}
/// Summary of the report over multiple scanned files
#[derive(Clone, Copy, Debug, Default)]
pub struct MultiFileReportSummmary {
/// Whether any vulnerabilities were found
pub vulnerabilities_found: bool,
/// Whether any errors were encountered during scanning
pub errors_encountered: bool,
}