Know the exact crate versions used to build your Rust executable. Audit binaries for known bugs or security vulnerabilities in production, at scale, with zero bookkeeping.
This works by embedding data about the dependency tree in JSON format into a dedicated linker section of the compiled executable.
Linux, Windows and Mac OS are officially supported. All other ELF targets should work, but are not tested on CI. WASM is currently not supported, but patches are welcome.
The end goal is to get Cargo itself to encode this information in binaries. There is an RFC for an implementation within Cargo, for which this project paves the way: https://github.com/rust-lang/rfcs/pull/2801
```bash
cargo install cargo-auditable cargo install cargo-audit --features=binary-scanning
cargo auditable build --release
cargo audit bin target/release/your-project ```
cargo auditable works with any Cargo command. All arguments are passed to cargo as-is.
In a word, no. The embedded dependency list uses under 4kB even on large dependency trees with 400+ entries. This typically translates to between 1/1000 and 1/10,000 of the size of the binary.
binary-scanning feature is enabled. See here for details.--catalogers all CLI option, e.g syft --catalogers all <container image containing Rust auditable binary>.It is also interoperable with existing tooling that consumes Cargo.lock via the JSON-to-TOML convertor. However, we recommend supporting the format natively; the format is designed to be very easy to parse, even if your language does not have a library for that yet.
Yes. The data format is designed for interoperability with alternative implementations. In fact, parsing it only takes 5 lines of Python. See here for documentation on parsing the data.
The data format is described by the JSON schema here.
The JSON is Zlib-compressed and placed in a linker section named .dep-v0.
You can find more info about parsing it here.
Embedded platforms where you cannot spare a byte should not add anything in the executable. Instead they should record the hash of every executable in a database and associate the hash with its Cargo.lock, compiler and LLVM version, build date, etc. This would make for an excellent Cargo wrapper or plugin. Since that can be done in a 5-line shell script, writing that tool is left as an exercise to the reader.
The data format is specifically designed not to disrupt reproducible builds. It contains no timestamps, and the generated JSON is sorted to make sure it is identical between compilations. If anything, this helps with reproducible builds, since you know all the versions for a given binary now.
No. All URLs and file paths are redacted, but the crate names and versions are recorded as-is. At present panic messages already disclose all this info and more. Also, chances are that you're legally obligated have to disclose use of specific open-source crates anyway, since MIT and many other licenses require it.
The compiler itself will start embedding it soon.
On older versions it's already there in the debug info. On Unix you can run strings your_executable | grep 'rustc version' to see it.
Good question. I don't think they are exposed in any reasonable way right now. Would be a great addition, but not required for the initial launch. We can add it later in a backwards-compatible way. Adopting the -src crate convention would make it happen naturally, and will have other benefits as well, so that's probably the best route.
We'd like to get more real-world experience with it. Please try it and let us know what you think!