Status: Open. Opened on May 11, 2022.
Problem
A user can add a crate with a security advisory and not know it unless they know of the third-party `cargo audit`, install it, and run it.
Proposed Solution
Integrate `cargo audit` checks into `cargo add` when adding a new registry dependency.
Notes
Inspired by a conversation on Zulip about checking it in cargo.
It looks like we:
- Fetch a repository
  - `rustsec::repository::git::Repository::default_path`
  - `rustsec::repository::git::DEFAULT_URL`
- Load the database from the repo
- Run a query on the database
- Report it to the user (example from cargo-audit)
We might be blocked on rustsec/rustsec#490
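The "load database, run a query, report" steps above, as an added example that is not part of the issue and not cargo's or rustsec's own code. It deliberately uses no external crates so it runs offline: the advisory front matter, the crate names and the `RUSTSEC-0000-*` ids are constructed for illustration, the version matcher is a minimal stand-in for the semver handling the `rustsec` crate does for real, and the fetch step (cloning the advisory repository) is assumed to have already happened.

```rust
// Added illustration, not cargo's or rustsec's code. No external crates, so
// it runs offline. Advisory texts, crate names and RUSTSEC ids are constructed.
// Assumption: a real integration reads advisory files from the fetched RustSec
// repository and uses the rustsec crate's own parser and semver matching.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version(u64, u64, u64); // major.minor.patch; pre-release tags not handled

impl Version {
    fn parse(s: &str) -> Option<Version> {
        let parts = s.trim().split('.').map(|p| p.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
        match parts.as_slice() {
            [a] => Some(Version(*a, 0, 0)),
            [a, b] => Some(Version(*a, *b, 0)),
            [a, b, c] => Some(Version(*a, *b, *c)),
            _ => None,
        }
    }
}

#[derive(Debug, Clone, Copy)]
enum Op { Ge, Gt, Le, Lt, Eq }

/// One comparison such as ">= 1.2.3"; a requirement is a comma-separated list of these.
#[derive(Debug)]
struct Predicate { op: Op, ver: Version }

fn parse_req(s: &str) -> Option<Vec<Predicate>> {
    s.split(',').map(|p| {
        let p = p.trim();
        let (op, rest) = if let Some(r) = p.strip_prefix(">=") { (Op::Ge, r) }
            else if let Some(r) = p.strip_prefix("<=") { (Op::Le, r) }
            else if let Some(r) = p.strip_prefix('>') { (Op::Gt, r) }
            else if let Some(r) = p.strip_prefix('<') { (Op::Lt, r) }
            else if let Some(r) = p.strip_prefix('=') { (Op::Eq, r) }
            else { (Op::Eq, p) };
        Version::parse(rest).map(|ver| Predicate { op, ver })
    }).collect()
}

fn req_matches(req: &[Predicate], v: Version) -> bool {
    req.iter().all(|p| match p.op {
        Op::Ge => v >= p.ver, Op::Gt => v > p.ver,
        Op::Le => v <= p.ver, Op::Lt => v < p.ver,
        Op::Eq => v == p.ver,
    })
}

#[derive(Debug)]
struct Advisory {
    id: String,
    package: String,
    patched: Vec<Vec<Predicate>>,    // [versions] patched = [...]
    unaffected: Vec<Vec<Predicate>>, // [versions] unaffected = [...]
}

/// All double-quoted strings on one line, e.g. `patched = [">= 1.2.3", "..."]`.
fn quoted_strings(line: &str) -> Vec<String> {
    line.split('"').skip(1).step_by(2).map(str::to_string).collect()
}

/// Parse the subset of an advisory's TOML front matter the query needs
/// ([advisory] id/package, [versions] patched/unaffected). Stops at the
/// markdown heading that follows the front matter in advisory files.
fn parse_advisory(text: &str) -> Option<Advisory> {
    let mut adv = Advisory { id: String::new(), package: String::new(), patched: vec![], unaffected: vec![] };
    let mut section = "";
    for line in text.lines().map(str::trim) {
        if line.starts_with("# ") { break; }
        if line.starts_with('[') { section = line; continue; }
        let (key, value) = match line.split_once('=') { Some(kv) => kv, None => continue };
        let reqs = |v: &str| quoted_strings(v).iter().map(|r| parse_req(r)).collect::<Option<Vec<_>>>();
        match (section, key.trim()) {
            ("[advisory]", "id") => adv.id = quoted_strings(value).into_iter().next()?,
            ("[advisory]", "package") => adv.package = quoted_strings(value).into_iter().next()?,
            ("[versions]", "patched") => adv.patched = reqs(value)?,
            ("[versions]", "unaffected") => adv.unaffected = reqs(value)?,
            _ => {}
        }
    }
    if adv.id.is_empty() || adv.package.is_empty() { None } else { Some(adv) }
}

/// A version is vulnerable unless it satisfies some `patched` or `unaffected` requirement.
fn is_vulnerable(adv: &Advisory, v: Version) -> bool {
    !adv.patched.iter().chain(adv.unaffected.iter()).any(|r| req_matches(r, v))
}

/// The query step: advisories for this package that cover this exact version.
fn query<'a>(db: &'a [Advisory], package: &str, version: Version) -> Vec<&'a Advisory> {
    db.iter().filter(|a| a.package == package && is_vulnerable(a, version)).collect()
}

/// The report step: one warning line per hit, ready to print from `cargo add`.
fn report(package: &str, version: Version, hits: &[&Advisory]) -> String {
    let Version(a, b, c) = version;
    hits.iter().map(|adv| format!("warning: {} {}.{}.{} has advisory {}\n", package, a, b, c, adv.id)).collect()
}

/// Constructed stand-in for the advisory files loaded from the fetched repository.
fn sample_database() -> Vec<Advisory> {
    let texts = [
        r#"[advisory]
id = "RUSTSEC-0000-0001"
package = "example-crate"
date = "2022-01-01"

[versions]
patched = [">= 1.2.3"]

# Constructed advisory, not a real one
"#,
        r#"[advisory]
id = "RUSTSEC-0000-0002"
package = "other-crate"

[versions]
patched = [">= 0.3.1"]
unaffected = ["< 0.2.0"]

# Constructed advisory, not a real one
"#,
    ];
    texts.iter().filter_map(|t| parse_advisory(t)).collect()
}

fn main() {
    let db = sample_database();
    let version = Version::parse("1.2.0").unwrap();
    let hits = query(&db, "example-crate", version);
    print!("{}", report("example-crate", version, &hits));
}
```

Two details matter for the real integration as well: a version is only considered safe when it satisfies a `patched` or an `unaffected` range (an advisory with no `patched` entry flags every version), and the query has to run against the resolved version `cargo add` is about to write, not the requirement string the user typed.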