Make production binaries auditable for known vulnerabilities

[Shnatsel]

We need to make binaries deployed in production auditable for known security issues. This may include non-trivial deployment methods, such as:

• Plain old cargo install
• An executable inside a Docker container
• A shared library linked into another language

Ideally this should also extend to statically linked C libraries, if any.

Rustc and LLVM version are already embedded in the binary, so rustc and/or stdlib versions are already auditable in theory, but there is no tool to do that in practice. No other version information is currently embedded in binaries.

[Shnatsel]

I have a proof of concept implementation that embeds Cargo.lock into compiled binaries with non-perfect but reasonable ergonomics, and a tool to recover that info afterwards. This can be used for running cargo audit directly on those binaries, or performing custom checks based on library versions or hashes.

While I am waiting for permission to release the code, here's a sneak peek:

$ rust-audit target/release/hello-auditable | cargo audit -f /dev/stdin
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 18 security advisories (from /home/shnatsel/.cargo/advisory-db)
    Scanning /dev/stdin for vulnerabilities (2 crate dependencies)
     Success No vulnerable packages found

The intention is to demonstrate that embedding Cargo.lock in the binary is actually a really good idea and that Cargo should do that by default, so I wouldn't have to maintain a hacky implementation of the Cargo.lock embedding. The tool to extract that info is likely here to stay, though.

[Shnatsel]

I have published a proof of concept implementation: https://github.com/Shnatsel/rust-audit

Discussion: https://www.reddit.com/r/rust/comments/awlqfi/

[Shnatsel]

RFC for Cargo is open: rust-lang/rfcs#2801

It got a lot of constructive feedback, we need to incorporate it and submit it for another round.

[Shnatsel]

Implementation as a Cargo subcommand: https://github.com/rust-secure-code/cargo-auditable