6 releases

new 0.25.9 Oct 29, 2024
0.25.7 Mar 20, 2024
0.25.6 Feb 17, 2024
0.25.4 Nov 17, 2023
0.25.0 Sep 7, 2023

#430 in Development tools

MPL-2.0 OR MIT OR Apache-2.0

36KB
667 lines

cargo-crev to cargo-vet converter

Crev and Vet are supply-chain security tools for auditing Rust/Cargo dependencies.

This tool (crevette) is a helper for cargo-crev users that exports Crev reviews as an audits.toml file for use with cargo-vet.

Installation

You must have cargo-crev alredy set up, some repos added as trusted and reviews fetched (try cargo crev repo fetch all).

It requires the latest stable version of Rust. If your package manager has an outdated version of Rust, switch to rustup.

cargo install crevette

Usage

In this initial release, the tool has no configuration. It uses your default cargo crev identity and configuration. It exports almost all reviews from all reviewers you (transitively) trust. Running crevette will print location of the audits.toml file. You may want to review it to ensure you agree with its contents.

To generate and upload the audits.toml:

crevette
cargo crev publish

Then on the cargo vet side, go to a Rust/Cargo project that you want to verify, and run:

# cargo vet init (if you haven't already)
cargo vet import 'https://raw.githubusercontent.com/<your github username>/crev-proofs/HEAD/audits.toml'
cargo vet

If you host your repositories elsewhere, adjust the HTTPS link accordingly.

Re-run crevette to generate an updated version of audits.toml whenever you add more Crev reviews.

Important limitations

The tool estimates the safe-to-run and safe-to-deploy criteria based on a fuzzy combination of trust, rating, thoroughtness, and understanding attributes of crev code reviews. Currently negative reviews are not mapped to vet's violation feature, and thefore do not have any effect!

Dependencies

~19–37MB
~700K SLoC