Lib.rs

Parser implementations | Development toolsRustSec
#cargo #security #panic #parser #rustsec #binary #api #list #message #tooling

quitters

List dependencies of a Rust binary by parsing panic messages

by Sergey "Shnatsel" Davidoff, Tony Arcieri and 61 contributors

1 unstable release

0.1.0 Oct 23, 2022

#666 in Parser implementations

Download history 8031/week @ 2022-12-07 8907/week @ 2022-12-14 6283/week @ 2022-12-21 5324/week @ 2022-12-28 8731/week @ 2023-01-04 9143/week @ 2023-01-11 9834/week @ 2023-01-18 8831/week @ 2023-01-25 7924/week @ 2023-02-01 7041/week @ 2023-02-08 6241/week @ 2023-02-15 6639/week @ 2023-02-22 7309/week @ 2023-03-01 7384/week @ 2023-03-08 7714/week @ 2023-03-15 8775/week @ 2023-03-22

32,362 downloads per month
Used in cargo-audit

MIT/Apache

8KB
75 lines

Obtains the dependency list from a compiled Rust binary by parsing its panic messages. Recovers both crate names and versions.

Caveats

  • If the crate never panics, it will not show up. The Rust compiler is very good at removing unreachable panics, so we can only discover at around a half of all dependencies.
  • C code such as openssl-src never shows up, because it can't panic.
  • Only crates installed from a registry are discovered. Crates from local workspace or git don't show up.

Alternatives

cargo auditable embeds the complete dependency information into binaries, which can then be recovered using auditable-info. It should be used instead of quitters whenever possible, unless you're specifically after panics.

Dependencies

~1–1.4MB
~39K SLoC