This review is from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.

0.2.2 (current) safe-to-deploy

From mozilla/supply-chain copy of hg. By Nika Layzell.

This is a fairly straightforward FFI wrapper crate for regex, maintained by the regex developers in the same repository.

This crate is explicitly designed for FFI use, and should not be used directly by Rust code. The exported extern "C" functions are not marked as unsafe, meaning that it is technically incorrect to use them from within Rust code; however, they are reasonable to use from C code.

The unsafe code in this crate heavily depends on the C caller maintaining invariants; however, these invariants are clearly documented in the rure.h file, bundled with the crate.

I have checked the signatures of each function both in C++ and in the Rust to ensure they match. In some places, the C rure.h header file is missing a const qualifier which could be present given the Rust code; however, this will have no impact on ABI, and is fairly normal for FFI crates.

Panics are handled in all Rust FFI methods, meaning that projects which do not disable unwinding will still consistently abort (using libc::abort()) if a panic occurs in the Rust code.

cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.
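
The abort-on-panic behaviour the review above describes, as an added Rust example that is not taken from the review or from rure's source. The names `catch_panic`, `ffi_guard` and `demo_count_digits` are hypothetical, and `std::process::abort()` stands in for `libc::abort()` so the block needs no dependencies.

```rust
use std::ffi::CStr;
use std::os::raw::c_char;
use std::panic::{self, AssertUnwindSafe};

/// Run `body`; a panic becomes Err(message) instead of unwinding further.
fn catch_panic<T>(body: impl FnOnce() -> T) -> Result<T, String> {
    panic::catch_unwind(AssertUnwindSafe(body)).map_err(|payload| {
        // Panic payloads are normally a &str (literal) or a String (formatted).
        if let Some(s) = payload.downcast_ref::<&str>() {
            s.to_string()
        } else if let Some(s) = payload.downcast_ref::<String>() {
            s.clone()
        } else {
            "unknown panic payload".to_string()
        }
    })
}

/// FFI boundary guard: a panic must not unwind into C frames, so the
/// process is aborted after the message is written to stderr.
fn ffi_guard<T>(body: impl FnOnce() -> T) -> T {
    match catch_panic(body) {
        Ok(value) => value,
        Err(msg) => {
            eprintln!("panic at FFI boundary: {}", msg);
            std::process::abort() // assumption: std abort in place of libc::abort()
        }
    }
}

/// Hypothetical exported function (not part of rure): counts ASCII digits.
/// Caller invariant, of the kind a C header documents: `s` is non-null and
/// NUL-terminated. Declared `unsafe` so Rust callers must acknowledge it.
/// A real export would also carry the no_mangle attribute.
pub unsafe extern "C" fn demo_count_digits(s: *const c_char) -> usize {
    ffi_guard(|| {
        let bytes = unsafe { CStr::from_ptr(s) }.to_bytes();
        bytes.iter().filter(|b| b.is_ascii_digit()).count()
    })
}

fn main() {
    // Constructed sample input: a NUL-terminated byte string.
    let input = b"a1b22\0";
    let n = unsafe { demo_count_digits(input.as_ptr() as *const c_char) };
    println!("digits: {}", n);
}
```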

safe-to-deploy (implies safe-to-run)

This crate will not introduce a serious security vulnerability to production software exposed to untrusted input.

safe-to-run
Implied by other criteria

This crate can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences.


Lib.rs has been able to verify that all files in the crate's tarball are in the crate's repository with a git tag matching the version. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open rure. Alternatively, you can download the tarball of rure v0.2.2 or view the source online.