Known crashes - Githubissues

cdstanford commented 2 months ago

Crash on rand:

$ python3 detective.py -a rand 0.8.5
Solving for required Assumptions to trust rand-0.8.5...
This crate has not been audited by any organization.
Traceback (most recent call last):
File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 106, in <module>
main()
File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 103, in main
complete_analysis(crate)
File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 93, in complete_analysis
variables, assumptions = assumptions_for(crate, metadata)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/assumption.py", line 126, in assumptions_for
dep_metadata = sherlock.get_crate_metadata(d)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/sherlock.py", line 25, in get_crate_metadata
logger.logger(crate.name, crate.version, "exp")
File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/logger.py", line 831, in logger
entry[1],
~~~~~^^^
IndexError: string index out of range
Crate: rand, Version: 0.8.5

This appears to be due to version='alpha.2

Possibly helpful:

https://stackoverflow.com/questions/72900289/regex-for-semver which gives the following regex

(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?

cdstanford commented 2 months ago

python3 detective.py -a injex 0.1.0 Runs but after ~5 minutes raises this error:

==================================
This crate has not been audited by any organization.
Traceback (most recent call last):
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 106, in <module>
    main()
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 103, in main
    complete_analysis(crate)
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 93, in complete_analysis
    variables, assumptions = assumptions_for(crate, metadata)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/assumption.py", line 127, in assumptions_for
    dep_variables, dep_assumptions = assumptions_for(d, dep_metadata) # recursively add assumptions for dependencies
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/assumption.py", line 126, in assumptions_for
    dep_metadata = sherlock.get_crate_metadata(d)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/sherlock.py", line 25, in get_crate_metadata
    logger.logger(crate.name, crate.version, "exp")
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/logger.py", line 806, in logger
    _, audit_info = is_audited(crate_name, version)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/logger.py", line 426, in is_audited
    if version == audit["version"]:
                  ~~~~~^^^^^^^^^^^
KeyError: 'version'
Crate: injex, Version: 0.1.0

muhammad-hassnain commented 2 months ago

Injex

404 - Url issue, there was a .git at the end of the repository url from crates.io, and we were directly querying it with GitHub API causing a 404,
Crash ,one of injex dependency has sysinfo as dependency, and sysinfo has this dependency core-foundation-sys . There was no version present in the audit report for core-foundation-sys . That was causing a no key found error. Sometimes when Mozilla audits a crate they themselves wrote, they just go over the commits they have not authored, instead of a specific version.

Rand

The problem was because of sorting the versions directly, this would cause 1.9.0 to be greater than 1.25.0, but that’s not true. Now, we make ‘version objects’ and sort those instead , rather than sorting strings.

abasu2 commented 1 month ago

Crash on fast-kd:

$ python sherlock.py trust fast-kd
Latest version of fast-kd is 0.1.1.
Solving for required assumptions to trust fast-kd-0.1.1...
This crate has not been audited by any organization.
Traceback (most recent call last):
  File "/home/abasu/reu/cargo-sherlock/sherlock.py", line 84, in <module>
    main()
  File "/home/abasu/reu/cargo-sherlock/sherlock.py", line 81, in main
    complete_analysis(crate, sys.stdout)  
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 161, in complete_analysis
    summary = memoized_crate_analysis(crate)
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 76, in memoized_crate_analysis
    variables, assumptions = get_crate_assumptions(crate, metadata)
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 47, in get_crate_assumptions
    assumptions_for_dependency_safety.append(memoized_crate_analysis(d))
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 75, in memoized_crate_analysis
    metadata = crate_data.get_crate_metadata(crate)
  File "/home/abasu/reu/cargo-sherlock/helpers/crate_data.py", line 25, in get_crate_metadata
    logger.logger(crate.name, crate.version, "exp")
  File "/home/abasu/reu/cargo-sherlock/helpers/logger.py", line 783, in logger
    label = inRustSec(crate_name, version)
  File "/home/abasu/reu/cargo-sherlock/helpers/logger.py", line 154, in inRustSec
    flag, label = bulls_eye(ver, version)
  File "/home/abasu/reu/cargo-sherlock/helpers/logger.py", line 210, in bulls_eye
    if version >= ver: #means patched range
TypeError: '>=' not supported between instances of 'str' and 'list'

DavisPL / cargo-sherlock

Known crashes #4