Closed mschwaig closed 6 months ago
cargo-geiger is not a security audit tool itself and only provides statistical output re: unsafe use to help analysing its use.
So not in scope for cargo-geiger really - use of unsafe and security issues are quite different animals.
I am also personally not a fan of using supply-chain wording given no money exchanged hands.
There are tools that do ACL type of functionality e.g. https://crates.io/crates/cackle - would recommend checking it out.
While this is not a security vulnerability, it is a significant supply chain security issue, which cargo-geiger might choose to address in addition to its existing scope, by flagging dependencies which use build scripts in its output.
Non-Rust code becomes part of the final binary during the build. The mechanism that does this in Cargo is called Build Scripts, and the default name for those files is `build.rs`. Using this mechanism, developers can write imperative build scripts in Rust, which can execute arbitrary code in order to
https://github.com/geiger-rs/cargo-geiger/issues/103 and https://github.com/geiger-rs/cargo-geiger/issues/6 are existing issues about marking Non-Rust code as unsafe.
Since users would want to run such a check before the first build of a project, ideally a check which looks for build scripts should not require building the checked project. Otherwise a malicious dependency can compromise the system before the build is executed. In that case it can technically falsify the output of the `cargo-geiger` command.
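One way to implement the proposed check without compiling anything, as an added example that is not cargo-geiger's own code: it parses `cargo metadata` output (which resolves and downloads the dependency graph but does not run build scripts) and lists every package that declares a `custom-build` target. The `SAMPLE_METADATA` below is constructed in the shape `cargo metadata --format-version 1` emits; the package names and paths in it are made up.

```python
"""Flag dependencies that declare a build script, without building the project.

`cargo metadata` resolves and downloads dependencies but never executes a
build.rs, so this check is safe to run before the first `cargo build`.
Added example; not part of cargo-geiger.
"""
import json
import subprocess
from typing import Optional


def build_script_packages(metadata: dict) -> list:
    """Return {name, version, build_script} for each package whose targets
    include a `custom-build` kind (a build.rs or a custom `build = ...` path)."""
    flagged = []
    for pkg in metadata.get("packages", []):
        for target in pkg.get("targets", []):
            if "custom-build" in target.get("kind", []):
                flagged.append({
                    "name": pkg["name"],
                    "version": pkg["version"],
                    "build_script": target.get("src_path", "<unknown>"),
                })
                break  # one hit per package is enough
    return sorted(flagged, key=lambda p: (p["name"], p["version"]))


def load_metadata(manifest_path: Optional[str] = None) -> dict:
    """Run `cargo metadata` (dependency resolution only, no build) and parse it."""
    cmd = ["cargo", "metadata", "--format-version", "1"]
    if manifest_path:
        cmd += ["--manifest-path", manifest_path]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample: one binary crate, one -sys crate with a build.rs, one pure-Rust crate.
SAMPLE_METADATA = {
    "packages": [
        {"name": "my-app", "version": "0.1.0",
         "targets": [{"kind": ["bin"], "name": "my-app", "src_path": "/proj/src/main.rs"}]},
        {"name": "libfoo-sys", "version": "1.2.3",
         "targets": [
             {"kind": ["lib"], "name": "libfoo_sys", "src_path": "/reg/libfoo-sys-1.2.3/src/lib.rs"},
             {"kind": ["custom-build"], "name": "build-script-build",
              "src_path": "/reg/libfoo-sys-1.2.3/build.rs"}]},
        {"name": "pure-rust", "version": "0.4.0",
         "targets": [{"kind": ["lib"], "name": "pure_rust", "src_path": "/reg/pure-rust-0.4.0/src/lib.rs"}]},
    ]
}

if __name__ == "__main__":
    for p in build_script_packages(load_metadata()):
        print(f"{p['name']} {p['version']}: build script at {p['build_script']}")
```

Run it from inside a Cargo project; the listed crates are the ones whose build scripts would execute on the first `cargo build`, which is the set worth reviewing before that build happens.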