rustsec / rustsec

RustSec API & Tooling
https://rustsec.org/

[Question] making `binary_deps` public #1290

Open TitusVM opened 2 days ago

TitusVM commented 2 days ago

Hi all!

I am working on some tooling for verifying wasm components. To do that, I was trying to use the `cargo-audit` library and more specifically the binary-scanning feature. Unfortunately, the module that has all the cool functions is private: `binary_deps`. More specifically, I'm using the `load_deps_from_binary()` function and then `generate()` from `rustsec::Report` to generate a RustSec report.

For now I resorted to checking out the crate and making just that module public which made my stuff work. Is there a reason why the module is private to the crate or am I using it wrong?

Any help is always appreciated. Thanks!

Shnatsel commented 2 days ago

Hey! I made it private until it stabilized and until someone who actually needed it to be public came along. Now it should be stable enough to expose through the public API, and I'm happy to accept a PR that moves it to the rustsec crate.

The only change I'd make is `load_deps_from_binary()` should accept a `&[u8]` instead of loading the file in memory up front, and the hardcoded limit of 8MB for the extracted audit data should be made configurable (there's a TODO to that effect).

TitusVM commented 1 day ago

Awesome - I'll make the changes. How far up the call stack should I push the configuration setting? Should I just add a parameter to the function and fill it with the same constant on its call, or would you prefer if the value came straight from the `audit.toml`?

Shnatsel commented 1 day ago

We can hardcode the limit in cargo audit for now.