
Rust crates reviews

Cryptographically verifiable, distributed dependency reviews

reviewer: dpc

https://lib.rs/dpc

$ cargo crev repo fetch url https://github.com/dpc/crev-proofs
$ cargo crev id trust FYlr8YoYGVvDwHQxqEIs89reKKDy-oWisoO0qXXEfHE

repo: https://github.com/dpc/crev-proofs

crate version
rating
date
reviewer
thoroughness, understanding
negative
2020-01-16
dpc
none, none

There have been numerous reports of authors ignoring
soundness issues in actix ecosystem.

See example:
https://www.reddit.com/r/rust/comments/epszt7/actixnet_unsoundness_patch_is_boring/

So I'm giving a proactive negative rating, and feel free to contact me if
there are good reasons to change it - eg. if the issues have been addressed
and maintainers are committed to taking memory safety and security seriously.

positive
2019-10-14
dpc
low, medium
2019-07-02
dpc
advisories:
medium
all
neutral
2019-04-28
dpc
none, none
advisory:
all
false

https://github.com/RustSec/advisory-db/pull/93

positive
2019-11-11
dpc
low, medium
negative
2019-01-06
dpc
none, none

It looks like it's not maintained, and there are problems with it. See https://github.com/dpc/crev/pull/133

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/arrayfire/RUSTSEC-2018-0011.toml

2019-07-01
dpc
advisories:
medium
major

https://github.com/KizzyCode/asn1_der/issues/1

neutral
2019-06-21
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/2bc98060424f96486c240a22a946e96b48be9467/crates/asn1_der/RUSTSEC-0000-0000.toml ; https://github.com/KizzyCode/asn1_der/issues/1

positive
2020-02-24
dpc
low, medium
alternative:
reqwest
positive
2020-01-13
dpc
low, medium
alternative:
reqwest
strong
2019-11-06
dpc
low, medium
alternative:
reqwest

Basic review before considering using it.

I really like it:

  • No unsafe code
  • You can disable almost everything via cargo features
  • Well structured, with tests and comments

Seems like a great crate for places where performance and features can
be sacrificed for simplicity and a small footprint (code and dependencies).

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/base64/RUSTSEC-2017-0004.toml

positive
2019-07-19
dpc
medium, medium
2019-09-13
dpc
advisories:
medium
positive
2020-01-02
dpc
medium, high
positive
2020-01-02
dpc
low, medium
positive
2019-10-14
dpc
low, medium
strong
2019-01-12
dpc
medium, high
strong
2019-10-17
dpc
low, medium

Good test coverage, good documentation. LGTM

strong
2019-06-18
dpc
low, medium

Good test coverage, good documentation. LGTM

strong
2018-12-20
dpc
low, medium

Good test coverage, good documentation. LGTM

positive
2019-10-04
dpc
low, medium
positive
2020-10-25
dpc
low, medium
2019-11-05
dpc
alternative:
cassandra-cpp
2019-11-05
dpc
advisories:
high
major
2019-11-04
dpc
alternative:
crossbeam-channel
2019-09-05
dpc
advisories:
medium
minor
2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/claxon/RUSTSEC-2018-0004.toml

strong
2018-12-26
dpc
low, high

LGTM

2019-10-12
dpc
advisories:
medium
major
positive
2019-01-27
dpc
medium, high
2019-07-02
dpc
advisories:
medium
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/cookie/RUSTSEC-2017-0005.toml

2019-07-02
dpc
advisories:
medium
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/cookie/RUSTSEC-2017-0005.toml

positive
2018-12-27
dpc
low, high

LGTM

positive
2018-12-27
dpc
low, medium
positive
2020-01-02
dpc
medium, medium

Proxy crate.

2019-07-02
dpc
advisories:
high
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/crossbeam/RUSTSEC-2018-0009.toml

positive
2022-01-17
dpc
low, low

Very rudimentary review of an otherwise well known and reputable package.

2019-11-25
dpc
alternative:
libp2p
positive
2019-10-11
dpc
low, low
strong
2018-12-18
dpc
high, high

I'm the author. And this crate is 3 lines of trivial code.

positive
2022-01-15
dpc
high, high

I'm the author and AFAICT this is decent code that works well.

strong
2019-06-21
dpc
medium, high

Simple Either type.

strong
2018-12-19
dpc
medium, high

Simple Either type.

neutral
2019-01-03
dpc
none, none

OK, but slow. https://github.com/sebasmagri/env_logger/issues/123

positive
2019-07-03
dpc
low, medium
positive
2019-11-04
dpc
low, low
positive
2019-10-11
dpc
medium, medium
2019-11-05
dpc
advisories:
medium
major
positive
2019-10-04
dpc
none, none

Looks sane, but I'm not familiar with it.

positive
2019-10-04
dpc
none, none

Looks sane.

positive
2019-06-21
dpc
low, low

I have not reviewed the actual C code this calls.

positive
2019-10-28
dpc
low, medium
2019-10-12
dpc
advisories:
high
major
positive
2019-01-11
dpc
low, low
strong
2018-12-20
dpc
medium, high

Small, no unsafe, tests, good documentation.

positive
2019-11-04
dpc
low, medium
positive
2020-02-24
dpc
low, medium
positive
2019-10-11
dpc
low, low
2019-07-02
dpc
advisories:
medium
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/hyper/RUSTSEC-2017-0002.toml

2019-07-02
dpc
advisories:
medium
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/hyper/RUSTSEC-2017-0002.toml

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/hyper/RUSTSEC-2016-0002.toml

positive
2019-10-12
dpc
low, high
positive
2019-01-11
dpc
low, high
2019-09-03
dpc
advisories:
medium
major
strong
2019-01-10
dpc
medium, high

Small, safe utility crate.

negative
2019-07-02
dpc
none, none
issues:
low

Deprecated. Use atty

negative
2019-04-27
dpc
none, none
advisory:
all
false

Deprecated. Use atty

strong
2018-12-20
dpc
medium, medium
2019-07-09
dpc
advisories:
medium
minor
2019-07-01
dpc
advisories:
high
minor
neutral
2019-05-16
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/58a4d5b2a2026d693b4e7095a569e9db3514293d/crates/libp2p-core/RUSTSEC-2019-0004.toml

2019-07-01
dpc
advisories:
high
major
neutral
2019-05-16
dpc
none, none
advisory:
major
false

https://github.com/RustSec/advisory-db/blob/58a4d5b2a2026d693b4e7095a569e9db3514293d/crates/libp2p-core/RUSTSEC-2019-0004.toml

2019-11-05
dpc
advisories:
high
major
2019-10-12
dpc
advisories:
high
major
positive
2018-12-18
dpc
low, medium
positive
2022-01-17
dpc
low, medium
negative
2019-08-25
dpc
low, medium
issues:
medium

This crate is currently unsound.

2019-07-21
dpc
advisories:
high
positive
2019-01-27
dpc
none, none

It's basically a long C library. I've skimmed through it, and there's nothing out of the ordinary, but good luck reviewing it.

negative
2019-06-21
dpc
none, none

https://github.com/RustSec/advisory-db/issues/106

negative
2019-07-01
dpc
none, none
issues:
medium

https://github.com/RustSec/advisory-db/issues/106

positive
2018-12-19
dpc
medium, medium

Some unsafe, but LGTM

positive
2019-07-03
dpc
medium, medium
2019-09-03
dpc
advisories:
medium
2019-07-02
dpc
advisories:
high
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/openssl/RUSTSEC-2018-0010.toml

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/openssl/RUSTSEC-2016-0001.toml

2019-07-09
dpc
advisories:
medium
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/orion/RUSTSEC-2018-0012.toml

positive
2019-11-11
dpc
low, low
negative
2019-06-21
dpc
none, none

https://github.com/RustSec/advisory-db/issues/106

negative
2019-07-01
dpc
none, none
issues:
medium

https://github.com/RustSec/advisory-db/issues/106

positive
2019-10-11
dpc
medium, high
positive
2020-01-02
dpc
medium, medium

There's not much to review. It's just a proxy to underlying crates.

neutral
2019-11-04
dpc
low, low
positive
2019-07-11
dpc
low, medium
2019-10-12
dpc
advisories:
high
major
2019-07-01
dpc
advisories:
high
major
neutral
2019-05-30
dpc
none, none
advisory:
major
true

https://github.com/oherrala/advisory-db/blob/bfc6f36d20a7ab36b6c6ecd99b53ca320bd429fb/crates/protobuf/RUSTSEC-2019-0003.toml

2019-07-01
dpc
advisories:
high
major
neutral
2019-05-30
dpc
none, none
advisory:
major
true

https://github.com/oherrala/advisory-db/blob/bfc6f36d20a7ab36b6c6ecd99b53ca320bd429fb/crates/protobuf/RUSTSEC-2019-0003.toml

2019-12-30
dpc
positive
2019-10-28
dpc
low, none
2019-09-05
dpc
advisories:
medium
major
strong
2018-12-20
dpc
none, low

I failed to review the whole thing. I looked at unsafes and went through ~10 random files. LGTM, but considering how important this crate is, my understanding of it is insufficient.

2019-09-05
dpc
advisories:
medium
major
negative
2018-12-21
dpc
none, medium

I see no point in this crate existing (just use rand), and considering the poor quality of other crates by this author, I would advise against using it. https://github.com/stainless-steel/temporary/issues/1

2019-09-03
dpc
advisories:
medium
2019-10-12
dpc
advisories:
high
strong
2019-01-10
dpc
low, medium

LGTM, small amount of unsafe for terminal manipulation

strong
2019-01-12
dpc
high, high
2019-11-04
dpc
alternative:
ripemd160
negative
2019-01-10
dpc
none, medium

Not really actively maintained, and pieces of functionality missing. I'm going to try termion instead.

positive
2019-01-12
dpc
high, low

I am confused why this crate exists, but it looks harmless.

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/safe-transmute/RUSTSEC-2018-0013.toml

positive
2019-11-04
dpc
low, medium
positive
2019-10-04
dpc
low, low

No malicious code. The unsafe parts seem sane, but they could use a review
by someone more confident with unsafe.

positive
2020-01-02
dpc
low, medium
2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/security-framework/RUSTSEC-2017-0003.toml

strong
2019-10-12
dpc
low, medium
2019-10-12
dpc
advisories:
high
major
2019-07-02
dpc
advisories:
medium
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/serde_yaml/RUSTSEC-2018-0005.toml

positive
2019-10-04
dpc
low, medium
positive
2019-01-11
dpc
low, low

Small, but full of low-level unsafe signal handling. LGTM, but it's a low-intensity review.

2019-07-02
dpc
advisories:
medium
minor
2019-07-01
dpc
advisories:
high
major
neutral
2019-05-09
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/slice-deque/RUSTSEC-2019-0002.toml

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/slice-deque/RUSTSEC-2018-0008.toml

strong
2018-12-19
dpc
high, high

I'm the author. It's a decent, popular crate.

strong
2018-12-19
dpc
high, high

Strong. It's a decent, popular crate.

positive
2019-11-04
dpc
low, low
advisories:
high
minor

Quite a bit of unsafe, but I've implemented fuzzing for it https://github.com/servo/rust-smallvec/pull/168,
so hopefully unsoundness issues won't be a problem anymore.

neutral
2019-07-02
dpc
low, low
advisories:
high
minor

Quite a bit of unsafe. It seems to me this crate could use some fuzzing.

neutral
2019-07-03
dpc
low, low
advisories:
high
minor

Quite a bit of unsafe. It seems to me this crate could use some fuzzing.

neutral
2019-07-21
dpc
low, low
advisories:
high
minor

Quite a bit of unsafe. It seems to me this crate could use some fuzzing.

neutral
2019-06-21
dpc
low, low

Quite a bit of unsafe. It seems to me this crate could use some fuzzing.

neutral
2018-12-20
dpc
low, low

Quite a bit of unsafe. It seems to me this crate could use some fuzzing.

2019-07-02
dpc
advisories:
high
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/smallvec/RUSTSEC-2018-0003.toml

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/smallvec/RUSTSEC-2018-0003.toml

2019-07-02
dpc
advisories:
high
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/smallvec/RUSTSEC-2018-0003.toml

2019-07-02
dpc
advisories:
high
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/smallvec/RUSTSEC-2018-0003.toml

2019-10-12
dpc
advisories:
high
major
2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/sodiumoxide/RUSTSEC-2017-0001.toml

2019-09-05
dpc
advisories:
medium
major
negative
2018-12-22
dpc
none, low

The owner of this crate https://crates.io/users/IvanUkhov has plenty of low-quality, suspicious crates that at best are name-squatting. I would advise against using this one.

2019-10-12
dpc
advisories:
medium
major
positive
2020-01-02
dpc
medium, medium

Tiny proxy crate.

strong
2019-06-21
dpc
low, medium

Surprisingly small, no unsafe, lots of tests and all.

strong
2018-12-20
dpc
low, medium

Surprisingly small, no unsafe, tests and all.

strong
2019-06-21
dpc
low, low

No unsafe, documentation, fairly small. A lot of macro magic.

strong
2018-12-20
dpc
low, low

No unsafe, documentation, fairly small. A lot of macro magic.

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/tar/RUSTSEC-2018-0002.toml

strong
2018-12-20
dpc
medium, high

Small, no unsafe, good documentation.

positive
2019-08-25
dpc
low, medium

LGTM. I feel like this crate could use more in-depth review since it does have some unsafe blocks (especially for Windows).

positive
2018-12-26
dpc
low, medium

LGTM. I feel like this crate could use more in-depth review since it does have some unsafe blocks (especially for Windows).

negative
2018-12-21
dpc
medium, high

Reckless unsafe, buggy. https://github.com/stainless-steel/temporary/issues/1 . One of the reasons I've created cargo-crev in the first place.

2019-11-01
dpc
alternative:
crossterm
2019-07-02
dpc
advisories:
medium
minor
neutral
2019-04-25
dpc
none, none
advisory:
minor
true

https://github.com/RustSec/advisory-db/blob/master/crates/trust-dns-proto/RUSTSEC-2018-0007.toml

2019-07-02
dpc
advisories:
high
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/trust-dns-proto/RUSTSEC-2018-0007.toml

positive
2019-10-04
dpc
medium, medium

LGTM

positive
2019-01-10
dpc
low, high

LGTM. Small and safe.

2019-07-02
dpc
advisories:
medium
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/untrusted/RUSTSEC-2018-0001.toml

negative
2019-10-16
dpc
low, medium

Header::new is unsound? The unsafe there seems unnecessary in the first place. There's not much performance to gain here.

Header: value - there can be more spaces preceding the value. Header::from_str could take a HeaderName: Value "The field value MAY be preceded by any amount of LWS, though a single SP is preferred. " (https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2)

pub fn add_header(headers: &mut Vec<Header>, header: Header) {
    if !header.name().to_lowercase().starts_with("x-") {

Probably can be done faster by just comparing the slice with eq_ignore_ascii_case, instead of allocating a lowercase copy.

src/lib.rs: Tests doing http calls to external network can fail on offline machines, are a potential privacy problem etc.

PoolKey::new - failing to get a port should probably be an error, since that means the scheme was neither http nor https, so why are we even handling it?

Unit indeed is a so-so name. If the comment is "unit of work" then it probably should be UnitOfWork.

    // pointer to underlying stream
    stream: *mut Stream,

Ouch. When I see mutable raw pointers, I already know that I will not be using this code as is. :D From what I can see later, it seems this pointer is used just for the drop implementation? In that case, just use Option<Stream> or Option<Box<Stream>>. Option<Box<T>> even compiles down to the same data/code as a nullable pointer.

I fail to see the point of Request::build...

Request::query and query_str seem silent about the matter of escaping, and I wonder if it will work correctly at all.

Request::timeout ... Deadlines are better than timeouts, and are not harder to implement.

index: (usize, usize), // index into status_line where we split: HTTP/1.1 200 OK

I see no reason why these two would be a tuple, instead of being separate and named appropriately.

Response::new works by ... parsing? I don't know how I feel about that. Seems wasteful.

    /// Rather than exposing a custom error type through results, this library has opted
    /// for representing potential connection/TLS/etc errors as HTTP response codes.
    /// These invented codes are called "synthetic".

I don't know how I feel about this. Seems like a bad idea. :D It will lead to confusion during debugging, e.g. by people who don't know about this "feature" (e.g. DevOps that will be reading logs of software that is using this library). They will see "error: 535", and wonder how the hell this code happened.

let mut yolo = YoloRead { does not build confidence. :D

pub(crate) struct YoloRead {
    stream: *mut Stream,
    dealloc: bool, // whether we are to dealloc stream on drop
}

Oh. Here is another *mut Stream. I don't really get why it is necessary.

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let bytes = s.as_bytes().to_owned();

I don't think this clone is necessary.

Generally - negative review, since there's some unsafe code that I don't think is necessary, and I have
no confidence that it is actually correct (quite the opposite... I suspect some stuff is wrong with it).

There were some other minor problems, potentially bugs, a lot of casual needless cloning and
stuff that looks like plain inefficiencies, and generally this crate at its current state does not look
like something I'd recommend for any serious production use. The goal seems good but it seems not there yet.
I think crates like this need either a lot of usage and pairs of eyes and developers to iron out all the details,
or some extensive test suite.
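The review above quotes several fragments from the crate under review and argues for three concrete changes: compare header names with eq_ignore_ascii_case instead of allocating a lowercased copy, replace the *mut Stream with Option<Box<Stream>> (same size, but ownership is tracked by the compiler), and accept any amount of leading whitespace before a header value while parsing borrowed data instead of cloning it. The block below is an added example written for this page to show those points in working code; it is not code from the reviewed crate or from dpc. The Stream struct is a hypothetical stand-in (only its size matters), and the header and status lines fed to it are constructed test inputs.

```rust
use std::mem::size_of;

/// Hypothetical stand-in for the reviewed crate's `Stream` type; only its size matters here.
struct Stream {
    _fd: i32,
    _buf: Vec<u8>,
}

/// `Option<Box<T>>` uses the null pointer as its `None` niche, so it is exactly
/// pointer-sized: the same layout as `*mut T`, minus the manual `dealloc` bookkeeping.
pub fn option_box_is_pointer_sized() -> bool {
    size_of::<Option<Box<Stream>>>() == size_of::<*mut Stream>()
}

/// Case-insensitive "x-" prefix test with no allocation. `to_lowercase()` would build a
/// fresh String for every header; `eq_ignore_ascii_case` compares the bytes in place.
pub fn is_x_header(name: &str) -> bool {
    name.get(..2).map_or(false, |prefix| prefix.eq_ignore_ascii_case("x-"))
}

/// Split one header line into (name, value), borrowing from the input rather than cloning.
/// RFC 2616 §4.2 allows any amount of linear whitespace before the value, so every leading
/// space and tab is stripped, not just a single SP. Whitespace inside the field name is
/// rejected instead of tolerated: it is invalid and a classic header-smuggling vector.
pub fn parse_header(line: &str) -> Option<(&str, &str)> {
    let (name, raw_value) = line.split_once(':')?;
    if name.is_empty() || name.contains(|c: char| c == ' ' || c == '\t') {
        return None;
    }
    let value = raw_value.trim_matches(|c: char| c == ' ' || c == '\t' || c == '\r' || c == '\n');
    Some((name, value))
}

/// Parsed status line with named fields instead of a `(usize, usize)` split-index tuple.
#[derive(Debug, PartialEq)]
pub struct StatusLine<'a> {
    pub version: &'a str,
    pub status: u16,
    pub reason: &'a str,
}

/// Parse "HTTP/1.1 200 OK" into named, borrowed fields. The reason phrase may be absent.
pub fn parse_status_line(line: &str) -> Option<StatusLine<'_>> {
    let line = line.trim_end_matches(|c: char| c == '\r' || c == '\n');
    let (version, rest) = line.split_once(' ')?;
    if !version.starts_with("HTTP/") {
        return None;
    }
    let (code, reason) = rest.split_once(' ').unwrap_or((rest, ""));
    if code.len() != 3 || !code.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    let status = code.parse::<u16>().ok()?;
    Some(StatusLine { version, status, reason })
}

fn main() {
    println!("Option<Box<Stream>> is pointer-sized: {}", option_box_is_pointer_sized());
    // Constructed sample lines, including one with an invalid (space-containing) name.
    for line in ["Content-Type:   \t text/plain\r\n", "X-Trace-Id: abc", "Bad Name: v"] {
        println!("{:?} -> {:?} (x-header: {})", line, parse_header(line),
                 parse_header(line).map_or(false, |(n, _)| is_x_header(n)));
    }
    println!("{:?}", parse_status_line("HTTP/1.1 200 OK\r\n"));
}
```

The size check is the one a reviewer can run on the spot to confirm that swapping a raw pointer for Option<Box<T>> costs nothing in layout; the two parsers show that the borrowed-slice approach handles the RFC 2616 whitespace case without a single allocation.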

positive
2019-11-04
dpc
low, medium
positive
2019-10-14
dpc
low, medium

No unsafe, LGTM.

strong
2019-01-12
dpc
medium, high
positive
2019-07-11
dpc
low, medium
positive
2019-01-12
dpc
low, medium
2019-07-02
dpc
advisories:
medium
major
neutral
2019-04-25
dpc
none, none
advisory:
major
true

https://github.com/RustSec/advisory-db/blob/master/crates/yaml-rust/RUSTSEC-2018-0006.toml

strong
2019-01-13
dpc
medium, high

© bestia.dev 2021, MIT Licence, Version: 2021.1208.1729

Open source repository for this web app: https://github.com/bestia-dev/cargo_crev_web/