|
| 1 | +- Feature Name: crates-io-security |
| 2 | +- Start Date: 2025-10-27 |
| 3 | +- RFC PR: [rust-lang/rfcs#3872](https://github.com/rust-lang/rfcs/pull/3872) |
| 4 | +- Rust Issue: [rust-lang/rust#3872](https://github.com/rust-lang/rust/issues/3872) |
| 5 | + |
| 6 | +# Summary |
| 7 | + |
| 8 | +[summary]: #summary |
| 9 | + |
| 10 | +This RFC proposes that crates.io should provide insight into vulnerabilities and unsound |
| 11 | +API surface based on the RustSec advisory database. |
| 12 | + |
| 13 | +# Motivation |
| 14 | + |
| 15 | +[motivation]: #motivation |
| 16 | + |
| 17 | +One of the roles that crates.io serves for Rust developers is as a discovery mechanism for library |
| 18 | +packages. As such, it is important that users can quickly assess the quality of a given crate, |
| 19 | +including security considerations such as unsound code/API or known vulnerabilities. |
| 20 | +The RustSec advisory database is a curated database of security advisories for Rust crates, |
| 21 | +which tracks known vulnerabilities, unsound code, and maintenance status of crates. |
| 22 | + |
| 23 | +The Rust ecosystem has a culture of having smaller, focused crates with a clear purpose. |
| 24 | +As a result, many Rust projects have a large number of dependencies, which increases the |
| 25 | +risk of introducing problems in the final artifact via the supply chain of dependencies. |
| 26 | +Actively malicious crates (or crate versions) would be one example of these risks; the |
| 27 | +crates.io team handles these by deleting them when discovered. |
| 28 | + |
| 29 | +This RFC concerns itself mostly with unintentional vulnerabilities and unsound APIs. An example |
| 30 | +from the Java ecosystem is the [Log4Shell] vulnerability in the popular Log4j logging library, |
| 31 | +when a widely used package exposed affected services to remote code execution attacks. |
| 32 | + |
| 33 | +The Open Source Security Foundation (OpenSSF) has enumerated [Principles for Package Repository |
| 34 | +Security]; while crates.io already addresses many of these, one of these is: |
| 35 | + |
| 36 | +> The package repository warns of known security vulnerabilities in dependencies in the package |
| 37 | +> repository UI. |
| 38 | +
|
| 39 | +The RustSec advisory database tooling already supports exporting advisories in the OSV format. |
| 40 | +Today, crates.io does not display any information about known vulnerabilities or unsound APIs |
| 41 | +for a given crate. Devising how best to surface this information across a project dependency |
| 42 | +graph is a more complex problem that is outside the scope of this RFC (but see future work). |
| 43 | + |
| 44 | +[Log4Shell]: https://en.wikipedia.org/wiki/Log4j#Log4Shell_vulnerability |
| 45 | +[Principles for Package Repository Security]: https://repos.openssf.org/principles-for-package-repository-security.html |
| 46 | + |
| 47 | +# Guide-level explanation |
| 48 | + |
| 49 | +[guide-level-explanation]: #guide-level-explanation |
| 50 | + |
| 51 | +The crates.io website will display information about known vulnerabilities and unsound APIs. |
| 52 | +While this information is available today via the RustSec website (including feeds that can |
| 53 | +automatically be consumed by tooling), having this information directly on crates.io would |
| 54 | +make it accessible and visible to a wider audience. |
| 55 | + |
| 56 | +We want to convey a quick overview of the security status of a crate, and allow users to make informed decisions about whether to use the crate in their projects. Care should be taken to |
| 57 | +ensure that the mere existence of past vulnerabilities does not negatively impact the perceived quality of a crate; very popular crates are much more likely to have vulnerabilities reported |
| 58 | +against them, simply due to their popularity and the amount of scrutiny. |
| 59 | + |
| 60 | +For example, the UI could be somewhat like this: |
| 61 | + |
| 62 | +> Add a `Security` tab to crate pages. If there are known vulnerabilities for the currently |
| 63 | +> selected version, the tab might be highlighted. The Security tab will be there whether there |
| 64 | +> are existing advisories for a crate or not. Opening the Security tab for a crate should show |
| 65 | +> a list of advisories that affect the crate, including a summary of the issue, a list of |
| 66 | +> affected versions, and links to more information. |
| 67 | +
|
| 68 | +The way advisories are represented in the crates.io UI will evolve over time based on the |
| 69 | +available data and user feedback. This RFC does not mandate a specific UI design. |
| 70 | + |
| 71 | +# Reference-level explanation |
| 72 | + |
| 73 | +[reference-level-explanation]: #reference-level-explanation |
| 74 | + |
| 75 | +The RustSec project publishes a number of Rust crates that can be used to parse and query the |
| 76 | +advisory database, which can be reused in the crates.io codebase. For now, crates.io will only |
| 77 | +display advisories in the UI; we will not be adding API to query RustSec advisories. Downstream |
| 78 | +users who want to consume this data can use the RustSec crates and the [advisory-db repository] |
| 79 | +directly. |
| 80 | + |
| 81 | +[advisory-db repository]: https://github.com/RustSec/advisory-db |
| 82 | + |
| 83 | +# Drawbacks |
| 84 | + |
| 85 | +[drawbacks]: #drawbacks |
| 86 | + |
| 87 | +The RustSec project is maintained by an independent team of volunteers, so the crates.io Security |
| 88 | +tab will be reflecting data that is maintained by what amounts to a kind of third party. |
| 89 | +The Leadership Council has an [ongoing discussion] on governance for the Secure Code WG that |
| 90 | +governs the RustSec project, which might be relevant to this proposal. Feedback on the RustSec |
| 91 | +advisory data can be fed back to the RustSec team via their issue tracker. |
| 92 | + |
| 93 | +Rust developers might be scared off of using crates that have known vulnerabilities, even if |
| 94 | +those vulnerabilities are not relevant to their use case, or have been fixed in later versions. |
| 95 | +This seems like a reasonable trade-off to me -- we should allow informed users to make decisions |
| 96 | +that are best for their projects. |
| 97 | + |
| 98 | +[ongoing discussion]: https://github.com/rust-lang/leadership-council/issues/140 |
| 99 | + |
| 100 | +# Rationale and alternatives |
| 101 | + |
| 102 | +[rationale-and-alternatives]: #rationale-and-alternatives |
| 103 | + |
| 104 | +crates.io is the official package repository for the Rust ecosystem, so sharing important security |
| 105 | +context via this interface seems like an effective way to make it accessible to a wide audience. |
| 106 | + |
| 107 | +Widely used tools like [cargo-audit] and [cargo-deny] already provide a way to check for |
| 108 | +security-sensitive issues in a Rust project's dependencies, but these tools are opt-in and require |
| 109 | +users to be aware of them and to run them. They are also more focused on auditing a project's |
| 110 | +existing dependencies rather than helping inform users in the discovery phase. |
| 111 | + |
| 112 | +Alternatively, we might make the RustSec advisory database available directly via cargo. This |
| 113 | +seems mostly unrelated to what crates.io does, and seems like an interesting future possibility. |
| 114 | + |
| 115 | +[cargo-audit]: https://crates.io/crates/cargo-audit |
| 116 | +[cargo-deny]: https://crates.io/crates/cargo-deny |
| 117 | + |
| 118 | +# Prior art |
| 119 | + |
| 120 | +[prior-art]: #prior-art |
| 121 | + |
| 122 | +Neither npm nor PyPI currently seem to provide support for displaying security advisories. |
| 123 | + |
| 124 | +[lib.rs], the opinionated alternative crate index, does have an [audit page] that shows |
| 125 | +both RustSec advisories and reviews from [cargo-crev] and [cargo-vet]. |
| 126 | + |
| 127 | +[lib.rs]: https://lib.rs/ |
| 128 | +[audit page]: https://lib.rs/crates/tokio-tar/audit |
| 129 | +[cargo-crev]: https://github.com/crev-dev/cargo-crev |
| 130 | +[cargo-vet]: https://github.com/mozilla/cargo-vet |
| 131 | + |
| 132 | +# Unresolved questions |
| 133 | + |
| 134 | +[unresolved-questions]: #unresolved-questions |
| 135 | + |
| 136 | +This seems like a relatively straightforward feature with a limited scope. The main questions |
| 137 | +are about the desirability of the feature, the implementation approach, and the governance |
| 138 | +of the source data. |
| 139 | + |
| 140 | +# Future possibilities |
| 141 | + |
| 142 | +[future-possibilities]: #future-possibilities |
| 143 | + |
| 144 | +In the future, it would be valuable if lockfile updates exposed open vulnerabilities in a |
| 145 | +project's dependency graph in the Cargo CLI, for example on `cargo update` or `cargo check`. |
| 146 | +crates.io doesn't necessarily have good access to a project's dependency graph, so a simple |
| 147 | +implementation would be limited to direct dependencies, which limits its usefulness. |
| 148 | + |
| 149 | +crates.io could extend its existing API to query advisories for a given crate. |
| 150 | + |
| 151 | +`SECURITY.md` files are often used to communicate a project's security policies. crates.io |
| 152 | +could surface the contents of these files on the new Security page. However, `SECURITY.md` |
| 153 | +files commonly live in the repository root, which is often a crate workspace, and thus |
| 154 | +is not directly associated with a specific crate. Some prerequisite work in Cargo would |
| 155 | +probably be needed to associate a crate with the relevant `SECURITY.md` file. |
0 commit comments