2023-05-24



Many of Google’s open source projects use Rust, a modern systems language designed for building reliable and efficient software. Google has long invested in the Rust community: we helped found the Rust Foundation, many Googlers work on Rust upstream as part of their job, and we financially support major Rust projects. Today, we continue our commitment to the open source Rust community by aggregating and publishing audits of the Rust crates that Google’s open source projects use.

Rust makes it easy to encapsulate and share code in crates. Crates are reusable software components similar to packages in other languages. We embrace the broad ecosystem of open source Rust crates by leveraging crates made outside of Google and by publishing some of our own.

All third-party code carries an element of risk. Before a project begins using a new crate, members typically perform a thorough audit to evaluate it against criteria such as security, correctness, and testing. Many of the same dependencies end up being used across open source projects, which leads to duplicated effort when several projects audit the same crate. To eliminate that duplication, we started sharing audits across projects. Now we are excited to join other organizations and share our audits with the broader open source community.
</gre_replace>
<gr_replace lines="11-13" cat="clarify" orig="Our crate audits">
Our crate audits are continuously aggregated and published to our supply-chain repository on GitHub. They work with cargo vet to mechanically verify two things:

- A human audited every dependency and recorded its relevant properties.
- Those recorded properties satisfy the requirements of the current project.

Our crate audits are continuously aggregated and published to our supply chain repository on GitHub. They work with cargo veterinarians to mechanically verify:

A human audited all dependencies and recorded their associated properties. Those properties meet the requirements of the current project.

You can easily import audits done by Googlers into your own project; they attest properties of many open source Rust crates. That data can then be used to determine whether a crate meets your project’s security, correctness, and testing requirements. Cargo vet has strong support for incremental dependency checking, which makes it easy to adopt in existing projects.

Different use cases have different requirements, and cargo vet lets you configure requirements separately for each dependency. For example, it may be appropriate to check local development tools only for malicious code (privacy violations, data leaks, or malware installation), whereas code deployed to users typically has more stringent requirements, such as not introducing memory safety issues, using modern cryptography, and adhering to standards and specifications. When sharing audits, it is important to consider how the requirements of your project relate to the facts recorded during an audit.
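The following is an added illustration of the two files cargo vet keeps under a project’s `supply-chain/` directory; it is not configuration from the original post or from any Google repository. The import URL, the crate names (`my-service`, `dev-lint-tool`, `fast-hash`), the reviewer name and the custom `crypto-reviewed` criterion are constructed placeholders; only the file layout, the built-in `safe-to-run` and `safe-to-deploy` criteria, and the `[imports]`, `[policy]`, `[criteria]` and `[[audits.*]]` tables are cargo vet’s own.

```toml
# --- supply-chain/config.toml (constructed example) ---

[cargo-vet]
version = "0.8"   # assumed format version; cargo vet init writes the current one

# Pull in audits published by another organization. The URL is a placeholder:
# replace it with the raw audits.toml of the repository you trust.
[imports.example-org]
url = "https://example.invalid/supply-chain/audits.toml"

# Code shipped to users must meet the stricter built-in "safe-to-deploy"
# criterion plus a custom criterion defined in audits.toml below.
[policy.my-service]
criteria = ["safe-to-deploy", "crypto-reviewed"]

# A local development tool never reaches users, so only the malware-free
# "safe-to-run" bar applies to it and to everything it pulls in.
[policy.dev-lint-tool]
criteria = "safe-to-run"

# --- supply-chain/audits.toml (constructed example) ---

# A project-specific criterion. "implies" records that anything meeting it
# also meets safe-to-deploy, so imported safe-to-deploy facts stay comparable.
[criteria.crypto-reviewed]
description = "Cryptographic code uses modern, standard primitives and was reviewed by a cryptography owner."
implies = "safe-to-deploy"

# The record a human leaves after auditing one crate version: who looked,
# which version, and which properties they are willing to attest.
[[audits.fast-hash]]
who = "Reviewer Name <reviewer@example.invalid>"   # placeholder identity
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.3.1"
notes = "Full read of the crate; no unsafe blocks, no network or filesystem access."
```

With these files in place, `cargo vet check` fails the build if any dependency in `my-service`’s tree lacks an audit (local or imported) covering the criteria its policy demands, while `dev-lint-tool` passes on `safe-to-run` audits alone. The `implies` relation is what makes sharing work: a stricter project can rely on another organization’s `safe-to-deploy` entries without having to re-derive them, and only the gap to its own criteria remains on the local audit backlog.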

We hope that by sharing our work with the open source community, we can make the Rust ecosystem even more secure for everyone. ChromeOS and Fuchsia have already started performing audits and publishing them to the supply-chain repository mentioned above, and other Google open source projects will join them soon. As more projects join and we work through our collective audit backlog, our audits will grow to provide even more value and coverage. We are in the early stages of conducting and sharing audits with cargo vet, and the tool is still under active development. Details may change over time, and we are excited to evolve and improve our processes and tools. We hope that you will find value in the efforts of Googlers and join us in building a safer Rust ecosystem.

By David Koloski, Fuchsia, George Burgess, Chrome OS

