cargo vet subcommand is a tool to help projects ensure that third-party
Rust dependencies have been audited by a trusted entity. It strives to be
lightweight and easy to integrate.
cargo vet matches all of a project's third-party dependencies
against a set of audits performed by the project authors or entities they trust.
If there are any gaps, the tool provides mechanical assistance in performing and
documenting the audit.
The primary reason that people do not ordinarily audit open-source dependencies
is that it is too much work. There are a few key ways that
cargo vet aims to
reduce developer effort to a manageable level:
Sharing: Public crates are often used by many projects. These projects can share their findings with each other to avoid duplicating work.
Relative Audits: Different versions of the same crate are often quite similar to each other. Developers can inspect the difference between two versions, and record that if the first version was vetted, the second can be considered vetted as well.
Deferred Audits: It is not always practical to achieve full coverage. Dependencies can be added to a list of exceptions which can be ratcheted down over time. This makes it trivial to introduce
cargo vetto a new project and guard against future vulnerabilities while vetting the pre-existing code gradually as time permits.
cargo vetis under active development. If you're interested in deploying it, get in touch.