[][src]Module cargo_crev::doc::user::cargo_specific

Cargo specific features

crev is a language and ecosystem agnostic system for reviewing code. While being quite generic it does not forbit or prevent integrating with particular features and data available in each ecosystem. Quite the opposite - part of the vision of crev is to build well integrated ecosystem-specific tools. cargo-crev is exactly such a tool for Rust language and cargo package manager.

For this reason cargo-crev implements multiple features to help cargo users.

Known Owners

While in a perfect world everyone would just review the code they are using and/or rely on other reputable reviewers, this will be a difficult target until a critical mass of adoption is reached.

To address this problem, cargo-crev allows reasoning about trustworthinnes of crates by the reputation of their autors.

Every crev identity can create and maintain a "known owners" list. Use cargo crev config edit known command to edit it. Each line is crates.io username or group name that will be considered somewhat trustwothy.

During dependency verification a --skip-known-owners argument can be used to skip crates that have at least one known owner.

It's important to consider the security implications. crates.io or the personal accounts of reputable crate authors could get compromised. And just because the crate owner is on a list of authors does not mean other co-authors are neccessarily trustworthy.

So this feature is definitely a compromise. But it is very useful for filtering out dependencies that are most probably OK, and can be reviewed after code from less reputable sources is reviewed first.

Download counters

cargo crev crate verify will display download counts for both specific crate version and total crate downloads, as a quick estimate of crate popularity. Crates and versions with particularily low download count at higher risk of introducing serious bugs or malicious code.

Geiger count

geiger is a binary and a library calculating number of unsafe lines of code. cargo-crev uses it to display the geiger count for each dependency. unsafe code can introduce memory safety issues, and non-zero geiger count is a good reason to prioritze reviewing the code.

Lines of code

cargo-crev uses tokei to calculate the total number of Rust code each dependency introduces. Small crates are a good candidate for imediate review (because it will be quick). Bigger ones can often be replaced with smaller alternatives.