Minimal cargo-vet client
This is a library that downloads and parses Rust crate reviews in the cargo-vet format. It can be used to build custom tools for auditing supply-chain security, reusing reviews from the cargo-vet registry, or indirectly from cargo-crev or Debian or Guix.
Structs
- A record of a review. If `violation` is not set, it's an approval, but check the `criteria` to know what has been approved.
- A fetched and parsed list of reviews
- A list of audits from `fetch_registry_from_url`
- A file containing criteria and audits
- Registry entry for data sources
- Case-insensitive string. `safe-to-run` and `safe-to-deploy` are two special ones, meaning "no malware" and "no dangerous bugs", respectively.
- Start here
- A list of URLs to fetch. See the default registry for the sources: https://raw.githubusercontent.com/bholley/cargo-vet/main/registry.toml.
- A reference to an `Audit`.
- Approval of everything by a user, without checking
- cargo-vet allows specifying git revisions for versions, but presence of the revision seems to imply that the crate is not available on crates.io
- Approved without checking
Enums
- Audits can either trust source code, or whole crates, or authors
- Unfortunately, cargo-vet sometimes exposes internal IDs of crates.io users