git.stella-ops.org/docs/benchmarks/scanner/deep-dives/rust.md
2025-11-02 21:41:03 +02:00

Rust Ecosystem

StellaOps implementation

  • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/RustLanguageAnalyzer.cs coordinates collection via Internal/RustAnalyzerCollector.cs.
  • The collector ingests Cargo.lock, cargo fingerprint caches, and compiled binaries, merging the data into three record sets: crate (authoritative), heuristic (fingerprints), and fallback (hashed binaries).
  • License metadata is sourced through RustLicenseScanner; binaries retain SHA256 hashes and usage indicators derived from EntryTrace.
  • Results are deduplicated and sorted to guarantee deterministic replay; each record includes evidence pointing to lockfile paths or binary locations.

Trivy implementation

  • pkg/fanal/analyzer/language/rust/cargo/cargo.go parses Cargo.lock/TOML to classify direct, workspace, and transitive dependencies, removing dev dependencies where possible.
  • pkg/fanal/analyzer/language/rust/binary/binary.go inspects ELF binaries, returning nil when crate metadata is missing; no hashed fallback component is emitted.
  • License attribution relies on Cargo metadata; runtime usage is not tracked.

Snyk implementation

  • The plugin dispatcher in src/lib/plugins/index.ts does not list a Rust/Cargo plugin, so Rust projects are currently unsupported by the Snyk CLI.[s1]
  • Users must resort to other tooling or Snyk SaaS capabilities outside the CLI for Rust coverage.

Grype implementation

  • Syft provides Rust packages for Grype's matchers (grype/pkg/syft_provider.go).
  • The Rust matcher consumes syftPkg.RustPkg and matches via ecosystem/CPE lookups (grype/matcher/rust/matcher.go); there is no fallback for binaries without Cargo metadata.
  • Runtime usage, fingerprinting, or hashed binary fallbacks are not emitted.

Key differences

  • Fallback strategy: StellaOps preserves components for binaries lacking metadata; Trivy and Grype drop or ignore binaries without Cargo linkage, while Snyk lacks Rust support entirely.
  • Evidence breadth: StellaOps aggregates lockfile, fingerprint, and binary evidence into a deterministic record; Trivy and Grype primarily consume Cargo descriptors, and Snyk provides no CLI coverage.
  • Usage insight: StellaOps propagates EntryTrace usage flags; Trivy and Grype outputs are inventory-only; Snyk has no runtime data due to lack of support.
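To make the StellaOps collector behaviour and the fallback-strategy difference concrete, here is an added example (not StellaOps, Trivy or Grype code) that merges evidence from a constructed Cargo.lock, cargo fingerprint directory names and compiled binaries into the three record tiers, then deduplicates and sorts them for deterministic replay; the embedded-metadata probe for binaries is assumed and stubbed as input, and the `keep_hashed_fallback` switch reproduces the drop-unlinked-binaries behaviour described for Trivy and Grype.

```python
# Added example (not StellaOps, Trivy or Grype code): merge Rust evidence from a
# Cargo.lock, cargo fingerprint directories and compiled binaries into the three
# record tiers described above, deduplicated and sorted for deterministic replay.
import hashlib
import re

# Constructed Cargo.lock fragment (checksum is a placeholder, not a real digest).
CARGO_LOCK = """\
[[package]]
name = "serde"
version = "1.0.210"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "my-app"
version = "0.1.0"
"""
# Constructed target/.fingerprint entries; cargo names them <crate>-<16 hex chars>.
FINGERPRINT_DIRS = ["target/debug/.fingerprint/serde-0123456789abcdef",
                    "target/debug/.fingerprint/serde-0123456789abcdef",  # duplicate
                    "target/debug/.fingerprint/ring-fedcba9876543210"]
# Constructed binaries: path -> (bytes, (name, version) recovered by an assumed
# embedded-metadata probe, or None when the binary carries no Cargo linkage).
BINARIES = {"target/release/my-app": (b"\x7fELF my-app", ("my-app", "0.1.0")),
            "vendor/blob": (b"\x7fELF opaque", None)}

def parse_cargo_lock(text):
    """Minimal [[package]] parser: (name, version) of every locked crate."""
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        f = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', block, re.M))
        pkgs.append((f["name"], f["version"]))
    return pkgs

def merge_rust_evidence(lock_text, fingerprint_dirs, binaries, keep_hashed_fallback=True):
    """Return sorted, deduplicated (tier, name, version, evidence) records.
    keep_hashed_fallback=False mimics Trivy/Grype dropping unlinked binaries."""
    records = set()
    for name, version in parse_cargo_lock(lock_text):
        records.add(("crate", name, version, "lockfile:Cargo.lock"))
    for d in fingerprint_dirs:
        m = re.match(r"^(.+)-([0-9a-f]{16})$", d.rsplit("/", 1)[-1])
        if m:  # a fingerprint yields only the crate name, hence heuristic tier
            records.add(("heuristic", m.group(1), "", f"fingerprint:{d}"))
    for path, (data, meta) in binaries.items():
        if meta:
            records.add(("crate", meta[0], meta[1], f"binary:{path}"))
        elif keep_hashed_fallback:
            digest = hashlib.sha256(data).hexdigest()
            records.add(("fallback", f"sha256:{digest}", "", f"binary:{path}"))
    return sorted(records)  # the set collapsed duplicates; sorting fixes replay order
```

Running `merge_rust_evidence(CARGO_LOCK, FINGERPRINT_DIRS, BINARIES)` yields six records, including one fallback entry for vendor/blob, while `keep_hashed_fallback=False` yields five and silently loses that binary.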

References

  • [s1] /tmp/snyk-cli/src/lib/plugins/index.ts