Skip to content

Require explicit acknowledgement for risky Rust call analysis #2715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sumitshahorg wants to merge 1 commit into
base: main
Choose a base branch
from
+12 −0
Open

Require explicit acknowledgement for risky Rust call analysis #2715

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@ This command will recursively scan the specified directory for any supported pac

OSV-Scanner has the option of using call analysis to determine if a vulnerable function is actually being used in the project, resulting in fewer false positives, and actionable alerts.

> [!WARNING]
> Rust call analysis can execute build scripts (`build.rs`) during compilation and may run arbitrary code from the scanned project.
> Use it only for trusted projects and pass `--allow-risky-rust-call-analysis` when enabling `--call-analysis=rust`.

OSV-Scanner can also detect vendored C/C++ code for vulnerability scanning. See [here](https://google.github.io/osv-scanner/usage/#cc-scanning) for details.

#### Supported Lockfiles
Expand Down
4 changes: 4 additions & 0 deletions cmd/osv-scanner/internal/helper/flags.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,10 @@ func BuildCommonScanFlags(defaultExtractors []string) []cli.Flag {
Name: "call-analysis",
Usage: "Enable call analysis for specific languages (e.g. --call-analysis=go). Supported: go, rust (*). (*) Will run build scripts.",
},
&cli.BoolFlag{
Name: "allow-risky-rust-call-analysis",
Usage: "acknowledge that rust call analysis may execute untrusted build scripts (build.rs)",
},
&cli.StringSliceFlag{
Name: "no-call-analysis",
Usage: "disables call graph analysis",
Expand Down
4 changes: 4 additions & 0 deletions cmd/osv-scanner/scan/source/command.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, clien
}

scannerAction := helper.GetCommonScannerActions(cmd, scanLicensesAllowlist)
// Rust call analysis builds the scanned project, so require explicit trust acknowledgement.
if scannerAction.CallAnalysisStates["rust"] && !cmd.Bool("allow-risky-rust-call-analysis") {
return errors.New("refusing to run rust call analysis without explicit acknowledgement: pass --allow-risky-rust-call-analysis if you trust this project")
}

scannerAction.LockfilePaths = cmd.StringSlice("lockfile")
//nolint:staticcheck // ignore our own deprecated field
Expand Down