
Cargo Build Scripts can execute arbitrary code on the build host (by design) #524

Closed
mschwaig opened this issue May 24, 2024 · 1 comment


@mschwaig

While this is not a security vulnerability, it is a significant supply chain security issue, which cargo-geiger might choose to address in addition to its existing scope, by flagging dependencies which use build scripts in its output.

Non-Rust code becomes part of the final binary during the build. The mechanism that does this in Cargo is called Build Scripts, and the default name for those files is build.rs.

Using this mechanism, developers can write imperative build scripts in Rust, which can execute arbitrary code in order to

  1. obtain source code or binary blobs, outside of the dependency tree tracked by Cargo, in any way they like
  2. build this Non-Rust code in any way they like
  3. instruct Cargo to link the build result into the final binary, by passing additional compiler/linker flags back to Cargo.

#103 and #6 are existing issues about marking Non-Rust code as unsafe.

Flagging dependencies with build scripts in them should be the same as flagging all Non-Rust code that ships as part of the binary plus any existing less conventional uses of build scripts.

Since users would want to run such a check before the first build of a project, ideally a check which looks for build scripts should not require building the checked project. Otherwise a malicious dependency can compromise the system before the build is executed. In that case it can technically falsify the output of the cargo-geiger command.
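A file-level check of the kind the issue asks for, added here as an example and not code from cargo-geiger: it classifies unpacked crates by the two ways Cargo decides to run a build script (a `build.rs` in the crate root, or an explicit `build` key under `[package]`, with `build = false` opting out), without compiling anything. It assumes one crate per subdirectory, as `cargo vendor` lays them out, and one manifest key per line; `BuildScript`, `package_build_key`, `detect_build_script` and `flag_crates` are names chosen for this example.

```rust
use std::fs;
use std::path::Path;

/// How a crate would run a build script, decided from files alone (nothing is compiled).
#[derive(Debug, PartialEq)]
pub enum BuildScript {
    Default,        // build.rs in the crate root and no `build` key: Cargo's default
    Custom(String), // explicit `build = "path"` under [package]
}

/// Line-based read of the `build` key under `[package]` (assumes one key per line).
pub fn package_build_key(manifest: &str) -> Option<String> {
    let mut in_package = false;
    for raw in manifest.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            in_package = line == "[package]";
        } else if let Some(rest) = line.strip_prefix("build").filter(|_| in_package) {
            if let Some(value) = rest.trim_start().strip_prefix('=') {
                return Some(value.trim().trim_matches('"').to_string());
            }
        }
    }
    None
}

/// Classify one unpacked crate directory; `build = false` disables the default.
pub fn detect_build_script(crate_dir: &Path) -> std::io::Result<Option<BuildScript>> {
    let manifest = fs::read_to_string(crate_dir.join("Cargo.toml"))?;
    Ok(match package_build_key(&manifest).as_deref() {
        Some("false") => None,
        Some(path) => Some(BuildScript::Custom(path.to_string())),
        None if crate_dir.join("build.rs").is_file() => Some(BuildScript::Default),
        None => None,
    })
}

/// Walk a vendor/ or registry src/ dir (one subdirectory per crate); list crates that would run a build script.
pub fn flag_crates(root: &Path) -> std::io::Result<Vec<(String, BuildScript)>> {
    let mut flagged = Vec::new();
    for entry in fs::read_dir(root)? {
        let dir = entry?.path();
        if !dir.join("Cargo.toml").is_file() { continue; } // not a crate root
        if let Some(how) = detect_build_script(&dir)? {
            flagged.push((dir.file_name().unwrap().to_string_lossy().into_owned(), how));
        }
    }
    flagged.sort_by(|a, b| a.0.cmp(&b.0));
    Ok(flagged)
}
```

Run `flag_crates` against the `vendor/` directory that `cargo vendor` produces to get the list before any `cargo build`; a crate that is flagged is one whose build script would run on the build host.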

@pinkforest
Collaborator

pinkforest commented May 24, 2024

cargo-geiger is not a security audit tool itself and only provides statistical output re: unsafe use to help analysing its use

So not in scope for cargo-geiger really - use of unsafe and security issues are quite different animals.

I am also personally not a fan of using supply-chain wording given no money exchanged hands.

There are tools that do ACL type of functionality e.g. https://crates.io/crates/cackle - would recommend checking it out.

@pinkforest pinkforest closed this as not planned Won't fix, can't repro, duplicate, stale May 24, 2024