Known crashes #4

Closed
cdstanford opened this issue Sep 6, 2024 · 3 comments
cdstanford commented Sep 6, 2024
  • Crash on rand:
$ python3 detective.py -a rand 0.8.5
Solving for required Assumptions to trust rand-0.8.5...
This crate has not been audited by any organization.
Traceback (most recent call last):
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 106, in <module>
    main()
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 103, in main
    complete_analysis(crate)
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 93, in complete_analysis
    variables, assumptions = assumptions_for(crate, metadata)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/assumption.py", line 126, in assumptions_for
    dep_metadata = sherlock.get_crate_metadata(d)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/sherlock.py", line 25, in get_crate_metadata
    logger.logger(crate.name, crate.version, "exp")
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/logger.py", line 831, in logger
    entry[1],
    ~~~~~^^^
IndexError: string index out of range
Crate: rand, Version: 0.8.5

This appears to be due to version='alpha.2

Possibly helpful:

(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?
cdstanford (Author) commented:
python3 detective.py -a injex 0.1.0
Runs but after ~5 minutes raises this error:

==================================
This crate has not been audited by any organization.
Traceback (most recent call last):
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 106, in <module>
    main()
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 103, in main
    complete_analysis(crate)
  File "/Users/caleb/git/RustSec/cargo-sherlock/solver.py", line 93, in complete_analysis
    variables, assumptions = assumptions_for(crate, metadata)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/assumption.py", line 127, in assumptions_for
    dep_variables, dep_assumptions = assumptions_for(d, dep_metadata) # recursively add assumptions for dependencies
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/assumption.py", line 126, in assumptions_for
    dep_metadata = sherlock.get_crate_metadata(d)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/sherlock.py", line 25, in get_crate_metadata
    logger.logger(crate.name, crate.version, "exp")
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/logger.py", line 806, in logger
    _, audit_info = is_audited(crate_name, version)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/caleb/git/RustSec/cargo-sherlock/helpers/logger.py", line 426, in is_audited
    if version == audit["version"]:
                  ~~~~~^^^^^^^^^^^
KeyError: 'version'
Crate: injex, Version: 0.1.0

@muhammad-hassnain muhammad-hassnain self-assigned this Sep 8, 2024
muhammad-hassnain (Contributor) commented Sep 8, 2024

Injex

  1. 404 - URL issue: there was a .git at the end of the repository URL from crates.io, and we were directly querying it with the GitHub API, causing a 404.
  2. Crash: one of injex's dependencies has sysinfo as a dependency, and sysinfo has the dependency core-foundation-sys. There was no version present in the audit report for core-foundation-sys. That was causing a "no key found" error. Sometimes when Mozilla audits a crate they themselves wrote, they just go over the commits they have not authored, instead of a specific version.

Rand

The problem was caused by sorting the versions directly, which would make 1.9.0 greater than 1.25.0, but that’s not true. Now we make ‘version objects’ and sort those instead, rather than sorting strings.

abasu2 (Collaborator) commented Oct 13, 2024

Crash on fast-kd:

$ python sherlock.py trust fast-kd
Latest version of fast-kd is 0.1.1.
Solving for required assumptions to trust fast-kd-0.1.1...
This crate has not been audited by any organization.
Traceback (most recent call last):
  File "/home/abasu/reu/cargo-sherlock/sherlock.py", line 84, in <module>
    main()
  File "/home/abasu/reu/cargo-sherlock/sherlock.py", line 81, in main
    complete_analysis(crate, sys.stdout)  
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 161, in complete_analysis
    summary = memoized_crate_analysis(crate)
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 76, in memoized_crate_analysis
    variables, assumptions = get_crate_assumptions(crate, metadata)
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 47, in get_crate_assumptions
    assumptions_for_dependency_safety.append(memoized_crate_analysis(d))
  File "/home/abasu/reu/cargo-sherlock/solver.py", line 75, in memoized_crate_analysis
    metadata = crate_data.get_crate_metadata(crate)
  File "/home/abasu/reu/cargo-sherlock/helpers/crate_data.py", line 25, in get_crate_metadata
    logger.logger(crate.name, crate.version, "exp")
  File "/home/abasu/reu/cargo-sherlock/helpers/logger.py", line 783, in logger
    label = inRustSec(crate_name, version)
  File "/home/abasu/reu/cargo-sherlock/helpers/logger.py", line 154, in inRustSec
    flag, label = bulls_eye(ver, version)
  File "/home/abasu/reu/cargo-sherlock/helpers/logger.py", line 210, in bulls_eye
    if version >= ver: #means patched range
TypeError: '>=' not supported between instances of 'str' and 'list'
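The version-ordering fix described in muhammad-hassnain's comment (sort parsed version objects, not strings) and the str-versus-list TypeError in the fast-kd trace above both come down to comparing versions as typed values. The following is an added example, not cargo-sherlock's own code: it builds comparable Version objects from the semver regex quoted earlier in the thread, ranks pre-releases such as 0.9.0-alpha.2 below the plain release, and returns NotImplemented for a non-Version operand so a stray str or list fails loudly at the comparison instead of mis-sorting. Version, sort_versions and latest are names assumed here.

```python
import re
from functools import total_ordering

# The semver.org regex quoted in the issue, anchored so that trailing garbage is rejected.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)

@total_ordering
class Version:
    """A parsed semver version ordered by semver precedence (build metadata is ignored)."""

    def __init__(self, text):
        m = SEMVER_RE.match(text)
        if m is None:
            raise ValueError(f"not a semver version: {text!r}")
        self.text = text
        self.major, self.minor, self.patch = (int(m.group(i)) for i in (1, 2, 3))
        self.prerelease = tuple(m.group(4).split(".")) if m.group(4) else ()

    def _key(self):
        # Numeric pre-release identifiers compare numerically and rank below alphanumeric
        # ones; a plain release (flag 1) ranks above any pre-release of the same triple (flag 0).
        idents = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in self.prerelease)
        return (self.major, self.minor, self.patch, 0 if self.prerelease else 1, idents)

    def __eq__(self, other):
        if not isinstance(other, Version):
            return NotImplemented  # a str or list operand is a caller bug, not a silent mismatch
        return self._key() == other._key()

    def __lt__(self, other):
        if not isinstance(other, Version):
            return NotImplemented
        return self._key() < other._key()

def sort_versions(strings):
    """Sort version strings by semver precedence instead of lexically."""
    return [v.text for v in sorted(Version(s) for s in strings)]

def latest(strings, include_prerelease=False):
    """Highest version; pre-releases such as 0.9.0-alpha.2 are skipped unless asked for."""
    candidates = [v for v in map(Version, strings) if include_prerelease or not v.prerelease]
    return max(candidates).text
```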
