mtvare6 / hello-world.rs

This project is a fork of b4skyx/hello-world.rs


🚀 Memory safe, blazing fast, configurable, minimal hello world written in rust(🚀) in a few lines of code with few (1092 🚀) dependencies 🚀

License: Other

Rust 95.34% Makefile 0.49% Dockerfile 0.20% Nix 2.01% Shell 0.97% Python 0.43% Vim Script 0.56%
rust rust-lang rustlang rust-crate rust-library memory-safety speed blazingly-fast configurable minimal blazing-fast fast ciscringe rustisrewrite hello-world helloworld

hello-world.rs's Introduction

🚀 hello-world.rs 🚀

🚀 Memory safe, blazing fast, minimal and configurable hello world project written in the rust(🚀) programming language 🚀

🚀 While this depends on more C code than rust(🚀) code to compile, because rust(🚀) is magically memory safe, now all the C code is memory safe too 🚀

🚀 This project is very minimal, it only requires 1092 crates 🚀

Building

To compile this project you need only one library 🚀:

1. alsa-lib 🚀
1. glfw 🚀
1. freetype 🚀
1. libglib 🚀
1. pango 🚀
1. atk 🚀
1. pixbuf 🚀
1. gdk 🚀

Just 1 lib, as you can see from the numbers listed beside the names 🚀

You probably have most of them already; if the build complains about one of them, you now know what to search for.

Then you can just make, and the compiled executable should be located at ./target/release/hello-world. Run it, or install it with make install.

Because rust(🚀) is so lightweight, unlike node_modules, which gets fairly large for a few dependencies, rust(🚀) manages compile caches efficiently and stores them on disk to save compile time! Just a 33G target folder, and the compile time is only around 2 hours and 30 minutes on my mac in release mode

🚀

A clean build takes around 3.8G

🚀

The CPU usage is pretty minimal too (release mode)

🚀 🚀

🚀

It is slower than echo, but memory safety comes at a cost! We need to be memory chad and blazing pure and lightning based

Benchmark by cypercine

Installation

Arch Linux

$ makepkg -si
$ pacman -U <package>.pkg.tar.xz

Docker

$ docker build -t hello-world .
$ docker run -it --rm --name hwrs hello-world

Nix

$ nix-env -i -f default.nix

Shade

$ wget "https://raw.githubusercontent.com/mTvare6/hello-world.rs/master/hello-world.rs-buildscript" -O <prefix>/user/main/hello-world.rs
$ shade install hello-world.rs

Why rust(🚀) when it's only 1 line and depends on 600 C binding crates?

Here are my takes on that matter

C in "c language" stands for Cringe and CVE and Cervical Capricious Catastrophic Chthonic Clumsy Clueless Complex and Cryptic 🤮

R in "rust(🚀) systems programming language" stands for Rewrite, Robust, Reliable, Rambunctious, Reprehensibl[ly great] and Secure 🚀

Since hello-world.rs is written in blazingly pure, configurable, lightweight and memory pure rust(🚀), the CVEs are secure, memory chad and blazing pure 🚀

Here are the comments from a few of my fellow Rustaceans 🚀

People ask the question "what's rust(🚀) good for?" pretty frequently, and little terminal apps like this are precisely the reason. [...]. It enables a kind of workflow that simply didn't exist before: I could have a fully safe, "correct", LLVM-optimized binary installed on my desktop in an afternoon. 🚀

Modern rust(🚀) appears pretty similar to modern JavaScript. You declare your variables with let 🚀

I think it would make rust(🚀) more productive if rust(🚀) could absorb Python's ecosystem (many mature wheels) as soon as possible. 🚀

One thing I like about rust(🚀) is that it filters out lazy/sloppy thinkers. Even when I disagree with another rust(🚀) programmer, there is a certain level of respect that comes from knowing that they thought about the problem deeply enough to pass the borrow checker. 🚀

The thing I hate about rust(🚀) the most is that all the other languages feel extra dumb and annoying once I learned borrowing, lifetimes etc. 🚀

"I feel like the discovery of rust(🚀) is transporting me back to my younger self [...]" "When I started learning rust(🚀) in earnest in 2018, I thought this was a fluke. It is just the butterflies you get when you think you fall in love, I told myself." 🚀

rust(🚀)'s product is not a programming language or a compiler. rust(🚀)'s product is the experience of being a rust(🚀) developer 🚀

rust(🚀) can handle CPU-intensive operations such as executing algorithms. 🚀

Because it's typically typed, rust(🚀) catches errors at compile time. [...] Also, it compiles code down to machine learning, allowing for extra efficiency. 🚀

Many people try to compare rust(🚀) to Go, but this is flawed. Go is an ancient board game that emphasizes strategy. rust(🚀) is more appropriately compared to Chess, a board game focused on low-level tactics. 🚀

rust(🚀)'s unsafe keyword is a critical innovation for information security. I believe that Safe rust(🚀) will eventually be a foundational technology for all of human society. 🚀

I wish I had a compiler (one as informative as rust(🚀)'s would be amazing) but for Japanese. If I could learn Japanese the way I learn programming I'd be conversationally fluent by now. 🚀

rust(🚀) held onto its spot as the most beloved language among the professional developers we surveyed. That said, the majority of developers who took the survey aren't familiar with the language. 🚀

I've experienced modern package management through Cargo and anything below that level now seems like returning to the stone age. 🚀

I probably can write the same code in C, but since rust(🚀) is rust(🚀), I need to (re)write it in rust(🚀) 🚀

Wait, it's only time until rust(🚀) makes assembly memory safe. 🚀

Done lots of C/C++/Python in the past, just started learning node/JS recently. Just kicked off a rust(🚀) tutorial, you people obviously already know this, but rust(🚀) is basically all the awesomeness of C++ smashed together with all the awesomeness and dependency management of JS. Looking forward to learning more rust(🚀) in the future! 🚀

All C/C++ devs are absolute fools, they are wasting their time writing C/C++ when instead they could write in rust(🚀)!

C devs are people who use leeches to cure diseases 🚀

As a rust(🚀) developer, I have no idea how any of my code or computers actually work, but it's cool to ask people in discord.gg/rust(🚀) for all help and write code 🚀

I've recently added sources for where I got these quotes from; when I get time I will add sources for where their messages are from, so for now some sources aren't marked

hello-world.rs's People

Contributors

alexislefebvre, b4skyx, bbaovanc, dazai-osamu-san, dependabot[bot], dylanaraps, elkowar, exorcist365, gitleptune, jaapmarcus, legendofmiracles, luke-rt, mattiasxu, mcotocel, mixcoac, monosans, mtvare6, n-r-k, origincode, overlisting, pie-flavor, saiintbrisson, sickcodes, slaynandkorpil, torvalds, tperic, truncateddinosour, uludev, wafelack, ysthakur


Forkers

nyxchrono

hello-world.rs's Issues

CVE-2021-32715 (Medium) detected in hyper-0.10.16.crate, hyper-0.13.10.crate

CVE-2021-32715 - Medium Severity Vulnerability

Vulnerable Libraries - hyper-0.10.16.crate, hyper-0.13.10.crate

hyper-0.10.16.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.10.16/download

Dependency Hierarchy:

  • multipart-0.18.0.crate (Root Library)
    • nickel-0.11.0.crate
      • โŒ hyper-0.10.16.crate (Vulnerable Library)
hyper-0.13.10.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.10/download

Dependency Hierarchy:

  • webdriver-0.44.0.crate (Root Library)
    • warp-0.2.5.crate
      • โŒ hyper-0.13.10.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with rustc v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the Content-Length header or ensure any upstream proxy handles Content-Length headers with a plus sign prefix.

Publish Date: 2021-07-07

URL: CVE-2021-32715

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32715

Release Date: 2021-07-07

Fix Resolution: hyper - 0.14.10


Step up your Open Source Security Game with Mend here
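The advisory above hinges on one detail: RFC 7230 defines Content-Length as 1*DIGIT, but Rust's str::parse::<u64>() accepts a leading '+', so a server that parses the header with it silently accepts "+5" while a front-end proxy that follows the RFC sees something else. The following is an added example, not code from hyper or from this repository, showing a strict parser and a framing check that also rejects the other classic smuggling shapes (disagreeing repeated Content-Length values, and Content-Length next to Transfer-Encoding). The function and error names are made up for the example.

```rust
// Strict Content-Length handling, written here as an added example for
// CVE-2021-32715. It is not code from hyper or from this repository, and the
// function and error names are made up for the example.
//
// RFC 7230 section 3.3.2 defines Content-Length = 1*DIGIT. Rust's
// str::parse::<u64>() is looser: it accepts a leading '+'. A server that
// relies on it accepts "Content-Length: +5" while a front-end proxy forwards
// the value untouched and may frame the body differently; the two then
// disagree on where one request ends and the next begins.

#[derive(Debug, PartialEq)]
pub enum FramingError {
    Empty,
    NonDigit(char),
    Overflow,
    ConflictingLengths,
    BothTransferEncodingAndContentLength,
}

/// Parse one Content-Length field value as 1*DIGIT and nothing else.
/// Optional whitespace (OWS) around the value is tolerated; '+', '-', spaces
/// inside the digits, and non-ASCII digits are all rejected.
pub fn parse_content_length(value: &str) -> Result<u64, FramingError> {
    let v = value.trim_matches(|c: char| c == ' ' || c == '\t');
    if v.is_empty() {
        return Err(FramingError::Empty);
    }
    let mut n: u64 = 0;
    for c in v.chars() {
        if !c.is_ascii_digit() {
            return Err(FramingError::NonDigit(c));
        }
        n = n
            .checked_mul(10)
            .and_then(|n| n.checked_add((c as u8 - b'0') as u64))
            .ok_or(FramingError::Overflow)?;
    }
    Ok(n)
}

/// Decide the declared body length from a raw header list of (name, value),
/// rejecting the ambiguous shapes a proxy and a back end can resolve
/// differently: differing repeated Content-Length values, and Content-Length
/// alongside Transfer-Encoding. Returns Ok(None) when no length is declared.
pub fn declared_body_length(headers: &[(&str, &str)]) -> Result<Option<u64>, FramingError> {
    let mut has_transfer_encoding = false;
    let mut length: Option<u64> = None;
    for (name, value) in headers {
        if name.eq_ignore_ascii_case("transfer-encoding") {
            has_transfer_encoding = true;
        } else if name.eq_ignore_ascii_case("content-length") {
            // A repeated field may have been combined into "7, 7"; every
            // member must parse and agree (RFC 7230 section 3.3.2).
            for member in value.split(',') {
                let n = parse_content_length(member)?;
                if let Some(prev) = length {
                    if prev != n {
                        return Err(FramingError::ConflictingLengths);
                    }
                }
                length = Some(n);
            }
        }
    }
    if has_transfer_encoding && length.is_some() {
        // RFC 7230 permits dropping Content-Length here; rejecting is the
        // choice that leaves a front end no room to disagree.
        return Err(FramingError::BothTransferEncodingAndContentLength);
    }
    Ok(length)
}

fn main() {
    // Constructed header lists, as a front-end proxy might forward them.
    let cases: [&[(&str, &str)]; 3] = [
        &[("Host", "example.test"), ("Content-Length", "+5")],
        &[("Host", "example.test"), ("Content-Length", "5"), ("Content-Length", "6")],
        &[("Host", "example.test"), ("Transfer-Encoding", "chunked"), ("Content-Length", "5")],
    ];
    for headers in cases.iter() {
        println!("{:?} -> {:?}", headers, declared_body_length(headers));
    }
}
```

Rejecting both the plus-prefixed value and the Transfer-Encoding/Content-Length combination is deliberately stricter than the RFC requires; the second workaround in the advisory (making the upstream proxy normalise the header) only helps if every hop in front of the server agrees, which is exactly what request smuggling exploits.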

Commit :ring: messages :speech_balloon: are confusing :confused:

I tried to look 👀 at the history 📚 of this project to help 🆘 myself learn 🧑‍🏫 better rust (🚀), but I got terribly confused 😕 by commit messages 💬 that only consisted of text 🔤 but no helpful emoji 😄.

Could I please 🙏 suggest two very important 💰 changes to help 🆘 potential rust (🚀) users?

1️⃣ make sure every message 💬 has at least 3️⃣ emoji in it?

2️⃣ please rewrite ✍️ the git history 📚 entirely so that it is readable 👀 to ordinary rust (🚀) pupils 🧑‍🎓

Static executable

Please consider statically linking all dependencies to create a static executable with the musl target.
Maybe you could make it a feature that can be toggled in the Cargo.toml.

Build error :(

Build on Linux
OS: Gentoo,
ARCH: x86_64,
Kernel: 5.4.143-gentoo-dist.

git clone https://github.com/mTvare6/hello-world.rs
cd hello-world.rs
cargo build --release

output:

   Compiling hello-world v0.1.0 (/home/shiz01/trash/hello-world.rs)
error[E0308]: mismatched types
  --> src/main.rs:14:43
   |
14 | ... 18] = &["en", "es", "bg", "de", "eo", "fr", "gr", "hi", "ie", "jp", "la", "nl", "pl", "pt", "ro", "ru", "sk", "tr", "zh"];
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ expected an array with a fixed size of 18 elements, found one with 19 elements

error[E0061]: this function takes 1 argument but 2 arguments were supplied
   --> src/main.rs:117:85
    |
117 | ...                   format!("Oh dear, only {} bytes were written!", french_number(n_bytes, &PRE_REFORM_FEMININE)),
    |                                                                       ^^^^^^^^^^^^^ -------  -------------------- supplied 2 arguments
    |                                                                       |
    |                                                                       expected 1 argument
    |
note: function defined here
   --> /home/shiz01/.cargo/registry/src/github.com-1ecc6299db9ec823/french-numbers-1.1.2/src/lib.rs:321:8
    |
321 | pub fn french_number<N: Integer + FromPrimitive + ToPrimitive + Display + CheckedMul>(
    |        ^^^^^^^^^^^^^

Some errors have detailed explanations: E0061, E0308.
For more information about an error, try `rustc --explain E0061`.
error: could not compile `hello-world` due to 2 previous errors


CVE-2020-35911 (Medium) detected in lock_api-0.3.4.crate

CVE-2020-35911 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.3.4.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.3.4/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_window-0.15.3.crate
      • winit-0.19.5.crate
        • parking_lot-0.9.0.crate
          • โŒ lock_api-0.3.4.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedRwLockReadGuard unsoundness.

Publish Date: 2020-12-31

URL: CVE-2020-35911

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2020-12-31

Fix Resolution: lock_api-0.4.2



Doesn't build in docker :(

PS C:\Users\jonatan\Downloads\hello-world-rs> docker build -t hello-world-rs .
Sending build context to Docker daemon  336.9kB
Step 1/5 : FROM rust:1.31
1.31: Pulling from library/rust
cd8eada9c7bb: Pull complete
c2677faec825: Pull complete
fcce419a96b1: Pull complete
045b51e26e75: Pull complete
3b969ad6f147: Pull complete
2074c6bfed7d: Pull complete
Digest: sha256:e2c4e3751290e30c3f130ef3513c7999aee87b5e7ac91e2fc9f3addcdf1f1387
Status: Downloaded newer image for rust:1.31
 ---> 6f61eb35ad91
Step 2/5 : WORKDIR /usr/src/hello-world
 ---> Running in 8b2ee0149c98
Removing intermediate container 8b2ee0149c98
 ---> 434eb3c5aedc
Step 3/5 : COPY . .
 ---> c066cc4b482f
Step 4/5 : RUN cargo install --path .
 ---> Running in 4002919fcf5c
info: syncing channel updates for 'nightly-2021-07-17-x86_64-unknown-linux-gnu'
info: latest update on 2021-07-17, rust version 1.55.0-nightly (74ef0c3e4 2021-07-16)
info: downloading component 'rustc'
info: downloading component 'rust-std'
info: downloading component 'cargo'
info: downloading component 'rust-docs'
info: installing component 'rustc'
info: installing component 'rust-std'
info: installing component 'cargo'
info: installing component 'rust-docs'
  Installing hello-world v0.1.0 (/usr/src/hello-world)
    Updating crates.io index
 Downloading crates ...
<redacted a bunch of download>
   Compiling servo-freetype-sys v4.0.5
   Compiling expat-sys v2.1.6
   Compiling glfw-sys v3.3.4
error: failed to run custom build command for `alsa-sys v0.1.2`

Caused by:
  process didn't exit successfully: `/usr/src/hello-world/target/release/build/alsa-sys-69915628743b9e82/build-script-build` (exit status: 101)
  --- stdout
  cargo:rerun-if-env-changed=ALSA_NO_PKG_CONFIG
  cargo:rerun-if-env-changed=PKG_CONFIG
  cargo:rerun-if-env-changed=ALSA_STATIC
  cargo:rerun-if-env-changed=ALSA_DYNAMIC
  cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
  cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
  cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu
  cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH
  cargo:rerun-if-env-changed=PKG_CONFIG_PATH
  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu
  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR
  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR
  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu
  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR
  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR

  --- stderr
  thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: "`\"pkg-config\" \"--libs\" \"--cflags\" \"alsa\"` did not exit successfully: exit status: 1\n--- stderr\nPackage alsa was not found in the pkg-config search path.\nPerhaps you should add the directory containing `alsa.pc'\nto the PKG_CONFIG_PATH environment variable\nNo package 'alsa' found\n"', /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/alsa-sys-0.1.2/build.rs:4:38
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
error: failed to compile `hello-world v0.1.0 (/usr/src/hello-world)`, intermediate artifacts can be found at `/usr/src/hello-world/target`

Caused by:
  build failed
The command '/bin/sh -c cargo install --path .' returned a non-zero code: 101
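The failure in that log is the build script of alsa-sys asking pkg-config for alsa and getting nothing back, because the rust:1.31 base image carries none of the native libraries the README lists. A Dockerfile that resolves it, added here as an example and not the repository's own Dockerfile: it assumes the repository's rust-toolchain file selects the nightly shown in the log (so rustup fetches it during cargo build), a Cargo.lock in the tree, and Debian bullseye package names for the README's libraries; that package list is an assumption to adjust against whatever pkg-config still reports missing. The two-stage layout keeps the compiler and -dev headers out of the image that actually runs, and the binary runs as an unprivileged user.

```dockerfile
# Added example Dockerfile for the build failure above; not the repository's own.
# Assumptions: a rust-toolchain file pins the nightly the log shows, Cargo.lock is
# checked in, and the Debian package names below map onto the README's library list.

FROM rust:1-slim-bullseye AS build
# Build toolchain plus -dev packages for every -sys crate that shells out to
# pkg-config (alsa, glfw, freetype, glib, pango, atk, gdk-pixbuf, gdk/gtk).
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential cmake pkg-config \
        libasound2-dev libglfw3-dev libfreetype6-dev libglib2.0-dev \
        libpango1.0-dev libatk1.0-dev libgdk-pixbuf2.0-dev libgtk-3-dev \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /usr/src/hello-world
COPY . .
# --locked refuses to build if Cargo.lock would change, so the image contains
# exactly the crate versions that were reviewed, not whatever resolves today.
RUN cargo build --release --locked

FROM debian:bullseye-slim
# Only the shared libraries the binary links against, no headers, no cargo.
RUN apt-get update && apt-get install -y --no-install-recommends \
        libasound2 libglfw3 libfreetype6 libglib2.0-0 libpango-1.0-0 \
        libatk1.0-0 libgdk-pixbuf2.0-0 libgtk-3-0 \
    && rm -rf /var/lib/apt/lists/* \
    && useradd --system --no-create-home hwrs
COPY --from=build /usr/src/hello-world/target/release/hello-world /usr/local/bin/hello-world
USER hwrs
ENTRYPOINT ["/usr/local/bin/hello-world"]
```

Build and run with the same commands the README gives for Docker (docker build -t hello-world . and docker run -it --rm --name hwrs hello-world). If a -sys crate still fails, the pkg-config error names the .pc file it wanted, which is the quickest way to find the missing -dev package.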

Benchmarking untrustworthy

Why is the Benchmarking tool used written in raw, unsafe C(ringe)?

We can NEVER be sure these numbers are correct without using a safe rust benchmarking tool.

CVE-2021-26957 (High) detected in xcb-0.8.2.crate

CVE-2021-26957 - High Severity Vulnerability

Vulnerable Library - xcb-0.8.2.crate

Rust bindings and wrappers for XCB

Library home page: https://crates.io/api/v1/crates/xcb/0.8.2/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • clipboard-0.5.0.crate
        • x11-clipboard-0.3.3.crate
          • โŒ xcb-0.8.2.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because there is an out-of-bounds read in xcb::xproto::change_property(), as demonstrated by a format=32 T=u8 situation where out-of-bounds bytes are sent to an X server.

Publish Date: 2021-02-09

URL: CVE-2021-26957

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0019.html

Release Date: 2021-02-09

Fix Resolution: xcb - 1.0.0



CVE-2020-35910 (Medium) detected in lock_api-0.3.4.crate

CVE-2020-35910 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.3.4.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.3.4/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_window-0.15.3.crate
      • winit-0.19.5.crate
        • parking_lot-0.9.0.crate
          • โŒ lock_api-0.3.4.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedMutexGuard unsoundness.

Publish Date: 2020-12-31

URL: CVE-2020-35910

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0070.html

Release Date: 2020-12-31

Fix Resolution: 0.4.2



Dependency count mismatch

Hi,

The GitHub summary says 1091 dependencies. The README.md says 1092 dependencies.

That mismatch hurts, please make it consistent.

Regards Stappers

P.S.
I wish project lead success with finding a real challenge.

Unsound uses of Unsafe

Right now the hello-world code contains 100+ uses of unsafe. Presumably this is in order to achieve the best possible performance in hot parts of the code.

However, Hello worlds often face the modern and memory safe 🔒 rust 🚀 programmer, so security 🔒 is extremely important for hello world implementations. This issue is especially critical for organizations that intend to use the software in large-scale 🚀 production environments. One of the main reasons to choose a Rust 🚀-based hello world implementation is the guaranteed memory safety 🔒 that safe Rust 🚀 provides. Unfortunately this guarantee is eroded for every use of unsafe in the codebase. Performance isn't worth much if it comes at the cost of critical security vulnerabilities due to unsafe memory access. It's also nice to know for certain that your hello world won't segfault in production.

I propose that we leave this open as a tracking issue to track design and implementation issues concerning the use of unsafe code. Some of the items that should be explored:

  • Is it possible to remove any of the current uses of unsafe without significantly impacting performance?
  • Is it appropriate to remove some uses of unsafe even if there's a performance impact?
  • Is there a long-term plan to reduce or eliminate the use of unsafe code?
  • Security 🔒 analysis, testing, and fuzzing of the codebase
  • Profiling and performance analysis to assess the impact of converting unsafe to safe code

Possible compile time regression: why is it too blazing fast?

According to the project's README 🚀

the compile time is around 2 hours and 30 minutes on my mac on release mode

I realized that the release build on CI (Linux) takes 20min, which makes this project too blazing fast 🚀🚀 and not just "blazing fast 🚀".
This is IMO a clear regression. 🚀

The problem is that I have no Mac, so I can not reproduce it. 🚀 See possibly unrelated issue #41 too 🚀

Here is a screenshot that could illustrate why the project compiles too blazing fast 🚀🚀 on the CI but only "blazing fast 🚀" on yours. 🚀

image

I assume that your Mac has 1 core (see image above). So you need another Mac with at least 2 cores or more 🚀 (32 recommended) to match the multi-core vanguard, according to the GitHub Actions deadly fast 🚀🚀 specs

Wrong output

Says 42, but forgets to mention the question …

CVE-2016-5300 (High) detected in expat-sys-2.1.6.crate

CVE-2016-5300 - High Severity Vulnerability

Vulnerable Library - expat-sys-2.1.6.crate

XML parser library written in C

Library home page: https://crates.io/api/v1/crates/expat-sys/2.1.6/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • font-kit-0.5.0.crate
        • servo-fontconfig-0.4.0.crate
          • servo-fontconfig-sys-4.0.9.crate
            • โŒ expat-sys-2.1.6.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.

Publish Date: 2016-06-16

URL: CVE-2016-5300

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-5300

Release Date: 2016-06-16

Fix Resolution: 2.2.0



CVE-2020-25576 (High) detected in rand_core-0.3.1.crate - autoclosed

CVE-2020-25576 - High Severity Vulnerability

Vulnerable Library - rand_core-0.3.1.crate

Core random number generator traits and tools for implementation.

Library home page: https://crates.io/api/v1/crates/rand_core/0.3.1/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • amethyst_rendy-0.15.3.crate
        • genmesh-0.6.2.crate
          • cgmath-0.16.1.crate
            • rand-0.4.6.crate
              • โŒ rand_core-0.3.1.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints.

Publish Date: 2020-09-14

URL: CVE-2020-25576

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-mmc9-pwm7-qj5w

Release Date: 2020-09-22

Fix Resolution: rand_core - 0.3.2, 0.4.2



How well does it scale?

Hi, I am a developer at Generic SaaS Startup, and we are using Rust(🚀) to develop our backend because Rust(🚀) is very fast, memory-safe and powerful. We want to use this as a dependency to our backend. However, our backend will need to scale to hundreds of servers and millions of users once we grow. So, I want to know the scalability metrics of hello-world.rs so we can decide if we should incorporate it in our product, Generic SaaS.

Appreciated,
Generic Name,
Generic SaaS Startup Lead Developer

Generic SaaS has been launched!

Hello guys 👋, it's me, Generic Name, Generic SaaS Startup Lead Developer.

This isn't much of an issue, but I wanted to let you guys know Generic SaaS is finally up!
After multiple datacenter fires, we changed our architecture and intertwined a system to work with hello-world.rs, so now we can balance the load of memory between different servers.

Anyway, the link is https://genericsaas.ml/ if you want to check it out.

Appreciated,
Generic Name,
Generic SaaS Startup Lead Developer

CVE-2016-10244 (High) detected in servo-freetype-sys-4.0.5.crate

CVE-2016-10244 - High Severity Vulnerability

Vulnerable Library - servo-freetype-sys-4.0.5.crate

FreeType is a freely available software library to render fonts.

Library home page: https://crates.io/api/v1/crates/servo-freetype-sys/4.0.5/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • font-kit-0.5.0.crate
        • servo-fontconfig-0.4.0.crate
          • servo-fontconfig-sys-4.0.9.crate
            • โŒ servo-freetype-sys-4.0.5.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.

Publish Date: 2017-03-06

URL: CVE-2016-10244

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10244

Release Date: 2017-03-06

Fix Resolution: VER-2-7



CVE-2021-26958 (High) detected in xcb-0.8.2.crate

CVE-2021-26958 - High Severity Vulnerability

Vulnerable Library - xcb-0.8.2.crate

Rust bindings and wrappers for XCB

Library home page: https://crates.io/api/v1/crates/xcb/0.8.2/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • clipboard-0.5.0.crate
        • x11-clipboard-0.3.3.crate
          • โŒ xcb-0.8.2.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because transmutation to the wrong type can happen after xcb::base::cast_event uses std::mem::transmute to return a reference to an arbitrary type.

Publish Date: 2021-02-09

URL: CVE-2021-26958

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0019.html

Release Date: 2021-02-09

Fix Resolution: xcb - 1.0.0



Missing ARCHITECTURE.md

Could use an ARCHITECTURE.md file that describes some of the high-level design decisions made in this awesome crate! 🚀 🚀

Complaint from VPS company about crypto bots, perma banned

Hi all.

I appreciate the effort done on this package. But I just got an email from my VPS host company about crypto bots. I can no longer use their service as I am perma banned. :(

Why is the Rust ecosystem filled with crypto bots?!?!?!

CVE-2021-26956 (High) detected in xcb-0.8.2.crate

CVE-2021-26956 - High Severity Vulnerability

Vulnerable Library - xcb-0.8.2.crate

Rust bindings and wrappers for XCB

Library home page: https://crates.io/api/v1/crates/xcb/0.8.2/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • clipboard-0.5.0.crate
        • x11-clipboard-0.3.3.crate
          • โŒ xcb-0.8.2.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because bytes from an X server can be interpreted as any data type returned by xcb::xproto::GetPropertyReply::value.

Publish Date: 2021-02-09

URL: CVE-2021-26956

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0019.html

Release Date: 2021-02-09

Fix Resolution: xcb - 1.0.0


Feature Request: AI-assisted printing 🚀🤖🧠

Dear all,

I am a team leader of an AI-assisted digital cloud startup 🔥🔥🔥 that provides the world-class user experience 🚀 and cutting edge technologies of the digital age 🎸.

The codebase of our servers needs to be isolated so we always launch it in a Docker container. In order to launch Docker itself, we use a trained AI model that finds the Docker on a computer. It is written in JavaScript, but in the future, we would like to RIIR it. We are eager to use hello-world.rs so that it will print a hello message when the script starts but as I can see, it uses none of the machine learning techniques. It is very unfortunate because we want to follow our Best Practices (TM), so it would be nice if it could print a probabilistic hello-world using TF/Keras or any other machine learning framework.

Thank you anyway for this cool project 👍, also it would be nice if it could run in a separate cloud ☁️ and provide an API for printing hello-world but probably this is a theme for another issue.

CVE-2020-35913 (Medium) detected in lock_api-0.3.4.crate

CVE-2020-35913 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.3.4.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.3.4/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_window-0.15.3.crate
      • winit-0.19.5.crate
        • parking_lot-0.9.0.crate
          • โŒ lock_api-0.3.4.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of RwLockReadGuard unsoundness.

Publish Date: 2020-12-31

URL: CVE-2020-35913

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0070.html

Release Date: 2020-12-31

Fix Resolution: 0.4.2


CVE-2016-5384 (High) detected in servo-fontconfig-sys-4.0.9.crate

CVE-2016-5384 - High Severity Vulnerability

Vulnerable Library - servo-fontconfig-sys-4.0.9.crate

Font configuration and customization library

Library home page: https://crates.io/api/v1/crates/servo-fontconfig-sys/4.0.9/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • font-kit-0.5.0.crate
        • servo-fontconfig-0.4.0.crate
          • โŒ servo-fontconfig-sys-4.0.9.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.

Publish Date: 2016-08-13

URL: CVE-2016-5384

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-5384

Release Date: 2016-08-13

Fix Resolution: 2.12.1


Rewrite make in Rust 🚀

I don't see any reason not to rewrite the Makefile in rust. 🚀

Makefiles are as old as C and we should not rely on such ancient technology, and of course Makefiles are hard to read and unsafe and dangerous and we should be very scared of them. 🚀

CVE-2018-6942 (Medium) detected in servo-freetype-sys-4.0.5.crate

CVE-2018-6942 - Medium Severity Vulnerability

Vulnerable Library - servo-freetype-sys-4.0.5.crate

FreeType is a freely available software library to render fonts.

Library home page: https://crates.io/api/v1/crates/servo-freetype-sys/4.0.5/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • font-kit-0.5.0.crate
        • servo-fontconfig-0.4.0.crate
          • servo-fontconfig-sys-4.0.9.crate
            • โŒ servo-freetype-sys-4.0.5.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.

Publish Date: 2018-02-13

URL: CVE-2018-6942

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-6942

Release Date: 2018-02-13

Fix Resolution: VER-2-9-1


CVE-2020-35912 (Medium) detected in lock_api-0.3.4.crate

CVE-2020-35912 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.3.4.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.3.4/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_window-0.15.3.crate
      • winit-0.19.5.crate
        • parking_lot-0.9.0.crate
          • โŒ lock_api-0.3.4.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedRwLockWriteGuard unsoundness.

Publish Date: 2020-12-31

URL: CVE-2020-35912

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-31

Fix Resolution: lock_api-0.4.2


It's 2021, use CMake!

I appreciate the effort of creating a solid starting base both for beginners to learn and for advanced programmers to get shit done, but old-style makefiles just do not scale and are actually considered harmful in my organization.
So for us to adopt this, we would require you to rewrite the build system in CMake.

Thank you and btw, the entire department is very excited about using Rust(🚀)

CVE-2021-26955 (High) detected in xcb-0.8.2.crate

CVE-2021-26955 - High Severity Vulnerability

Vulnerable Library - xcb-0.8.2.crate

Rust bindings and wrappers for XCB

Library home page: https://crates.io/api/v1/crates/xcb/0.8.2/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • clipboard-0.5.0.crate
        • x11-clipboard-0.3.3.crate
          • โŒ xcb-0.8.2.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because xcb::xproto::GetAtomNameReply::name() calls std::str::from_utf8_unchecked() on unvalidated bytes from an X server.

Publish Date: 2021-02-09

URL: CVE-2021-26955

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0019.html

Release Date: 2021-02-09

Fix Resolution: xcb - 1.0.0


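
The three xcb advisories in this list (CVE-2021-26955, CVE-2021-26956 and CVE-2021-26958) share one root cause: bytes that arrive from the X server are handed to safe callers as a `&str`, as a typed value, or as a reference to an event struct without any check. What follows is an added example, not the xcb crate's code. `atom_name`, `property_u32` and `cast_key_press` are names chosen here; the event layout assumed is the 32-byte X11 event format (response type in byte 0, detail in byte 1, sequence number in bytes 2..4, timestamp in bytes 4..8, with bit 0x80 of the response type set on events delivered via SendEvent). The replies used to exercise it are constructed.

```rust
// Added example, not the xcb crate's code: every byte from the X server is
// treated as untrusted input and checked before it becomes a &str, a typed
// value or an event struct. Names and the event layout are assumptions
// stated in the lead-in.
use std::str::{self, Utf8Error};

#[derive(Debug, PartialEq)]
pub enum ReplyError {
    /// Name bytes were not valid UTF-8.
    Utf8(Utf8Error),
    /// Buffer length is not what the requested type needs.
    LengthMismatch { len: usize, expected_multiple_of: usize },
    /// The response-type byte does not match the requested event.
    WrongEventType { expected: u8, actual: u8 },
}

/// The unsound shape from the advisory: server bytes become &str unchecked.
/// Invalid UTF-8 here is undefined behaviour, so the function is `unsafe`
/// and no safe wrapper may call it on data the server controls.
pub unsafe fn atom_name_unchecked(bytes: &[u8]) -> &str {
    unsafe { str::from_utf8_unchecked(bytes) }
}

/// Sound replacement: validate and surface the failure as an error.
pub fn atom_name(bytes: &[u8]) -> Result<&str, ReplyError> {
    str::from_utf8(bytes).map_err(ReplyError::Utf8)
}

/// Interpret a property value buffer as u32 elements. Each element is
/// copied out, so neither the buffer's length nor its alignment is trusted.
pub fn property_u32(value: &[u8]) -> Result<Vec<u32>, ReplyError> {
    const ELEM: usize = std::mem::size_of::<u32>();
    if value.len() % ELEM != 0 {
        return Err(ReplyError::LengthMismatch { len: value.len(), expected_multiple_of: ELEM });
    }
    Ok(value
        .chunks_exact(ELEM)
        .map(|c| u32::from_ne_bytes([c[0], c[1], c[2], c[3]]))
        .collect())
}

/// X11 event code for KeyPress.
pub const KEY_PRESS: u8 = 2;
/// Every X11 event is 32 bytes long.
pub const EVENT_LEN: usize = 32;

/// Subset of the KeyPress fields, for illustration.
#[derive(Debug, PartialEq)]
pub struct KeyPressEvent {
    pub detail: u8,
    pub sequence: u16,
    pub time: u32,
}

/// Replacement for a transmute-based cast: check the length and the
/// response-type byte, then read each field explicitly.
pub fn cast_key_press(raw: &[u8]) -> Result<KeyPressEvent, ReplyError> {
    if raw.len() != EVENT_LEN {
        return Err(ReplyError::LengthMismatch { len: raw.len(), expected_multiple_of: EVENT_LEN });
    }
    // Bit 0x80 marks events injected with SendEvent; mask it off before comparing.
    let code = raw[0] & 0x7f;
    if code != KEY_PRESS {
        return Err(ReplyError::WrongEventType { expected: KEY_PRESS, actual: code });
    }
    Ok(KeyPressEvent {
        detail: raw[1],
        sequence: u16::from_ne_bytes([raw[2], raw[3]]),
        time: u32::from_ne_bytes([raw[4], raw[5], raw[6], raw[7]]),
    })
}
```

The point of the three checked functions is that each one returns an error a caller can handle instead of leaving a `&str`, a `Vec<u32>` or a `KeyPressEvent` whose validity depends on what the server sent.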
!!!!Add tests!!!!

I know that rust(:rocket:) is a 100% safe language where no bugs could ever get past the borrow checker, but since this project due to its amazing speed :rocket: will most likely be a critical dependency for the next space missions, we should try to ensure its functionality with tests.

I would recommend a minimum of 20 unit tests which should each take at least 10 hours to run just to be sure.

CVE-2012-6702 (Medium) detected in expat-sys-2.1.6.crate

CVE-2012-6702 - Medium Severity Vulnerability

Vulnerable Library - expat-sys-2.1.6.crate

XML parser library written in C

Library home page: https://crates.io/api/v1/crates/expat-sys/2.1.6/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • font-kit-0.5.0.crate
        • servo-fontconfig-0.4.0.crate
          • servo-fontconfig-sys-4.0.9.crate
            • โŒ expat-sys-2.1.6.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.

Publish Date: 2016-06-16

URL: CVE-2012-6702

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2016-11-01.html

Release Date: 2016-06-16

Fix Resolution: android-6.0.1_r78


[Feature request] Internationalization (i18n) & localisation (l10n) & translation (t9n)

When I first set out to study abroad, I knew it would be a life changing experience for me. Along the way I made new friends, tried new foods, and, most importantly: learned new languages.

As a result, I've decided to move on from my English-speaking past. I've successfully converted all of my personal stack to non-English except for one: this application.

My use case is: I use this script to fill my MOTD file (I call this as part of my pre-login RC file, I've found it really helps my oh-my-zsh loading times). Therefore, I get a personalised "Hello, world!" greeting when my terminal loads. However, I'd love to have this localized so that it greets me in non-English.

Surely there's some crate that lets us detect the computer's default language...

As expected: a memory issue

Wait, it's only a matter of time until rust(rocket) makes assembly memory safe. rocket

You see, you could not help screwing up memory.
You should use rust.

CVE-2021-32714 (High) detected in hyper-0.10.16.crate, hyper-0.13.10.crate

CVE-2021-32714 - High Severity Vulnerability

Vulnerable Libraries - hyper-0.10.16.crate, hyper-0.13.10.crate

hyper-0.10.16.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.10.16/download

Dependency Hierarchy:

  • multipart-0.18.0.crate (Root Library)
    • nickel-0.11.0.crate
      • โŒ hyper-0.10.16.crate (Vulnerable Library)
hyper-0.13.10.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.10/download

Dependency Hierarchy:

  • webdriver-0.44.0.crate (Root Library)
    • warp-0.2.5.crate
      • โŒ hyper-0.13.10.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a Transfer-Encoding header or ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in 64-bit unsigned integers.

Publish Date: 2021-07-07

URL: CVE-2021-32714

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32714

Release Date: 2021-07-07

Fix Resolution: hyper - 0.14.10


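
The chunk-size overflow behind CVE-2021-32714 is easiest to see in a parser. Below is an added example, not hyper's code: `parse_size_wrapping` models the flaw with explicitly wrapping arithmetic, while `parse_size_checked` and `decode_chunked` show the checked form with a size limit. The function names and the sample bodies are constructed. A 17-hex-digit size line of `10000000000000000` is 2^64; wrapped into a u64 it becomes 0, which a chunked decoder reads as the terminating chunk, so everything after it is treated as the start of a new message by a decoder that counted correctly.

```rust
// Added example, not hyper's code: chunk-size parsing for chunked
// transfer-encoding with and without overflow checks. Function names and the
// sample bodies are constructed for this illustration.

#[derive(Debug, PartialEq)]
pub enum ChunkError {
    /// The size line has more hex digits than fit in a u64.
    Overflow,
    /// The size is above the decoder's limit.
    TooLarge(u64),
    /// Non-hex byte in the size line, empty size line, or a missing CRLF.
    Malformed,
    /// The buffer ended before the declared chunk was complete.
    Truncated,
}

fn hex_value(b: u8) -> Option<u64> {
    match b {
        b'0'..=b'9' => Some(u64::from(b - b'0')),
        b'a'..=b'f' => Some(u64::from(b - b'a' + 10)),
        b'A'..=b'F' => Some(u64::from(b - b'A' + 10)),
        _ => None,
    }
}

/// Models the flaw: wrapping arithmetic turns a 17-digit size such as
/// "10000000000000000" (2^64) into 0, the terminating chunk.
pub fn parse_size_wrapping(line: &[u8]) -> Option<u64> {
    let mut size: u64 = 0;
    for &b in line {
        size = size.wrapping_mul(16).wrapping_add(hex_value(b)?);
    }
    Some(size)
}

/// Checked form: a size that does not fit in a u64, or exceeds `max`, is an
/// error, so this decoder and an upstream proxy cannot disagree about where
/// the chunk ends.
pub fn parse_size_checked(line: &[u8], max: u64) -> Result<u64, ChunkError> {
    if line.is_empty() {
        return Err(ChunkError::Malformed);
    }
    let mut size: u64 = 0;
    for &b in line {
        let digit = hex_value(b).ok_or(ChunkError::Malformed)?;
        size = size
            .checked_mul(16)
            .and_then(|s| s.checked_add(digit))
            .ok_or(ChunkError::Overflow)?;
    }
    if size > max {
        return Err(ChunkError::TooLarge(size));
    }
    Ok(size)
}

fn find_crlf(buf: &[u8]) -> Option<usize> {
    buf.windows(2).position(|w| w == b"\r\n")
}

/// Decode a complete chunked body with the checked parser. Chunk extensions
/// (";name=value") and trailers are not handled here.
pub fn decode_chunked(body: &[u8], max_chunk: u64) -> Result<Vec<u8>, ChunkError> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    loop {
        let line_end = pos + find_crlf(&body[pos..]).ok_or(ChunkError::Malformed)?;
        let size = parse_size_checked(&body[pos..line_end], max_chunk)?;
        pos = line_end + 2;
        if size == 0 {
            return Ok(out);
        }
        let size = usize::try_from(size).map_err(|_| ChunkError::TooLarge(size))?;
        let data_end = pos.checked_add(size).ok_or(ChunkError::Overflow)?;
        let chunk_end = data_end.checked_add(2).ok_or(ChunkError::Overflow)?;
        if chunk_end > body.len() {
            return Err(ChunkError::Truncated);
        }
        if &body[data_end..chunk_end] != b"\r\n" {
            return Err(ChunkError::Malformed);
        }
        out.extend_from_slice(&body[pos..data_end]);
        pos = chunk_end;
    }
}
```

The `max` argument matters as much as the overflow check: the advisory's second workaround is to make an upstream proxy reject sizes larger than the server accepts, and a server that publishes a hard limit on chunk size makes that agreement possible.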
Please provide more examples

Hewwo, I b-bewieve this exampwe is too simpwistic because rust(๐Ÿš€) is more capable than that and that i-it shouwd have mowe infowmation on how t-to get stawted; c-couwd you maybe provide an exampwe awgowithm that s-s-sowves the halting problem?!!

CVE-2021-25902 (High) detected in glsl-layout-0.3.2.crate

CVE-2021-25902 - High Severity Vulnerability

Vulnerable Library - glsl-layout-0.3.2.crate

Provides data types and traits to build structures ready to upload into UBO.

Library home page: https://crates.io/api/v1/crates/glsl-layout/0.3.2/download

Dependency Hierarchy:

  • amethyst-0.15.3.crate (Root Library)
    • amethyst_ui-0.15.3.crate
      • โŒ glsl-layout-0.3.2.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the glsl-layout crate before 0.4.0 for Rust. When a panic occurs, map_array can perform a double drop.

Publish Date: 2021-01-26

URL: CVE-2021-25902

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0005.html

Release Date: 2021-01-26

Fix Resolution: glsl-layout - 0.4.0


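
A double drop during a panic, as described for glsl-layout's `map_array`, comes from losing track of which input elements have already been moved out and which output elements have already been written when the mapping closure unwinds. The following is an added example, not glsl-layout's code: a `map_array` over a fixed-size array that keeps a drop guard with separate `consumed` and `produced` counters, plus a constructed `Counted` type that counts its drops so the invariant can be checked. All names are chosen for this illustration.

```rust
// Added example, not glsl-layout's code: an element-by-element array map that
// stays sound when the mapping closure panics. `map_array`, `Guard`, `Counted`
// and `DROPS` are names chosen for this illustration.
use std::mem::{self, MaybeUninit};
use std::ptr;
use std::sync::atomic::{AtomicUsize, Ordering};

/// Map `[T; N]` into `[U; N]` by value.
///
/// Invariant held at every point, including during the call to `f`:
/// `dst[..produced]` is initialised and `src[consumed..]` is still live,
/// so on unwind every element is dropped exactly once.
pub fn map_array<T, U, F, const N: usize>(input: [T; N], mut f: F) -> [U; N]
where
    F: FnMut(T) -> U,
{
    struct Guard<T, U, const N: usize> {
        src: [MaybeUninit<T>; N],
        dst: [MaybeUninit<U>; N],
        consumed: usize,
        produced: usize,
    }

    impl<T, U, const N: usize> Drop for Guard<T, U, N> {
        // Only reached on unwind; the success path forgets the guard.
        fn drop(&mut self) {
            for u in &mut self.dst[..self.produced] {
                // SAFETY: dst[..produced] was written by the loop below.
                unsafe { u.assume_init_drop() };
            }
            for t in &mut self.src[self.consumed..] {
                // SAFETY: src[consumed..] was never moved out of.
                unsafe { t.assume_init_drop() };
            }
        }
    }

    let mut g = Guard::<T, U, N> {
        src: input.map(MaybeUninit::new),
        // SAFETY: an array of MaybeUninit needs no initialisation.
        dst: unsafe { MaybeUninit::<[MaybeUninit<U>; N]>::uninit().assume_init() },
        consumed: 0,
        produced: 0,
    };

    for i in 0..N {
        // SAFETY: element i has not been consumed yet.
        let t = unsafe { g.src[i].assume_init_read() };
        // Record the move before calling f: if f panics, t is dropped by the
        // unwinding closure frame and the guard must not drop it again.
        g.consumed = i + 1;
        let u = f(t);
        g.dst[i].write(u);
        g.produced = i + 1;
    }

    // SAFETY: all N outputs are initialised. The guard is forgotten so it does
    // not drop them a second time; its src slots are all consumed.
    let out = unsafe { ptr::read(g.dst.as_ptr() as *const [U; N]) };
    mem::forget(g);
    out
}

/// Drop counter for the constructed sample type below.
pub static DROPS: AtomicUsize = AtomicUsize::new(0);

/// Constructed sample type that counts its drops.
#[derive(Debug)]
pub struct Counted(pub u32);

impl Drop for Counted {
    fn drop(&mut self) {
        DROPS.fetch_add(1, Ordering::SeqCst);
    }
}

/// Runs a successful map and a panicking map; returns (drops, drops).
pub fn drop_counts() -> (usize, usize) {
    DROPS.store(0, Ordering::SeqCst);
    let doubled = map_array([Counted(1), Counted(2), Counted(3), Counted(4)], |c| c.0 * 2);
    assert_eq!(doubled, [2, 4, 6, 8]);
    let happy = DROPS.swap(0, Ordering::SeqCst);

    let arr = [Counted(1), Counted(2), Counted(3), Counted(4)];
    let result = std::panic::catch_unwind(move || {
        map_array(arr, |c| {
            if c.0 == 3 {
                panic!("mapping failed");
            }
            Counted(c.0 + 100)
        })
    });
    assert!(result.is_err());
    let unwound = DROPS.swap(0, Ordering::SeqCst);
    (happy, unwound)
}

fn main() {
    println!("{:?}", drop_counts()); // (4, 6)
}
```

`drop_counts()` returns `(4, 6)`: four drops on the success path (each input is consumed by the closure once) and six on the panicking path (two inputs consumed by the closure, the third dropped inside the unwinding closure frame, two finished outputs and one untouched input dropped by the guard). A guard with a single counter cannot describe the state in the middle of the call to `f`, and that is where the extra drop comes from.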
Our servers exploded

Hello guys 👋, it's me, Generic Name, Generic SaaS Startup Lead Developer.

Recently, we tried to use hello-world.rs as a dependency in our backend.

When we tried to run it, the servers exploded and our datacenter burnt down.

We lost millions of dollars in damages.

Our datacenter has been rebuilt and we added new servers.

Does anyone have any idea what went wrong? We only tried to spawn one million threads of hello-world.rs, so I don't see what went wrong.

Appreciated,
Generic Name,
Generic SaaS Startup Lead Developer

question: why is "unsafe" in the code base???

I thought that rust(🚀) was very memory safe and blazing fast, but as I went through the codebase (main.rs(🚀)) I stumbled upon this piece of code that really shook me.

hello-world.rs/src/main.rs

Lines 85 to 105 in 3178620

unsafe fn u8(u8: u8) {
    if u8 != 0u8 {
        assert_eq!(8u8, {
            macro_rules! u8 {
                (u8) => {
                    mod u8 {
                        pub unsafe fn u8<'u8: 'u8 + 'u8>(u8: &'u8 u8) -> &'u8 u8 {
                            "u8";
                            u8
                        }
                    }
                };
            }
            u8!(u8);
            let &u8: &u8 = u8::u8(&8u8);
            u8::u8(&0u8);
            u8
        });
    }
}

WHY IS THE CODE "unsafe"????

I will stop using this product from now on. 😮‍💨

This issue was written with basedmark🚀

COBOL Bindings?

Hi, does this hello world rust (🚀) program have COBOL bindings available? I have a large COBOL application (over 40k LOC) that is in the process of being rewritten in rust (🚀🚀).

While this rewrite is ongoing, I would like to slowly oxidize (🚀) some parts of my non-rust (🚀) application. This hello world module looks like a great fit! I have heard great things about how fast (🚀) and light weight (🚀) rust code is! My application is also security critical (🚀) so using rust (🚀) seems like the best option going forward!

why program so slow :(

With PR #23 we saw a 10000000% performance increase in prod. Now that the code is gone again, tons of our enterprise-level clients are leaving us, due to simple actions taking decades to complete. Some smart-ass engineer of ours found out that it's now 10000000000000000000000000% slower :(((((((((((((((
  🌎
🚀
(transcription: the rocket is flying towards earth)

No test has been made

We need to test all the features to make the rust(🚀) code production ready.
