https://github.com/crev-dev/crevette
cargo-crev to cargo-vet code review exporter
- Host: GitHub
- URL: https://github.com/crev-dev/crevette
- Owner: crev-dev
- License: mit
- Created: 2023-12-06T13:32:17.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-11-11T22:05:23.000Z (7 months ago)
- Last Synced: 2025-03-31T03:03:59.547Z (3 months ago)
- Topics: auditing, cargo-crev, cargo-vet, supply-chain-security
- Language: Rust
- Homepage: https://lib.rs/crevette
- Size: 26.4 KB
- Stars: 5
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE-MIT
README
# `cargo-crev` to `cargo-vet` converter
[Crev](https://lib.rs/cargo-crev) and [Vet](https://lib.rs/cargo-vet) are supply-chain security tools for auditing Rust/Cargo dependencies.
This tool ([`crevette`](https://lib.rs/crevette)) is a helper for `cargo-crev` users that exports Crev reviews as an `audits.toml` file for use with `cargo-vet`.
## Installation
You must have [`cargo-crev` already set up](https://github.com/crev-dev/cargo-crev/blob/main/cargo-crev/src/doc/getting_started.md), some [repos added as trusted](https://github.com/crev-dev/cargo-crev/wiki/List-of-Proof-Repositories) and reviews fetched (try `cargo crev repo fetch all`).
It requires the latest stable version of Rust. If your package manager has an outdated version of Rust, switch to [rustup](https://rustup.rs).
```bash
cargo install crevette
```
## Usage
In this initial release, the tool has no configuration. It uses your default `cargo crev` identity and configuration. It exports almost all reviews from all reviewers you (transitively) trust. Running `crevette` will print the location of the generated `audits.toml` file. You may want to review that file to ensure you agree with its contents.
To generate and upload the `audits.toml`:
```bash
crevette
cargo crev publish
```
Then on the `cargo vet` side, go to a Rust/Cargo project that you want to verify, and run:
```bash
# cargo vet init (if you haven't already)
cargo vet import 'https://raw.githubusercontent.com//crev-proofs/HEAD/audits.toml'
cargo vet
```
If you host your repositories elsewhere, adjust the HTTPS link accordingly.
Re-run `crevette` to generate an updated version of `audits.toml` whenever you add more Crev reviews.
## Important limitations
The tool estimates the `safe-to-run` and `safe-to-deploy` criteria based on a fuzzy combination of the trust, rating, thoroughness, and understanding attributes of Crev code reviews. Currently, negative reviews are not mapped to `vet`'s `violation` feature, and therefore have no effect!