Endor Labs for Rust

Learn how to implement Endor Labs in repositories with Rust packages.

Rust is a software programming language widely used by developers. Endor Labs supports scanning and monitoring of Rust projects.

Using Endor Labs, developers can:

  • Test their software for potential issues and violations of organizational policy
  • Prioritize vulnerabilities in the context of their applications
  • Understand the relationships between software components in their applications

Scan Rust projects

To successfully scan your Rust applications:

  1. Install software prerequisites
  2. Build Rust projects
  3. Run a scan
  4. Understand the scan process
  5. Troubleshoot errors

Install software prerequisites

  • Make sure the following prerequisites are installed:
    • Package manager Cargo - any version
    • Rust - any version
  • Install Rust using the latest Rustup tool.
  • Make sure that you have a minimum system requirement specification of an 8-core processor with 32 GB RAM.
  • Use a system running either Mac OS X or Linux to perform the scans.

Build Rust projects

Ensure your repo has a Cargo.toml file and run the following command, making sure it builds the project successfully.

cargo build

If the project has not been built, endorctl builds it during the scan and generates the Cargo.lock file. If the repository already includes a Cargo.lock file, endorctl uses that file for dependency resolution and does not regenerate it.

Run a scan

Use the following options to scan your repositories. Perform the endorctl scan after building the projects.

Option 1 - Quick scan

Perform a quick scan to get fast visibility into your software composition and perform dependency resolution. It discovers the dependencies that the package has explicitly declared, so if the package's build file is incomplete, the dependency list will also be incomplete. This scan does not perform reachability analysis to help you prioritize vulnerabilities.

endorctl scan --quick-scan

You can perform the scan from within the root directory of the git repository and save the local results to a results.json file. The results and related analysis information are also available in the Endor Labs user interface.

endorctl scan --quick-scan -o json | tee /path/to/results.json

Sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.

Option 2 - Deep scan

Use the deep scan to perform dependency resolution and reachability analysis and to generate call graphs. Run it after the quick scan has completed successfully.

endorctl is also bundled as a Docker image for portable use and integration into continuous integration (CI) pipelines. To use the endorctl Docker image, perform the following steps:

  1. Install Docker
  2. Get Endor Labs API credentials
  3. Export your environment variables
  4. Scan Rust projects

Export your environment variables

endorctl requires four environment variables for your source control system and your Endor Labs tenant.

These environment variables are:

  • ENDOR_API_CREDENTIALS_KEY - The API key used to authenticate against the Endor Labs API.
  • ENDOR_API_CREDENTIALS_SECRET - The API key secret used to authenticate against the Endor Labs API.
  • ENDOR_NAMESPACE - The Endor Labs namespace you want to scan against. Locate the namespace in the top left-hand corner of the Endor Labs application, under the Endor Labs logo.
  • SOURCE_PATH - The path to your source code, which is mounted into the Docker container.

To export your environment variables, run the following commands, replacing the placeholder values in each command with your own.

export ENDOR_NAMESPACE=name-of-your-namespace
export ENDOR_API_CREDENTIALS_KEY=endorlabs-api-key
export ENDOR_API_CREDENTIALS_SECRET=endorlabs-api-secret
export SOURCE_PATH=/path/to/your/source/code

Scan Rust projects

To scan your Rust project, run the following command:

docker run -it --rm \
 -e ENDOR_NAMESPACE=$ENDOR_NAMESPACE \
 -e ENDOR_API_CREDENTIALS_KEY=$ENDOR_API_CREDENTIALS_KEY \
 -e ENDOR_API_CREDENTIALS_SECRET=$ENDOR_API_CREDENTIALS_SECRET \
 -v $SOURCE_PATH:/root/endorlabs \
 us-central1-docker.pkg.dev/endor-ci/public/endorctl:latest \
 scan --path=/root/endorlabs

Use the following command to also save the local results to a results.json file. The results and related analysis information are also available in the Endor Labs user interface.

docker run -it --rm \
 -e ENDOR_NAMESPACE=$ENDOR_NAMESPACE \
 -e ENDOR_API_CREDENTIALS_KEY=$ENDOR_API_CREDENTIALS_KEY \
 -e ENDOR_API_CREDENTIALS_SECRET=$ENDOR_API_CREDENTIALS_SECRET \
 -v $SOURCE_PATH:/root/endorlabs \
 us-central1-docker.pkg.dev/endor-ci/public/endorctl:latest \
 scan --path=/root/endorlabs -o json | tee /path/to/results.json

Sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.

Understand the scan process

Endor Labs performs the following steps when it scans Rust projects:

  • Resolves dependencies for the package version
  • Performs static analysis on your Rust code

Resolving Dependencies & Static Analysis for Rust

Endor Labs uses the Cargo.toml file to build the package version with cargo. It then uses the output of cargo metadata to resolve the dependencies declared in the Cargo.toml files and to construct the dependency graph.

Perform Static Analysis on Your Rust Code

  • After the package is built, call graphs are created for it. These are then combined with the call graphs of the dependencies in your dependency tree to form a comprehensive call graph for the entire project. Use the call graphs to understand whether a known vulnerability is reachable from your Rust code through the function associated with that vulnerability.
  • Endor Labs performs an inside-out analysis of the software to determine the reachability of dependencies in your project.
  • The static analysis time varies with the number of dependencies in the package and the number of packages in the project.

Known Limitations

  • To perform static analysis on Rust packages, the package version must build successfully.
  • Performing Endor Labs scans on the Microsoft Windows operating system is currently unsupported.

Troubleshoot errors

  • Host system check failure errors: These occur when Rust is not installed or is not on the PATH. Install Rust and try again.
  • Call graph errors: These occur when the project cannot be built and the required dependencies cannot be located.
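As an added example (not Endor Labs' own tooling), the following POSIX shell preflight script checks for the conditions behind the errors listed above and for the variables the Docker invocation needs, then runs the deep scan command from this page. The function names are hypothetical; the image name and flags are the ones shown above.

```shell
#!/bin/sh
# Added example, not Endor Labs' own tooling: preflight checks that mirror the
# failures under "Troubleshoot errors", followed by the deep scan from the page.
# Function names are hypothetical; the image and flags are the page's own.

# Host check: cargo and rustc must be on PATH, otherwise endorctl reports a
# host system check failure.
check_host() {
  for tool in cargo rustc; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing on PATH: $tool" >&2; return 1; }
  done
}

# Project check: the scan root needs a Cargo.toml. A missing Cargo.lock is
# only noted, since endorctl generates one during the scan.
check_project() {
  dir=$1
  [ -f "$dir/Cargo.toml" ] || { echo "no Cargo.toml in $dir" >&2; return 1; }
  [ -f "$dir/Cargo.lock" ] || echo "note: no Cargo.lock in $dir; endorctl will generate it" >&2
}

# Env check: all four variables the Docker invocation relies on must be non-empty.
check_env() {
  missing=0
  for var in ENDOR_NAMESPACE ENDOR_API_CREDENTIALS_KEY ENDOR_API_CREDENTIALS_SECRET SOURCE_PATH; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || { echo "unset or empty: $var" >&2; missing=1; }
  done
  return "$missing"
}

# Deep scan via the bundled image, saving JSON results to $1 (default results.json).
# Runs only after the env and project checks pass.
run_deep_scan() {
  out=${1:-results.json}
  check_env || return 1
  check_project "$SOURCE_PATH" || return 1
  docker run -it --rm \
    -e ENDOR_NAMESPACE="$ENDOR_NAMESPACE" \
    -e ENDOR_API_CREDENTIALS_KEY="$ENDOR_API_CREDENTIALS_KEY" \
    -e ENDOR_API_CREDENTIALS_SECRET="$ENDOR_API_CREDENTIALS_SECRET" \
    -v "$SOURCE_PATH":/root/endorlabs \
    us-central1-docker.pkg.dev/endor-ci/public/endorctl:latest \
    scan --path=/root/endorlabs -o json | tee "$out"
}

# Entry point: sh preflight.sh scan /path/to/results.json
if [ "${1:-}" = "scan" ]; then run_deep_scan "${2:-}"; fi
```

The checks are separate functions so a CI job can run check_host before the local quick scan and check_env before the Docker deep scan.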