Rust is a software programming language widely used by developers. Endor Labs supports scanning and monitoring of Rust projects.
Using Endor Labs, developers can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
System specifications for scan
Make sure that you have a minimum system requirement specification of an 8-core processor with 32 GB RAM.
Use a system equipped with either Mac OS X or Linux operating systems to perform the scans.
Software prerequisites
- Make sure the following prerequisites are installed: - Package Manager Cargo - Any version - Rust - Any version,
- Make sure your repository includes one or more files with
.rs
extension. - Install Rust using the latest rustup tool.
Build Rust projects
Ensure your repository has Cargo.toml
file and run the following command making sure it builds the project successfully.
cargo build
If the project is not built, endorctl will build the project during the scan and generate the Cargo.lock
file. If the repository includes a Cargo.lock
file, endorctl uses this file for dependency resolution and does not create it again.
Run a scan
Use the following options to scan your repositories. Perform the endorctl scan after building the projects.
Option 1 - Quick scan
Perform a quick scan to get quick visibility into your software composition and perform dependency resolution. It discovers dependencies that the package has explicitly declared. If the package’s build file is incomplete then the dependency list will also be incomplete. This scan won’t perform the reachability analysis to help you prioritize vulnerabilities.
endorctl scan --quick-scan
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan --quick-scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Option 2 - Deep scan
Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully.
Important
Rust call graphs are built based on the MIRAI intermediate representation tool. The tool relies on the nightly Rust builds. The Endor Labs Docker container includes the necessary tool chains required to scan Rust projects. Hence, the scan can be performed only using the Endor Lab’s Docker container.endorctl comes bundled as a Docker image for portable usage and integration into continuous integration (CI) pipelines. To configure the endorctl Docker image, you must perform the following steps:
Export your environment variables
endorctl requires four environment variables for your source control system and your Endor Labs tenant.
These environment variables are:
- ENDOR_API_CREDENTIALS_KEY - The API key used to authenticate against the Endor Labs API.
- ENDOR_API_CREDENTIALS_SECRET - The API key secret used to authenticate against the Endor Labs API.
- ENDOR_NAMESPACE - The Endor Labs namespace you want to scan against. Locate the namespace from the top left-hand corner, under the Endor Labs logo on the Endor Labs application,.
- SOURCE_PATH - The path to your source code that may be mounted to the Docker container.
To export your environment variables run the following commands and insert the environment variable values in each command.
export ENDOR_NAMESPACE=name-of-your-namespace
export ENDOR_API_CREDENTIALS_KEY=endorlabs-api-key
export ENDOR_API_CREDENTIALS_SECRET=endorlabs-api-secret
export SOURCE_PATH=/path/to/your/source/code
Scan Rust projects
To scan your rust project run the following command:
docker run -it --rm \
-e ENDOR_NAMESPACE=$ENDOR_NAMESPACE \
-e ENDOR_API_CREDENTIALS_KEY=$ENDOR_API_CREDENTIALS_KEY \
-e ENDOR_API_CREDENTIALS_SECRET=$ENDOR_API_CREDENTIALS_SECRET \
-v $SOURCE_PATH:/root/endorlabs \
endorcipublic.azurecr.io/endorctl:latest \
scan --path=/root/endorlabs
Use the following command to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
docker run -it --rm \
-e ENDOR_NAMESPACE=$ENDOR_NAMESPACE \
-e ENDOR_API_CREDENTIALS_KEY=$ENDOR_API_CREDENTIALS_KEY \
-e ENDOR_API_CREDENTIALS_SECRET=$ENDOR_API_CREDENTIALS_SECRET \
-v $SOURCE_PATH:/root/endorlabs \
endorcipublic.azurecr.io/endorctl:latest \
scan --path=/root/endorlabs -o json | tee /path/to/results.json
You can sign in to the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Understand the scan process
Endor Labs performs the following steps when it scans Rust projects:
- Resolves dependencies for the package version
- Performs static analysis on your Rust code
Resolving Dependencies & Static Analysis for Rust
Endor Labs leverages the Cargo.toml file in Rust and uses this file to build the package version using cargo. Endor Labs uses the output from cargo metadata
to resolve dependencies specified in Cargo.toml files and construct the dependency graph.
Perform Static Analysis on Your Rust Code
- After building the package, call graphs are created for your package. These are then combined with the call graphs of the dependencies in your dependency tree to form a comprehensive call graph for the entire project. Use the call graphs to understand if vulnerabilities in your Rust code are reachable through a function associated with the known vulnerability.
- Endor Labs performs an inside-out analysis of the software to determine the reachability of dependencies in your project.
- The static analysis time may vary depending on the number of dependencies in the package and the number of packages in the project.
Known Limitations
- To perform static analysis on Rust packages, the package version must be able to be successfully built.
- Performing Endor Labs scans on the Microsoft Windows operating system is currently unsupported.
Troubleshoot errors
- Host system check failure errors: These errors occur when Rust is not installed or not present in the path variable. Install Rust and try again.
- Call graph errors: These errors occur when the project is not buildable and the required dependencies cannot be located.