A look at the number of vulnerabilities filed in the RustSec Advisory Database: 2016-2019pic.twitter.com/uTm4e4ZcMe
This is the legacy version of twitter.com. We will be shutting it down on June 1, 2020. Please switch to a supported browser, or disable the extension which masks your browser. You can see a list of supported browsers in our Help Center.
Security advisory database for Rust crates published through http://crates.io . A project of the @rustsecurecode working group.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Add this Tweet to your website by copying the code below. Learn more
Add this video to your website by copying the code below. Learn more
By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.
| Country | Code | For customers of |
|---|---|---|
| United States | 40404 | (any) |
| Canada | 21212 | (any) |
| United Kingdom | 86444 | Vodafone, Orange, 3, O2 |
| Brazil | 40404 | Nextel, TIM |
| Haiti | 40404 | Digicel, Voila |
| Ireland | 51210 | Vodafone, O2 |
| India | 53000 | Bharti Airtel, Videocon, Reliance |
| Indonesia | 89887 | AXIS, 3, Telkomsel, Indosat, XL Axiata |
| Italy | 4880804 | Wind |
| 3424486444 | Vodafone | |
| » See SMS short codes for other countries | ||
This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.
Hover over the profile pic and click the Following button to unfollow any account.
When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.
The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.
Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.
Get instant insight into what people are talking about now.
Follow more accounts to get instant updates about topics you care about.
See the latest conversations about any topic instantly.
Catch up instantly on the best stories happening as they unfold.
A look at the number of vulnerabilities filed in the RustSec Advisory Database: 2016-2019pic.twitter.com/uTm4e4ZcMe
At first glance this number going up might seem bad: does this mean the Rust ecosystem is getting less secure with time? The short answer is no. There are two main reasons the number of advisories are going up. The first is simply growth in the number of Rust crates...
To the first point, could you render the same plot but as vulns per crate, not total vulns?
I expect the number to be unreliable or ridiculously low, since there TONS of crates. What is more interesting, and meaningful, is perhaps the total number (or %) of crates that are associatively effected.
How would you know if a dependent crate is subject to a vuln? You'd have to at least check if the vuln is reachable, right? Is there tooling to do this already?
cargo-audit is a good way to find crates that have inherited vulns from their dep graph but it has false positives. Using this to answer "Is the Rust ecosystem getting less secure with time" would be incorrect, and perhaps misleading.
For better granularity than "is a vuln present in tree" I guess we turn to crev.
Because it'll always take a human to determine if the vuln in tree is actually hittable without false positives.
We hope to integrate with Siderophile soon to provide call graph analysis!https://github.com/RustSec/cargo-audit/issues/89 …
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.