Following a suggestion by @qyliss, I investigated checking the Cargo.lock files of the various buildRustPackage derivations we have in nixpkgs against RustSec’s advisory-db. Using cargo-audit and a bit of glue code, this turned out to be not too hard.
The result is https://github.com/NixOS/nixpkgs/issues/141368; if you maintain Rust packages in nixpkgs, consider following up on these warnings.
Of course this type of checking is prone to a lot of false positives: a vulnerability in a dependency doesn’t necessarily mean the dependent package is vulnerable as well. The report at least seems to confirm the concerns of “The modern packager’s security nightmare”: Cargo’s lock files and vendoring have led to, for example, multiple vulnerable openssl versions coming up in the dependency graph of packages — even though these have long been patched in our normal openssl package.
Feel free to report any issues or suggest improvements in this thread. Additionally, I’d be interested in preventable false positives.
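To make the check described in the post concrete, here is a small, self-contained stand-in for what cargo-audit does: parse a Cargo.lock, compare each pinned crate version against the `patched` ranges of an advisory, and, for every hit, list which packages in the lock file actually depend on the vulnerable crate (the information you need to decide whether a finding is a false positive). This is example code added here, not cargo-audit, not RustSec’s advisory-db and not the glue code used for the nixpkgs issue; the lock file and the advisories (with placeholder IDs) are constructed inline, and the range parser only handles the `>=`, `>`, `<=`, `<`, `=` and caret operators.

```python
"""Minimal Cargo.lock vs. RustSec-style advisory check (illustrative, not cargo-audit)."""
import re

# Constructed Cargo.lock (v3 layout) with two openssl versions in the graph.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "mytool"
version = "0.1.0"
dependencies = [
 "openssl 0.10.29",
 "serde",
]

[[package]]
name = "openssl"
version = "0.10.29"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl"
version = "0.10.60"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "othercrate"
version = "2.0.0"
dependencies = [
 "openssl 0.10.60",
]

[[package]]
name = "serde"
version = "1.0.130"
"""

# Constructed advisories in the shape of advisory-db front matter (IDs are placeholders).
SAMPLE_ADVISORIES = [
    {"id": "RUSTSEC-XXXX-0001", "package": "openssl", "patched": [">=0.10.55"]},
    {"id": "RUSTSEC-XXXX-0002", "package": "serde", "patched": [">=1.0.0"]},
]

_PKG_HEADER = re.compile(r"^\[\[package\]\]$", re.M)


def parse_cargo_lock(text):
    """Return [{name, version, dependencies}] for every [[package]] entry."""
    packages = []
    for chunk in _PKG_HEADER.split(text)[1:]:  # chunk 0 is the file preamble
        name = re.search(r'^name = "([^"]+)"', chunk, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', chunk, re.M).group(1)
        deps = []
        block = re.search(r"^dependencies = \[(.*?)\]", chunk, re.M | re.S)
        if block:
            deps = re.findall(r'"([^"]+)"', block.group(1))
        packages.append({"name": name, "version": version, "dependencies": deps})
    return packages


def version_key(v):
    """'0.10.29' -> (0, 10, 29); pre-release/build suffixes are dropped."""
    parts = [int(p) for p in re.split(r"[-+]", v)[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def satisfies(version, requirement):
    """True if `version` is inside a semver requirement like '>=0.10.55' or '^0.9.3, <0.9.9'."""
    v = version_key(version)
    for clause in requirement.split(","):
        op, raw = re.match(r"(>=|<=|>|<|=|\^)?\s*(\S+)", clause.strip()).groups()
        bound = version_key(raw)
        if op == ">=":
            ok = v >= bound
        elif op == ">":
            ok = v > bound
        elif op == "<=":
            ok = v <= bound
        elif op == "<":
            ok = v < bound
        elif op == "=":
            ok = v == bound
        else:  # caret (Cargo's default): same leading non-zero component
            if bound[0] > 0:
                upper = (bound[0] + 1, 0, 0)
            elif bound[1] > 0:
                upper = (0, bound[1] + 1, 0)
            else:
                upper = (0, 0, bound[2] + 1)
            ok = bound <= v < upper
        if not ok:
            return False
    return True


def _refers_to(dep, pkg):
    """Lock-file dependency strings are 'name' or 'name version' when ambiguous."""
    parts = dep.split()
    return parts[0] == pkg["name"] and (len(parts) == 1 or parts[1] == pkg["version"])


def audit_lock(lock_text, advisories):
    """Report crates whose pinned version is outside every patched range, with their dependents."""
    packages = parse_cargo_lock(lock_text)
    findings = []
    for pkg in packages:
        for adv in advisories:
            if adv["package"] != pkg["name"]:
                continue
            if any(satisfies(pkg["version"], r) for r in adv.get("patched", [])):
                continue
            dependents = [p["name"] for p in packages
                          if any(_refers_to(d, pkg) for d in p["dependencies"])]
            findings.append({"advisory": adv["id"], "crate": pkg["name"],
                             "version": pkg["version"], "dependents": dependents})
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{f['advisory']}: {f['crate']} {f['version']} pulled in by {', '.join(f['dependents'])}")
```

Only the older openssl pin is reported, and the report names `mytool` as the package that pulls it in; `othercrate`, which depends on the patched 0.10.60, is untouched. That dependents list is exactly what turns a raw advisory hit into a triage question (does `mytool` actually reach the affected code?), which is the false-positive problem the post raises.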