Google has released the results of an audit of 389 Rust crates used in its ChromiumOS and Fuchsia projects. The audit records were published on GitHub under the name “supply-chain”. The published file attests that each listed dependency has been reviewed against the projects' requirements for safety, correctness and testing, and it is consumed by the “cargo vet” tool, which checks a project's dependency tree against it.
“cargo vet” verifies that every dependency pulled into a build has been audited against a predefined set of criteria; a crate version that has no matching audit fails the check until someone reviews it. The audit file, which plugs into the Cargo package manager, lists the exact crate versions that were reviewed and marks each one with the criteria the review certifies: whether the crate is considered safe to use, whether it implements cryptography, whether it contains unsafe blocks and, where it does, how much risk those unsafe blocks carry.
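To make the mechanism concrete, here is a simplified model of the coverage check described above, written for this article; it is not cargo-vet's own code and not Google's audit data. The criteria names, crate names and versions are constructed for illustration: “safe-to-run” and “safe-to-deploy” follow cargo-vet's built-in criteria, “crypto-safe” stands in for a project-defined one, and the audit entries mirror the shape of a cargo-vet audits.toml (a full audit of one version, or a “delta” audit that vouches only for the change between two versions) as Python dicts so the logic runs without the tool installed.

```python
"""Simplified model of the coverage check `cargo vet` performs.

Constructed example, not cargo-vet's own code: the data below mirrors the
shape of a supply-chain/audits.toml (criteria with `implies`, full audits at
a `version`, and `delta` audits between two versions) as Python dicts.
"""
from typing import Dict, List, Set

# [criteria.<name>] tables: which other criteria each one implies.
# safe-to-run / safe-to-deploy follow cargo-vet's built-ins; crypto-safe
# is an assumed project-defined criterion.
CRITERIA_IMPLIES: Dict[str, List[str]] = {
    "safe-to-run": [],
    "safe-to-deploy": ["safe-to-run"],
    "crypto-safe": [],
}

# [[audits.<crate>]] entries (constructed). A full audit carries `version`;
# a delta audit carries `delta = "old -> new"` and only vouches for the change.
AUDITS: Dict[str, List[dict]] = {
    "bytes": [
        {"version": "1.4.0", "criteria": ["safe-to-deploy"]},
        {"delta": "1.4.0 -> 1.5.0", "criteria": ["safe-to-deploy", "crypto-safe"]},
    ],
    "ring": [
        {"version": "0.16.20", "criteria": ["safe-to-run"]},
    ],
}


def expand(criteria: List[str]) -> Set[str]:
    """Transitive closure of `implies`: an audit for safe-to-deploy also
    certifies safe-to-run."""
    out: Set[str] = set()
    todo = list(criteria)
    while todo:
        c = todo.pop()
        if c in out:
            continue
        out.add(c)
        todo.extend(CRITERIA_IMPLIES.get(c, []))
    return out


def versions_certified_for(crate: str, criterion: str) -> Set[str]:
    """Versions of `crate` certified for `criterion`: every full audit that
    certifies it, extended along chains of delta audits that also certify it.
    A delta audit alone proves nothing; it must connect back to a full audit."""
    entries = AUDITS.get(crate, [])
    certified = {e["version"] for e in entries
                 if "version" in e and criterion in expand(e["criteria"])}
    deltas = [tuple(p.strip() for p in e["delta"].split("->"))
              for e in entries
              if "delta" in e and criterion in expand(e["criteria"])]
    changed = True
    while changed:  # propagate until no further version is reached
        changed = False
        for old, new in deltas:
            if old in certified and new not in certified:
                certified.add(new)
                changed = True
    return certified


def vet(crate: str, version: str, required: List[str]) -> Set[str]:
    """Return the required criteria that crate@version is NOT certified for.
    An empty set means the dependency passes the check."""
    return {c for c in expand(required)
            if version not in versions_certified_for(crate, c)}


if __name__ == "__main__":
    # Constructed lockfile-style list: (crate, version, policy the project requires).
    lock = [("bytes", "1.5.0", ["safe-to-deploy"]),
            ("bytes", "1.5.0", ["crypto-safe"]),
            ("ring", "0.16.20", ["safe-to-deploy"]),
            ("unaudited", "0.1.0", ["safe-to-run"])]
    for crate, version, policy in lock:
        missing = vet(crate, version, policy)
        status = "ok" if not missing else "missing " + ", ".join(sorted(missing))
        print(f"{crate} {version}: {status}")
```

The second lock entry shows the edge case worth remembering: the delta audit for 1.4.0 -> 1.5.0 certifies “crypto-safe”, but since no full audit of 1.4.0 ever did, the chain has nothing to extend and 1.5.0 is still not certified for that criterion. The real tool applies the same rule: a newer version only inherits an audit through an unbroken chain of reviews back to a fully audited version.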
With this audit Google aims to protect its projects and their users. By restricting builds to reviewed dependencies that meet fixed requirements, it reduces the risk that a defective or compromised crate makes its way into ChromiumOS or Fuchsia and exposes them to attack.