Is there a good way to visualise rust-audit-info json? (Also additional dependencies may be present) #182

Closed
xnox opened this issue Jan 17, 2025 · 10 comments

@xnox

xnox commented Jan 17, 2025

It is difficult to resolve the dependency IDs. Is there anything that would substitute names for the digits, or at least augment the JSON with digits?

Is there anything that can generate a graph (Mermaid or Graphviz) from the JSON?

Also, what is the difference between no kind specified and kind "build"? Are the kind "build" crates linked into the final binary?

I am trying to understand why the "ring" crate got into this binary, and whether it really is present in the binary and used, or not.

ztunnel.json.txt.gz

gzip -d ztunnel.json.txt
cat ztunnel.json | jq | grep name | less -N

Look at the numbers:

 30       "name": "boring-rustls-provider",
233       "name": "ring",
240       "name": "rustls",
244       "name": "rustls-webpki",
329       "name": "ztunnel",

Mentally subtract one, as less -N is 1-indexed and dependencies appear to be 0-indexed:

 29       "name": "boring-rustls-provider",
232       "name": "ring",
239       "name": "rustls",
243       "name": "rustls-webpki",
328       "name": "ztunnel",

Now try to trace edges:

cat ztunnel.json | jq | grep -e name -e 29, -e 232 -e 239 -e 243 -e 328

Abbreviated:

      "name": "boring",
      "name": "boring-additions",
      "name": "boring-rustls-provider",
        239,
        243,
      "name": "boring-sys",
      "name": "boring-sys-additions",
      "name": "hyper",
      "name": "hyper-rustls",
        239,
      "name": "hyper-util",
      "name": "rcgen",
        232,
      "name": "rustls",
        243,
      "name": "rustls-native-certs",
      "name": "rustls-pemfile",
      "name": "rustls-pki-types",
      "name": "rustls-webpki",
        232,
      "name": "ryu",
      "name": "tokio",
      "name": "tokio-macros",
      "name": "tokio-rustls",
        239,
      "name": "tokio-stream",
      "name": "tokio-util",
      "name": "x509-parser",
        232,
      "name": "ztunnel",
        29,
        239,

Does this mean that ztunnel depends on boring-rustls-provider (29) & rustls (239)?
And boring-rustls-provider (29) depends on both rustls (239) and rustls-webpki (243)?
And finally "rustls-webpki" depends on ring (232)?

Did I parse this right?

It would have helped a lot if rust-audit-info could translate this for humans by replacing integer references with names, and also allow showing the graph without kind build, or just the kind build.
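An added example, not code from the cargo-auditable project or from anyone in this thread, that automates what the post above does by hand with jq, grep and less: it resolves the integer indices in the rust-audit-info JSON to crate names, drops kind "build" packages unless asked to keep them, emits a Graphviz DOT graph, and searches every runtime path from the root crate to a crate of interest. The sample package list, versions and indices are constructed for the example and are not copied from the ztunnel output.

```python
"""Resolve cargo-auditable package indices to names, drop build-only deps,
emit Graphviz DOT, and list every runtime path from the root crate to a
crate of interest (the manual index tracing from the post, automated)."""
import json

# Constructed sample in the rust-audit-info JSON layout: each entry in
# "dependencies" is a 0-based index into "packages"; "kind" is omitted for
# runtime deps and is "build" for build-only deps. Indices and versions are
# illustrative, not copied from the ztunnel output.
SAMPLE = {"packages": [
    {"name": "boring-rustls-provider", "version": "0.0.1", "source": "git",
     "dependencies": [2, 3]},
    {"name": "ring", "version": "0.17.8", "source": "crates.io"},
    {"name": "rustls", "version": "0.23.20", "source": "crates.io",
     "dependencies": [3]},
    {"name": "rustls-webpki", "version": "0.102.8", "source": "crates.io",
     "dependencies": [1]},
    {"name": "syn", "version": "2.0.90", "source": "crates.io", "kind": "build"},
    {"name": "ztunnel", "version": "0.0.0", "source": "local", "root": True,
     "dependencies": [0, 2, 4]},
]}

def edges(packages, include_build=False):
    """(from_name, to_name) pairs with integer refs resolved to names.
    Build-kind packages (build scripts, proc-macros) are dropped by default."""
    keep = {i for i, p in enumerate(packages)
            if include_build or p.get("kind", "runtime") != "build"}
    return [(packages[i]["name"], packages[j]["name"])
            for i in sorted(keep)
            for j in packages[i].get("dependencies", []) if j in keep]

def to_dot(packages, include_build=False):
    body = [f'  "{a}" -> "{b}";' for a, b in edges(packages, include_build)]
    return "\n".join(["digraph deps {"] + body + ["}"])

def paths_to(packages, target, include_build=False):
    """All dependency paths from the root crate to `target` (cf. cargo tree -i).
    Answers "why is ring listed?" without hand-tracing indices."""
    adj = {}
    for a, b in edges(packages, include_build):
        adj.setdefault(a, []).append(b)
    root = next(p["name"] for p in packages if p.get("root"))
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for nxt in adj.get(node, []):
            if nxt not in path:  # cycle guard; dev-deps can form cycles
                walk(nxt, path + [nxt])

    walk(root, [root])
    return found

if __name__ == "__main__":  # python3 audit_graph.py ztunnel.json
    import sys
    pkgs = SAMPLE["packages"]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pkgs = json.load(fh)["packages"]
    print(to_dot(pkgs))
    for p in paths_to(pkgs, "ring"):
        print(" -> ".join(p))
```

Pipe the DOT output into `dot -Tsvg` to get the picture; run with `rust-audit-info <binary> > ztunnel.json` as the input file for a real graph.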

@bjorn3

bjorn3 commented Jan 17, 2025

Does this mean that ztunnel depends on boring-rustls-provider (29) & rustls (239)?
And boring-rustls-provider (29) depends on both rustls (239) and rustls-webpki (243)?
And finally "rustls-webpki" depends on ring (232)?

I think so. rustls-webpki has the cargo feature to depend on ring enabled by default. And boring-rustls-provider doesn't disable it.

@Shnatsel
Member

Yeah, the format isn't meant to be human-readable. You can convert it to CycloneDX with https://github.com/rust-secure-code/cargo-auditable/tree/master/auditable2cdx or Syft and feed that into any dependency explorer/visualizer that supports CycloneDX, that should give a nicer tree.

@xnox
Author

xnox commented Jan 17, 2025

Does this mean that ztunnel depends on boring-rustls-provider (29) & rustls (239)?
And boring-rustls-provider (29) depends on both rustls (239) and rustls-webpki (243)?
And finally "rustls-webpki" depends on ring (232)?

I think so. rustls-webpki has the cargo feature to depend on ring enabled by default. And boring-rustls-provider doesn't disable it.

But it is disabled:
https://github.com/janrueth/boring-rustls-provider/blob/aa6e1c36f880002ceb56f99a64d19e0503e0bec7/Cargo.toml#L26

And I can also manually disable it in my Cargo.toml / lock, and it still gets pulled in. As in:

$ cargo add --no-default-features rustls-webpki
$ git diff
diff --git a/Cargo.lock b/Cargo.lock
index 5553066..1237302 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3959,6 +3959,7 @@ dependencies = [
  "rustls",
  "rustls-native-certs",
  "rustls-pemfile",
+ "rustls-webpki",
  "serde",
  "serde_json",
  "serde_yaml",
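Review bot: this Cargo.lock hunk only adds `rustls-webpki` to ztunnel's direct dependency list; Cargo.lock records which packages are in the graph, not which features are enabled, so the hunk cannot show whether the `ring` feature of rustls-webpki was switched off. Check the feature state with `cargo tree -e features -i rustls-webpki` rather than reading it from this diff.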
diff --git a/Cargo.toml b/Cargo.toml
index 11ecff5..011d497 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -106,6 +106,7 @@ tracing-core = "0.1"
 tracing-appender = "0.2"
 tokio-util = { version = "0.7", features = ["io-util"] }
 educe = "0.6.0"
+rustls-webpki = { version = "0.102.8", default-features = false }
 
 [target.'cfg(target_os = "linux")'.dependencies]
 netns-rs = "0.1"
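Review bot: `default-features = false` on this new direct dependency does not remove the `ring` feature if any other crate in the graph enables it, because Cargo unifies features per package across all dependents; the added line can only stop ztunnel itself from enabling it. To find which crate turns the feature on, `cargo tree -e features -i rustls-webpki` lists every dependent together with the features it requests.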
$ cargo clean
     Removed 3008 files, 878.8MiB total
$ cargo fetch
$ cargo auditable build --frozen --offline --release --no-default-features --features tls-boring --bin ztunnel
   Compiling proc-macro2 v1.0.92
   Compiling unicode-ident v1.0.14
   Compiling autocfg v1.4.0
   Compiling libc v0.2.168
   Compiling cfg-if v1.0.0
   Compiling serde v1.0.216
   Compiling memchr v2.7.4
   Compiling smallvec v1.13.2
   Compiling once_cell v1.20.2
   Compiling pin-project-lite v0.2.15
   Compiling itoa v1.0.14
   Compiling parking_lot_core v0.9.10
   Compiling scopeguard v1.2.0
   Compiling either v1.13.0
   Compiling futures-core v0.3.31
   Compiling stable_deref_trait v1.2.0
   Compiling futures-sink v0.3.31
   Compiling byteorder v1.5.0
   Compiling tracing-core v0.1.33
   Compiling shlex v1.3.0
   Compiling thiserror v1.0.69
   Compiling futures-channel v0.3.31
   Compiling pin-utils v0.1.0
   Compiling itertools v0.13.0
   Compiling futures-task v0.3.31
   Compiling bitflags v2.6.0
   Compiling lock_api v0.4.12
   Compiling num-traits v0.2.19
   Compiling slab v0.4.9
   Compiling regex-syntax v0.8.5
   Compiling anyhow v1.0.94
   Compiling futures-io v0.3.31
   Compiling cc v1.2.4
   Compiling quote v1.0.37
   Compiling glob v0.3.1
   Compiling writeable v0.5.5
   Compiling crossbeam-utils v0.8.21
   Compiling syn v2.0.90
   Compiling litemap v0.7.4
   Compiling clang-sys v1.8.1
   Compiling foldhash v0.1.3
   Compiling minimal-lexical v0.2.1
   Compiling rustix v0.38.42
   Compiling version_check v0.9.5
   Compiling allocator-api2 v0.2.21
   Compiling equivalent v1.0.1
   Compiling libloading v0.8.6
   Compiling bindgen v0.70.1
   Compiling icu_locid_transform_data v1.5.0
   Compiling num-conv v0.1.0
   Compiling nom v7.1.3
   Compiling heck v0.5.0
   Compiling hashbrown v0.15.2
   Compiling icu_properties_data v1.5.0
   Compiling rustc-hash v1.1.0
   Compiling powerfmt v0.2.0
   Compiling time-core v0.1.2
   Compiling log v0.4.22
   Compiling protobuf v2.28.0
   Compiling mio v1.0.3
   Compiling socket2 v0.5.8
   Compiling signal-hook-registry v1.4.2
   Compiling parking_lot v0.12.3
   Compiling regex-automata v0.4.9
   Compiling deranged v0.3.11
   Compiling getrandom v0.2.15
   Compiling time-macros v0.2.19
   Compiling cmake v0.1.52
   Compiling fslock v0.2.1
   Compiling write16 v1.0.0
   Compiling icu_normalizer_data v1.5.0
   Compiling fnv v1.0.7
   Compiling utf8_iter v1.0.4
   Compiling fs_extra v1.3.0
   Compiling utf16_iter v1.0.5
   Compiling rand_core v0.6.4
   Compiling indexmap v2.7.0
   Compiling aho-corasick v1.1.3
   Compiling crunchy v0.2.2
   Compiling percent-encoding v2.3.1
   Compiling typenum v1.17.0
   Compiling ryu v1.0.18
   Compiling cexpr v0.6.0
   Compiling rustls-pki-types v1.10.1
   Compiling serde_json v1.0.133
   Compiling generic-array v0.14.7
   Compiling getrandom v0.1.16
   Compiling bytes v1.9.0
   Compiling linux-raw-sys v0.4.14
   Compiling tiny-keccak v2.0.2
   Compiling prettyplease v0.2.25
   Compiling regex v1.11.1
   Compiling time v0.3.37
   Compiling form_urlencoded v1.2.1
   Compiling crossbeam-epoch v0.9.18
   Compiling httparse v1.9.5
   Compiling fixedbitset v0.4.2
   Compiling fastrand v2.3.0
   Compiling synstructure v0.13.1
   Compiling rustls v0.23.20
   Compiling rayon-core v1.12.1
   Compiling data-encoding v2.6.0
   Compiling lazy_static v1.5.0
   Compiling untrusted v0.9.0
   Compiling tinyvec_macros v0.1.1
   Compiling semver v1.0.24
   Compiling tinyvec v1.8.0
   Compiling rusticata-macros v4.1.0
   Compiling rustls-webpki v0.102.8
   Compiling tempfile v3.14.0
   Compiling petgraph v0.6.5
   Compiling protobuf-codegen v2.28.0
   Compiling crossbeam-deque v0.8.6
   Compiling serde_derive v1.0.216
   Compiling displaydoc v0.2.5
   Compiling tokio-macros v2.4.0
   Compiling zerofrom-derive v0.1.5
   Compiling yoke-derive v0.7.5
   Compiling zerovec-derive v0.10.3
   Compiling futures-macro v0.3.31
   Compiling thiserror-impl v1.0.69
   Compiling zerocopy-derive v0.7.35
   Compiling tracing-attributes v0.1.28
   Compiling futures-util v0.3.31
   Compiling icu_provider_macros v1.5.0
   Compiling prost-derive v0.13.4
   Compiling zerocopy v0.7.35
   Compiling async-trait v0.1.83
   Compiling zerofrom v0.1.5
   Compiling yoke v0.7.5
   Compiling asn1-rs-impl v0.2.0
   Compiling zerovec v0.10.4
   Compiling enum-as-inner v0.6.1
   Compiling ppv-lite86 v0.2.20
   Compiling foreign-types-macros v0.2.3
   Compiling tracing v0.1.41
   Compiling asn1-rs-derive v0.5.1
   Compiling rand_chacha v0.3.1
   Compiling memoffset v0.6.5
   Compiling thread_local v1.1.8
   Compiling rand v0.8.5
   Compiling half v2.4.1
   Compiling plotters-backend v0.3.7
   Compiling tinystr v0.7.6
   Compiling icu_collections v1.5.0
   Compiling prost v0.13.4
   Compiling foreign-types-shared v0.3.1
   Compiling anstyle v1.0.10
   Compiling zeroize v1.8.1
   Compiling icu_locid v1.5.0
   Compiling try-lock v0.2.5
   Compiling clap_lex v0.7.4
   Compiling subtle v2.6.1
   Compiling atomic-waker v1.1.2
   Compiling prost-types v0.13.4
   Compiling regex-syntax v0.6.29
   Compiling multimap v0.10.0
   Compiling uuid v1.11.0
   Compiling tower-service v0.3.3
   Compiling cpp_demangle v0.4.4
   Compiling bitflags v1.3.2
   Compiling ciborium-io v0.2.2
   Compiling match_cfg v0.1.0
   Compiling icu_provider v1.5.0
   Compiling hostname v0.3.1
   Compiling boring-sys v4.13.0
   Compiling debugid v0.8.0
   Compiling ciborium-ll v0.2.2
   Compiling clap_builder v4.5.23
   Compiling icu_locid_transform v1.5.0
   Compiling asn1-rs v0.6.2
   Compiling want v0.3.1
   Compiling foreign-types v0.5.0
   Compiling plotters-svg v0.3.7
   Compiling rand_core v0.5.1
   Compiling const-random-macro v0.1.16
   Compiling prost-build v0.13.4
   Compiling icu_properties v1.5.1
   Compiling protobuf-codegen-pure v2.28.0
   Compiling regex-automata v0.1.10
   Compiling crypto-common v0.1.6
   Compiling openssl-macros v0.1.1
   Compiling equator-macro v0.2.1
   Compiling ipnet v2.10.1
   Compiling itertools v0.10.5
   Compiling tokio v1.42.0
   Compiling http v1.2.0
   Compiling icu_normalizer v1.5.0
   Compiling findshlibs v0.10.2
   Compiling memmap2 v0.9.5
   Compiling ahash v0.8.11
   Compiling http-body v1.0.1
   Compiling num-integer v0.1.46
   Compiling memoffset v0.9.1
   Compiling same-file v1.0.6
   Compiling httpdate v1.0.3
   Compiling iana-time-zone v0.1.61
   Compiling idna_adapter v1.2.0
   Compiling idna v1.0.3
   Compiling linked-hash-map v0.5.6
   Compiling const-oid v0.9.6
   Compiling overload v0.1.1
   Compiling adler2 v2.0.0
   Compiling cfg_aliases v0.2.1
   Compiling rust_decimal v1.36.0
   Compiling gimli v0.31.1
   Compiling quick-error v1.2.3
   Compiling cast v0.3.0
   Compiling rustc-demangle v0.1.24
   Compiling thiserror v2.0.8
   Compiling symbolic-demangle v12.12.4
   Compiling oid-registry v0.7.1
   Compiling url v2.5.4
   Compiling criterion-plot v0.5.0
   Compiling resolv-conf v0.7.0
   Compiling lru-cache v0.1.2
   Compiling nix v0.29.0
   Compiling miniz_oxide v0.8.2
   Compiling der v0.7.9
   Compiling nu-ansi-term v0.46.0
   Compiling num-bigint v0.4.6
   Compiling chrono v0.4.39
   Compiling walkdir v2.5.0
   Compiling symbolic-common v12.12.4
   Compiling tinytemplate v1.2.1
   Compiling equator v0.2.2
   Compiling rayon v1.10.0
   Compiling rustc_version v0.4.1
   Compiling tracing-serde v0.2.0
   Compiling addr2line v0.24.2
   Compiling ciborium v0.2.2
   Compiling matchers v0.1.0
   Compiling pprof v0.14.0
   Compiling clap v4.5.23
   Compiling aead v0.5.2
   Compiling tonic-build v0.12.3
   Compiling const-random v0.1.18
   Compiling rand_chacha v0.2.2
   Compiling plotters v0.3.7
   Compiling boring v4.13.0
   Compiling enum-ordinalize-derive v4.3.1
   Compiling pin-project-internal v1.1.7
   Compiling thiserror-impl v2.0.8
   Compiling tokio-util v0.7.13
   Compiling hickory-proto v0.24.2
   Compiling sharded-slab v0.1.7
   Compiling tracing-log v0.2.0
   Compiling h2 v0.4.7
   Compiling is-terminal v0.4.13
   Compiling object v0.36.5
   Compiling nibble_vec v0.1.0
   Compiling endian-type v0.1.2
   Compiling anes v0.1.6
   Compiling oorandom v11.1.4
   Compiling prometheus-client v0.23.0
   Compiling tower-layer v0.3.3
   Compiling arrayvec v0.7.6
   Compiling criterion v0.5.1
   Compiling tracing-subscriber v0.3.19
   Compiling boring-additions v0.0.1 (https://github.com/janrueth/boring-rustls-provider#aa6e1c36)
   Compiling radix_trie v0.2.1
   Compiling pin-project v1.1.7
   Compiling enum-ordinalize v4.3.0
   Compiling ztunnel v0.0.0 (/home/xnox/upstream/ztunnel)
   Compiling tokio-stream v0.1.17
   Compiling pingora-timeout v0.4.0
   Compiling tokio-rustls v0.26.1
   Compiling boring-sys-additions v0.0.1 (https://github.com/janrueth/boring-rustls-provider#aa6e1c36)
   Compiling rand v0.7.3
   Compiling nix v0.23.2
   Compiling hyper v1.5.2
   Compiling backtrace v0.3.74
   Compiling hickory-resolver v0.24.2
   Compiling der-parser v9.0.0
   Compiling aligned-vec v0.6.1
   Compiling spki v0.7.3
   Compiling http-body-util v0.1.2
   Compiling futures-executor v0.3.31
   Compiling hyper-util v0.1.10
   Compiling nix v0.26.4
   Compiling prometheus-client-derive-encode v0.4.2
   Compiling async-stream-impl v0.3.6
   Compiling itertools v0.12.1
   Compiling lru v0.12.5
   Compiling num_cpus v1.16.0
   Compiling crossbeam-queue v0.3.12
   Compiling crossbeam-channel v0.5.14
   Compiling hdrhistogram v7.5.4
   Compiling instant v0.1.13
   Compiling unsafe-libyaml v0.2.11
   Compiling sync_wrapper v1.0.2
   Compiling winnow v0.6.20
   Compiling dtoa v1.0.9
   Compiling seize v0.3.3
   Compiling openssl-probe v0.1.5
   Compiling base64 v0.12.3
   Compiling base64 v0.22.1
   Compiling flurry v0.5.2
   Compiling tonic v0.12.3
   Compiling prometheus-parse v0.2.5
   Compiling textnonce v1.0.0
   Compiling serde_yaml v0.9.34+deprecated
   Compiling rustls-native-certs v0.8.1
   Compiling tower v0.5.2
   Compiling backoff v0.4.0
   Compiling tracing-appender v0.2.3
   Compiling async-stream v0.3.6
   Compiling pingora-pool v0.4.0
   Compiling hyper-rustls v0.27.4
   Compiling netns-rs v0.1.0
   Compiling duration-str v0.11.3
   Compiling futures v0.3.31
   Compiling hickory-server v0.24.2
   Compiling x509-parser v0.16.0
   Compiling boring-rustls-provider v0.0.1 (https://github.com/janrueth/boring-rustls-provider#aa6e1c36)
   Compiling hickory-client v0.24.2
   Compiling educe v0.6.0
   Compiling tls-listener v0.10.2
   Compiling arcstr v1.2.0
   Compiling ppp v2.2.0
   Compiling keyed_priority_queue v0.4.2
   Compiling rustls-pemfile v2.2.0
   Compiling split-iter v0.1.0
    Finished `release` profile [optimized] target(s) in 3m 14s
$ ls out/rust/release/deps/libring* out/rust/release/deps/ring*
ls: cannot access 'out/rust/release/deps/libring*': No such file or directory
ls: cannot access 'out/rust/release/deps/ring*': No such file or directory
$ rust-audit-info out/rust/release/ztunnel | jq | grep '"ring"'
      "name": "ring",

So the ring crate was not fetched and not compiled, yet it is in the audit information. Is rust-audit-info calculated separately, or is it based on compiled crates & linked crates? Because if there was no rlib / rmeta, and it didn't get linked into the binary, how come there is a runtime dep?

If I rebuild the binary with the tls-ring feature, there are rlib / rmeta files for libring, and lots of ELF symbols starting with ring_ and lots of output with ring_ in strings on the binary.
The builds with tls-boring do not have any strings / symbols for ring_ but do have many strings / symbols for boring_.

It feels like false positive metadata in rust-audit-info for a component that is not present in the binary. That should be mostly harmless, but I was hoping to use it for FIPS cryptography determination, to see if unapproved / not-certified libraries are linked. Looks like I cannot do that.

It feels as if rust-audit-info is based on Cargo.lock file data, irrespective of which features are enabled.

Should I attempt to create a smaller reproducer?

@Shnatsel
Member

The audit information may occasionally include too many dependencies due to the limitations of cargo metadata:

#66
#38

I've been looking into using the guppy crate to work around the limitations of the data that cargo exposes, but we still need to know the resolver version in use, and I don't think Cargo exposes that either.

@tofay
Contributor

tofay commented Jan 17, 2025

I've looked into this specific dependency before. Because of those metadata bugs and rust-lang/cargo#10801, I also ended up resorting to checking whether ring is actually built by cargo during the build.

@xnox xnox changed the title Is there a good way to visualise rust-audit-info json? Is there a good way to visualise rust-audit-info json? (Also additional dependencies may be present) Jan 17, 2025
@xnox
Author

xnox commented Jan 21, 2025

Implemented build tree sure for positive/negative search of .rmeta files, and also an ELF symbol check for positive/negative symbols with help from rustfilt. This way I can be sure that libring was not built, and no ring symbols are present.

I feel confident with these checks.

I still dislike the false positive in the rust audit info.

Is there anything I can do, at workspace level to override these? Pondering if I should create local works of crates, change their features, use replaces, and recalculate lock.

@Shnatsel
Member

Building each crate in its own workspace may help, although I don't know if it will really eliminate all the false positives in this case.

The way to fix this in cargo auditable once and for all is to find a reliable way to get the resolver version Cargo is using and run a reimplementation of the Cargo feature resolution algorithm inside cargo auditable, as discussed in #66. The remaining tricky bit is getting the resolver version.

I'll discuss with the Cargo team and see if there is a way to either obtain the resolver version from cargo or reimplement the algorithm that determines it outside Cargo.

@xnox
Author

xnox commented Jan 21, 2025

Building each crate in its own workspace may help, although I don't know if it will really eliminate all the false positives in this case.

The way to fix this in cargo auditable once and for all is to find a reliable way to get the resolver version Cargo is using and run a reimplementation of the Cargo feature resolution algorithm inside cargo auditable, as discussed in #66. The remaining tricky bit is getting the resolver version.

I'll discuss with the Cargo team and see if there is a way to either obtain the resolver version from cargo or reimplement the algorithm that determines it outside Cargo.

Without knowing how it works, I was hoping you can encode whatever is needed inside .rmeta files, and then at link stage have a hook that has access to which .rmeta's are being linked and generates the JSON at that point for the linked binary.

To me that's the only reliable way to pertaining this information throughout the build =)

(or .rlib's portion of .rmeta / compiler info inside there)

@bjorn3

bjorn3 commented Jan 21, 2025

The format of the crate metadata is unstable and rustc doesn't expose a way to encode arbitrary information in it.

@Shnatsel
Member

I've talked to a Cargo maintainer, and it seems that it's now feasible to match Cargo's dependency resolution mechanism exactly. I'll see what I can do.

I'm going to close this as a duplicate of #66; please follow that issue for updates.
