https://github.com/congnghiahieu/rust-ecosystem

Science Score: 23.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
    Links to: zenodo.org
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.3%) to scientific vocabulary
Last synced: 10 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: congnghiahieu
  • Language: Jupyter Notebook
  • Default Branch: master
  • Size: 3.54 MB
Statistics
  • Stars: 0
  • Watchers: 1
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created over 1 year ago · Last pushed over 1 year ago
Metadata Files
Readme

README.md

Fork from https://github.com/ZXXYy/rust_ecosystem

  • Downloading these two datasets is enough:
    • https://drive.google.com/file/d/114GiIP2srHUm6BKX3AK92D157LWw1IZN/view?usp=share_link
    • https://zenodo.org/record/7828059#.ZDo1v-xBy3Y

A Closer Look at the Security Risks in the Rust Ecosystem

In this paper, we systematically examine the security risks of the Rust ecosystem by following a mixed-methods approach. We compiled a dataset of 433 vulnerabilities, 300 vulnerable code repositories, and 218 vulnerability fix commits in the Rust ecosystem over 7 years. Using the dataset, we characterized the types, life spans, and evolution of disclosed vulnerabilities, as well as the affected versions, popularity, categorization, and affected code regions of vulnerable Rust packages. Additionally, we investigated the complexity of fixes and the locality of code changes, and how practitioners fix vulnerabilities in Rust packages with different localities. We find that two thirds of the categorized vulnerabilities in the ecosystem involve memory safety and concurrency issues. Vulnerabilities take more than 2 years to be publicly disclosed, among which 66.7% have fixes committed before their public disclosure in the ecosystem. Vulnerable code tends to have significantly more unsafe functions and blocks than complete code in vulnerable packages. The vulnerability fix commits are localized in the Rust ecosystem, and differences exist in the localities and fixes of vulnerable code across various vulnerability types. Based on our findings, we provide recommendations for software practitioners and outline directions for future research.


Reproduce the results:

  • Requirements:

Python 3.9+

  • Run the following commands:

```shell
sudo apt install python3-pip
sudo apt install python3-virtualenv
virtualenv -p /usr/bin/python3 test-env
source test-env/bin/activate
pip3 install -r requirements.txt
```

  • Follow the steps in the Jupyter notebooks in RQ\ to get the statistics and figures. Generated figures are placed inside RQ\fig. Please download the db file with our dataset from https://drive.google.com/file/d/114GiIP2srHUm6BKX3AK92D157LWw1IZN/view?usp=share_link and put it in the current directory.

Collect the dataset:

  1. Data Collection (data_collection/)
    • collect_vuls.ipynb: collect vulnerabilities and package metadata.
    • clone_repos.py: clone vulnerable package repositories into a specific directory.
  2. Data Extraction (data_extraction/)
    • collect_commits.ipynb: mine vulnerability-fix commits.
    • extract_changes.py: extract changes in fix commits.
    • extract_life_span.py: extract the commit dates of vulnerability-introducing commits and fix commits.
  3. Source Code Analysis (source_analysis/)
    • compile.py: get the locations of unsafe/safe functions and blocks in vulnerable packages by using a Rust compiler plugin.
    • format_result.py: format the compilation results into the database. The dataset can be downloaded from https://zenodo.org/record/7828059#.ZDo1v-xBy3Y.

Owner

  • Name: Hiếu Cien
  • Login: congnghiahieu
  • Kind: user

GitHub Events

Total
  • Push event: 3
  • Create event: 2
Last Year
  • Push event: 3
  • Create event: 2

Dependencies

source_analysis/decls/Cargo.toml cargo
source_analysis/tests/Cargo.lock cargo
  • 128 dependencies
source_analysis/tests/Cargo.toml cargo
source_analysis/unsafeAnalysis/Cargo.lock cargo
  • 128 dependencies
source_analysis/unsafeAnalysis/Cargo.toml cargo
requirements.txt pypi
  • GitPython ==3.1.43
  • PyDriller ==2.7
  • Pygments ==2.18.0
  • asttokens ==2.4.1
  • certifi ==2024.8.30
  • charset-normalizer ==3.4.0
  • comm ==0.2.2
  • contourpy ==1.3.1
  • cvss ==3.3
  • cycler ==0.12.1
  • debugpy ==1.8.8
  • decorator ==5.1.1
  • executing ==2.1.0
  • fonttools ==4.54.1
  • gitdb ==4.0.11
  • idna ==3.10
  • ipykernel ==6.29.5
  • ipython ==8.29.0
  • jedi ==0.19.2
  • jupyter_client ==8.6.3
  • jupyter_core ==5.7.2
  • kiwisolver ==1.4.7
  • lizard ==1.17.13
  • matplotlib ==3.9.2
  • matplotlib-inline ==0.1.7
  • nest-asyncio ==1.6.0
  • numpy ==2.1.3
  • packaging ==24.2
  • pandas ==2.2.3
  • parso ==0.8.4
  • pexpect ==4.9.0
  • pillow ==11.0.0
  • platformdirs ==4.3.6
  • prompt_toolkit ==3.0.48
  • psutil ==6.1.0
  • ptyprocess ==0.7.0
  • pure_eval ==0.2.3
  • pyparsing ==3.2.0
  • python-dateutil ==2.9.0.post0
  • pytz ==2024.2
  • pyzmq ==26.2.0
  • requests ==2.32.3
  • six ==1.16.0
  • smmap ==5.0.1
  • stack-data ==0.6.3
  • toml ==0.10.2
  • tornado ==6.4.1
  • traitlets ==5.14.3
  • types-pytz ==2024.2.0.20241003
  • tzdata ==2024.2
  • urllib3 ==2.2.3
  • wcwidth ==0.2.13