Cackle is a tool to analyse the transitive dependencies of your crate to see what kinds of APIs each crate uses.

The idea is look for crates that are using APIs that you don't think they should be using. For example a crate that from its description should just be doing some data processing, but is actually using network APIs.

  • wisha@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Amazing project!

    Would be cool if we also have an online database of what APIs each crate uses. This would allow quickly knowing some crates are safe without compiling them (there could be malicious build.rs code) or even seeing the source code at all.

    • DavidLattimore@lemmyrs.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Interesting idea. It feels to me though that it’d be a lot of work to check such a database for each of your transitive dependencies, where if you just run cackle it checks them all for you and perhaps most importantly will tell you if there’s a change.

      Another consideration is that cackle only considers an API to be used if it’s in reachable code. This is handy because you can for example use a crate like the image crate, which has functions to read and write images on the filesystem and you don’t need to grant filesystem permissions unless you actually use those APIs.

      • wisha@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        What I meant was that I want exactly Cackle, but I don’t want to run it on my own computer. If a crate uses some suspicious API (including transitively), I want to know before I download it.

  • livingcoder@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Is this a problem today? I’ll scan through the code of less popular crates, looking for reasonable TCP std library usage and such, just to be sure, but I haven’t found unusual networking crate usage (yet).

    That said, the repository may not actually contain the code compiled in the crate. I’ve found situations where the source code is impossible to find.