Auditing Rust Crates Effectively

We introduce Cargo Scan, the first interactive program analysis tool designed to help developers audit third-party Rust code. Real systems written in Rust rely on thousands of transitive dependencies. These dependencies are as dangerous in Rust as they are in other languages (e.g., C or JavaScript) – and auditing these dependencies today means manually inspecting every line of code. Unlike for most industrial languages, though, we can take advantage of Rust’s type and module system to minimize the amount of code that developers need to inspect to the code that is potentially dangerous. Cargo Scan models such potentially dangerous code as effects and performs a side-effects analysis, tailored to Rust, to identify effects and track them across crate and module boundaries. In most cases (69.2%) developers can inspect flagged effects and decide whether the code is potentially dangerous locally. In some cases, however, the safety of an effect depends on the calling context – how a function is called, potentially by a crate the developer imports later. Hence, Cargo Scan tracks context-dependent information using a call-graph, and collects audit results into composable and reusable audit files. In this paper, we describe our experience auditing Rust crates with Cargo Scan. In particular, we audit the popular client and server HTTP crate, hyper, and all of its dependencies; our experience shows that Cargo Scan can reduce the auditing burden of potentially dangerous code to a median of 0.2% of lines of code when compared to auditing whole crates. Looking at the Rust ecosystem more broadly, we find that Cargo Scan can automatically classify ~3.5K of the top 10K crates on crates.io as safe; of the crates that do require manual inspection, we find that most of the potentially dangerous side-effects are concentrated in roughly 3% of these crates.

💡 Research Summary

The paper presents Cargo Scan, the first interactive program‑analysis tool designed to make auditing third‑party Rust crates practical and scalable. While Rust’s strong static typing, module system, and explicit unsafe blocks already limit many classes of bugs, real‑world projects still depend on thousands of transitive crates that may contain unsafe code, system calls, or other potentially dangerous operations. Existing manual auditing processes are labor‑intensive, and tools such as Cargo Vet only record unstructured approvals without capturing context‑sensitive safety information.

Cargo Scan addresses two core goals: (1) reduce the amount of code developers must review to only the parts that could be dangerous, and (2) preserve context‑dependent safety decisions so that previously audited code does not need to be re‑examined when used in new call sites. To achieve this, the authors model any potentially dangerous operation as an “effect”. Effects are classified into three categories: unsafe effects (use of the unsafe keyword or unsafe traits), system effects (calls that invoke operating‑system services such as file I/O, networking, or process execution), and higher‑order effects (creation of closures, function pointers, or other abstractions that may later trigger unsafe or system behavior). By exhaustively inspecting the Rust standard library, they derive concrete sink patterns for each category and extend these patterns as context‑sensitive effects propagate across dependencies.

The static analysis pass works at the function level. It leverages Rust’s borrow checker and explicit mutable reference types to make aliasing and mutation tractable, allowing the analysis to focus on function calls rather than whole‑program data flow. Complex language features—generics, traits, and higher‑order functions—are “lifted” into the effect model, meaning that the analysis records the effect at the point of closure creation or trait implementation rather than trying to resolve every possible monomorphization. The result is a conservative over‑approximation of each function’s effect set, which is then propagated through the call graph across crate boundaries.

Cargo Scan’s interactive component is delivered as a VS Code extension. When the analysis flags an effect site, the developer can click on it, view surrounding code, and annotate the site as safe, unsafe, or context‑dependent. These annotations are stored in a structured audit file that captures the precise conditions under which an effect is considered safe. Unlike Cargo Vet, the audit file can be reused by other projects; when a downstream crate imports a previously audited crate, Cargo Scan reads the existing audit file and only prompts the developer for newly introduced call contexts.

The authors evaluate Cargo Scan on two fronts. First, they run the static classifier on the top 10 000 most‑downloaded crates from crates.io. They find that 3 434 crates (≈34 %) contain no dangerous effects at all and can be automatically marked safe. Moreover, 85 % of all identified effects are concentrated in just 3 % of the crates, indicating that the bulk of the ecosystem can be vetted with minimal effort. Second, they conduct a case study auditing the hyper HTTP library and all of its transitive dependencies (approximately 160 K lines of code across 30 crates). Their manual audit shows that 30.8 % of functions have context‑dependent safety, and only 5.2 % of those dependencies cross package boundaries. Despite this, the total amount of code that required human inspection was a median of 0.2 % of the lines, a reduction of roughly 500× compared with naïve line‑by‑line review.

The paper’s contributions are threefold: (1) a Rust‑specific effect model and static side‑effect analysis that isolates dangerous code, (2) an interactive auditing workflow with reusable, context‑aware audit artifacts, and (3) an empirical evaluation demonstrating that Cargo Scan dramatically lowers the manual auditing burden while preserving high assurance. Limitations include a conservative analysis that may over‑report safe code, limited handling of procedural macros and complex macro‑generated code, and increased analysis time for very large codebases. Future work is suggested on refining the effect model, integrating dynamic profiling to reduce false positives, and extending support for macro‑heavy crates. Overall, Cargo Scan represents a significant step toward scalable supply‑chain security for the Rust ecosystem.