UPSTREAM.RUST.RUST


UPSTREAM.RUST.RUST-VERSION | Reviewed: ✔ | Score: 0.7

Project is actively managing its Minimum Supported Rust Version (MSRV).

In the context of trustable software and deployment into safe systems, the MSRV chosen by the project may be influenced by the usage and availability of a safety-certified compiler toolchain.

Supported Requests:

None

Supporting Items:

Item: UPSTREAM.TSF.TA-RELEASES
Summary: Construction of XYZ releases is fully repeatable and the results are fully reproducible, with any exceptions documented and justified.
Score: 0.70
Status: ✔ Item Reviewed, ✔ Link Reviewed

References:

None


UPSTREAM.RUST.RUST-VERSION_SPECIFICITY | Reviewed: ✔ | Score: 0.7

Project is declaring its dependencies with at least minor-version-level specificity. Where there is a reason, patch-level specificity is used.

In the context of trustable software, we lean towards build reproducibility over flexible use of dependency versions.

Supported Requests:

None

Supporting Items:

Item: UPSTREAM.TSF.TA-RELEASES
Summary: Construction of XYZ releases is fully repeatable and the results are fully reproducible, with any exceptions documented and justified.
Score: 0.70
Status: ✔ Item Reviewed, ✔ Link Reviewed

References:

None


UPSTREAM.RUST.RUST-VERSION_LOCKING | Reviewed: ✔ | Score: 0.7

Project is locking and actively managing its dependencies, so that any change or update to dependency versions is done explicitly and with intention.

In the context of trustable software, we prioritize build reproducibility, so it is always recommended to include Cargo.lock in version control.
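The following Cargo.toml is added here as an illustration of the three practices above (an explicit MSRV, minor- or patch-level dependency specificity, and a committed Cargo.lock) in one manifest; it is not taken from the page or from any particular project, and the crate name, dependency names, versions and the stated pin reason are invented placeholders.

```toml
# Added example manifest; crate, dependency names and versions are invented
# placeholders, not taken from any real project.
[package]
name = "trustable-example"
version = "0.1.0"
edition = "2021"
# RUST-VERSION: the MSRV is declared in the manifest, so a toolchain older
# than this refuses to build the crate, and a change of MSRV (for example a
# move to a safety-certified toolchain) is reviewed like any other change.
rust-version = "1.70"

[dependencies]
# RUST-VERSION_SPECIFICITY, minor level: "1.0" is the caret requirement
# ^1.0 (>= 1.0.0, < 2.0.0). Writing the minor component records the API
# level the code was written against instead of a bare "1".
serde = { version = "1.0", features = ["derive"] }
# Patch level, only with a stated reason: "=" pins exactly one release, and
# the reason is kept next to the pin so the exception is documented.
# Hypothetical crate; the reason is an illustration.
demo-parser = "=2.3.1"  # later 2.3.x releases raise their MSRV above ours

# RUST-VERSION_LOCKING is expressed in the repository rather than here:
# Cargo.lock is committed (not listed in .gitignore), and CI builds with
# `cargo build --locked`, so a lockfile that would need updating fails the
# build instead of being rewritten silently.
```

With the lockfile committed, any edit to a requirement here or any `cargo update` shows up as a Cargo.lock diff in review, which is the explicit and intentional dependency change the locking item asks for.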

Supported Requests:

None

Supporting Items:

Item: UPSTREAM.TSF.TA-RELEASES
Summary: Construction of XYZ releases is fully repeatable and the results are fully reproducible, with any exceptions documented and justified.
Score: 0.70
Status: ✔ Item Reviewed, ✔ Link Reviewed

References:

None


UPSTREAM.RUST.RUST-CVE_MANAGEMENT | Reviewed: ✔ | Score: 0.6

Project is actively managing known/reported CVEs in its supply chain, e.g. by using cargo deny.

Any rule exceptions and ignored advisories (e.g. in deny.toml) come with a reason.
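A deny.toml in the shape cargo deny reads, added here as an illustration and not taken from the page or from any project's configuration. The advisory identifier is a placeholder (real identifiers have the form RUSTSEC-YYYY-NNNN) and the ignore reason is invented; the point is the form of a justified exception beside the form this item rejects.

```toml
# Added example cargo-deny configuration; the advisory id is a placeholder
# and the ignore reason is invented.
[advisories]
db-urls = ["https://github.com/rustsec/advisory-db"]
yanked = "deny"
# Every ignored advisory is written as a table with an explicit `reason`,
# so the justification is reviewed together with the exception.
ignore = [
    { id = "RUSTSEC-0000-0000", reason = "placeholder: affected API is not reachable from this crate; tracked in issue <N>" },
]
# Not acceptable under RUST-CVE_MANAGEMENT: a bare id silences the advisory
# with no recorded justification.
# ignore = ["RUSTSEC-0000-0000"]

[bans]
# Duplicate crate versions and wildcard requirements both undermine the
# version-specificity and reproducibility items, so they fail the check.
multiple-versions = "deny"
wildcards = "deny"

[sources]
# Crates may only come from the registries and git hosts cargo-deny is told
# to allow; anything else fails the check.
unknown-registry = "deny"
unknown-git = "deny"
```

Running `cargo deny check` in CI evaluates all of these sections against the resolved dependency graph, so a new advisory against a locked dependency fails the pipeline until it is either fixed by an intentional version change or recorded as an exception with its reason.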

Supported Requests:

None

Supporting Items:

Item: UPSTREAM.TSF.TA-INPUTS
Summary: All inputs to XYZ are assessed, to identify potential risks and issues
Score: 0.60
Status: ✔ Item Reviewed, ✔ Link Reviewed

References:

None


UPSTREAM.RUST.RUST-LINTER | Reviewed: ✔ | Score: 0.7

Project is using cargo clippy, treating all warnings as errors, to vet pull requests and reject the merging of any code that fails the linter.

Supported Requests:

None

Supporting Items:

Item: UPSTREAM.TSF.TA-RELEASES
Summary: Construction of XYZ releases is fully repeatable and the results are fully reproducible, with any exceptions documented and justified.
Score: 0.70
Status: ✔ Item Reviewed, ✔ Link Reviewed

References:

None


UPSTREAM.RUST.RUST-FORMATTER | Reviewed: ✔ | Score: 0.7

Project is using cargo fmt to reject merging of any code that fails the standard Rust formatting rules.

Supported Requests:

None

Supporting Items:

Item: UPSTREAM.TSF.TA-RELEASES
Summary: Construction of XYZ releases is fully repeatable and the results are fully reproducible, with any exceptions documented and justified.
Score: 0.70
Status: ✔ Item Reviewed, ✔ Link Reviewed

References:

None


UPSTREAM.RUST.RUST-TEST_HARNESS | Reviewed: ✔ | Score: 0.8

Project is using Rust test tooling and core framework runners. Any additional test harnesses and approaches are integrated with the core test setup and are run in the same (automated) manner.

Supported Requests:

None

Supporting Items:

Item: UPSTREAM.TSF.TA-TESTS
Summary: All tests for XYZ, and its build and test environments, are constructed from controlled/mirrored sources and are reproducible, with any exceptions documented
Score: 0.80
Status: ✔ Item Reviewed, ✔ Link Reviewed

References:

None