CWE checker dependencies incompatible with current Kali (clap) #355

Closed
m-1-k-3 opened this issue Oct 11, 2022 · 4 comments

m-1-k-3 commented Oct 11, 2022

With the latest dependency updates (clap) cwe_checker breaks on a current Kali Linux:

└─$ make all GHIDRA_PATH=/home/m1k3/github-repos/emba_forked/external/ghidra/ghidra_10.1.5_PUBLIC 
cargo build -p cwe_checker_install --release
    Updating crates.io index
error: failed to select a version for the requirement `clap = "=4.0.9"`
candidate versions found which didn't match: 3.2.22, 3.2.21, 3.2.20, ...
location searched: crates.io index
required by package `cwe_checker v0.7.0-dev (/home/m1k3/github-repos/emba_forked/external/cwe_checker/src/caller)`
make: *** [Makefile:5: all] Fehler 101

Currently we need to stick to version 0.6 or a PR before PR354 for Kali Linux. Could we make the dependencies compatible with Kali?

Contributor

Enkelmann commented Oct 12, 2022

Does Kali (or you) use an offline mirror of the crates.io package repository? Otherwise I could not explain why the switch to clap 4 (which is available on crates.io) breaks your build process.

If it uses an offline mirror: How often does it get updated? I explicitly make no stability guarantees for the master branch and if the problem will resolve itself in one or two weeks I am inclined to just wait until then. But in general a switch to the older clap 3 should be possible if necessary.

Edit: Another thing you could check is if your installed Rust version is up-to-date. With the switch to clap 4 I raised the minimum version of Rust required for the cwe_checker to 1.63 (although technically 1.60 should be enough right now). So maybe a simple rustup update will solve your problems.

Author

m-1-k-3 commented Oct 13, 2022

Thanks for your reply. Rust is installed from the original Kali package repository and is version 1.60.0:

ii  rust-all                               1.60.0+dfsg1-1                      all          Rust systems programming language - all developer tools
ii  rust-clippy                            1.60.0+dfsg1-1                      amd64        Rust linter
ii  rust-gdb                               1.60.0+dfsg1-1                      all          Rust debugger (gdb)
ii  rustc                                  1.60.0+dfsg1-1                      amd64        Rust systems programming language
ii  rustfmt                                1.60.0+dfsg1-1                      amd64        Rust formatting helper

So, we have the source of this issue identified. Probably they will update it with Kali 2022.04. Otherwise we need to go back to manual installation.

@Enkelmann
Contributor

I just double-checked that the cwe_checker installation still works using Rust 1.60. So maybe Kali really uses a not-up-to-date offline mirror of the crates.io package repository? If we are lucky, the mirror gets updated more frequently than just for every Kali release, so maybe the issue is already solved/will solve itself soon. In this case I could delay making Rust 1.63 a hard requirement until it lands in Kali Linux.

Would using the official Docker image of the cwe_checker be an alternative for you? This way you could still use the latest cwe_checker based on the master branch without any fear that it will break on any specific Linux distro.

Author

m-1-k-3 commented Dec 12, 2022

Tested today with the new Kali 2022.4 and everything works fine.
