Some of these CVEs only exist because Rust takes security seriously. There was a filesystem bug: https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
This impacted C++'s standard library as well, but since the standard says it's undefined behavior, they said "not a bug" and didn't file CVEs.
Nobody believes that Rust programs will have zero bugs or zero security vulnerabilities. It's that it can significantly reduce them.
To me, this attitude of the Rust community is another benefit of Rust: there is a general commitment that idiomatic Rust code handles and exposes when things can go wrong.
Just skimming the first few entries:
- Most are UB in binding code between Rust and language X.
- If not binding code, the severity is often below 5, which is most often not a bug that will affect you.
- Exceptions are code with heavy async usage and user-input handling (which Rust never advertises to fix, and which is common in all languages, even ones with a GC).