cargo : winapi @ 0.3.9
Patrick Elsen, signed 2026-05-28, published 2026-05-28

Claims

build-exec-deterministic, build-exec-minimal, build-exec-no-network, build-exec-no-write-out, build-exec-safe, environment-safe, has-binaries, has-build-exec, has-fuzz-tests, has-install-exec, has-integration-tests, has-property-tests, has-unit-tests, impl-algorithm, impl-concurrency, impl-crypto, impl-datastructure, impl-interpreter, impl-jit, impl-parser, impl-protocol, is-benign, uses-concurrency, uses-crypto, uses-environment, uses-exec, uses-filesystem, uses-interpreter, uses-jit, uses-network, uses-unsafe

Summary

winapi 0.3.9 is a large collection of raw FFI bindings for the Windows API (~180K LOC, ~400 generated header files). The build script reads CARGO_FEATURE_* and two optional env vars to emit link-library directives; it makes no network requests and spawns no processes. The published source matches the tagged VCS commit byte-for-byte. No findings were raised. The unsafe sub-claims were left unasserted due to the scale of machine-generated binding code.

Report

Subject

winapi 0.3.9 is the community-maintained raw FFI bindings crate for the Windows API. It exposes hand-transcribed and macro-generated extern "system" function declarations, C struct definitions, constants, and COM vtable types for approximately 400 Windows SDK headers, organised under src/shared/, src/um/, src/km/, src/ucrt/, src/vc/, and src/winrt/. Each header group is gated behind a matching feature flag; the everything feature enables all of them. The crate is no_std by default and carries no runtime logic beyond the type definitions themselves.

Methodology

The published crate contents were compared against the upstream Git repository at commit 796a8e6c (tagged "Publish winapi 0.3.9") using diff -rq. The build script was read in full. src/lib.rs and src/macros.rs were read in full. A grep survey covered all 404 .rs files for unsafe, extern, network primitives, filesystem access, process spawning, environment variable access, cryptographic APIs, RNG, and concurrency primitives. Binary file presence was checked with find. The VCS checkout at the tagged commit is present in vcs/.

Scope. Due to the crate's size (~180K LOC, 87 unsafe keyword occurrences across 404 generated files), the following claims were not evaluated and are left unasserted: unsafe-safe, unsafe-documented, unsafe-minimal, unsafe-tested. This audit evaluates supply-chain integrity (VCS byte-equivalence), capability surface (uses-*), build/install-time execution, and dependency enumeration.
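A byte-equivalence check of the kind this methodology describes, written as an added example in Rust (it is not the auditor's tooling and not part of this report): it walks a package tree and a VCS checkout, skips .git, lists files present on only one side, and separates files expected to differ through cargo's publish-time normalisation (Cargo.toml) from genuine byte differences. The directory layout and file contents in the fixture are constructed for the example; the "not shipped" tests/ file mirrors what the report observes, but the contents are made up.

```rust
// Added example: byte-for-byte tree comparison in the spirit of
// `diff -rq contents/ vcs/`. Not the auditor's tooling.
use std::collections::BTreeSet;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

#[derive(Debug, Default, PartialEq)]
pub struct TreeDiff {
    pub only_in_package: Vec<String>, // unexplained extra files: a finding candidate
    pub only_in_vcs: Vec<String>,     // e.g. tests/ not shipped; judged case by case
    pub differing: Vec<String>,       // byte differences that need explaining
    pub normalised: Vec<String>,      // expected differences (cargo rewrites Cargo.toml)
}

/// Recursively collect relative file paths under `root`, skipping VCS metadata.
fn collect(root: &Path, prefix: &Path, out: &mut BTreeSet<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(root.join(prefix))? {
        let entry = entry?;
        let rel = prefix.join(entry.file_name());
        if entry.file_type()?.is_dir() {
            if entry.file_name().to_string_lossy() == ".git" {
                continue; // never part of a published package
            }
            collect(root, &rel, out)?;
        } else {
            out.insert(rel);
        }
    }
    Ok(())
}

fn show(p: &Path) -> String {
    p.to_string_lossy().replace('\\', "/")
}

/// Compare the published tree with the VCS checkout. `normalised` names files
/// whose differences are explained by cargo's publish step.
pub fn compare_trees(package: &Path, vcs: &Path, normalised: &[&str]) -> io::Result<TreeDiff> {
    let (mut pkg_files, mut vcs_files) = (BTreeSet::new(), BTreeSet::new());
    collect(package, Path::new(""), &mut pkg_files)?;
    collect(vcs, Path::new(""), &mut vcs_files)?;
    let mut diff = TreeDiff::default();
    diff.only_in_package = pkg_files.difference(&vcs_files).map(|p| show(p)).collect();
    diff.only_in_vcs = vcs_files.difference(&pkg_files).map(|p| show(p)).collect();
    for rel in pkg_files.intersection(&vcs_files) {
        // Full byte comparison, not mtime or size: a one-byte change must show.
        if fs::read(package.join(rel))? != fs::read(vcs.join(rel))? {
            let name = show(rel);
            if normalised.contains(&name.as_str()) {
                diff.normalised.push(name);
            } else {
                diff.differing.push(name);
            }
        }
    }
    Ok(diff)
}

/// Constructed fixture (not real crate contents): a fake published tree and a
/// fake VCS checkout. With `tamper`, build.rs in the package is altered.
pub fn write_fixture(base: &Path, tamper: bool) -> io::Result<(PathBuf, PathBuf)> {
    let pkg = base.join("contents");
    let vcs = base.join("vcs");
    let pkg_manifest = "# generated by cargo publish\n[package]\nname = \"demo\"\n";
    let vcs_manifest = "[package]\nname = \"demo\"\n";
    for (root, manifest) in [(&pkg, pkg_manifest), (&vcs, vcs_manifest)] {
        fs::create_dir_all(root.join("src"))?;
        fs::write(root.join("Cargo.toml"), manifest)?;
        fs::write(root.join("src/lib.rs"), "pub const X: u32 = 1;\n")?;
        fs::write(root.join("build.rs"), "fn main() {}\n")?;
    }
    fs::create_dir_all(vcs.join("tests"))?;
    fs::write(vcs.join("tests/layout.rs"), "// compile checks, not shipped\n")?;
    fs::create_dir_all(vcs.join(".git"))?;
    fs::write(vcs.join(".git/HEAD"), "ref: refs/heads/master\n")?;
    if tamper {
        fs::write(pkg.join("build.rs"), "fn main() { /* differs from VCS */ }\n")?;
    }
    Ok((pkg, vcs))
}

fn main() -> io::Result<()> {
    let base = std::env::temp_dir().join(format!("audit-tree-example-{}", std::process::id()));
    let (pkg, vcs) = write_fixture(&base, false)?;
    println!("{:#?}", compare_trees(&pkg, &vcs, &["Cargo.toml"])?);
    fs::remove_dir_all(&base)
}
```

On a real audit the two roots would be the unpacked .crate and a checkout at the tagged commit; anything in differing or only_in_package is what the report has to explain, while only_in_vcs entries such as an unshipped tests/ directory are noted rather than flagged.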

Results

The diff -rq between contents/ and vcs/ shows only the expected Cargo.toml normalisation differences (cargo auto-generated header lines, field reordering). All 404 source files and build.rs match the VCS tree byte-for-byte. No unexplained files are present. is-benign.

No pre-compiled binaries appear in the package. has-binaries.

The build.rs is the only build-time code. It reads CARGO_FEATURE_* variables to identify which headers are requested, reads TARGET to filter one library on aarch64, and reads WINAPI_NO_BUNDLED_LIBRARIES and WINAPI_STATIC_NOBUNDLE to select link mode. It emits only cargo:rustc-link-lib, cargo:rustc-cfg, and cargo:rerun-if-env-changed lines. It makes no network requests, spawns no processes, and writes nothing outside the cargo output protocol. Justifies has-build-exec, build-exec-safe, build-exec-no-network, build-exec-no-write-out, build-exec-minimal, and build-exec-deterministic. The env vars read are the standard CARGO_FEATURE_*/TARGET cargo-provided variables plus the two WINAPI_* vars documented in the README; they are used only to influence link flags, justifying uses-environment and environment-safe.

No install script exists. has-install-exec.

The source is FFI declarations: extern "system" function imports, C-ABI struct and union definitions, and constants. The 87 unsafe occurrences are concentrated in src/macros.rs (COM vtable dispatch methods and union accessor methods via pointer casts) and in three extern "C" blocks in binding files. No network sockets, filesystem calls, process spawning, cryptographic operations, or concurrency primitives appear anywhere in the library code. Justifies uses-network, uses-filesystem, uses-exec, uses-crypto, uses-concurrency, uses-jit, uses-interpreter, and uses-unsafe.

The crate implements no algorithms, data structures, parsers, interpreters, JIT, protocols, or concurrency primitives. Justifies impl-crypto, impl-parser, impl-interpreter, impl-jit, impl-protocol, impl-datastructure, impl-algorithm, impl-concurrency.

No #[test] items, no tests/ directory in the published package, and no fuzz or property test infrastructure. The VCS has a tests/ directory containing struct-layout and API compile-check tests, but these are not shipped. Justifies has-unit-tests, has-integration-tests, has-fuzz-tests, has-property-tests.

No findings were raised.

Conclusion

The package contents match the VCS commit byte-for-byte on all source and build files. The build script performs purely mechanical link-library selection from cargo feature flags and two optional env vars; it does nothing unexpected. The library itself is entirely type declarations with no runtime behaviour. No findings were raised. The unsafe sub-claims (unsafe-safe, unsafe-documented, unsafe-minimal) were left unasserted due to the scale of the generated binding code.

Findings

No findings.

Annotations (2)

build.rs

build.rs reads CARGO_FEATURE_* env vars to identify which Windows headers are requested, reads TARGET to filter out unsupported libraries on aarch64, and reads WINAPI_NO_BUNDLED_LIBRARIES and WINAPI_STATIC_NOBUNDLE to configure link mode. It emits only cargo:rustc-link-lib and cargo:rustc-cfg directives plus cargo:rerun-if-env-changed lines. No network access, no process spawning, no writes outside the cargo output protocol. Justifies has-build-exec, build-exec-safe, build-exec-no-network, build-exec-no-write-out, build-exec-minimal, build-exec-deterministic, uses-environment, environment-safe.
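A model of the link-directive selection described in the Results section and in this annotation, as an added example in Rust. It is not winapi's build.rs: the feature-to-library table, the placeholder library names, the aarch64 exclusion flag, and the way the two WINAPI_* variables change the output are assumptions made for the example. The second half is the check an auditor would run over a build script's captured stdout: every line must be one of the cargo directive kinds the report names, and the env vars the script declares via rerun-if-env-changed can be compared against the ones documented in the README.

```rust
// Added example (not winapi's build.rs): a pure model of link-directive
// selection plus a checker for the cargo build-script output protocol.
use std::collections::BTreeSet;

/// Constructed feature -> import-library table. The bool models the report's
/// "filters one library on aarch64". Names are placeholders, not the crate's.
const LIBS: &[(&str, &str, bool)] = &[
    // (cargo feature, library to link, available on aarch64?)
    ("example_kernel", "example_kernel", true),
    ("example_user", "example_user", true),
    ("example_legacy", "example_legacy", false),
];

/// The inputs the build script reads, passed as plain values so the
/// selection is a pure function that can be tested without cargo.
pub struct BuildEnv<'a> {
    pub features: &'a [&'a str], // enabled cargo features
    pub target: &'a str,         // TARGET triple cargo passes to build scripts
    pub no_bundled: bool,        // WINAPI_NO_BUNDLED_LIBRARIES is set
    pub static_nobundle: bool,   // WINAPI_STATIC_NOBUNDLE is set
}

/// Assumption for this example: without bundled libraries, system import
/// libraries are linked (static-nobundle if requested, else dylib); with
/// bundled libraries only a cfg flag is set. Every output line is a cargo
/// directive; nothing is read from the network or written to disk.
pub fn link_directives(env: &BuildEnv) -> Vec<String> {
    let mut out = vec![
        "cargo:rerun-if-env-changed=WINAPI_NO_BUNDLED_LIBRARIES".to_string(),
        "cargo:rerun-if-env-changed=WINAPI_STATIC_NOBUNDLE".to_string(),
    ];
    let is_aarch64 = env.target.starts_with("aarch64");
    if env.no_bundled {
        let kind = if env.static_nobundle { "static-nobundle" } else { "dylib" };
        for (feature, lib, aarch64_ok) in LIBS {
            if !env.features.contains(feature) || (is_aarch64 && !*aarch64_ok) {
                continue;
            }
            out.push(format!("cargo:rustc-link-lib={}={}", kind, lib));
        }
    } else {
        out.push("cargo:rustc-cfg=example_bundled_libs".to_string());
    }
    out
}

/// Directive prefixes a link-selection-only build script is expected to
/// emit. Anything else (link-search into odd paths, link-arg, plain text
/// that suggests downloads or spawned tools) is reported for review.
const ALLOWED: &[&str] = &[
    "cargo:rustc-link-lib=",
    "cargo:rustc-cfg=",
    "cargo:rerun-if-env-changed=",
    "cargo:rerun-if-changed=",
];

/// Lines of captured build-script stdout that fall outside the allowlist.
pub fn unexpected_lines(lines: &[String]) -> Vec<&str> {
    lines
        .iter()
        .map(String::as_str)
        .filter(|l| !ALLOWED.iter().any(|p| l.starts_with(p)))
        .collect()
}

/// Env vars the script declares it depends on; compare with the README.
pub fn env_vars_declared(lines: &[String]) -> BTreeSet<String> {
    lines
        .iter()
        .filter_map(|l| l.strip_prefix("cargo:rerun-if-env-changed="))
        .map(str::to_string)
        .collect()
}

/// How a real build script learns its features: cargo sets
/// CARGO_FEATURE_<NAME> (upper-cased, '-' replaced by '_') for each one.
pub fn enabled_features_from_env() -> Vec<String> {
    std::env::vars()
        .filter_map(|(k, _)| k.strip_prefix("CARGO_FEATURE_").map(|f| f.to_lowercase()))
        .collect()
}

fn main() {
    let env = BuildEnv {
        features: &["example_kernel", "example_legacy"],
        target: "aarch64-pc-windows-msvc",
        no_bundled: true,
        static_nobundle: false,
    };
    let lines = link_directives(&env);
    for line in &lines {
        println!("{}", line);
    }
    println!("unexpected: {:?}", unexpected_lines(&lines));
}
```

Running a crate's real build script with captured stdout and feeding the lines to unexpected_lines and env_vars_declared turns the report's "emits only ..." and "reads only ..." statements into a mechanical check that can be repeated on the next release.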

src/macros.rs

The crate contains 87 occurrences of unsafe keywords across the source tree. The bulk are in macros.rs, which generates unsafe accessor methods for COM vtable dispatch and union variant access (pointer casts via as *const _ and mem::zeroed()). A smaller number appear in individual binding files (evntrace.rs, wincrypt.rs, shellapi.rs) as extern "C" blocks. All unsafe here is inherent to FFI binding declarations and COM vtable indirection; there is no unsafe logic beyond type-level pointer casts. Justifies uses-unsafe. The unsafe-safe, unsafe-documented, and unsafe-minimal claims are scoped out per the scoped-audit methodology.