From bbc329fd1f90c5a46a96b78bb3f801ff8bf7415e Mon Sep 17 00:00:00 2001 From: "jhr2hi@bosch.com" Date: Mon, 15 Jun 2026 15:50:59 +0200 Subject: [PATCH 1/4] improve rust coding guidelines and add CodeQL --- .../development/rust/coding_guidelines.rst | 402 ++++++++++++++++-- docs/contribute/development/rust/index.rst | 5 + 2 files changed, 368 insertions(+), 39 deletions(-) diff --git a/docs/contribute/development/rust/coding_guidelines.rst b/docs/contribute/development/rust/coding_guidelines.rst index 9bfcc920fdd..842184a62c4 100644 --- a/docs/contribute/development/rust/coding_guidelines.rst +++ b/docs/contribute/development/rust/coding_guidelines.rst @@ -23,8 +23,39 @@ Writing Rust Code incl. Coding Guidelines :realizes: wp__sw_development_plan +Safety Rust +=========== + +For writing Rust code in SCORE, especially for safety- and +security-relevant software, the following guidance and tooling references +apply. + + Coding Guidelines -================= +----------------- + +The following coding guidelines and reference documents are relevant for +Rust development in SCORE: + +* `JA1020_202603: Safety and Cybersecurity Recommendations for the Use of the Rust Language in Critical Systems `_ + is the primary baseline for safety- and security-related Rust development and in arguing safety according to ISO 26262 or RTCA DO-178C combined with RTCA DO-332. The current version of JA1020 is from March 2026 and is expected to be updated in the future, with the next version planned for late 2026. It provides a comprehensive set of recommendations for using Rust in safety-critical systems, covering topics such as language features, coding practices, and tool usage. +* `Safety-Critical Rust Coding Guidelines `_ + are still under development and currently only define a subset of the + desired rules. +* `Secure Rust Guidelines (unstable) `_ + complement JA1020. ANSSI focuses more on process and architecture + guidance, while JA1020 is more concrete regarding tool usage and + enforceable checks. +* `Linux Kernel Rules `_ + mainly define formatting and documentation requirements for Rust in the + Linux kernel and do not provide broader static code analysis rules. +* `MISRA C:2025 Addendum 6, Applicability of MISRA C:2025 to the Rust Programming Language `_ + overlaps strongly with JA1020 and is therefore primarily relevant as an + additional cross-reference. + + +State of Rust Safety-Critical Tooling +------------------------------------- The Safety-Critical Rust Consortium aims to make Rust suitable for use in automotive and other safety-critical environments by building and maintaining a @@ -52,17 +83,13 @@ enable certification and safe use of Rust in automotive applications. `Rust language `_ - -State of Rust Safety-Critical Tooling -##################################### - The linked document provides a current overview of the tooling landscape for certifying Rust in safety-critical applications, presenting a community-approved list of essential tools and tracking their development status. It also explores whether developing specialized training curricula for safety-critical Rust is necessary, potentially requiring a separate -subcommittee. The document details the state of specific tools—such as -compilers and analysis utilities—by outlining their intended purposes, +subcommittee. The document details the state of specific tools, such as +compilers and analysis utilities, by outlining their intended purposes, certification requirements, and their availability or progress. While some tools, such as the Ferrocene compiler, are already available or being actively developed, others remain under evaluation or are not yet accessible. @@ -70,20 +97,8 @@ developed, others remain under evaluation or are not yet accessible. `Mission Statement - Tooling Subcommittee `_ -Explanation of ARA Applications in Rust -####################################### - -AUTOSAR also shares a public available document that explains how to use Rust in -ARA applications as Rust is offering safety and performance advantages. While -ecosystem support is still maturing, Rust-based ARA applications can lead to -safer, more reliable automotive software, especially in safety-critical and -high-performance domains. - -`AUTOSAR ARA Applications in Rust `_ - - -MISRA vs Cert -############# +MISRA vs CERT +------------- This issue contrasts the MISRA and CERT coding standards, highlighting their different approaches to software safety and security. MISRA is noted for its @@ -93,19 +108,21 @@ security. This can create unnecessary work for developers without clear benefits and is sometimes inconsistent across languages. CERT, on the other hand, is praised for its focus on practical, consensus-based rules that target real security vulnerabilities in existing code, avoiding excessive constraints. -The overall recommendation is to favor guidelines like CERT’s—practical, -evidence-based, and focused on real-world issues—over rigid, untested standards -that hinder adoption and developer productivity. +The overall recommendation is to favor guidelines like CERT's: practical, +evidence-based, and focused on real-world issues, over rigid, untested +standards that hinder adoption and developer productivity. `MISRA vs Cert `_ -In 2026 the Coding Guidelines Subcommittee of the SCRC are aiming to have MISRA C and CERT C mapped to Rust, with +In 2026 the Coding Guidelines Subcommittee of the SCRC are aiming to have +MISRA C and CERT C mapped to Rust, with + +* a bulk of the coding guidelines written +* a bulk of the Clippy lints necessary written to check the guidelines -- a bulk of the coding guidelines written -- a bulk of the Clippy lints necessary written to check the guidelines -Link to Clippy -############## +Rust Tooling: Clippy +-------------------- Rust Clippy is a collection of lints (code style and correctness checks) for the Rust programming language. It helps developers identify common mistakes, @@ -117,8 +134,36 @@ tool for writing clean, idiomatic, and efficient Rust code. `Link to Clippy `_ -Link to Miri -############ +Rust Tooling: CodeQL +-------------------- + +CodeQL is a code analysis platform based on the QL query language and +associated tooling. It supports Rust (see +https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/ +and https://codeql.github.com/codeql-query-help/rust-cwe/). + +Typical problem classes detected by CodeQL for Rust include: + +* injection vulnerabilities (e.g., SQL injection, path traversal, + regex injection, log injection, XSS) +* insecure communication and transport usage (e.g., non-HTTPS URLs, + disabled TLS certificate checks) +* cryptographic weaknesses (e.g., hard-coded cryptographic values, + weak algorithms or weak hashing) +* sensitive data exposure (e.g., cleartext logging, cleartext + transmission or storage) +* request and input abuse patterns (e.g., SSRF, uncontrolled allocation + size from untrusted input) +* unsafe memory-related patterns relevant at Rust unsafe boundaries + (e.g., access-after-lifetime-ended, invalid pointer access, + constructor initialization issues) + +CodeQL's key strength is inter-procedural data-flow/taint tracking, +which complements compiler and lint checks. + + +Rust Tooling: Miri +------------------ Miri is an Undefined Behavior detection tool for Rust. It can run binaries and test suites of cargo projects and detect unsafe code that fails to @@ -126,17 +171,296 @@ uphold its safety requirements. `Link to Miri `_ + Conclusions for S-CORE -###################### +---------------------- + +The SAE JA1020 Appendix A.2 contains some rules and recommendations related to the automated tools that support its enforcement. The following table summarizes the coverage of these tools. Where no automated tool exists, the coverage column reflects the need for manual review, process controls, or architecture decisions. + +The classification follows the MISRA convention used by SAE JA1020: + + Required — Mandatory. Deviations need documented reasoning. + Advisory — Recommended. Deviations should be documented when practical. + Document — The decision and its reasoning must be documented regardless of outcome. + +The matrix below summarizes overall coverage per topic. The `Cargo.toml` +profiles further below are practical baseline and intentionally +contains the by JA1020 recommended subset of checks. + + +.. csv-table:: Overlap Summary Matrix (JA1020_202603 Measures) + :header: "Name", "Type", "Automated (JA1020)", "Section", "CodeQL", "Clippy", "Rustc", "Other Tooling / Process", "Combined" + :widths: 24, 14, 12, 10, 10, 18, 18, 22, 8 + + "Compiler qualification", "Document, Required", "-", "6.1, 13.1", "-", "-", "-", "Process/evidence", "M" + "Dependency management", "Required", "-", "6.1.1, 6.2.8, 6.4.18, 13.1", "-", "-", "-", "cargo-audit, cargo-deny, cargo-vet, SBOM", "H" + "async/await decision", "Document, Advisory", "-", "6.2.1", "-", "-", "-", "Architecture decision record", "M" + "Extension trait guidelines", "Document, Advisory", "-", "6.2.2", "-", "-", "-", "Review guideline", "M" + "Minimum Supported Rust Version", "Document, Advisory", "cargo plugin", "6.2.3", "-", "-", "M (stable toolchain pinning, rust-version policy)", "Toolchain pinning in CI", "H" + "Shadowing style", "Document, Advisory", "Partially, clippy", "6.2.4, 6.3.4", "-", "M (shadow_reuse/shadow_unrelated as warn, shadow_same as allow)", "-", "Review style guide", "M" + "Code review environment", "Advisory", "-", "6.2.5", "-", "-", "-", "Process/tooling setup", "M" + "Macro review and testing strategy", "Document, Advisory", "-", "6.2.6", "-", "-", "-", "Tests, trybuild, review", "M" + "Module file naming", "Document, Advisory", "Partially", "6.2.7", "-", "L (no strong built-in lint)", "-", "Custom checks", "M" + "Default trait implementations", "Document, Advisory", "-", "6.2.9", "-", "-", "-", "Design guideline", "M" + "Usage of unwrap in mutex lock", "Document, Advisory", "-", "6.2.10.1", "-", "M (unwrap_used with documented exception policy)", "-", "Review policy", "M" + "Document undesirable but not unsafe hardware effects", "Advisory", "-", "6.2.10.2", "-", "-", "-", "Safety documentation", "M" + "FFI: Check values at boundary", "Required", "-", "6.3.1, 6.3.1.3", "-", "-", "-", "FFI tests, fuzzing, review", "M" + "Safe wrapper for unsafe interfaces", "Required", "-", "6.3.1", "-", "-", "-", "Design/review", "M" + "Document unsafe assumptions in Safety: clause", "Required", "clippy", "6.3.1", "-", "H (undocumented_unsafe_blocks)", "-", "-", "H" + "Minimal scope for unsafe", "Required", "-", "6.3.1", "-", "M (policy/review support, no single strong lint)", "-", "cargo-geiger, review", "M" + "Unsafe block in unsafe function", "Required", "clippy", "6.3.1", "-", "M (supporting only, project-dependent)", "H (unsafe_op_in_unsafe_fn)", "-", "H" + "Safety documentation for unsafe functions", "Required", "clippy", "6.3.1", "-", "M (manual documentation/review in profile baseline)", "-", "Rustdoc + review process", "M" + "Panic documentation on functions", "Required", "clippy", "6.3.1", "-", "H (missing_panics_doc)", "-", "-", "H" + "Global mutable state with sound wrapper", "Required", "-", "6.3.1.1", "-", "-", "-", "Review/design", "M" + "FFI rules from ANSII", "Required", "-", "6.3.1.2", "-", "-", "-", "FFI conformance process", "M" + "Inline assembly rules from reference", "Required", "-", "6.3.1.4", "-", "-", "-", "Manual asm review", "M" + "Automated contract versioning", "Advisory", "symbols", "6.3.1.5", "-", "-", "-", "Symbol/ABI diff tooling", "H" + "Pointer to reference conversion", "Required", "-", "6.3.1.6", "M", "M (cast_ptr_alignment, ptr_cast_constness, ref_as_ptr, transmute_ptr_to_ptr)", "M (invalid_reference_casting plus diagnostics)", "Review/tests", "M" + "Define proper panic handling", "Document, Required", "-", "6.3.2, 6.4.12", "-", "M (panic_in_result_fn as warn; unwrap_used and panicking_overflow_checks evaluated for usefulness)", "M (panic strategy/profile settings)", "Panic strategy in CI/profile", "H" + "catch_unwind only for controlled shutdown", "Required", "-", "6.3.2", "-", "L (no direct strong lint)", "-", "Review policy", "M" + "Deref misuse for inheritance", "Required", "-", "6.3.3", "-", "L (no direct strong lint)", "-", "Review/style", "M" + "Transitive interior mutability documentation", "Advisory", "-", "6.3.5", "-", "-", "-", "Documentation process", "M" + "No internal mutability in constants", "Required", "-", "6.3.5", "-", "H (declare_interior_mutable_const)", "-", "-", "H" + "Prefer cfg!() over #[cfg()]", "Required", "-", "6.3.6", "-", "-", "-", "Review/custom linting", "M" + "Features are additive, not exclusive", "Required", "-", "6.3.6", "-", "-", "-", "Cargo feature CI checks", "H" + "No deprecated interfaces from core/std", "Required", "-", "6.3.7", "-", "M (deprecated in lint profile)", "H (deprecated)", "-", "H" + "No nightly features", "Required", "rustc", "6.3.8", "-", "-", "H (stable compiler policy; unstable_features on nightly)", "Stable toolchain enforcement", "H" + "No wildcard in imports", "Required", "clippy", "6.3.9", "-", "H (wildcard_imports)", "-", "-", "H" + "Ensure formatting and lints (e.g., in CI)", "Advisory", "rustfmt + clippy", "6.4.1", "-", "H (CI clippy gate)", "-", "rustfmt in CI", "H" + "No raw identifiers", "Required", "grep", "6.4.1", "-", "-", "-", "grep/custom check", "H" + "Rustc linter", "Advisory", "rustc", "6.4.2", "-", "-", "H (JA1020-curated rustc baseline profile; extended edition/future lints enabled per toolchain support)", "-", "H" + "Clippy linter", "Advisory", "clippy", "6.4.3", "-", "H (JA1020 curated warn/deny/allow clippy profile)", "-", "-", "H" + "Strong typing for error detection at compile time", "Advisory", "-", "6.4.5", "-", "-", "H (type system, borrow checker, trait bounds)", "-", "H" + "Structures replace many arguments", "Advisory", "-", "6.4.5.2", "-", "L (style/review guidance)", "-", "Review/style", "M" + "Testing trait requirements on trait implementations", "Required", "-", "6.4.6", "-", "-", "-", "Tests/property tests", "H" + "Test coverage on generics", "Advisory", "coverage", "6.4.7, 10.1", "-", "-", "-", "Coverage tooling", "H" + "Avoid as for conversions", "Required", "clippy", "6.4.9", "-", "H (as_underscore, cast_lossless, cast_possible_truncation, cast_possible_wrap, cast_ptr_alignment, cast_sign_loss)", "-", "-", "H" + "Error/Option instead of magic values", "Advisory", "-", "6.4.10", "-", "M (partial style support)", "M (type checks support pattern, no direct rule)", "Review", "M" + "Resource Acquisition Is Initialization", "Required", "-", "6.4.11", "-", "-", "M (ownership and Drop semantics, no direct lint)", "Review/tests", "M" + "Overflow checking", "Required", "rustc", "6.4.12", "-", "-", "H (release overflow-checks enabled)", "Release profile setting", "H" + "Dynamic memory design", "Required", "-", "6.4.13", "-", "-", "-", "Allocator/system design checks", "M" + "Stack checking", "Required", "rustc", "6.4.13", "-", "-", "M (limited compiler support)", "cargo-call-stack, external analysis", "M" + "Concurrency system design (timing constraints)", "Required", "-", "6.4.14, 6.4.15.4", "-", "-", "-", "loom, WCET, system analysis", "M" + "Document cancellation safety of async functions", "Advisory", "-", "6.4.15.1", "-", "-", "-", "Documentation/review", "M" + "Explicit task dropping intention", "Advisory", "-", "6.4.15.3", "-", "L (let_underscore_future as supporting signal)", "-", "Runtime policy/review", "M" + "Planning ahead for Pin/Send", "Document, Advisory", "-", "6.4.15.5", "-", "-", "M (Send and lifetime trait-bound checks)", "Design constraints review", "M" + "Minimize duplicated dependencies because of versioning", "Required", "cargo", "6.4.16", "-", "-", "-", "cargo tree, cargo-deny", "H" + "Minimal scope for symbols", "Advisory", "(clippy)", "6.4.16", "-", "M (redundant_pub_crate as supporting signal)", "M (unreachable_pub, visibility diagnostics)", "Visibility checks/review", "M" + "Multi-crate design to minimize cyclic dependencies", "Advisory", "-", "6.4.16", "-", "-", "-", "cargo graph, dependency analysis", "M" + "Usize should only measure memory, not environment quantities", "Required", "-", "6.4.17", "-", "L (no direct strong lint)", "-", "Review/style", "M" + "Separation of download and build steps", "Advisory", "-", "6.4.18", "-", "-", "-", "CI sandboxing/pipeline controls", "H" + "Special protection of sensitive data", "Advisory", "-", "6.4.19", "H", "-", "-", "Secret handling process", "H" + "Marker traits for formal documentation", "Advisory", "-", "6.4.21", "-", "-", "M (trait-bound enforcement mechanism)", "Review/formal method support", "M" + "Lifetime and pointers", "Advisory", "-", "6.4.23.1", "M", "-", "H (borrow checker, lifetime analysis)", "-", "H" + "Atomic access modes", "Advisory", "-", "6.4.23.2", "-", "L (no explicit lint in current JA1020 profile block)", "-", "Review for ordering rationale", "M" + "Unintended matches", "Advisory", "-", "6.4.23.3", "-", "M (wildcard_enum_match_arm)", "M (non_exhaustive_omitted_patterns)", "-", "M" + "Logically significant return values should be #[must_use]", "Required", "-", "9.1", "-", "M (let_underscore_must_use)", "M (unused_results in profile; must_use semantics by language)", "-", "M" + "Complex drop logic should be called explicitly", "Required", "-", "9.2", "-", "L (no direct strong lint)", "-", "Review/tests", "M" + During the S-CORE project formatting and clippy checks are enforced. Miri can -be used to detect undefined behaviors. Also the code should compile with zero warnings. -Additional guidelines by the Rust Community, the Rust Foundation and the Safety-Critical -Rust Consortium are applied where applicable but not enforced. If possible the usage -of `unsafe` is avoided. To keep the code `panic`-free only APIs with a proper return value -should be used. The goal is to have coding guidelines for Rust suitable for safety-critial -systems by Safety-Critical Rust Consortium by the end of 2026. Until that, please also use -Slack score-rust-community channel for discussions and participation in the SCRC. +be used to detect undefined behaviors. Also the code should compile with zero +warnings. Additional guidelines by the Rust Community, the Rust Foundation and +the Safety-Critical Rust Consortium are applied where applicable but not +enforced. If possible the usage of `unsafe` is avoided. To keep the code +`panic`-free only APIs with a proper return value should be used. The goal is +to have coding guidelines for Rust suitable for safety-critial systems by the +Safety-Critical Rust Consortium by the end of 2026. Until that, please also +use Slack score-rust-community channel for discussions and participation in the +SCRC. The adaption of these guidelines will be documented in the S-CORE project documentation. + +.. admonition:: Cargo.toml lint profile (JA1020-oriented, practical baseline) + + .. code-block:: toml + + # Cargo.toml + + # Rust compiler lints (rustc) + [lints.rust] + unsafe_op_in_unsafe_fn = "deny" + missing_abi = "warn" + unreachable_pub = "warn" + missing_docs = "warn" + unused_results = "warn" + let_underscore_drop = "warn" + non_exhaustive_omitted_patterns = "warn" + + # Rustc lints recommended to evaluate as warn (JA1020) + elided_lifetimes_in_paths = "warn" + explicit_outlives_requirements = "warn" + macro_use_extern_crate = "warn" + meta_variable_misuse = "warn" + non_local_definitions = "warn" + redundant_lifetimes = "warn" + single_use_lifetimes = "warn" + trivial_numeric_casts = "warn" + unit_bindings = "warn" + unnameable_types = "warn" + variant_size_differences = "warn" + + # Edition and compatibility lint groups (JA1020 intent) + # Enable rust--* and keyword-idents- lints supported by the + # pinned compiler version. + unused = { level = "warn", priority = -1 } + + # Future/availability-dependent rustc lints (enable when available in + # the selected toolchain) + # must_not_suspend = "warn" + # fuzzy_provenance_casts = "warn" + # lossy_provenance_casts = "warn" + + # Clippy lints + [lints.clippy] + # Warn + as_underscore = "warn" + cast_lossless = "warn" + cast_possible_truncation = "warn" + cast_possible_wrap = "warn" + cast_sign_loss = "warn" + cast_ptr_alignment = "warn" + exit = "warn" + format_push_string = "warn" + infinite_loop = "warn" + iter_over_hash_type = "warn" + invalid_upcast_comparisons = "warn" + lossy_float_literal = "warn" + missing_errors_doc = "warn" + missing_docs_in_private_items = "warn" + panic_in_result_fn = "warn" + ptr_cast_constness = "warn" + ref_as_ptr = "warn" + transmute_ptr_to_ptr = "warn" + redundant_type_annotations = "warn" + shadow_reuse = "warn" + shadow_unrelated = "warn" + try_err = "warn" + wildcard_enum_match_arm = "warn" + + # Deny + as_ptr_cast_mut = "deny" + let_underscore_must_use = "deny" + missing_panics_doc = "deny" + undocumented_unsafe_blocks = "deny" + wildcard_imports = "deny" + declare_interior_mutable_const = "deny" + + # Allow + shadow_same = "allow" + implicit_return = "allow" + allow_attributes = "allow" + + # Evaluate for helpfulness (JA1020) + panicking_overflow_checks = "warn" + unwrap_used = "warn" + + # Recommended against because too coarse (JA1020) + as_conversions = "allow" + + # Release profile requirement + [profile.release] + overflow-checks = true # Required for safety-oriented integer checks + + # Checking of documentation on private items (in clippy.toml) + # check-private-items = true + + +.. admonition:: Cargo.toml lint profile (JA1020-oriented, strict/ASIL variant) + + .. code-block:: toml + + # Cargo.toml + + # Rust compiler lints (strict) + [lints.rust] + unsafe_op_in_unsafe_fn = "deny" + missing_abi = "warn" + unreachable_pub = "warn" + missing_docs = "warn" + unused_results = "warn" + let_underscore_drop = "warn" + non_exhaustive_omitted_patterns = "warn" + + # Rustc lints recommended to evaluate as warn (JA1020) + elided_lifetimes_in_paths = "warn" + explicit_outlives_requirements = "warn" + macro_use_extern_crate = "warn" + meta_variable_misuse = "warn" + non_local_definitions = "warn" + redundant_lifetimes = "warn" + single_use_lifetimes = "warn" + trivial_numeric_casts = "warn" + unit_bindings = "warn" + unnameable_types = "warn" + variant_size_differences = "warn" + + # Edition and compatibility lint groups (JA1020 intent) + unused = { level = "warn", priority = -1 } + + # Clippy lints (strict) + [lints.clippy] + # Warn + as_underscore = "warn" + cast_lossless = "warn" + cast_possible_truncation = "warn" + cast_possible_wrap = "warn" + cast_sign_loss = "warn" + cast_ptr_alignment = "warn" + exit = "warn" + format_push_string = "warn" + infinite_loop = "warn" + iter_over_hash_type = "warn" + invalid_upcast_comparisons = "warn" + lossy_float_literal = "warn" + missing_errors_doc = "warn" + missing_docs_in_private_items = "warn" + panic_in_result_fn = "warn" + ptr_cast_constness = "warn" + ref_as_ptr = "warn" + transmute_ptr_to_ptr = "warn" + redundant_type_annotations = "warn" + shadow_reuse = "warn" + shadow_unrelated = "warn" + try_err = "warn" + wildcard_enum_match_arm = "warn" + + # Deny + as_ptr_cast_mut = "deny" + let_underscore_must_use = "deny" + missing_panics_doc = "deny" + undocumented_unsafe_blocks = "deny" + wildcard_imports = "deny" + declare_interior_mutable_const = "deny" + + # Allow + shadow_same = "allow" + implicit_return = "allow" + allow_attributes = "allow" + + # Evaluate for helpfulness (JA1020) + panicking_overflow_checks = "warn" + unwrap_used = "warn" + + # Recommended against because too coarse (JA1020) + as_conversions = "allow" + + # Release profile requirement + [profile.release] + overflow-checks = true + + # clippy.toml + # check-private-items = true + + +Explanation of ARA Applications in Rust +======================================= + +AUTOSAR also shares a public available document that explains how to use Rust in +ARA applications as Rust is offering safety and performance advantages. While +ecosystem support is still maturing, Rust-based ARA applications can lead to +safer, more reliable automotive software, especially in safety-critical and +high-performance domains. + +`AUTOSAR ARA Applications in Rust `_ diff --git a/docs/contribute/development/rust/index.rst b/docs/contribute/development/rust/index.rst index 6f3e5b7b988..7dfcc9f1b9a 100644 --- a/docs/contribute/development/rust/index.rst +++ b/docs/contribute/development/rust/index.rst @@ -15,6 +15,11 @@ Rust #### +For safety- and security-related Rust development, SCORE uses +`SAE JA1020_202603 `_ +as a baseline reference for recommended practices, in addition to the +project-specific guidance linked below. + .. toctree:: :maxdepth: 1 From ae9763827ebd792ba38b3e16b811677dfa8a7ed2 Mon Sep 17 00:00:00 2001 From: "jhr2hi@bosch.com" Date: Mon, 15 Jun 2026 15:54:53 +0200 Subject: [PATCH 2/4] certification --- .../development/rust/certification/index.rst | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/contribute/development/rust/certification/index.rst b/docs/contribute/development/rust/certification/index.rst index c9b484270ab..4e85f53f374 100644 --- a/docs/contribute/development/rust/certification/index.rst +++ b/docs/contribute/development/rust/certification/index.rst @@ -15,6 +15,35 @@ Certification ############## + +JA1020_202603 and Rust Certification +==================================== + +SAE JA1020_202603 describes certification-relevant guidance for Rust and its +tooling, especially in the context of ISO 26262 and RTCA DO-178C/DO-332. + +Key points for practice: + +* Tool confidence and qualification must be explicitly defined for compiler and + crates (see JA1020 section 6.1). +* Depending on project context and integrity level, three paths are considered: + qualified tools, strong downstream verification that detects tool faults, or + comprehensive confidence evidence for tool usage. +* Qualification evidence is tied to the exact tool version, target + architecture, and relevant compiler configuration. +* Stable toolchains are expected for certification contexts; nightly features + are not recommended for safety-related projects. +* Configuration management must include Rust toolchain components (e.g., + compiler, rustup/cargo, clippy/rustdoc), runtime libraries, and external + crates. +* "Proven in use" arguments alone are considered difficult to justify for + safety cases and should not replace structured qualification or verification + arguments. + +For SCORE, JA1020 should be used as baseline guidance for certification +strategy, while project-specific safety case evidence is documented in the +corresponding plans and work products. + .. toctree:: :maxdepth: 1 From a2313e741e98fa6392a62d2f9045370f107aa799 Mon Sep 17 00:00:00 2001 From: "jhr2hi@bosch.com" Date: Mon, 22 Jun 2026 08:51:01 +0200 Subject: [PATCH 3/4] use neutral language --- .../development/rust/certification/index.rst | 10 +- .../development/rust/coding_guidelines.rst | 201 +++++++++--------- docs/contribute/development/rust/index.rst | 4 +- 3 files changed, 111 insertions(+), 104 deletions(-) diff --git a/docs/contribute/development/rust/certification/index.rst b/docs/contribute/development/rust/certification/index.rst index 4e85f53f374..a80d01a2c21 100644 --- a/docs/contribute/development/rust/certification/index.rst +++ b/docs/contribute/development/rust/certification/index.rst @@ -16,16 +16,16 @@ Certification ############## -JA1020_202603 and Rust Certification -==================================== +Rust Certification Guidance +=========================== -SAE JA1020_202603 describes certification-relevant guidance for Rust and its +This section summarizes certification-relevant guidance for Rust and its tooling, especially in the context of ISO 26262 and RTCA DO-178C/DO-332. Key points for practice: * Tool confidence and qualification must be explicitly defined for compiler and - crates (see JA1020 section 6.1). + crates. * Depending on project context and integrity level, three paths are considered: qualified tools, strong downstream verification that detects tool faults, or comprehensive confidence evidence for tool usage. @@ -40,7 +40,7 @@ Key points for practice: safety cases and should not replace structured qualification or verification arguments. -For SCORE, JA1020 should be used as baseline guidance for certification +For SCORE, this baseline guidance should be used for certification strategy, while project-specific safety case evidence is documented in the corresponding plans and work products. diff --git a/docs/contribute/development/rust/coding_guidelines.rst b/docs/contribute/development/rust/coding_guidelines.rst index 842184a62c4..0b839d1afc5 100644 --- a/docs/contribute/development/rust/coding_guidelines.rst +++ b/docs/contribute/development/rust/coding_guidelines.rst @@ -37,20 +37,24 @@ Coding Guidelines The following coding guidelines and reference documents are relevant for Rust development in SCORE: -* `JA1020_202603: Safety and Cybersecurity Recommendations for the Use of the Rust Language in Critical Systems `_ - is the primary baseline for safety- and security-related Rust development and in arguing safety according to ISO 26262 or RTCA DO-178C combined with RTCA DO-332. The current version of JA1020 is from March 2026 and is expected to be updated in the future, with the next version planned for late 2026. It provides a comprehensive set of recommendations for using Rust in safety-critical systems, covering topics such as language features, coding practices, and tool usage. +* A safety- and cybersecurity-oriented Rust baseline is used as the primary + reference for safety- and security-related development and for arguing + safety according to ISO 26262 or RTCA DO-178C combined with RTCA DO-332. + It provides a comprehensive set of recommendations for using Rust in + safety-critical systems, including language features, coding practices, and + tool usage. * `Safety-Critical Rust Coding Guidelines `_ are still under development and currently only define a subset of the desired rules. * `Secure Rust Guidelines (unstable) `_ - complement JA1020. ANSSI focuses more on process and architecture - guidance, while JA1020 is more concrete regarding tool usage and + complement this baseline. ANSSI focuses more on process and architecture + guidance, while the baseline is more concrete regarding tool usage and enforceable checks. * `Linux Kernel Rules `_ mainly define formatting and documentation requirements for Rust in the Linux kernel and do not provide broader static code analysis rules. * `MISRA C:2025 Addendum 6, Applicability of MISRA C:2025 to the Rust Programming Language `_ - overlaps strongly with JA1020 and is therefore primarily relevant as an + overlaps strongly with this baseline and is therefore primarily relevant as an additional cross-reference. @@ -175,87 +179,90 @@ uphold its safety requirements. Conclusions for S-CORE ---------------------- -The SAE JA1020 Appendix A.2 contains some rules and recommendations related to the automated tools that support its enforcement. The following table summarizes the coverage of these tools. Where no automated tool exists, the coverage column reflects the need for manual review, process controls, or architecture decisions. - -The classification follows the MISRA convention used by SAE JA1020: - - Required — Mandatory. Deviations need documented reasoning. - Advisory — Recommended. Deviations should be documented when practical. - Document — The decision and its reasoning must be documented regardless of outcome. - -The matrix below summarizes overall coverage per topic. The `Cargo.toml` -profiles further below are practical baseline and intentionally -contains the by JA1020 recommended subset of checks. - - -.. csv-table:: Overlap Summary Matrix (JA1020_202603 Measures) - :header: "Name", "Type", "Automated (JA1020)", "Section", "CodeQL", "Clippy", "Rustc", "Other Tooling / Process", "Combined" - :widths: 24, 14, 12, 10, 10, 18, 18, 22, 8 - - "Compiler qualification", "Document, Required", "-", "6.1, 13.1", "-", "-", "-", "Process/evidence", "M" - "Dependency management", "Required", "-", "6.1.1, 6.2.8, 6.4.18, 13.1", "-", "-", "-", "cargo-audit, cargo-deny, cargo-vet, SBOM", "H" - "async/await decision", "Document, Advisory", "-", "6.2.1", "-", "-", "-", "Architecture decision record", "M" - "Extension trait guidelines", "Document, Advisory", "-", "6.2.2", "-", "-", "-", "Review guideline", "M" - "Minimum Supported Rust Version", "Document, Advisory", "cargo plugin", "6.2.3", "-", "-", "M (stable toolchain pinning, rust-version policy)", "Toolchain pinning in CI", "H" - "Shadowing style", "Document, Advisory", "Partially, clippy", "6.2.4, 6.3.4", "-", "M (shadow_reuse/shadow_unrelated as warn, shadow_same as allow)", "-", "Review style guide", "M" - "Code review environment", "Advisory", "-", "6.2.5", "-", "-", "-", "Process/tooling setup", "M" - "Macro review and testing strategy", "Document, Advisory", "-", "6.2.6", "-", "-", "-", "Tests, trybuild, review", "M" - "Module file naming", "Document, Advisory", "Partially", "6.2.7", "-", "L (no strong built-in lint)", "-", "Custom checks", "M" - "Default trait implementations", "Document, Advisory", "-", "6.2.9", "-", "-", "-", "Design guideline", "M" - "Usage of unwrap in mutex lock", "Document, Advisory", "-", "6.2.10.1", "-", "M (unwrap_used with documented exception policy)", "-", "Review policy", "M" - "Document undesirable but not unsafe hardware effects", "Advisory", "-", "6.2.10.2", "-", "-", "-", "Safety documentation", "M" - "FFI: Check values at boundary", "Required", "-", "6.3.1, 6.3.1.3", "-", "-", "-", "FFI tests, fuzzing, review", "M" - "Safe wrapper for unsafe interfaces", "Required", "-", "6.3.1", "-", "-", "-", "Design/review", "M" - "Document unsafe assumptions in Safety: clause", "Required", "clippy", "6.3.1", "-", "H (undocumented_unsafe_blocks)", "-", "-", "H" - "Minimal scope for unsafe", "Required", "-", "6.3.1", "-", "M (policy/review support, no single strong lint)", "-", "cargo-geiger, review", "M" - "Unsafe block in unsafe function", "Required", "clippy", "6.3.1", "-", "M (supporting only, project-dependent)", "H (unsafe_op_in_unsafe_fn)", "-", "H" - "Safety documentation for unsafe functions", "Required", "clippy", "6.3.1", "-", "M (manual documentation/review in profile baseline)", "-", "Rustdoc + review process", "M" - "Panic documentation on functions", "Required", "clippy", "6.3.1", "-", "H (missing_panics_doc)", "-", "-", "H" - "Global mutable state with sound wrapper", "Required", "-", "6.3.1.1", "-", "-", "-", "Review/design", "M" - "FFI rules from ANSII", "Required", "-", "6.3.1.2", "-", "-", "-", "FFI conformance process", "M" - "Inline assembly rules from reference", "Required", "-", "6.3.1.4", "-", "-", "-", "Manual asm review", "M" - "Automated contract versioning", "Advisory", "symbols", "6.3.1.5", "-", "-", "-", "Symbol/ABI diff tooling", "H" - "Pointer to reference conversion", "Required", "-", "6.3.1.6", "M", "M (cast_ptr_alignment, ptr_cast_constness, ref_as_ptr, transmute_ptr_to_ptr)", "M (invalid_reference_casting plus diagnostics)", "Review/tests", "M" - "Define proper panic handling", "Document, Required", "-", "6.3.2, 6.4.12", "-", "M (panic_in_result_fn as warn; unwrap_used and panicking_overflow_checks evaluated for usefulness)", "M (panic strategy/profile settings)", "Panic strategy in CI/profile", "H" - "catch_unwind only for controlled shutdown", "Required", "-", "6.3.2", "-", "L (no direct strong lint)", "-", "Review policy", "M" - "Deref misuse for inheritance", "Required", "-", "6.3.3", "-", "L (no direct strong lint)", "-", "Review/style", "M" - "Transitive interior mutability documentation", "Advisory", "-", "6.3.5", "-", "-", "-", "Documentation process", "M" - "No internal mutability in constants", "Required", "-", "6.3.5", "-", "H (declare_interior_mutable_const)", "-", "-", "H" - "Prefer cfg!() over #[cfg()]", "Required", "-", "6.3.6", "-", "-", "-", "Review/custom linting", "M" - "Features are additive, not exclusive", "Required", "-", "6.3.6", "-", "-", "-", "Cargo feature CI checks", "H" - "No deprecated interfaces from core/std", "Required", "-", "6.3.7", "-", "M (deprecated in lint profile)", "H (deprecated)", "-", "H" - "No nightly features", "Required", "rustc", "6.3.8", "-", "-", "H (stable compiler policy; unstable_features on nightly)", "Stable toolchain enforcement", "H" - "No wildcard in imports", "Required", "clippy", "6.3.9", "-", "H (wildcard_imports)", "-", "-", "H" - "Ensure formatting and lints (e.g., in CI)", "Advisory", "rustfmt + clippy", "6.4.1", "-", "H (CI clippy gate)", "-", "rustfmt in CI", "H" - "No raw identifiers", "Required", "grep", "6.4.1", "-", "-", "-", "grep/custom check", "H" - "Rustc linter", "Advisory", "rustc", "6.4.2", "-", "-", "H (JA1020-curated rustc baseline profile; extended edition/future lints enabled per toolchain support)", "-", "H" - "Clippy linter", "Advisory", "clippy", "6.4.3", "-", "H (JA1020 curated warn/deny/allow clippy profile)", "-", "-", "H" - "Strong typing for error detection at compile time", "Advisory", "-", "6.4.5", "-", "-", "H (type system, borrow checker, trait bounds)", "-", "H" - "Structures replace many arguments", "Advisory", "-", "6.4.5.2", "-", "L (style/review guidance)", "-", "Review/style", "M" - "Testing trait requirements on trait implementations", "Required", "-", "6.4.6", "-", "-", "-", "Tests/property tests", "H" - "Test coverage on generics", "Advisory", "coverage", "6.4.7, 10.1", "-", "-", "-", "Coverage tooling", "H" - "Avoid as for conversions", "Required", "clippy", "6.4.9", "-", "H (as_underscore, cast_lossless, cast_possible_truncation, cast_possible_wrap, cast_ptr_alignment, cast_sign_loss)", "-", "-", "H" - "Error/Option instead of magic values", "Advisory", "-", "6.4.10", "-", "M (partial style support)", "M (type checks support pattern, no direct rule)", "Review", "M" - "Resource Acquisition Is Initialization", "Required", "-", "6.4.11", "-", "-", "M (ownership and Drop semantics, no direct lint)", "Review/tests", "M" - "Overflow checking", "Required", "rustc", "6.4.12", "-", "-", "H (release overflow-checks enabled)", "Release profile setting", "H" - "Dynamic memory design", "Required", "-", "6.4.13", "-", "-", "-", "Allocator/system design checks", "M" - "Stack checking", "Required", "rustc", "6.4.13", "-", "-", "M (limited compiler support)", "cargo-call-stack, external analysis", "M" - "Concurrency system design (timing constraints)", "Required", "-", "6.4.14, 6.4.15.4", "-", "-", "-", "loom, WCET, system analysis", "M" - "Document cancellation safety of async functions", "Advisory", "-", "6.4.15.1", "-", "-", "-", "Documentation/review", "M" - "Explicit task dropping intention", "Advisory", "-", "6.4.15.3", "-", "L (let_underscore_future as supporting signal)", "-", "Runtime policy/review", "M" - "Planning ahead for Pin/Send", "Document, Advisory", "-", "6.4.15.5", "-", "-", "M (Send and lifetime trait-bound checks)", "Design constraints review", "M" - "Minimize duplicated dependencies because of versioning", "Required", "cargo", "6.4.16", "-", "-", "-", "cargo tree, cargo-deny", "H" - "Minimal scope for symbols", "Advisory", "(clippy)", "6.4.16", "-", "M (redundant_pub_crate as supporting signal)", "M (unreachable_pub, visibility diagnostics)", "Visibility checks/review", "M" - "Multi-crate design to minimize cyclic dependencies", "Advisory", "-", "6.4.16", "-", "-", "-", "cargo graph, dependency analysis", "M" - "Usize should only measure memory, not environment quantities", "Required", "-", "6.4.17", "-", "L (no direct strong lint)", "-", "Review/style", "M" - "Separation of download and build steps", "Advisory", "-", "6.4.18", "-", "-", "-", "CI sandboxing/pipeline controls", "H" - "Special protection of sensitive data", "Advisory", "-", "6.4.19", "H", "-", "-", "Secret handling process", "H" - "Marker traits for formal documentation", "Advisory", "-", "6.4.21", "-", "-", "M (trait-bound enforcement mechanism)", "Review/formal method support", "M" - "Lifetime and pointers", "Advisory", "-", "6.4.23.1", "M", "-", "H (borrow checker, lifetime analysis)", "-", "H" - "Atomic access modes", "Advisory", "-", "6.4.23.2", "-", "L (no explicit lint in current JA1020 profile block)", "-", "Review for ordering rationale", "M" - "Unintended matches", "Advisory", "-", "6.4.23.3", "-", "M (wildcard_enum_match_arm)", "M (non_exhaustive_omitted_patterns)", "-", "M" - "Logically significant return values should be #[must_use]", "Required", "-", "9.1", "-", "M (let_underscore_must_use)", "M (unused_results in profile; must_use semantics by language)", "-", "M" - "Complex drop logic should be called explicitly", "Required", "-", "9.2", "-", "L (no direct strong lint)", "-", "Review/tests", "M" +The current baseline includes general Rust safety and security topics together +with related rules and recommendations. The following table shows how each +topic is captured in practice, including automated checks (by tool and tool option) and supporting +process measures. Where no automated check exists, coverage is captured +through manual review, process controls, or architecture decisions. + +The classification follows a MISRA-style convention: + +* Required — Mandatory. Deviations need documented reasoning. +* Advisory — Recommended. Deviations should be documented when practical. +* Document — The decision and its reasoning must be documented regardless of outcome. + +The matrix below summarizes overall coverage for these topics. The +`Cargo.toml` profiles further below provide a practical baseline and +intentionally contain a recommended subset of checks. + +.. csv-table:: Overlap Summary Matrix (Baseline Measures) + :header: "Name", "Type", "Automated (Baseline)", "CodeQL", "Clippy", "Rustc", "Other Tooling / Process", "Combined" + :widths: 24, 14, 12, 10, 18, 18, 22, 8 + + "Compiler qualification", "Document, Required", "-", "-", "-", "-", "Process/evidence", "M" + "Dependency management", "Required", "-", "-", "-", "-", "cargo-audit, cargo-deny, cargo-vet, SBOM", "H" + "async/await decision", "Document, Advisory", "-", "-", "-", "-", "Architecture decision record", "M" + "Extension trait guidelines", "Document, Advisory", "-", "-", "-", "-", "Review guideline", "M" + "Minimum Supported Rust Version", "Document, Advisory", "cargo plugin", "-", "-", "M (stable toolchain pinning, rust-version policy)", "Toolchain pinning in CI", "H" + "Shadowing style", "Document, Advisory", "Partially, clippy", "-", "M (shadow_reuse/shadow_unrelated as warn, shadow_same as allow)", "-", "Review style guide", "M" + "Code review environment", "Advisory", "-", "-", "-", "-", "Process/tooling setup", "M" + "Macro review and testing strategy", "Document, Advisory", "-", "-", "-", "-", "Tests, trybuild, review", "M" + "Module file naming", "Document, Advisory", "Partially", "-", "L (no strong built-in lint)", "-", "Custom checks", "M" + "Default trait implementations", "Document, Advisory", "-", "-", "-", "-", "Design guideline", "M" + "Usage of unwrap in mutex lock", "Document, Advisory", "-", "-", "M (unwrap_used with documented exception policy)", "-", "Review policy", "M" + "Document undesirable but not unsafe hardware effects", "Advisory", "-", "-", "-", "-", "Safety documentation", "M" + "FFI: Check values at boundary", "Required", "-", "-", "-", "-", "FFI tests, fuzzing, review", "M" + "Safe wrapper for unsafe interfaces", "Required", "-", "-", "-", "-", "Design/review", "M" + "Document unsafe assumptions in Safety: clause", "Required", "clippy", "-", "H (undocumented_unsafe_blocks)", "-", "-", "H" + "Minimal scope for unsafe", "Required", "-", "-", "M (policy/review support, no single strong lint)", "-", "cargo-geiger, review", "M" + "Unsafe block in unsafe function", "Required", "clippy", "-", "M (supporting only, project-dependent)", "H (unsafe_op_in_unsafe_fn)", "-", "H" + "Safety documentation for unsafe functions", "Required", "clippy", "-", "M (manual documentation/review in profile baseline)", "-", "Rustdoc + review process", "M" + "Panic documentation on functions", "Required", "clippy", "-", "H (missing_panics_doc)", "-", "-", "H" + "Global mutable state with sound wrapper", "Required", "-", "-", "-", "-", "Review/design", "M" + "FFI rules from ANSII", "Required", "-", "-", "-", "-", "FFI conformance process", "M" + "Inline assembly rules from reference", "Required", "-", "-", "-", "-", "Manual asm review", "M" + "Automated contract versioning", "Advisory", "symbols", "-", "-", "-", "Symbol/ABI diff tooling", "H" + "Pointer to reference conversion", "Required", "-", "M", "M (cast_ptr_alignment, ptr_cast_constness, ref_as_ptr, transmute_ptr_to_ptr)", "M (invalid_reference_casting plus diagnostics)", "Review/tests", "M" + "Define proper panic handling", "Document, Required", "-", "-", "M (panic_in_result_fn as warn; unwrap_used and panicking_overflow_checks evaluated for usefulness)", "M (panic strategy/profile settings)", "Panic strategy in CI/profile", "H" + "catch_unwind only for controlled shutdown", "Required", "-", "-", "L (no direct strong lint)", "-", "Review policy", "M" + "Deref misuse for inheritance", "Required", "-", "-", "L (no direct strong lint)", "-", "Review/style", "M" + "Transitive interior mutability documentation", "Advisory", "-", "-", "-", "-", "Documentation process", "M" + "No internal mutability in constants", "Required", "-", "-", "H (declare_interior_mutable_const)", "-", "-", "H" + "Prefer cfg!() over #[cfg()]", "Required", "-", "-", "-", "-", "Review/custom linting", "M" + "Features are additive, not exclusive", "Required", "-", "-", "-", "-", "Cargo feature CI checks", "H" + "No deprecated interfaces from core/std", "Required", "-", "-", "M (deprecated in lint profile)", "H (deprecated)", "-", "H" + "No nightly features", "Required", "rustc", "-", "-", "H (stable compiler policy; unstable_features on nightly)", "Stable toolchain enforcement", "H" + "No wildcard in imports", "Required", "clippy", "-", "H (wildcard_imports)", "-", "-", "H" + "Ensure formatting and lints (e.g., in CI)", "Advisory", "rustfmt + clippy", "-", "H (CI clippy gate)", "-", "rustfmt in CI", "H" + "No raw identifiers", "Required", "grep", "-", "-", "-", "grep/custom check", "H" + "Rustc linter", "Advisory", "rustc", "-", "-", "H (curated rustc baseline profile; extended edition/future lints enabled per toolchain support)", "-", "H" + "Clippy linter", "Advisory", "clippy", "-", "H (curated warn/deny/allow clippy profile)", "-", "-", "H" + "Strong typing for error detection at compile time", "Advisory", "-", "-", "-", "H (type system, borrow checker, trait bounds)", "-", "H" + "Structures replace many arguments", "Advisory", "-", "-", "L (style/review guidance)", "-", "Review/style", "M" + "Testing trait requirements on trait implementations", "Required", "-", "-", "-", "-", "Tests/property tests", "H" + "Test coverage on generics", "Advisory", "coverage", "-", "-", "-", "Coverage tooling", "H" + "Avoid as for conversions", "Required", "clippy", "-", "H (as_underscore, cast_lossless, cast_possible_truncation, cast_possible_wrap, cast_ptr_alignment, cast_sign_loss)", "-", "-", "H" + "Error/Option instead of magic values", "Advisory", "-", "-", "M (partial style support)", "M (type checks support pattern, no direct rule)", "Review", "M" + "Resource Acquisition Is Initialization", "Required", "-", "-", "-", "M (ownership and Drop semantics, no direct lint)", "Review/tests", "M" + "Overflow checking", "Required", "rustc", "-", "-", "H (release overflow-checks enabled)", "Release profile setting", "H" + "Dynamic memory design", "Required", "-", "-", "-", "-", "Allocator/system design checks", "M" + "Stack checking", "Required", "rustc", "-", "-", "M (limited compiler support)", "cargo-call-stack, external analysis", "M" + "Concurrency system design (timing constraints)", "Required", "-", "-", "-", "-", "loom, WCET, system analysis", "M" + "Document cancellation safety of async functions", "Advisory", "-", "-", "-", "-", "Documentation/review", "M" + "Explicit task dropping intention", "Advisory", "-", "-", "L (let_underscore_future as supporting signal)", "-", "Runtime policy/review", "M" + "Planning ahead for Pin/Send", "Document, Advisory", "-", "-", "-", "M (Send and lifetime trait-bound checks)", "Design constraints review", "M" + "Minimize duplicated dependencies because of versioning", "Required", "cargo", "-", "-", "-", "cargo tree, cargo-deny", "H" + "Minimal scope for symbols", "Advisory", "(clippy)", "-", "M (redundant_pub_crate as supporting signal)", "M (unreachable_pub, visibility diagnostics)", "Visibility checks/review", "M" + "Multi-crate design to minimize cyclic dependencies", "Advisory", "-", "-", "-", "-", "cargo graph, dependency analysis", "M" + "Usize should only measure memory, not environment quantities", "Required", "-", "-", "L (no direct strong lint)", "-", "Review/style", "M" + "Separation of download and build steps", "Advisory", "-", "-", "-", "-", "CI sandboxing/pipeline controls", "H" + "Special protection of sensitive data", "Advisory", "-", "H", "-", "-", "Secret handling process", "H" + "Marker traits for formal documentation", "Advisory", "-", "-", "-", "M (trait-bound enforcement mechanism)", "Review/formal method support", "M" + "Lifetime and pointers", "Advisory", "-", "M", "-", "H (borrow checker, lifetime analysis)", "-", "H" + "Atomic access modes", "Advisory", "-", "-", "L (no explicit lint in current baseline profile block)", "-", "Review for ordering rationale", "M" + "Unintended matches", "Advisory", "-", "-", "M (wildcard_enum_match_arm)", "M (non_exhaustive_omitted_patterns)", "-", "M" + "Logically significant return values should be #[must_use]", "Required", "-", "-", "M (let_underscore_must_use)", "M (unused_results in profile; must_use semantics by language)", "-", "M" + "Complex drop logic should be called explicitly", "Required", "-", "-", "L (no direct strong lint)", "-", "Review/tests", "M" During the S-CORE project formatting and clippy checks are enforced. Miri can @@ -264,7 +271,7 @@ warnings. Additional guidelines by the Rust Community, the Rust Foundation and the Safety-Critical Rust Consortium are applied where applicable but not enforced. If possible the usage of `unsafe` is avoided. To keep the code `panic`-free only APIs with a proper return value should be used. The goal is -to have coding guidelines for Rust suitable for safety-critial systems by the +to have coding guidelines for Rust suitable for safety-critical systems by the Safety-Critical Rust Consortium by the end of 2026. Until that, please also use Slack score-rust-community channel for discussions and participation in the SCRC. @@ -272,7 +279,7 @@ SCRC. The adaption of these guidelines will be documented in the S-CORE project documentation. -.. admonition:: Cargo.toml lint profile (JA1020-oriented, practical baseline) +.. admonition:: Cargo.toml lint profile (safety-oriented, practical baseline) .. code-block:: toml @@ -288,7 +295,7 @@ documentation. let_underscore_drop = "warn" non_exhaustive_omitted_patterns = "warn" - # Rustc lints recommended to evaluate as warn (JA1020) + # Rustc lints recommended to evaluate as warn elided_lifetimes_in_paths = "warn" explicit_outlives_requirements = "warn" macro_use_extern_crate = "warn" @@ -301,7 +308,7 @@ documentation. unnameable_types = "warn" variant_size_differences = "warn" - # Edition and compatibility lint groups (JA1020 intent) + # Edition and compatibility lint groups (baseline intent) # Enable rust--* and keyword-idents- lints supported by the # pinned compiler version. unused = { level = "warn", priority = -1 } @@ -352,11 +359,11 @@ documentation. implicit_return = "allow" allow_attributes = "allow" - # Evaluate for helpfulness (JA1020) + # Evaluate for helpfulness panicking_overflow_checks = "warn" unwrap_used = "warn" - # Recommended against because too coarse (JA1020) + # Recommended against because too coarse as_conversions = "allow" # Release profile requirement @@ -367,7 +374,7 @@ documentation. # check-private-items = true -.. admonition:: Cargo.toml lint profile (JA1020-oriented, strict/ASIL variant) +.. admonition:: Cargo.toml lint profile (safety-oriented, strict/ASIL variant) .. code-block:: toml @@ -383,7 +390,7 @@ documentation. let_underscore_drop = "warn" non_exhaustive_omitted_patterns = "warn" - # Rustc lints recommended to evaluate as warn (JA1020) + # Rustc lints recommended to evaluate as warn elided_lifetimes_in_paths = "warn" explicit_outlives_requirements = "warn" macro_use_extern_crate = "warn" @@ -396,7 +403,7 @@ documentation. unnameable_types = "warn" variant_size_differences = "warn" - # Edition and compatibility lint groups (JA1020 intent) + # Edition and compatibility lint groups (baseline intent) unused = { level = "warn", priority = -1 } # Clippy lints (strict) @@ -439,11 +446,11 @@ documentation. implicit_return = "allow" allow_attributes = "allow" - # Evaluate for helpfulness (JA1020) + # Evaluate for helpfulness panicking_overflow_checks = "warn" unwrap_used = "warn" - # Recommended against because too coarse (JA1020) + # Recommended against because too coarse as_conversions = "allow" # Release profile requirement diff --git a/docs/contribute/development/rust/index.rst b/docs/contribute/development/rust/index.rst index 7dfcc9f1b9a..b96edc6dee4 100644 --- a/docs/contribute/development/rust/index.rst +++ b/docs/contribute/development/rust/index.rst @@ -16,8 +16,8 @@ Rust #### For safety- and security-related Rust development, SCORE uses -`SAE JA1020_202603 `_ -as a baseline reference for recommended practices, in addition to the +widely adopted safety- and cybersecurity-oriented Rust guidance as a +baseline reference for recommended practices, in addition to the project-specific guidance linked below. .. toctree:: From b2715cddba1136f4d7c66b0e347640b824a11eb5 Mon Sep 17 00:00:00 2001 From: "jhr2hi@bosch.com" Date: Mon, 22 Jun 2026 09:49:37 +0200 Subject: [PATCH 4/4] move toml to right repo --- .../development/rust/coding_guidelines.rst | 188 +----------------- 1 file changed, 8 insertions(+), 180 deletions(-) diff --git a/docs/contribute/development/rust/coding_guidelines.rst b/docs/contribute/development/rust/coding_guidelines.rst index 0b839d1afc5..30ac35b409a 100644 --- a/docs/contribute/development/rust/coding_guidelines.rst +++ b/docs/contribute/development/rust/coding_guidelines.rst @@ -279,186 +279,14 @@ SCRC. The adaption of these guidelines will be documented in the S-CORE project documentation. -.. admonition:: Cargo.toml lint profile (safety-oriented, practical baseline) - - .. code-block:: toml - - # Cargo.toml - - # Rust compiler lints (rustc) - [lints.rust] - unsafe_op_in_unsafe_fn = "deny" - missing_abi = "warn" - unreachable_pub = "warn" - missing_docs = "warn" - unused_results = "warn" - let_underscore_drop = "warn" - non_exhaustive_omitted_patterns = "warn" - - # Rustc lints recommended to evaluate as warn - elided_lifetimes_in_paths = "warn" - explicit_outlives_requirements = "warn" - macro_use_extern_crate = "warn" - meta_variable_misuse = "warn" - non_local_definitions = "warn" - redundant_lifetimes = "warn" - single_use_lifetimes = "warn" - trivial_numeric_casts = "warn" - unit_bindings = "warn" - unnameable_types = "warn" - variant_size_differences = "warn" - - # Edition and compatibility lint groups (baseline intent) - # Enable rust--* and keyword-idents- lints supported by the - # pinned compiler version. - unused = { level = "warn", priority = -1 } - - # Future/availability-dependent rustc lints (enable when available in - # the selected toolchain) - # must_not_suspend = "warn" - # fuzzy_provenance_casts = "warn" - # lossy_provenance_casts = "warn" - - # Clippy lints - [lints.clippy] - # Warn - as_underscore = "warn" - cast_lossless = "warn" - cast_possible_truncation = "warn" - cast_possible_wrap = "warn" - cast_sign_loss = "warn" - cast_ptr_alignment = "warn" - exit = "warn" - format_push_string = "warn" - infinite_loop = "warn" - iter_over_hash_type = "warn" - invalid_upcast_comparisons = "warn" - lossy_float_literal = "warn" - missing_errors_doc = "warn" - missing_docs_in_private_items = "warn" - panic_in_result_fn = "warn" - ptr_cast_constness = "warn" - ref_as_ptr = "warn" - transmute_ptr_to_ptr = "warn" - redundant_type_annotations = "warn" - shadow_reuse = "warn" - shadow_unrelated = "warn" - try_err = "warn" - wildcard_enum_match_arm = "warn" - - # Deny - as_ptr_cast_mut = "deny" - let_underscore_must_use = "deny" - missing_panics_doc = "deny" - undocumented_unsafe_blocks = "deny" - wildcard_imports = "deny" - declare_interior_mutable_const = "deny" - - # Allow - shadow_same = "allow" - implicit_return = "allow" - allow_attributes = "allow" - - # Evaluate for helpfulness - panicking_overflow_checks = "warn" - unwrap_used = "warn" - - # Recommended against because too coarse - as_conversions = "allow" - - # Release profile requirement - [profile.release] - overflow-checks = true # Required for safety-oriented integer checks - - # Checking of documentation on private items (in clippy.toml) - # check-private-items = true - - -.. admonition:: Cargo.toml lint profile (safety-oriented, strict/ASIL variant) - - .. code-block:: toml - - # Cargo.toml - - # Rust compiler lints (strict) - [lints.rust] - unsafe_op_in_unsafe_fn = "deny" - missing_abi = "warn" - unreachable_pub = "warn" - missing_docs = "warn" - unused_results = "warn" - let_underscore_drop = "warn" - non_exhaustive_omitted_patterns = "warn" - - # Rustc lints recommended to evaluate as warn - elided_lifetimes_in_paths = "warn" - explicit_outlives_requirements = "warn" - macro_use_extern_crate = "warn" - meta_variable_misuse = "warn" - non_local_definitions = "warn" - redundant_lifetimes = "warn" - single_use_lifetimes = "warn" - trivial_numeric_casts = "warn" - unit_bindings = "warn" - unnameable_types = "warn" - variant_size_differences = "warn" - - # Edition and compatibility lint groups (baseline intent) - unused = { level = "warn", priority = -1 } - - # Clippy lints (strict) - [lints.clippy] - # Warn - as_underscore = "warn" - cast_lossless = "warn" - cast_possible_truncation = "warn" - cast_possible_wrap = "warn" - cast_sign_loss = "warn" - cast_ptr_alignment = "warn" - exit = "warn" - format_push_string = "warn" - infinite_loop = "warn" - iter_over_hash_type = "warn" - invalid_upcast_comparisons = "warn" - lossy_float_literal = "warn" - missing_errors_doc = "warn" - missing_docs_in_private_items = "warn" - panic_in_result_fn = "warn" - ptr_cast_constness = "warn" - ref_as_ptr = "warn" - transmute_ptr_to_ptr = "warn" - redundant_type_annotations = "warn" - shadow_reuse = "warn" - shadow_unrelated = "warn" - try_err = "warn" - wildcard_enum_match_arm = "warn" - - # Deny - as_ptr_cast_mut = "deny" - let_underscore_must_use = "deny" - missing_panics_doc = "deny" - undocumented_unsafe_blocks = "deny" - wildcard_imports = "deny" - declare_interior_mutable_const = "deny" - - # Allow - shadow_same = "allow" - implicit_return = "allow" - allow_attributes = "allow" - - # Evaluate for helpfulness - panicking_overflow_checks = "warn" - unwrap_used = "warn" - - # Recommended against because too coarse - as_conversions = "allow" - - # Release profile requirement - [profile.release] - overflow-checks = true - - # clippy.toml - # check-private-items = true +The recommended ``[lints.rust]``, ``[lints.clippy]``, and ``[profile.release]`` +settings are maintained centrally in the +`score_rust_policies repository `_: + +* `Practical baseline (relaxed) `_ — + suitable for general SCORE components. +* `Strict / ASIL variant `_ — + for safety-critical code requiring stricter enforcement. Explanation of ARA Applications in Rust