The question is rather how many are logic bugs and how many are memory safety bugs. Rust excludes the latter quite well, which according to the MS and Google studies makes up about 70% of programming mistakes in their C++ codebases. However, rewriting carries the risk of introducing new logic bugs. So there's a tradeoff here.
I am a big believer in Rust, I basically only use rg instead of grep and fd instead of find and never looked back, but they are slightly different in behavior, so not a drop-in replacement. I'm not sure if porting coreutils will be so useful in the end, since if you do all the workarounds for the rust version to behave like the C version, maybe you won't have the performance benefits or the clean codebase that you set out for in the end. I like the rg and fd approach much better. It's an almost drop-in with huge performance benefits.
That is actually slightly different. I guess I misremembered this. Probably a good question is also how quantifiable other bugs than security vulnerabilities are. Security vulnerabilities are probably the only measurable bugs in that sense, since they are analyzed for root cause and listed consistently, while other bugs can often be explained away and are harder to get numbers for.
In any case the question was about CVEs in coreutils so it's still somewhat relevant.
I just use an OCI registry to host all my MCP modules (the way I chose to extend my MCP server's capabilities): WASM plugins.
An OCI registry is available everywhere and is probably already present in your infrastructure. You get to use all the OCI tools/security controls you already have with it.
To add new tools, you just have to update the config file to include new plugins and restart.