1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-08 04:08:07 +00:00

Fix advisory parsing for .md format and suppress compiler warnings

The RustSec advisory-db uses .md files with TOML in a fenced code block,
not plain .toml files. The parser now extracts the TOML block from markdown.

Also fixes:
- --limit now means "collect up to N enriched entries" instead of
  "take first N candidates", so it keeps scanning until enough are found
- Suppressed dead_code warnings on Issue variant and deserialization-only fields
- Updated test fixtures to match the .md format

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
This commit is contained in:
Claude 2026-03-25 01:52:22 +00:00
parent ce7f533cb0
commit 3aeae98506
No known key found for this signature in database
5 changed files with 53 additions and 14 deletions

View file

@ -27,6 +27,7 @@ pub struct AdvisoryMeta {
#[serde(default)]
pub title: Option<String>,
#[serde(default)]
#[allow(dead_code)]
pub description: Option<String>,
}
@ -35,6 +36,7 @@ pub struct VersionInfo {
#[serde(default)]
pub patched: Vec<String>,
#[serde(default)]
#[allow(dead_code)]
pub unaffected: Vec<String>,
}
@ -70,6 +72,7 @@ pub enum GithubRef {
repo: String,
number: u64,
},
#[allow(dead_code)]
Issue {
owner: String,
repo: String,
@ -149,7 +152,8 @@ pub fn parse_advisory_db(db_path: &Path) -> Result<Vec<Advisory>> {
.filter_map(|e| e.ok())
{
let path = entry.path();
if path.extension().map_or(true, |ext| ext != "toml") {
// Advisory-db uses .md files with TOML in a fenced code block
if path.extension().map_or(true, |ext| ext != "md") {
continue;
}
@ -171,8 +175,12 @@ fn parse_advisory_file(path: &Path) -> Result<Advisory> {
let content =
std::fs::read_to_string(path).with_context(|| format!("reading {}", path.display()))?;
// Advisory-db .md files have TOML inside a ```toml ... ``` fenced block
let toml_content = extract_toml_block(&content)
.with_context(|| format!("no TOML block found in {}", path.display()))?;
let file: AdvisoryFile =
toml::from_str(&content).with_context(|| format!("parsing {}", path.display()))?;
toml::from_str(&toml_content).with_context(|| format!("parsing {}", path.display()))?;
let mut github_urls = Vec::new();
@ -202,3 +210,10 @@ fn parse_advisory_file(path: &Path) -> Result<Advisory> {
github_urls,
})
}
/// Extract the TOML content from a markdown file with a ```toml fenced block.
fn extract_toml_block(content: &str) -> Option<String> {
let start = content.find("```toml\n")? + "```toml\n".len();
let end = content[start..].find("```")? + start;
Some(content[start..end].to_string())
}

View file

@ -25,7 +25,8 @@ struct Args {
#[arg(long)]
advisory_db: Option<PathBuf>,
/// Maximum number of advisories to process (most recent first).
/// Maximum number of enriched entries to collect (most recent first).
/// Processes advisories until this many have been successfully enriched.
#[arg(long, default_value = "10")]
limit: usize,
@ -77,29 +78,34 @@ fn main() -> Result<()> {
candidates.len()
);
let to_process = &candidates[..candidates.len().min(args.limit)];
println!("Processing {} advisories...\n", to_process.len());
println!(
"Processing advisories (collecting up to {} enriched entries)...\n",
args.limit
);
// Step 3: Fetch diffs and extract symbols
let gh = GithubClient::new(args.github_token);
let mut vuln_db = VulnDb::new();
for (i, adv) in to_process.iter().enumerate() {
for adv in &candidates {
if vuln_db.entries.len() >= args.limit {
break;
}
let gh_refs = adv.github_refs();
if gh_refs.is_empty() {
continue;
}
println!(
"[{}/{}] {} ({}) - {}",
i + 1,
to_process.len(),
vuln_db.entries.len() + 1,
args.limit,
adv.id,
adv.package,
adv.title
);
let gh_refs = adv.github_refs();
if gh_refs.is_empty() {
println!(" No parseable GitHub refs, skipping");
continue;
}
let mut entry = VulnEntry {
advisory_id: adv.id.clone(),
package: adv.package.clone(),

View file

@ -1,3 +1,4 @@
```toml
[advisory]
id = "RUSTSEC-2024-0001"
package = "hyper"
@ -8,3 +9,8 @@ references = ["https://github.com/hyperium/hyper/commit/abc123def456"]
[versions]
patched = [">= 1.2.0"]
```
# Lenient HTTP header parsing allows request smuggling
A bug in hyper's header parsing could allow request smuggling.

View file

@ -1,3 +1,4 @@
```toml
[advisory]
id = "RUSTSEC-2024-0003"
package = "smallvec"
@ -8,3 +9,8 @@ references = []
[versions]
patched = [">= 1.13.1"]
```
# Buffer overflow in SmallVec::insert_many
A buffer overflow in SmallVec's insert_many method.

View file

@ -1,3 +1,4 @@
```toml
[advisory]
id = "RUSTSEC-2024-0002"
package = "tokio"
@ -8,3 +9,8 @@ references = ["https://github.com/tokio-rs/tokio/commit/deadbeef1234"]
[versions]
patched = [">= 1.36.0"]
```
# Race condition in task cancellation
A race condition in tokio's task cancellation could cause issues.