mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-08 04:08:07 +00:00
Fix advisory parsing for .md format and suppress compiler warnings
The RustSec advisory-db uses .md files with TOML in a fenced code block, not plain .toml files. The parser now extracts the TOML block from markdown. Also fixes: - --limit now means "collect up to N enriched entries" instead of "take first N candidates", so it keeps scanning until enough are found - Suppressed dead_code warnings on Issue variant and deserialization-only fields - Updated test fixtures to match the .md format https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
This commit is contained in:
parent
ce7f533cb0
commit
3aeae98506
5 changed files with 53 additions and 14 deletions
|
|
@ -27,6 +27,7 @@ pub struct AdvisoryMeta {
|
|||
#[serde(default)]
|
||||
pub title: Option<String>,
|
||||
#[serde(default)]
|
||||
#[allow(dead_code)]
|
||||
pub description: Option<String>,
|
||||
}
|
||||
|
||||
|
|
@ -35,6 +36,7 @@ pub struct VersionInfo {
|
|||
#[serde(default)]
|
||||
pub patched: Vec<String>,
|
||||
#[serde(default)]
|
||||
#[allow(dead_code)]
|
||||
pub unaffected: Vec<String>,
|
||||
}
|
||||
|
||||
|
|
@ -70,6 +72,7 @@ pub enum GithubRef {
|
|||
repo: String,
|
||||
number: u64,
|
||||
},
|
||||
#[allow(dead_code)]
|
||||
Issue {
|
||||
owner: String,
|
||||
repo: String,
|
||||
|
|
@ -149,7 +152,8 @@ pub fn parse_advisory_db(db_path: &Path) -> Result<Vec<Advisory>> {
|
|||
.filter_map(|e| e.ok())
|
||||
{
|
||||
let path = entry.path();
|
||||
if path.extension().map_or(true, |ext| ext != "toml") {
|
||||
// Advisory-db uses .md files with TOML in a fenced code block
|
||||
if path.extension().map_or(true, |ext| ext != "md") {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
|
@ -171,8 +175,12 @@ fn parse_advisory_file(path: &Path) -> Result<Advisory> {
|
|||
let content =
|
||||
std::fs::read_to_string(path).with_context(|| format!("reading {}", path.display()))?;
|
||||
|
||||
// Advisory-db .md files have TOML inside a ```toml ... ``` fenced block
|
||||
let toml_content = extract_toml_block(&content)
|
||||
.with_context(|| format!("no TOML block found in {}", path.display()))?;
|
||||
|
||||
let file: AdvisoryFile =
|
||||
toml::from_str(&content).with_context(|| format!("parsing {}", path.display()))?;
|
||||
toml::from_str(&toml_content).with_context(|| format!("parsing {}", path.display()))?;
|
||||
|
||||
let mut github_urls = Vec::new();
|
||||
|
||||
|
|
@ -202,3 +210,10 @@ fn parse_advisory_file(path: &Path) -> Result<Advisory> {
|
|||
github_urls,
|
||||
})
|
||||
}
|
||||
|
||||
/// Extract the TOML content from a markdown file with a ```toml fenced block.
|
||||
fn extract_toml_block(content: &str) -> Option<String> {
|
||||
let start = content.find("```toml\n")? + "```toml\n".len();
|
||||
let end = content[start..].find("```")? + start;
|
||||
Some(content[start..end].to_string())
|
||||
}
|
||||
|
|
|
|||
30
src/main.rs
30
src/main.rs
|
|
@ -25,7 +25,8 @@ struct Args {
|
|||
#[arg(long)]
|
||||
advisory_db: Option<PathBuf>,
|
||||
|
||||
/// Maximum number of advisories to process (most recent first).
|
||||
/// Maximum number of enriched entries to collect (most recent first).
|
||||
/// Processes advisories until this many have been successfully enriched.
|
||||
#[arg(long, default_value = "10")]
|
||||
limit: usize,
|
||||
|
||||
|
|
@ -77,29 +78,34 @@ fn main() -> Result<()> {
|
|||
candidates.len()
|
||||
);
|
||||
|
||||
let to_process = &candidates[..candidates.len().min(args.limit)];
|
||||
println!("Processing {} advisories...\n", to_process.len());
|
||||
println!(
|
||||
"Processing advisories (collecting up to {} enriched entries)...\n",
|
||||
args.limit
|
||||
);
|
||||
|
||||
// Step 3: Fetch diffs and extract symbols
|
||||
let gh = GithubClient::new(args.github_token);
|
||||
let mut vuln_db = VulnDb::new();
|
||||
|
||||
for (i, adv) in to_process.iter().enumerate() {
|
||||
for adv in &candidates {
|
||||
if vuln_db.entries.len() >= args.limit {
|
||||
break;
|
||||
}
|
||||
|
||||
let gh_refs = adv.github_refs();
|
||||
if gh_refs.is_empty() {
|
||||
continue;
|
||||
}
|
||||
|
||||
println!(
|
||||
"[{}/{}] {} ({}) - {}",
|
||||
i + 1,
|
||||
to_process.len(),
|
||||
vuln_db.entries.len() + 1,
|
||||
args.limit,
|
||||
adv.id,
|
||||
adv.package,
|
||||
adv.title
|
||||
);
|
||||
|
||||
let gh_refs = adv.github_refs();
|
||||
if gh_refs.is_empty() {
|
||||
println!(" No parseable GitHub refs, skipping");
|
||||
continue;
|
||||
}
|
||||
|
||||
let mut entry = VulnEntry {
|
||||
advisory_id: adv.id.clone(),
|
||||
package: adv.package.clone(),
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-2024-0001"
|
||||
package = "hyper"
|
||||
|
|
@ -8,3 +9,8 @@ references = ["https://github.com/hyperium/hyper/commit/abc123def456"]
|
|||
|
||||
[versions]
|
||||
patched = [">= 1.2.0"]
|
||||
```
|
||||
|
||||
# Lenient HTTP header parsing allows request smuggling
|
||||
|
||||
A bug in hyper's header parsing could allow request smuggling.
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-2024-0003"
|
||||
package = "smallvec"
|
||||
|
|
@ -8,3 +9,8 @@ references = []
|
|||
|
||||
[versions]
|
||||
patched = [">= 1.13.1"]
|
||||
```
|
||||
|
||||
# Buffer overflow in SmallVec::insert_many
|
||||
|
||||
A buffer overflow in SmallVec's insert_many method.
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-2024-0002"
|
||||
package = "tokio"
|
||||
|
|
@ -8,3 +9,8 @@ references = ["https://github.com/tokio-rs/tokio/commit/deadbeef1234"]
|
|||
|
||||
[versions]
|
||||
patched = [">= 1.36.0"]
|
||||
```
|
||||
|
||||
# Race condition in task cancellation
|
||||
|
||||
A race condition in tokio's task cancellation could cause issues.
|
||||
Loading…
Add table
Add a link
Reference in a new issue