1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-06 19:02:25 +00:00

Create design.md

This commit is contained in:
Jason Hall 2026-03-25 06:39:54 -04:00 committed by GitHub
parent 8d98f6b12f
commit 5b9897a671
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

33
design.md Normal file
View file

@ -0,0 +1,33 @@
Here is a clean, self-contained architecture prompt you can copy and paste directly to your coding agent to kick off the project.
Context for Coding Agent
Project Goal: Build cargo deep-audit, a deterministic, reachability-based vulnerability scanner for Rust. It aims to achieve parity with Go's govulncheck by identifying if a known vulnerable function in a dependency is actually reachable from the user's code.
Constraints: No live LLM calls at runtime. The tool must be fast, deterministic, and run locally. Accept standard static analysis trade-offs (e.g., Rapid Type Analysis for dyn Trait, blind spots at FFI boundaries).
Architecture & Pipeline Overview
The system consists of three distinct phases. We are currently focusing on MVP execution starting with Phase 1.
Phase 1: Offline Database Enrichment (The Target for MVP)
Objective: Translate crate-level vulnerability data into function-level signatures.
* Input: The official RustSec Advisory Database (github.com/RustSec/advisory-db), which stores vulnerabilities as TOML files with crate names, patched versions, and PR/Issue URLs.
* Process:
* Parse the TOML files to extract the crate, patched version/commit, and vulnerability ID.
* Query the GitHub API or local git diffs to isolate the exact commit that patched the vulnerability.
* Analyze the diff to extract the fully qualified signatures of the modified functions (e.g., hyper::http::Request::parse).
* Output: A lightweight JSON or SQLite database mapping CVE IDs to specific crate::module::function signatures.
Phase 2: Static Analysis Engine (Call Graph Extractor)
Objective: Deterministically map the execution paths of a target Rust codebase.
* Tech Stack: Use the rust-analyzer API crates (e.g., ra_ap_hir, ra_ap_ide) to parse the target codebase without requiring a full rustc compilation step.
* Process:
* Ingest the user's Rust project and expand all macros.
* Build a comprehensive call graph from the entry points (main, public library functions) down through the dependency tree.
* Implement Rapid Type Analysis (RTA) for dynamic dispatch: if a method on dyn Trait is called, draw edges to all concrete types in the binary that implement that trait.
Phase 3: CLI Orchestrator (cargo deep-audit)
Objective: The user-facing tool that glues the DB and Engine together.
* Tech Stack: Rust (clap for CLI, cargo_metadata for dependency resolution).
* Execution Flow:
* Parse the user's Cargo.lock to find the exact dependency tree.
* Download/load the Enriched Vulnerability Database (from Phase 1).
* Filter the DB for crates that exist in the user's lockfile.
* Run the Static Analysis Engine (Phase 2) to search the call graph for paths terminating at the vulnerable_symbols identified in the DB.
* Print the full execution path to stdout if a match is found.
First Task for Agent
Begin building the Phase 1 Offline Database Enrichment pipeline. Write a script that clones the RustSec/advisory-db repository, parses the TOML files, and successfully pulls the associated git patch diffs via the GitHub API for a test batch of 10 recent advisories.
Would you like me to write the initial starter code for that first Phase 1 script (either in Python or Rust) so you have a solid foundation to hand over along with the prompt?