mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-06 19:02:25 +00:00
Create design.md
This commit is contained in:
parent
8d98f6b12f
commit
5b9897a671
1 changed files with 33 additions and 0 deletions
33
design.md
Normal file
33
design.md
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
Here is a clean, self-contained architecture prompt you can copy and paste directly to your coding agent to kick off the project.
|
||||
Context for Coding Agent
|
||||
Project Goal: Build cargo deep-audit, a deterministic, reachability-based vulnerability scanner for Rust. It aims to achieve parity with Go's govulncheck by identifying if a known vulnerable function in a dependency is actually reachable from the user's code.
|
||||
Constraints: No live LLM calls at runtime. The tool must be fast, deterministic, and run locally. Accept standard static analysis trade-offs (e.g., Rapid Type Analysis for dyn Trait, blind spots at FFI boundaries).
|
||||
Architecture & Pipeline Overview
|
||||
The system consists of three distinct phases. We are currently focusing on MVP execution starting with Phase 1.
|
||||
Phase 1: Offline Database Enrichment (The Target for MVP)
|
||||
Objective: Translate crate-level vulnerability data into function-level signatures.
|
||||
* Input: The official RustSec Advisory Database (github.com/RustSec/advisory-db), which stores vulnerabilities as TOML files with crate names, patched versions, and PR/Issue URLs.
|
||||
* Process:
|
||||
* Parse the TOML files to extract the crate, patched version/commit, and vulnerability ID.
|
||||
* Query the GitHub API or local git diffs to isolate the exact commit that patched the vulnerability.
|
||||
* Analyze the diff to extract the fully qualified signatures of the modified functions (e.g., hyper::http::Request::parse).
|
||||
* Output: A lightweight JSON or SQLite database mapping CVE IDs to specific crate::module::function signatures.
|
||||
Phase 2: Static Analysis Engine (Call Graph Extractor)
|
||||
Objective: Deterministically map the execution paths of a target Rust codebase.
|
||||
* Tech Stack: Use the rust-analyzer API crates (e.g., ra_ap_hir, ra_ap_ide) to parse the target codebase without requiring a full rustc compilation step.
|
||||
* Process:
|
||||
* Ingest the user's Rust project and expand all macros.
|
||||
* Build a comprehensive call graph from the entry points (main, public library functions) down through the dependency tree.
|
||||
* Implement Rapid Type Analysis (RTA) for dynamic dispatch: if a method on dyn Trait is called, draw edges to all concrete types in the binary that implement that trait.
|
||||
Phase 3: CLI Orchestrator (cargo deep-audit)
|
||||
Objective: The user-facing tool that glues the DB and Engine together.
|
||||
* Tech Stack: Rust (clap for CLI, cargo_metadata for dependency resolution).
|
||||
* Execution Flow:
|
||||
* Parse the user's Cargo.lock to find the exact dependency tree.
|
||||
* Download/load the Enriched Vulnerability Database (from Phase 1).
|
||||
* Filter the DB for crates that exist in the user's lockfile.
|
||||
* Run the Static Analysis Engine (Phase 2) to search the call graph for paths terminating at the vulnerable_symbols identified in the DB.
|
||||
* Print the full execution path to stdout if a match is found.
|
||||
First Task for Agent
|
||||
Begin building the Phase 1 Offline Database Enrichment pipeline. Write a script that clones the RustSec/advisory-db repository, parses the TOML files, and successfully pulls the associated git patch diffs via the GitHub API for a test batch of 10 recent advisories.
|
||||
Would you like me to write the initial starter code for that first Phase 1 script (either in Python or Rust) so you have a solid foundation to hand over along with the prompt?
|
||||
Loading…
Add table
Add a link
Reference in a new issue