mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-09 12:56:54 +00:00
Add analyze command to detect reachable vulnerable symbols in Rust projects
Implements the next phase of cargo-deep-audit: given a Rust project and the enriched vulnerability database, determine which vulnerable symbols are actually called from user code. New modules: - lockfile.rs: Parse Cargo.lock to extract dependency names and versions - scanner.rs: Scan .rs source files for references to vulnerable symbols using import tracking (use statements) and call pattern matching, with High/Medium confidence levels - analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against lockfile versions (semver-aware), scan source, produce structured report Changes: - main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2) - db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json - CI workflow updated for subcommand syntax - 24 tests total (21 unit + 3 integration), all passing https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
This commit is contained in:
parent
5b9897a671
commit
b148c8d4b8
13 changed files with 1221 additions and 12 deletions
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
|
|
@ -60,7 +60,7 @@ jobs:
|
|||
- name: Run enrichment pipeline (10 advisories)
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: cargo run -- --limit 10 --output vuln_db.json
|
||||
run: cargo run -- enrich --limit 10 --output vuln_db.json
|
||||
|
||||
- name: Show output
|
||||
run: cat vuln_db.json
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue