1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-06 19:02:25 +00:00
Commit graph

4 commits

Author SHA1 Message Date
Claude
6740de1687
Add AST-based symbol extraction using syn, with regex fallback
Instead of regex-matching unified diff lines, the enrichment pipeline
now fetches the full before/after file contents from GitHub, parses
them with syn::parse_file, walks the AST to extract all fn items with
their fully-qualified paths (including impl block context), and diffs
the two symbol sets to classify Added/Modified/Deleted.

This eliminates entire classes of regex bugs:
- impl Trait for Type: syn's ItemImpl has separate trait_ and self_ty
  fields, so the implementing type is always correct
- where clauses: parsed into generics.where_clause, never in the type
- nested generics: syn handles all nesting correctly
- #[cfg(test)] modules: checked via attributes, not path heuristics
- Duplicate symbols: set-based diffing produces each symbol exactly once

Falls back to regex per-file when:
- AST parsing fails (syntax errors, macro-heavy files)
- File contents can't be fetched (missing metadata, API errors)
- File didn't exist at either ref (handled as all-Added or all-Deleted)

New files:
- src/ast_differ.rs: AST visitor + symbol set diffing (8 tests)

Changes:
- src/github.rs: Added parent_sha, owner, repo to PatchDiff;
  added fetch_file_contents() for raw file retrieval
- src/diff_analyzer.rs: extract_symbols() now tries AST first;
  regex path renamed to extract_symbols_regex()
- Cargo.toml: Added quote dependency for token stream hashing

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:49:20 +00:00
Claude
a2db0d4d15
Add syn-based type tracking and golden codebase integration tests
Type tracking (type_tracker.rs):
- Uses syn AST parsing to resolve variable types from function parameters,
  let bindings with annotations, constructor calls (Type::new()), struct
  literals, builder patterns, and closure parameters
- Integrated into scanner to promote method-call matches from Medium to
  High confidence when the receiver's type is known

Golden integration tests:
- vulnerable_project: 4 vulnerable deps, 3 with reachable calls across
  multiple files (qualified calls, typed method calls, constructor-inferred
  types). Verifies regex dep is listed but Compiler::compile is NOT reachable.
- safe_project: patched deps (hyper, smallvec) excluded, vulnerable deps
  (tokio, regex) listed but no symbols reachable. Reports POSSIBLY SAFE.
- clean_project: no vulnerable deps at all. Reports CLEAN.

37 tests total (33 unit + 4 integration), all passing.

https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
2026-03-25 12:44:13 +00:00
Claude
b148c8d4b8
Add analyze command to detect reachable vulnerable symbols in Rust projects
Implements the next phase of cargo-deep-audit: given a Rust project and the
enriched vulnerability database, determine which vulnerable symbols are
actually called from user code.

New modules:
- lockfile.rs: Parse Cargo.lock to extract dependency names and versions
- scanner.rs: Scan .rs source files for references to vulnerable symbols
  using import tracking (use statements) and call pattern matching, with
  High/Medium confidence levels
- analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against
  lockfile versions (semver-aware), scan source, produce structured report

Changes:
- main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2)
- db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json
- CI workflow updated for subcommand syntax
- 24 tests total (21 unit + 3 integration), all passing

https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
2026-03-25 10:50:22 +00:00
Claude
430816c717
Add Phase 1: Offline Database Enrichment pipeline
Build the first phase of cargo deep-audit - a reachability-based vulnerability
scanner for Rust. This pipeline:

- Clones/caches the RustSec advisory-db and parses TOML advisory files
- Extracts crate names, patched versions, CVE/RUSTSEC IDs, and GitHub refs
- Fetches patch diffs via GitHub API (PRs resolve to merge commits)
- Analyzes unified diffs to extract modified Rust function signatures
- Outputs an enriched JSON database mapping advisory IDs to function signatures

Modules:
- advisory.rs: TOML parser with GitHub reference extraction
- github.rs: GitHub API client for commit/PR diffs
- diff_analyzer.rs: Unified diff parser extracting fn signatures from hunks
- db.rs: JSON output database structure
- main.rs: CLI orchestrator with clap

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:28:25 +00:00