When a multi-hunk diff has consecutive hunks in the same function,
git may show the impl block (not the fn) in the second hunk header.
Previously this reset current_context_fn to None, causing body-only
changes to be silently dropped.
Now hunk headers with impl but no fn preserve the existing fn context.
This fixes cases like libcrux-sha3's squeeze() where the actual
vulnerability fix (loop index change) was missed because the second
hunk header showed `impl KeccakXofState` instead of `fn squeeze`.
https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
- Parse markdown heading as title fallback when TOML title is missing,
fixing the "(no title)" entries
- Filter out test files (tests/, *_test.rs) from vulnerable symbols
since test code isn't callable library API
- Fix module path generation to handle workspace layouts
(crates/foo/src/bar.rs → foo::bar) and strip src/ properly
- Replace hyphens with underscores in module paths to match Rust
crate naming conventions (pyo3-ffi → pyo3_ffi)
https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
The RustSec advisory-db uses .md files with TOML in a fenced code block,
not plain .toml files. The parser now extracts the TOML block from markdown.
Also fixes:
- --limit now means "collect up to N enriched entries" instead of
"take first N candidates", so it keeps scanning until enough are found
- Suppressed dead_code warnings on Issue variant and deserialization-only fields
- Updated test fixtures to match the .md format
https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
Two jobs:
- test: builds and runs cargo test
- enrichment-dry-run: runs the pipeline against 10 real advisories
using the Actions GITHUB_TOKEN, uploads vuln_db.json as artifact
https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d