1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-16 20:43:49 +00:00
Commit graph

2 commits

Author SHA1 Message Date
Claude
4f330e94a2
Fix three enrichment quality issues found by spot-checking
1. Impl body changes with no fn context: When the fn declaration is too
   far above for git to include in hunk headers or context lines, body
   changes were silently dropped. Now emits symbols at the impl-type
   level with a <method> placeholder (e.g. KeccakXofState::<method>).

2. PR diff uses files endpoint: Previously resolved PRs to their merge
   commit, which could be a version-only bump with no .rs files (e.g.
   quinn-proto PR #2559). Now uses /pulls/{n}/files to get all changes
   across the entire PR.

3. Nested generics in impl regex: The impl block regex used [^>]* which
   broke on nested generics like impl<T: Foo<Bar>>. Now uses .* for
   greedy matching to the last >.

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 02:16:57 +00:00
Claude
430816c717
Add Phase 1: Offline Database Enrichment pipeline
Build the first phase of cargo deep-audit - a reachability-based vulnerability
scanner for Rust. This pipeline:

- Clones/caches the RustSec advisory-db and parses TOML advisory files
- Extracts crate names, patched versions, CVE/RUSTSEC IDs, and GitHub refs
- Fetches patch diffs via GitHub API (PRs resolve to merge commits)
- Analyzes unified diffs to extract modified Rust function signatures
- Outputs an enriched JSON database mapping advisory IDs to function signatures

Modules:
- advisory.rs: TOML parser with GitHub reference extraction
- github.rs: GitHub API client for commit/PR diffs
- diff_analyzer.rs: Unified diff parser extracting fn signatures from hunks
- db.rs: JSON output database structure
- main.rs: CLI orchestrator with clap

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:28:25 +00:00