Type tracking (type_tracker.rs):
- Uses syn AST parsing to resolve variable types from function parameters,
let bindings with annotations, constructor calls (Type::new()), struct
literals, builder patterns, and closure parameters
- Integrated into scanner to promote method-call matches from Medium to
High confidence when the receiver's type is known
Golden integration tests:
- vulnerable_project: 4 vulnerable deps, 3 with reachable calls across
multiple files (qualified calls, typed method calls, constructor-inferred
types). Verifies regex dep is listed but Compiler::compile is NOT reachable.
- safe_project: patched deps (hyper, smallvec) excluded, vulnerable deps
(tokio, regex) listed but no symbols reachable. Reports POSSIBLY SAFE.
- clean_project: no vulnerable deps at all. Reports CLEAN.
37 tests total (33 unit + 4 integration), all passing.
https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
Implements the next phase of cargo-deep-audit: given a Rust project and the
enriched vulnerability database, determine which vulnerable symbols are
actually called from user code.
New modules:
- lockfile.rs: Parse Cargo.lock to extract dependency names and versions
- scanner.rs: Scan .rs source files for references to vulnerable symbols
using import tracking (use statements) and call pattern matching, with
High/Medium confidence levels
- analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against
lockfile versions (semver-aware), scan source, produce structured report
Changes:
- main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2)
- db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json
- CI workflow updated for subcommand syntax
- 24 tests total (21 unit + 3 integration), all passing
https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1