1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-10 21:31:50 +00:00
Commit graph

11 commits

Author SHA1 Message Date
Claude
b148c8d4b8
Add analyze command to detect reachable vulnerable symbols in Rust projects
Implements the next phase of cargo-deep-audit: given a Rust project and the
enriched vulnerability database, determine which vulnerable symbols are
actually called from user code.

New modules:
- lockfile.rs: Parse Cargo.lock to extract dependency names and versions
- scanner.rs: Scan .rs source files for references to vulnerable symbols
  using import tracking (use statements) and call pattern matching, with
  High/Medium confidence levels
- analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against
  lockfile versions (semver-aware), scan source, produce structured report

Changes:
- main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2)
- db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json
- CI workflow updated for subcommand syntax
- 24 tests total (21 unit + 3 integration), all passing

https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
2026-03-25 10:50:22 +00:00
5b9897a671
Create design.md 2026-03-25 06:39:54 -04:00
8d98f6b12f
Merge pull request #1 from imjasonh/claude/cargo-deep-audit-Mk1F3 2026-03-25 06:38:50 -04:00
Claude
0acb3074c6
Filter examples/fuzz/perf/benches and fix leading :: in paths
- Expand non-library file filter to also skip examples/, fuzz/, perf/,
  and benches/ directories (e.g. quinn's perf/src/server.rs, fuzz targets)
- Fix qualify_fn_name to skip empty path segments, preventing leading ::
  when module path is empty (src/lib.rs → Context::seal not ::Context::seal)

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 02:21:40 +00:00
Claude
4f330e94a2
Fix three enrichment quality issues found by spot-checking
1. Impl body changes with no fn context: When the fn declaration is too
   far above for git to include in hunk headers or context lines, body
   changes were silently dropped. Now emits symbols at the impl-type
   level with a <method> placeholder (e.g. KeccakXofState::<method>).

2. PR diff uses files endpoint: Previously resolved PRs to their merge
   commit, which could be a version-only bump with no .rs files (e.g.
   quinn-proto PR #2559). Now uses /pulls/{n}/files to get all changes
   across the entire PR.

3. Nested generics in impl regex: The impl block regex used [^>]* which
   broke on nested generics like impl<T: Foo<Bar>>. Now uses .* for
   greedy matching to the last >.

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 02:16:57 +00:00
Claude
00c14b043f
Fix fn context lost across consecutive hunks in same method
When a multi-hunk diff has consecutive hunks in the same function,
git may show the impl block (not the fn) in the second hunk header.
Previously this reset current_context_fn to None, causing body-only
changes to be silently dropped.

Now hunk headers with impl but no fn preserve the existing fn context.
This fixes cases like libcrux-sha3's squeeze() where the actual
vulnerability fix (loop index change) was missed because the second
hunk header showed `impl KeccakXofState` instead of `fn squeeze`.

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 02:08:15 +00:00
Claude
44f0b1385e
Improve enrichment quality: titles, test filtering, module paths
- Parse markdown heading as title fallback when TOML title is missing,
  fixing the "(no title)" entries
- Filter out test files (tests/, *_test.rs) from vulnerable symbols
  since test code isn't callable library API
- Fix module path generation to handle workspace layouts
  (crates/foo/src/bar.rs → foo::bar) and strip src/ properly
- Replace hyphens with underscores in module paths to match Rust
  crate naming conventions (pyo3-ffi → pyo3_ffi)

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:59:56 +00:00
Claude
3aeae98506
Fix advisory parsing for .md format and suppress compiler warnings
The RustSec advisory-db uses .md files with TOML in a fenced code block,
not plain .toml files. The parser now extracts the TOML block from markdown.

Also fixes:
- --limit now means "collect up to N enriched entries" instead of
  "take first N candidates", so it keeps scanning until enough are found
- Suppressed dead_code warnings on Issue variant and deserialization-only fields
- Updated test fixtures to match the .md format

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:52:22 +00:00
Claude
ce7f533cb0
Add CI workflow for tests and enrichment dry-run
Two jobs:
- test: builds and runs cargo test
- enrichment-dry-run: runs the pipeline against 10 real advisories
  using the Actions GITHUB_TOKEN, uploads vuln_db.json as artifact

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:34:22 +00:00
Claude
430816c717
Add Phase 1: Offline Database Enrichment pipeline
Build the first phase of cargo deep-audit - a reachability-based vulnerability
scanner for Rust. This pipeline:

- Clones/caches the RustSec advisory-db and parses TOML advisory files
- Extracts crate names, patched versions, CVE/RUSTSEC IDs, and GitHub refs
- Fetches patch diffs via GitHub API (PRs resolve to merge commits)
- Analyzes unified diffs to extract modified Rust function signatures
- Outputs an enriched JSON database mapping advisory IDs to function signatures

Modules:
- advisory.rs: TOML parser with GitHub reference extraction
- github.rs: GitHub API client for commit/PR diffs
- diff_analyzer.rs: Unified diff parser extracting fn signatures from hunks
- db.rs: JSON output database structure
- main.rs: CLI orchestrator with clap

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:28:25 +00:00
Claude
b0a0d8599d
Initial commit 2026-03-25 01:28:13 +00:00