1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-08 12:15:03 +00:00
Commit graph

37 commits

Author SHA1 Message Date
Claude
d64faab2c9
Delete regex-based symbol extraction entirely
Remove extract_symbols_regex and all its helpers (parse_impl_type,
qualify_fn_name, is_std_trait, skip_balanced_angles, find_top_level_keyword)
plus all 17 regex-specific tests. The AST path is the only extraction
method now — files that fail to parse are skipped with a warning rather
than falling back to brittle regex matching.

-853 lines of regex code that was the source of every symbol extraction
bug (for leaks, where leaks, trait-as-type, duplicates, <method>
placeholders).

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:54:26 +00:00
github-actions[bot]
62e9fcd8ff chore: enrich vuln db from CI (642 entries, 144 with symbols) 2026-03-25 15:54:19 +00:00
Claude
6740de1687
Add AST-based symbol extraction using syn, with regex fallback
Instead of regex-matching unified diff lines, the enrichment pipeline
now fetches the full before/after file contents from GitHub, parses
them with syn::parse_file, walks the AST to extract all fn items with
their fully-qualified paths (including impl block context), and diffs
the two symbol sets to classify Added/Modified/Deleted.

This eliminates entire classes of regex bugs:
- impl Trait for Type: syn's ItemImpl has separate trait_ and self_ty
  fields, so the implementing type is always correct
- where clauses: parsed into generics.where_clause, never in the type
- nested generics: syn handles all nesting correctly
- #[cfg(test)] modules: checked via attributes, not path heuristics
- Duplicate symbols: set-based diffing produces each symbol exactly once

Falls back to regex per-file when:
- AST parsing fails (syntax errors, macro-heavy files)
- File contents can't be fetched (missing metadata, API errors)
- File didn't exist at either ref (handled as all-Added or all-Deleted)

New files:
- src/ast_differ.rs: AST visitor + symbol set diffing (8 tests)

Changes:
- src/github.rs: Added parent_sha, owner, repo to PatchDiff;
  added fetch_file_contents() for raw file retrieval
- src/diff_analyzer.rs: extract_symbols() now tries AST first;
  regex path renamed to extract_symbols_regex()
- Cargo.toml: Added quote dependency for token stream hashing

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:49:20 +00:00
github-actions[bot]
51945d6b42 chore: enrich vuln db from CI (642 entries, 146 with symbols) 2026-03-25 15:40:36 +00:00
Claude
7385e81c56
Fix duplicate symbols and trait-name-as-type bugs in diff_analyzer
Bug 4 - Duplicate symbols (~43 entries, 195 extra): When a fn signature
was both deleted and added (modified), each line independently produced
a symbol. Added dedup to the fn-declaration path that upgrades existing
entries to Modified instead of adding duplicates.

Bug 5 - Trait name as type (~146 symbols): Truncated hunk headers like
`impl From<X>` (without `for ActualType`) caused the trait name to be
captured as the implementing type, producing wrong symbols like
`From::from`. Added is_std_trait() blocklist to return None for
well-known traits when `for` is absent, falling through to the safer
`<method>` placeholder.

Added 4 regression tests. All 51 tests pass.

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:35:49 +00:00
github-actions[bot]
2c5672b83d chore: enrich vuln db from CI (642 entries, 147 with symbols) 2026-03-25 15:30:29 +00:00
Claude
0b933a662d
Add --re-enrich flag to reprocess existing DB entries with current code
The old --existing-db flag skipped already-enriched entries by advisory
ID, so improvements to diff_analyzer.rs had no effect on the committed
vuln_db.json. The new --re-enrich flag re-fetches diffs for existing
entries and re-extracts symbols using the current code, updating them
in-place.

The CI enrich job now passes --re-enrich so that code changes to the
symbol extraction pipeline are reflected in the PR's vuln_db.json diff.

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:26:11 +00:00
github-actions[bot]
edfd55f0dd chore: enrich vuln db from CI (642 entries, 147 with symbols) 2026-03-25 15:22:37 +00:00
4525ae00cf
Update generated_at timestamp in vuln_db.json 2026-03-25 11:20:49 -04:00
91cbbbdbb3
Merge branch 'main' into claude/review-vuln-db-and-docs-RRsc6 2026-03-25 11:18:13 -04:00
github-actions[bot]
c3891ed704 chore: enrich vuln db from CI (642 entries, 147 with symbols) 2026-03-25 15:17:08 +00:00
Claude
d1d1a95991
Add CI enrichment job that commits vuln_db.json back to PR
Replaces the old enrichment-dry-run job with an enrich job that:
- Only runs on pull requests (not push to main)
- Checks out the PR branch (not merge ref) so it can push back
- Builds with --release for faster enrichment
- Uses --existing-db to resume from the committed vuln_db.json
- Enriches up to 20 new advisories with a 25-min timeout
- Commits and pushes updated vuln_db.json if it changed
- Also uploads as an artifact for inspection

The workflow has contents: write permission so the bot can push
commits to the PR branch.

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:15:01 +00:00
Claude
873be4d133
Fix three symbol extraction bugs and add lessons.md
1. Fix `for` keyword leaking into symbol names (~14 entries): replaced
   greedy regex `<.*>` with bracket-counting parser `parse_impl_type()`
   that correctly handles nested generics like `impl<T> From<Py<T>> for PyObject`.

2. Fix `where` clause leaking into symbol names (~5 entries): the new
   parser stops at top-level `where` keywords.

3. Filter test functions from symbol extraction (~39 entries): skip
   `#[test]`/`#[cfg(test)]` attributed functions and `test_*` named
   functions in diff output.

Added 9 regression tests. All 47 tests pass.

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:11:28 +00:00
github-actions[bot]
812dfe3bf7 chore: enrich vuln db (642 entries, 147 with symbols) 2026-03-25 14:52:35 +00:00
Claude
a5c154b697
Add CLAUDE.md with project overview and known vuln_db issues
Documents project architecture, key files, commands, test fixtures,
vuln_db.json structure, and known limitations found during spot-checking
of the enriched vulnerability database.

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 14:43:51 +00:00
28508164ab
Update README with enriched database status and encouragement
Clarified the status of the enriched database and its availability. Added encouragement for improvements.
2026-03-25 10:39:35 -04:00
github-actions[bot]
ac681b1899 chore: enrich vuln db (642 entries, 147 with symbols) 2026-03-25 14:35:54 +00:00
d2d3962e4f
Add Apache License 2.0
Added the Apache License 2.0 to the project.
2026-03-25 10:30:09 -04:00
922a8729f8
Add link to Go vulnerabilities database in README
Updated README to include a link to the Go vulnerabilities database.
2026-03-25 10:29:30 -04:00
b5b4564835
Create README.md for rustvulncheck project
Add initial README with project background and details.
2026-03-25 10:28:05 -04:00
9f99d2e6dd
Remove vuln_db.json from .gitignore 2026-03-25 10:23:25 -04:00
a4c3ab33bd
Merge pull request #3 from imjasonh/claude/add-enrichment-workflow-EggET
Add hourly enrichment workflow with resume support
2026-03-25 09:26:39 -04:00
Claude
e797dadbad
Add hourly enrichment workflow with resume and timeout support
- Add --existing-db flag to enrich command to skip already-enriched advisories
- Add --timeout-secs flag to stop processing after a time budget
- Create .github/workflows/enrich.yml that runs hourly on a 55-minute budget
- Workflow commits enriched vuln_db.json to repo, checkpointing progress
- Each run picks up where the last left off, progressively enriching the backlog

https://claude.ai/code/session_01Pp3k3jGUtnTTqvMMr1uP4Y
2026-03-25 13:24:07 +00:00
df0064c90c
Merge pull request #2 from imjasonh/claude/analyze-vulnerable-symbols-rTuHI
Add analyze command to detect reachable vulnerable symbols
2026-03-25 09:17:13 -04:00
Claude
76921cfde0
Precise golden integration tests and scanner fixes for edge cases
Scanner fixes:
- Block comment tracking: skip lines inside /* ... */ blocks
- Skip `use` statements from being matched as call sites
- Free function call detection: `parse_cookie(...)` after direct import
- Type-aware suppression: when the receiver's type is positively known
  and doesn't match the vulnerable type, suppress the finding entirely
  (e.g., .abort() on MyHandle vs JoinHandle)

Golden test improvements:
- All assertions are now specific: exact counts (deps, reachable symbols,
  files scanned), exact advisory IDs listed vs reachable, exact call site
  locations (file:line), exact confidence levels (HIGH vs MEDIUM)
- Each test documents its fixture layout and expected positive/negative
  findings in a header comment

New edge_cases_project fixture covering:
- Aliased imports (Decoder as HyperDecoder → dec.decode detected)
- Free function calls (parse_cookie after direct import)
- Commented-out code (block & line comments correctly skipped)
- False positive suppression (abort() on MyHandle, parse() on String)
- Typed method calls (jar.add(c) with explicit CookieJar type)

38 tests total (33 unit + 5 integration), all passing.

https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
2026-03-25 13:01:33 +00:00
Claude
a2db0d4d15
Add syn-based type tracking and golden codebase integration tests
Type tracking (type_tracker.rs):
- Uses syn AST parsing to resolve variable types from function parameters,
  let bindings with annotations, constructor calls (Type::new()), struct
  literals, builder patterns, and closure parameters
- Integrated into scanner to promote method-call matches from Medium to
  High confidence when the receiver's type is known

Golden integration tests:
- vulnerable_project: 4 vulnerable deps, 3 with reachable calls across
  multiple files (qualified calls, typed method calls, constructor-inferred
  types). Verifies regex dep is listed but Compiler::compile is NOT reachable.
- safe_project: patched deps (hyper, smallvec) excluded, vulnerable deps
  (tokio, regex) listed but no symbols reachable. Reports POSSIBLY SAFE.
- clean_project: no vulnerable deps at all. Reports CLEAN.

37 tests total (33 unit + 4 integration), all passing.

https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
2026-03-25 12:44:13 +00:00
Claude
b148c8d4b8
Add analyze command to detect reachable vulnerable symbols in Rust projects
Implements the next phase of cargo-deep-audit: given a Rust project and the
enriched vulnerability database, determine which vulnerable symbols are
actually called from user code.

New modules:
- lockfile.rs: Parse Cargo.lock to extract dependency names and versions
- scanner.rs: Scan .rs source files for references to vulnerable symbols
  using import tracking (use statements) and call pattern matching, with
  High/Medium confidence levels
- analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against
  lockfile versions (semver-aware), scan source, produce structured report

Changes:
- main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2)
- db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json
- CI workflow updated for subcommand syntax
- 24 tests total (21 unit + 3 integration), all passing

https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
2026-03-25 10:50:22 +00:00
5b9897a671
Create design.md 2026-03-25 06:39:54 -04:00
8d98f6b12f
Merge pull request #1 from imjasonh/claude/cargo-deep-audit-Mk1F3 2026-03-25 06:38:50 -04:00
Claude
0acb3074c6
Filter examples/fuzz/perf/benches and fix leading :: in paths
- Expand non-library file filter to also skip examples/, fuzz/, perf/,
  and benches/ directories (e.g. quinn's perf/src/server.rs, fuzz targets)
- Fix qualify_fn_name to skip empty path segments, preventing leading ::
  when module path is empty (src/lib.rs → Context::seal not ::Context::seal)

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 02:21:40 +00:00
Claude
4f330e94a2
Fix three enrichment quality issues found by spot-checking
1. Impl body changes with no fn context: When the fn declaration is too
   far above for git to include in hunk headers or context lines, body
   changes were silently dropped. Now emits symbols at the impl-type
   level with a <method> placeholder (e.g. KeccakXofState::<method>).

2. PR diff uses files endpoint: Previously resolved PRs to their merge
   commit, which could be a version-only bump with no .rs files (e.g.
   quinn-proto PR #2559). Now uses /pulls/{n}/files to get all changes
   across the entire PR.

3. Nested generics in impl regex: The impl block regex used [^>]* which
   broke on nested generics like impl<T: Foo<Bar>>. Now uses .* for
   greedy matching to the last >.

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 02:16:57 +00:00
Claude
00c14b043f
Fix fn context lost across consecutive hunks in same method
When a multi-hunk diff has consecutive hunks in the same function,
git may show the impl block (not the fn) in the second hunk header.
Previously this reset current_context_fn to None, causing body-only
changes to be silently dropped.

Now hunk headers with impl but no fn preserve the existing fn context.
This fixes cases like libcrux-sha3's squeeze() where the actual
vulnerability fix (loop index change) was missed because the second
hunk header showed `impl KeccakXofState` instead of `fn squeeze`.

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 02:08:15 +00:00
Claude
44f0b1385e
Improve enrichment quality: titles, test filtering, module paths
- Parse markdown heading as title fallback when TOML title is missing,
  fixing the "(no title)" entries
- Filter out test files (tests/, *_test.rs) from vulnerable symbols
  since test code isn't callable library API
- Fix module path generation to handle workspace layouts
  (crates/foo/src/bar.rs → foo::bar) and strip src/ properly
- Replace hyphens with underscores in module paths to match Rust
  crate naming conventions (pyo3-ffi → pyo3_ffi)

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:59:56 +00:00
Claude
3aeae98506
Fix advisory parsing for .md format and suppress compiler warnings
The RustSec advisory-db uses .md files with TOML in a fenced code block,
not plain .toml files. The parser now extracts the TOML block from markdown.

Also fixes:
- --limit now means "collect up to N enriched entries" instead of
  "take first N candidates", so it keeps scanning until enough are found
- Suppressed dead_code warnings on Issue variant and deserialization-only fields
- Updated test fixtures to match the .md format

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:52:22 +00:00
Claude
ce7f533cb0
Add CI workflow for tests and enrichment dry-run
Two jobs:
- test: builds and runs cargo test
- enrichment-dry-run: runs the pipeline against 10 real advisories
  using the Actions GITHUB_TOKEN, uploads vuln_db.json as artifact

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:34:22 +00:00
Claude
430816c717
Add Phase 1: Offline Database Enrichment pipeline
Build the first phase of cargo deep-audit - a reachability-based vulnerability
scanner for Rust. This pipeline:

- Clones/caches the RustSec advisory-db and parses TOML advisory files
- Extracts crate names, patched versions, CVE/RUSTSEC IDs, and GitHub refs
- Fetches patch diffs via GitHub API (PRs resolve to merge commits)
- Analyzes unified diffs to extract modified Rust function signatures
- Outputs an enriched JSON database mapping advisory IDs to function signatures

Modules:
- advisory.rs: TOML parser with GitHub reference extraction
- github.rs: GitHub API client for commit/PR diffs
- diff_analyzer.rs: Unified diff parser extracting fn signatures from hunks
- db.rs: JSON output database structure
- main.rs: CLI orchestrator with clap

https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d
2026-03-25 01:28:25 +00:00
Claude
b0a0d8599d
Initial commit 2026-03-25 01:28:13 +00:00