The old --existing-db flag skipped already-enriched entries by advisory
ID, so improvements to diff_analyzer.rs had no effect on the committed
vuln_db.json. The new --re-enrich flag re-fetches diffs for existing
entries and re-extracts symbols using the current code, updating them
in-place.
The CI enrich job now passes --re-enrich so that code changes to the
symbol extraction pipeline are reflected in the PR's vuln_db.json diff.
https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
Replaces the old enrichment-dry-run job with an enrich job that:
- Only runs on pull requests (not push to main)
- Checks out the PR branch (not merge ref) so it can push back
- Builds with --release for faster enrichment
- Uses --existing-db to resume from the committed vuln_db.json
- Enriches up to 20 new advisories with a 25-min timeout
- Commits and pushes updated vuln_db.json if it changed
- Also uploads as an artifact for inspection
The workflow has contents: write permission so the bot can push
commits to the PR branch.
https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
- Add --existing-db flag to enrich command to skip already-enriched advisories
- Add --timeout-secs flag to stop processing after a time budget
- Create .github/workflows/enrich.yml that runs hourly on a 55-minute budget
- Workflow commits enriched vuln_db.json to repo, checkpointing progress
- Each run picks up where the last left off, progressively enriching the backlog
https://claude.ai/code/session_01Pp3k3jGUtnTTqvMMr1uP4Y
Implements the next phase of cargo-deep-audit: given a Rust project and the
enriched vulnerability database, determine which vulnerable symbols are
actually called from user code.
New modules:
- lockfile.rs: Parse Cargo.lock to extract dependency names and versions
- scanner.rs: Scan .rs source files for references to vulnerable symbols
using import tracking (use statements) and call pattern matching, with
High/Medium confidence levels
- analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against
lockfile versions (semver-aware), scan source, produce structured report
Changes:
- main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2)
- db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json
- CI workflow updated for subcommand syntax
- 24 tests total (21 unit + 3 integration), all passing
https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
Two jobs:
- test: builds and runs cargo test
- enrichment-dry-run: runs the pipeline against 10 real advisories
using the Actions GITHUB_TOKEN, uploads vuln_db.json as artifact
https://claude.ai/code/session_01AeNG3herWfKhos9uZVUY5d