mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-08 20:25:28 +00:00
Type tracking (type_tracker.rs): - Uses syn AST parsing to resolve variable types from function parameters, let bindings with annotations, constructor calls (Type::new()), struct literals, builder patterns, and closure parameters - Integrated into scanner to promote method-call matches from Medium to High confidence when the receiver's type is known Golden integration tests: - vulnerable_project: 4 vulnerable deps, 3 with reachable calls across multiple files (qualified calls, typed method calls, constructor-inferred types). Verifies regex dep is listed but Compiler::compile is NOT reachable. - safe_project: patched deps (hyper, smallvec) excluded, vulnerable deps (tokio, regex) listed but no symbols reachable. Reports POSSIBLY SAFE. - clean_project: no vulnerable deps at all. Reports CLEAN. 37 tests total (33 unit + 4 integration), all passing. https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
20 lines
440 B
TOML
20 lines
440 B
TOML
[package]
|
|
name = "cargo-deep-audit"
|
|
version = "0.1.0"
|
|
edition = "2021"
|
|
|
|
[dependencies]
|
|
clap = { version = "4", features = ["derive", "env"] }
|
|
serde = { version = "1", features = ["derive"] }
|
|
serde_json = "1"
|
|
toml = "0.8"
|
|
reqwest = { version = "0.12", features = ["blocking", "json"] }
|
|
regex = "1"
|
|
git2 = "0.19"
|
|
walkdir = "2"
|
|
anyhow = "1"
|
|
semver = "1"
|
|
syn = { version = "2", features = ["full", "visit"] }
|
|
|
|
[dev-dependencies]
|
|
tempfile = "3"
|