mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-09 21:06:59 +00:00
Implements the next phase of cargo-deep-audit: given a Rust project and the enriched vulnerability database, determine which vulnerable symbols are actually called from user code. New modules: - lockfile.rs: Parse Cargo.lock to extract dependency names and versions - scanner.rs: Scan .rs source files for references to vulnerable symbols using import tracking (use statements) and call pattern matching, with High/Medium confidence levels - analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against lockfile versions (semver-aware), scan source, produce structured report Changes: - main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2) - db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json - CI workflow updated for subcommand syntax - 24 tests total (21 unit + 3 integration), all passing https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
19 lines
386 B
TOML
19 lines
386 B
TOML
[package]
|
|
name = "cargo-deep-audit"
|
|
version = "0.1.0"
|
|
edition = "2021"
|
|
|
|
[dependencies]
|
|
clap = { version = "4", features = ["derive", "env"] }
|
|
serde = { version = "1", features = ["derive"] }
|
|
serde_json = "1"
|
|
toml = "0.8"
|
|
reqwest = { version = "0.12", features = ["blocking", "json"] }
|
|
regex = "1"
|
|
git2 = "0.19"
|
|
walkdir = "2"
|
|
anyhow = "1"
|
|
semver = "1"
|
|
|
|
[dev-dependencies]
|
|
tempfile = "3"
|