mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-11 07:31:38 +00:00
Implements the next phase of cargo-deep-audit: given a Rust project and the enriched vulnerability database, determine which vulnerable symbols are actually called from user code. New modules: - lockfile.rs: Parse Cargo.lock to extract dependency names and versions - scanner.rs: Scan .rs source files for references to vulnerable symbols using import tracking (use statements) and call pattern matching, with High/Medium confidence levels - analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against lockfile versions (semver-aware), scan source, produce structured report Changes: - main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2) - db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json - CI workflow updated for subcommand syntax - 24 tests total (21 unit + 3 integration), all passing https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
50 lines
1.3 KiB
JSON
50 lines
1.3 KiB
JSON
{
|
|
"generated_at": "unix:1700000000",
|
|
"entries": [
|
|
{
|
|
"advisory_id": "RUSTSEC-2024-0001",
|
|
"package": "hyper",
|
|
"title": "Lenient HTTP header parsing allows request smuggling",
|
|
"date": "2024-01-15",
|
|
"patched_versions": [">= 1.0.0"],
|
|
"commit_sha": "abc123",
|
|
"vulnerable_symbols": [
|
|
{
|
|
"file": "src/http/request.rs",
|
|
"function": "hyper::http::Request::parse",
|
|
"change_type": "Modified"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"advisory_id": "RUSTSEC-2024-0002",
|
|
"package": "tokio",
|
|
"title": "Race condition in task cancellation",
|
|
"date": "2024-02-01",
|
|
"patched_versions": [">= 1.33.0"],
|
|
"commit_sha": "def456",
|
|
"vulnerable_symbols": [
|
|
{
|
|
"file": "src/runtime/task.rs",
|
|
"function": "tokio::runtime::task::Task::cancel",
|
|
"change_type": "Modified"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"advisory_id": "RUSTSEC-2024-0099",
|
|
"package": "serde",
|
|
"title": "Fake advisory for testing",
|
|
"date": "2024-03-01",
|
|
"patched_versions": [">= 1.0.180"],
|
|
"commit_sha": "ghi789",
|
|
"vulnerable_symbols": [
|
|
{
|
|
"file": "src/de.rs",
|
|
"function": "serde::de::Deserializer::deserialize",
|
|
"change_type": "Modified"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|