mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-08 20:25:28 +00:00
Implements the next phase of cargo-deep-audit: given a Rust project and the enriched vulnerability database, determine which vulnerable symbols are actually called from user code. New modules: - lockfile.rs: Parse Cargo.lock to extract dependency names and versions - scanner.rs: Scan .rs source files for references to vulnerable symbols using import tracking (use statements) and call pattern matching, with High/Medium confidence levels - analyzer.rs: Orchestrate the full pipeline — load vuln_db, match against lockfile versions (semver-aware), scan source, produce structured report Changes: - main.rs refactored into subcommands: `enrich` (Phase 1) and `analyze` (Phase 2) - db.rs/diff_analyzer.rs: Added Deserialize support to load vuln_db.json - CI workflow updated for subcommand syntax - 24 tests total (21 unit + 3 integration), all passing https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
72 lines
1.6 KiB
YAML
72 lines
1.6 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Cache cargo registry & build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
target
|
|
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-
|
|
|
|
- name: Build
|
|
run: cargo build --verbose
|
|
|
|
- name: Run tests
|
|
run: cargo test --verbose
|
|
|
|
enrichment-dry-run:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Cache cargo registry & build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
target
|
|
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-
|
|
|
|
- name: Build
|
|
run: cargo build
|
|
|
|
- name: Run enrichment pipeline (10 advisories)
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: cargo run -- enrich --limit 10 --output vuln_db.json
|
|
|
|
- name: Show output
|
|
run: cat vuln_db.json
|
|
|
|
- name: Upload enriched DB artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: vuln-db
|
|
path: vuln_db.json
|