1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-08 04:08:07 +00:00
rustvulncheck/Cargo.toml
Claude a2db0d4d15
Add syn-based type tracking and golden codebase integration tests
Type tracking (type_tracker.rs):
- Uses syn AST parsing to resolve variable types from function parameters,
  let bindings with annotations, constructor calls (Type::new()), struct
  literals, builder patterns, and closure parameters
- Integrated into scanner to promote method-call matches from Medium to
  High confidence when the receiver's type is known

Golden integration tests:
- vulnerable_project: 4 vulnerable deps, 3 with reachable calls across
  multiple files (qualified calls, typed method calls, constructor-inferred
  types). Verifies regex dep is listed but Compiler::compile is NOT reachable.
- safe_project: patched deps (hyper, smallvec) excluded, vulnerable deps
  (tokio, regex) listed but no symbols reachable. Reports POSSIBLY SAFE.
- clean_project: no vulnerable deps at all. Reports CLEAN.

37 tests total (33 unit + 4 integration), all passing.

https://claude.ai/code/session_011sdj18ZvQYbDVwEKqrWDj1
2026-03-25 12:44:13 +00:00

20 lines
440 B
TOML

[package]
name = "cargo-deep-audit"
version = "0.1.0"
edition = "2021"
[dependencies]
clap = { version = "4", features = ["derive", "env"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
toml = "0.8"
reqwest = { version = "0.12", features = ["blocking", "json"] }
regex = "1"
git2 = "0.19"
walkdir = "2"
anyhow = "1"
semver = "1"
syn = { version = "2", features = ["full", "visit"] }
[dev-dependencies]
tempfile = "3"