git-forensic 0.1.0

Forensic anomaly auditor for Git object stores — backdated commits, rewritten history, unsigned-in-signed-history, and unreachable objects as graded report::Finding, built on git-core
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

//! Reachability analysis: objects present in the store but reachable from no
//! ref. Such an object is residue of deleted or rewritten history — it remains
//! resurrectable from the object store until garbage-collected. Commits are the
//! most telling (a whole dropped line of development); blobs and trees are
//! lower-signal. An examiner follows these leads; they are never a verdict.

use std::collections::HashSet;

use forensicnomicon::report::{Category, Evidence, Observation, Severity};
use git_core::{GitHash, GitRepo, ObjectKind, Result};

/// An object present in the store yet reachable from no ref.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UnreachableObject {
    /// The unreachable object's hash.
    pub object: GitHash,
    /// Its kind as a lowercase git type (`commit`, `tree`, `blob`, `tag`).
    pub kind: String,
}

impl Observation for UnreachableObject {
    fn severity(&self) -> Option<Severity> {
        // A resurrectable dropped commit (deleted/rewritten history) is the
        // sharper lead; a loose blob/tree is lower signal.
        if self.kind == "commit" {
            Some(Severity::Medium)
        } else {
            Some(Severity::Low)
        }
    }

    fn code(&self) -> &'static str {
        "GIT-UNREACHABLE-OBJECT"
    }

    fn category(&self) -> Category {
        // Residue of deleted/rewritten history.
        Category::Residue
    }

    fn note(&self) -> String {
        format!(
            "{} object reachable from no ref; consistent with deleted or rewritten \
             history (the object remains resurrectable from the store until gc)",
            self.kind
        )
    }

    fn evidence(&self) -> Vec<Evidence> {
        vec![
            Evidence {
                field: "object".into(),
                value: self.object.to_hex(),
                location: None,
            },
            Evidence {
                field: "kind".into(),
                value: self.kind.clone(),
                location: None,
            },
        ]
    }
}

fn kind_str(kind: ObjectKind) -> &'static str {
    match kind {
        ObjectKind::Commit => "commit",
        ObjectKind::Tree => "tree",
        ObjectKind::Blob => "blob",
        ObjectKind::Tag => "tag",
    }
}

/// Compute the set of objects reachable from every ref tip.
///
/// Walks commit → parents + tree, tree → entries (subtrees + blobs). A tag is
/// opaque (git-core does not parse tag targets), so a tag tip contributes only
/// itself; this is sound for the common branch/HEAD tips used in practice.
///
/// Objects that fail to read or parse are recorded as reached-but-not-expanded
/// rather than aborting the walk — robustness on a damaged store beats a hard
/// failure.
fn reachable_set(repo: &GitRepo) -> HashSet<GitHash> {
    let mut reached = HashSet::new();
    let mut stack: Vec<GitHash> = repo.all_refs().into_iter().map(|(_, h)| h).collect();

    while let Some(hash) = stack.pop() {
        if !reached.insert(hash) {
            continue;
        }
        let Ok(obj) = repo.read_object(&hash) else {
            continue;
        };
        match obj.kind {
            ObjectKind::Commit => {
                if let Ok(commit) = repo.read_commit(&hash) {
                    stack.push(commit.tree);
                    stack.extend(commit.parents);
                }
            }
            ObjectKind::Tree => {
                if let Ok(tree) = repo.read_tree(&hash) {
                    stack.extend(tree.entries.into_iter().map(|e| e.hash));
                }
            }
            // Blobs are leaves; tags are opaque here.
            ObjectKind::Blob | ObjectKind::Tag => {}
        }
    }
    reached
}

/// Audit `repo` for objects reachable from no ref (`all_objects − reachable`).
///
/// # Errors
/// Propagates a [`git_core`] error from object enumeration.
pub fn audit_unreachable(repo: &GitRepo) -> Result<Vec<UnreachableObject>> {
    let reached = reachable_set(repo);
    let mut out = Vec::new();
    for hash in repo.all_objects()? {
        if reached.contains(&hash) {
            continue;
        }
        // Determine the kind for grading; an unreadable object is reported as
        // "unknown" rather than dropped, so its presence is still surfaced.
        let kind = repo
            .read_object(&hash)
            .map_or("unknown", |o| kind_str(o.kind))
            .to_string();
        out.push(UnreachableObject { object: hash, kind });
    }
    Ok(out)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn note_and_grading_depend_on_kind() {
        let commit = UnreachableObject {
            object: GitHash::from_hex("0123456789abcdef0123456789abcdef01234567").unwrap(),
            kind: "commit".into(),
        };
        let blob = UnreachableObject {
            object: GitHash::from_hex("89abcdef0123456789abcdef0123456789abcdef").unwrap(),
            kind: "blob".into(),
        };
        assert_eq!(commit.severity(), Some(Severity::Medium));
        assert_eq!(blob.severity(), Some(Severity::Low));
        assert_eq!(commit.code(), "GIT-UNREACHABLE-OBJECT");
        assert_eq!(commit.category(), Category::Residue);
        assert!(commit.note().contains("commit"));
    }
}