padlock-cli 0.9.5

Struct memory layout analyzer for C, C++, Rust, and Go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

// padlock-cli/src/commands/analyze.rs

use std::path::PathBuf;

use padlock_core::findings::Report;

use crate::config::Config;
use crate::filter::{FailSeverity, FilterArgs};
use crate::paths::collect_layouts;

/// Output and arch options for the `analyze` subcommand.
pub struct AnalyzeOpts {
    pub json: bool,
    pub sarif: bool,
    pub markdown: bool,
    pub cache_line_size: Option<usize>,
    pub word_size: Option<usize>,
    pub fail_on_severity: Option<FailSeverity>,
    /// Rust target triple or short arch name (e.g. `aarch64-apple-darwin`).
    /// Overrides the `arch.override` config value.
    pub target: Option<String>,
}

pub fn run(paths: &[PathBuf], opts: AnalyzeOpts, filter: &FilterArgs) -> anyhow::Result<()> {
    let AnalyzeOpts {
        json,
        sarif,
        markdown,
        cache_line_size,
        word_size,
        fail_on_severity,
        target,
    } = opts;
    // Load config by searching upward from the first supplied path.
    let cfg = Config::for_path(
        paths
            .first()
            .map(|p| p.as_path())
            .unwrap_or(std::path::Path::new(".")),
    );

    // Merge config filter defaults into a local copy; CLI flags take precedence.
    let mut filter = filter.clone();
    filter.apply_config_defaults(&cfg);

    // Collect layouts from all paths (dirs expanded, binaries via DWARF).
    let (mut layouts, analyzed) = collect_layouts(paths)?;

    // Apply arch override: CLI --target takes precedence over config arch.override.
    let arch_name_override = target.as_deref().or(cfg.arch_override.as_deref());
    if let Some(arch_name) = arch_name_override {
        let arch = padlock_core::arch::arch_by_name(arch_name).unwrap_or_else(|| {
            eprintln!("padlock: warning: unknown target/arch '{arch_name}', ignoring override");
            padlock_dwarf::reader::detect_arch_from_host()
        });
        for layout in &mut layouts {
            layout.arch = arch;
        }
    }

    // Apply --cache-line-size / --word-size overrides per layout.
    if cache_line_size.is_some() || word_size.is_some() {
        for layout in &mut layouts {
            layout.arch =
                padlock_core::arch::with_overrides(layout.arch, cache_line_size, word_size);
        }
    }

    // Apply config ignore list and path exclusions, then CLI pre-filters (name, size, holes).
    layouts.retain(|l| {
        !cfg.is_ignored(&l.name)
            && !l
                .source_file
                .as_deref()
                .map(|f| cfg.is_path_excluded(f))
                .unwrap_or(false)
    });
    filter.apply_to_layouts(&mut layouts)?;

    // Run all analysis passes.
    let mut report = Report::from_layouts(&layouts);
    report.analyzed_paths = analyzed;

    // Apply config severity filter (respects per-struct overrides).
    for sr in &mut report.structs {
        sr.findings
            .retain(|f| cfg.should_report_for(&sr.struct_name, f.severity()));
    }

    // Apply post-analysis CLI filters (packable) and sort.
    filter.apply_to_report(&mut report);

    // Check fail_below score threshold (config-based, per-struct overrides).
    let score_failed = report.structs.iter().any(|s| {
        let threshold = cfg.fail_below_for(&s.struct_name);
        threshold > 0 && s.score < threshold as f64
    });

    // Check --fail-on-severity threshold (CLI flag takes precedence; config fallback).
    let effective_fail_sev: Option<FailSeverity> = fail_on_severity.or_else(|| {
        cfg.fail_on_severity.as_ref().map(|s| match s {
            padlock_core::findings::Severity::High => FailSeverity::High,
            padlock_core::findings::Severity::Medium => FailSeverity::Medium,
            padlock_core::findings::Severity::Low => FailSeverity::Low,
        })
    });
    let severity_failed = if let Some(ref threshold) = effective_fail_sev {
        report
            .structs
            .iter()
            .flat_map(|s| &s.findings)
            .any(|f| threshold.matches(f.severity()))
    } else {
        false
    };

    let failed = score_failed || severity_failed;

    if sarif {
        println!("{}", padlock_output::to_sarif(&report)?);
    } else if json {
        println!("{}", padlock_output::to_json(&report)?);
    } else if markdown {
        print!("{}", padlock_output::to_markdown(&report));
    } else {
        print!("{}", padlock_output::render_report(&report));
    }

    if failed {
        std::process::exit(1);
    }

    Ok(())
}