rustinel-core 0.1.1

Defensive Rust supply-chain risk analysis: static signals, policy and risk diff for Cargo lockfiles.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211

//! SARIF 2.1.0 serialization for the analysis findings.
//!
//! Output is deterministic and safe to publish to code-scanning dashboards.
//! Message text is plain (SARIF consumers render it as text, not HTML), but we
//! still flatten control characters defensively.

use crate::report::RustinelReport;
use crate::signals::{RiskSignal, Severity};
use serde::Serialize;
use std::collections::BTreeMap;

#[derive(Serialize)]
pub struct SarifLog {
    #[serde(rename = "$schema")]
    schema: String,
    version: String,
    runs: Vec<SarifRun>,
}

#[derive(Serialize)]
struct SarifRun {
    tool: SarifTool,
    results: Vec<SarifResult>,
}

#[derive(Serialize)]
struct SarifTool {
    driver: SarifDriver,
}

#[derive(Serialize)]
struct SarifDriver {
    name: String,
    version: String,
    #[serde(rename = "informationUri")]
    information_uri: String,
    rules: Vec<SarifRule>,
}

#[derive(Serialize)]
struct SarifRule {
    id: String,
    name: String,
    #[serde(rename = "shortDescription")]
    short_description: SarifText,
    help: SarifText,
}

#[derive(Serialize)]
struct SarifResult {
    #[serde(rename = "ruleId")]
    rule_id: String,
    level: String,
    message: SarifText,
    /// Every result carries a location — GitHub code scanning drops results that
    /// have none. Dependency findings have no source line, so they anchor to the
    /// lockfile where the dependency is declared.
    locations: Vec<SarifLocation>,
    /// Stable, deterministic fingerprint so GitHub code scanning tracks the same
    /// finding across runs (no alert churn) instead of recomputing from text.
    #[serde(rename = "partialFingerprints")]
    partial_fingerprints: BTreeMap<String, String>,
}

#[derive(Serialize)]
struct SarifLocation {
    #[serde(rename = "physicalLocation")]
    physical_location: SarifPhysicalLocation,
}

#[derive(Serialize)]
struct SarifPhysicalLocation {
    #[serde(rename = "artifactLocation")]
    artifact_location: SarifArtifactLocation,
    region: SarifRegion,
}

#[derive(Serialize)]
struct SarifArtifactLocation {
    uri: String,
}

#[derive(Serialize)]
struct SarifRegion {
    #[serde(rename = "startLine")]
    start_line: u32,
}

#[derive(Serialize)]
struct SarifText {
    text: String,
}

/// The repo-root lockfile is the conventional location for dependency findings.
/// (rustinel does not track per-package line numbers, so results anchor to the
/// file rather than a specific line.)
const LOCKFILE_URI: &str = "Cargo.lock";

/// FNV-1a 64-bit, hex-encoded. Deterministic across platforms and versions — the
/// `std` hashers are not guaranteed stable, which would break fingerprint
/// continuity, so we hash explicitly.
fn fnv1a_hex(s: &str) -> String {
    let mut hash: u64 = 0xcbf2_9ce4_8422_2325;
    for b in s.bytes() {
        hash ^= b as u64;
        hash = hash.wrapping_mul(0x0000_0100_0000_01b3);
    }
    format!("{hash:016x}")
}

fn level_for(severity: Severity) -> &'static str {
    match severity {
        Severity::Critical | Severity::High => "error",
        Severity::Medium => "warning",
        Severity::Low | Severity::Info => "note",
    }
}

fn flatten(text: &str) -> String {
    text.chars()
        .map(|c| if c.is_control() { ' ' } else { c })
        .collect()
}

pub fn build(report: &RustinelReport) -> SarifLog {
    // One rule per distinct finding id, in deterministic order.
    let mut rules_map: BTreeMap<String, SarifRule> = BTreeMap::new();
    for finding in &report.findings {
        rules_map
            .entry(finding.id.clone())
            .or_insert_with(|| SarifRule {
                id: finding.id.clone(),
                name: rule_name(finding),
                short_description: SarifText {
                    text: rule_name(finding),
                },
                help: SarifText {
                    text: flatten(&finding.recommendation),
                },
            });
    }
    let rules: Vec<SarifRule> = rules_map.into_values().collect();

    let results: Vec<SarifResult> = report
        .findings
        .iter()
        .map(|f| {
            let detail = f
                .evidence
                .first()
                .map(|e| flatten(&e.summary))
                .unwrap_or_else(|| f.id.clone());
            let mut fingerprints = BTreeMap::new();
            // Keyed on rule + package so the same finding on the same package
            // keeps one stable alert; the `/v1` namespace lets the scheme evolve.
            fingerprints.insert(
                "rustinel/v1".to_string(),
                fnv1a_hex(&format!("{}\u{0}{}", f.id, f.package)),
            );
            SarifResult {
                rule_id: f.id.clone(),
                level: level_for(f.severity).to_string(),
                message: SarifText {
                    text: flatten(&format!("{}: {}", f.package, detail)),
                },
                locations: vec![SarifLocation {
                    physical_location: SarifPhysicalLocation {
                        artifact_location: SarifArtifactLocation {
                            uri: LOCKFILE_URI.to_string(),
                        },
                        region: SarifRegion { start_line: 1 },
                    },
                }],
                partial_fingerprints: fingerprints,
            }
        })
        .collect();

    SarifLog {
        schema: "https://json.schemastore.org/sarif-2.1.0.json".into(),
        version: "2.1.0".into(),
        runs: vec![SarifRun {
            tool: SarifTool {
                driver: SarifDriver {
                    name: report.tool.name.clone(),
                    version: report.tool.version.clone(),
                    information_uri: "https://github.com/kosiorkosa47/rustinel".into(),
                    rules,
                },
            },
            results,
        }],
    }
}

fn rule_name(finding: &RiskSignal) -> String {
    match finding.id.as_str() {
        "native_ffi_detected" => "Native FFI dependency detected".into(),
        "build_script_present" => "Build script present".into(),
        "build_script_suspicious" => "Suspicious build script (network / payload)".into(),
        "suspicious_source_exfil" => "Source matches secret-exfiltration malware pattern".into(),
        "unsafe_present" => "Unsafe code present".into(),
        "multiple_versions_same_crate" => "Multiple versions of the same crate".into(),
        "possible_typosquat" => "Possible typosquat of a popular crate".into(),
        "yanked_crate" => "Yanked crate version".into(),
        "license_unknown" => "Unknown license".into(),
        "license_detected" => "License detected".into(),
        id if id.starts_with("advisory_") => "Known security advisory".into(),
        other => other.to_string(),
    }
}