vsec 0.0.1

Detect secrets and in Rust codebases
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325

// src/registry/mod.rs

pub mod definition;

use dashmap::DashMap;
use std::path::Path;
use std::sync::Arc;

pub use definition::{ConstantDefinition, ConstantVisibility, RegistryStats};

/// Thread-safe registry of constant definitions across all files.
/// Uses DashMap for lock-free concurrent access during parallel scanning.
///
/// Keys are fully qualified (file::module::name) to avoid namespace collisions
/// between constants with the same name in different modules/files.
pub struct SuspectRegistry {
    /// Primary storage: qualified_key -> ConstantDefinition
    inner: Arc<DashMap<String, ConstantDefinition>>,
    /// Secondary index: name -> Vec<qualified_key> for fast name-based lookups
    by_name: Arc<DashMap<String, Vec<String>>>,
}

impl SuspectRegistry {
    /// Create a new empty registry
    pub fn new() -> Self {
        Self {
            inner: Arc::new(DashMap::new()),
            by_name: Arc::new(DashMap::new()),
        }
    }

    /// Insert a constant definition
    pub fn insert(&self, def: ConstantDefinition) {
        let qualified_key = def.qualified_key();
        let name = def.name.clone();

        // Insert into primary storage (no collisions with qualified keys)
        self.inner.insert(qualified_key.clone(), def);

        // Update secondary index
        self.by_name
            .entry(name)
            .and_modify(|keys| {
                if !keys.contains(&qualified_key) {
                    keys.push(qualified_key.clone());
                }
            })
            .or_insert_with(|| vec![qualified_key]);
    }

    /// Look up a constant by name, preferring definitions from the same file.
    /// Returns the value if found unambiguously, or the highest-scored match
    /// if there are multiple definitions with the same name.
    pub fn get_value(&self, name: &str) -> Option<String> {
        self.get(name).map(|def| def.value)
    }

    /// Look up a constant by name, preferring definitions from the same file.
    pub fn get(&self, name: &str) -> Option<ConstantDefinition> {
        let keys = self.by_name.get(name)?;

        if keys.is_empty() {
            return None;
        }

        // If there's only one definition, return it
        if keys.len() == 1 {
            return self.inner.get(&keys[0]).map(|e| e.clone());
        }

        // Multiple definitions exist - return the one with highest score
        // (conservative approach: more suspicious = more likely to be a real issue)
        keys.iter()
            .filter_map(|k| self.inner.get(k).map(|e| e.clone()))
            .max_by_key(|def| def.preliminary_score)
    }

    /// Look up a constant by name, preferring definitions from the specified file.
    /// This provides better accuracy when the caller knows which file they're analyzing.
    pub fn get_value_for_file(&self, name: &str, file: &Path) -> Option<String> {
        self.get_for_file(name, file).map(|def| def.value)
    }

    /// Look up a constant by name, preferring definitions from the specified file.
    pub fn get_for_file(&self, name: &str, file: &Path) -> Option<ConstantDefinition> {
        let keys = self.by_name.get(name)?;

        if keys.is_empty() {
            return None;
        }

        // If there's only one definition, return it
        if keys.len() == 1 {
            return self.inner.get(&keys[0]).map(|e| e.clone());
        }

        // Try to find a definition from the same file first
        let file_prefix = format!("{}::", file.display());
        for key in keys.iter() {
            if key.starts_with(&file_prefix) {
                if let Some(def) = self.inner.get(key) {
                    return Some(def.clone());
                }
            }
        }

        // No same-file match - return highest scored
        keys.iter()
            .filter_map(|k| self.inner.get(k).map(|e| e.clone()))
            .max_by_key(|def| def.preliminary_score)
    }

    /// Get all definitions with the given name (for diagnostics/debugging)
    pub fn get_all_by_name(&self, name: &str) -> Vec<ConstantDefinition> {
        self.by_name
            .get(name)
            .map(|keys| {
                keys.iter()
                    .filter_map(|k| self.inner.get(k).map(|e| e.clone()))
                    .collect()
            })
            .unwrap_or_default()
    }

    /// Check if registry contains a name
    pub fn contains(&self, name: &str) -> bool {
        self.by_name.contains_key(name)
    }

    /// Get statistics about the registry
    pub fn stats(&self) -> RegistryStats {
        let mut total = 0;
        let mut public = 0;
        let mut suspicious = 0;

        for entry in self.inner.iter() {
            total += 1;
            if entry.visibility == ConstantVisibility::Public {
                public += 1;
            }
            if entry.preliminary_score > 30 {
                suspicious += 1;
            }
        }

        RegistryStats {
            total,
            public,
            suspicious,
        }
    }

    /// Get the number of entries in the registry
    pub fn len(&self) -> usize {
        self.inner.len()
    }

    /// Check if the registry is empty
    pub fn is_empty(&self) -> bool {
        self.inner.is_empty()
    }

    /// Iterate over all entries
    pub fn iter(&self) -> impl Iterator<Item = ConstantDefinition> + '_ {
        self.inner.iter().map(|entry| entry.value().clone())
    }
}

impl Default for SuspectRegistry {
    fn default() -> Self {
        Self::new()
    }
}

impl Clone for SuspectRegistry {
    fn clone(&self) -> Self {
        Self {
            inner: Arc::clone(&self.inner),
            by_name: Arc::clone(&self.by_name),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::path::PathBuf;

    #[test]
    fn test_insert_and_get() {
        let registry = SuspectRegistry::new();
        let def = ConstantDefinition {
            name: "SECRET_KEY".into(),
            value: "abc123".into(),
            file: PathBuf::from("src/lib.rs"),
            module_path: String::new(),
            line: 10,
            visibility: ConstantVisibility::Public,
            preliminary_score: 50,
        };

        registry.insert(def);

        assert!(registry.contains("SECRET_KEY"));
        assert_eq!(registry.get_value("SECRET_KEY"), Some("abc123".into()));
    }

    #[test]
    fn test_same_name_different_files_both_stored() {
        let registry = SuspectRegistry::new();

        let def1 = ConstantDefinition {
            name: "TOKEN".into(),
            value: "value_from_a".into(),
            file: PathBuf::from("a.rs"),
            module_path: String::new(),
            line: 1,
            visibility: ConstantVisibility::Public,
            preliminary_score: 10,
        };

        let def2 = ConstantDefinition {
            name: "TOKEN".into(),
            value: "value_from_b".into(),
            file: PathBuf::from("b.rs"),
            module_path: String::new(),
            line: 1,
            visibility: ConstantVisibility::Public,
            preliminary_score: 50,
        };

        registry.insert(def1);
        registry.insert(def2);

        // Both definitions should be stored (no collision)
        assert_eq!(registry.len(), 2);

        // get_all_by_name returns both
        let all = registry.get_all_by_name("TOKEN");
        assert_eq!(all.len(), 2);

        // get_value returns highest scored when ambiguous
        assert_eq!(registry.get_value("TOKEN"), Some("value_from_b".into()));
    }

    #[test]
    fn test_get_for_file_prefers_same_file() {
        let registry = SuspectRegistry::new();

        let def1 = ConstantDefinition {
            name: "API_KEY".into(),
            value: "key_from_a".into(),
            file: PathBuf::from("a.rs"),
            module_path: String::new(),
            line: 1,
            visibility: ConstantVisibility::Public,
            preliminary_score: 10,
        };

        let def2 = ConstantDefinition {
            name: "API_KEY".into(),
            value: "key_from_b".into(),
            file: PathBuf::from("b.rs"),
            module_path: String::new(),
            line: 1,
            visibility: ConstantVisibility::Public,
            preliminary_score: 50, // Higher score, but not in same file
        };

        registry.insert(def1);
        registry.insert(def2);

        // When looking up from file a.rs, prefer the definition from a.rs
        assert_eq!(
            registry.get_value_for_file("API_KEY", Path::new("a.rs")),
            Some("key_from_a".into())
        );

        // When looking up from file b.rs, prefer the definition from b.rs
        assert_eq!(
            registry.get_value_for_file("API_KEY", Path::new("b.rs")),
            Some("key_from_b".into())
        );

        // When looking up from an unrelated file, return highest scored
        assert_eq!(
            registry.get_value_for_file("API_KEY", Path::new("c.rs")),
            Some("key_from_b".into())
        );
    }

    #[test]
    fn test_module_path_in_key() {
        let registry = SuspectRegistry::new();

        let def1 = ConstantDefinition {
            name: "SECRET".into(),
            value: "outer".into(),
            file: PathBuf::from("lib.rs"),
            module_path: String::new(),
            line: 1,
            visibility: ConstantVisibility::Public,
            preliminary_score: 10,
        };

        let def2 = ConstantDefinition {
            name: "SECRET".into(),
            value: "inner".into(),
            file: PathBuf::from("lib.rs"),
            module_path: "inner".into(),
            line: 10,
            visibility: ConstantVisibility::Public,
            preliminary_score: 20,
        };

        registry.insert(def1);
        registry.insert(def2);

        // Both are stored (different module paths)
        assert_eq!(registry.len(), 2);

        let all = registry.get_all_by_name("SECRET");
        assert_eq!(all.len(), 2);
    }
}