Rust call analysis

cmd/osv-scanner/main.go

@@ -148,7 +148,7 @@ func run(args []string, stdout, stderr io.Writer) int {
 				}
 			}
 
-			if r, err = reporter.New(format, stdout, stderr, termWidth); err != nil {
+			if r, err = reporter.New(format, context.App.Writer, context.App.ErrWriter, termWidth); err != nil {
 				return err
 			}
 

docs/_config.yml

@@ -34,6 +34,9 @@ plugins:
 color_scheme: better_contrast
 markdown: kramdown
 
+kramdown:
+  toc_levels: 1..3
+
 logo: "/assets/logo.png"
 favicon_ico: "/assets/icon.png"
 

docs/output.md

@@ -195,6 +195,176 @@ osv-scanner --format json -L path/to/lockfile > /path/to/file.json
 
 </details>
 
+
+## Call analysis
+
+With `--experimental-call-analysis` flag enabled, call information will be included in the output.
+
+### Table
+
+In the table output format, call analysis info is used to split output between vulnerabilities that
+affects code called by your project, and vulnerabilities that only affect code paths not called by
+your code.
+
+```bash
+osv-scanner --format table --experimental-call-analysis your/project/dir
+```
+
+<details markdown="1">
+<summary><b>Sample table output</b></summary>
+
+```bash
+╭─────────────────────────────────────┬──────┬───────────┬─────────────────┬─────────┬────────────────────╮
+│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE         │ VERSION │ SOURCE             │
+├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤
+│ https://osv.dev/GHSA-qc84-gqf4-9926 │ 8.1  │ crates.io │ crossbeam-utils │ 0.6.6   │ path/to/Cargo.lock │
+│ https://osv.dev/RUSTSEC-2022-0041   │      │           │                 │         │                    │
+│ https://osv.dev/GHSA-43w2-9j62-hq99 │ 9.8  │ crates.io │ smallvec        │ 1.6.0   │ path/to/Cargo.lock │
+│ https://osv.dev/RUSTSEC-2021-0003   │      │           │                 │         │                    │
+├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤
+│ Uncalled vulnerabilities            │      │           │                 │         │                    │
+├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤
+│ https://osv.dev/GHSA-xcf7-rvmh-g6q4 │      │ crates.io │ openssl         │ 0.10.52 │ path/to/Cargo.lock │
+│ https://osv.dev/RUSTSEC-2023-0044   │      │           │                 │         │                    │
+╰─────────────────────────────────────┴──────┴───────────┴─────────────────┴─────────┴────────────────────╯
+```
+</details>
+
+### JSON
+
+The JSON output will include analysis results for each vulnerability group.
+
+```bash
+osv-scanner --format json --experimental-call-analysis -L path/to/lockfile > /path/to/file.json
+```
+
+<details markdown="1">
+<summary><b>Sample JSON output</b></summary>
+
+```json
+{
+  "results": [
+    {
+      "source": {
+        "path": "path/to/Cargo.lock",
+        "type": "lockfile"
+      },
+      "packages": [
+                {
+          "package": {
+            "name": "crossbeam-utils",
+            "version": "0.6.6",
+            "ecosystem": "crates.io"
+          },
+          "vulnerabilities": [
+            {
+              "id": "GHSA-qc84-gqf4-9926",
+              "aliases": [
+                "CVE-2022-23639"
+              ]
+              // ... Full OSV
+            },
+            {
+              "id": "RUSTSEC-2022-0041",
+              "aliases": [
+                "GHSA-qc84-gqf4-9926",
+                "CVE-2022-23639"
+              ]
+              // ... Full OSV
+            }
+          ],
+          "groups": [
+            {
+              // This vuln has no function info, so no call analysis done
+              "ids": [
+                "GHSA-qc84-gqf4-9926",
+                "RUSTSEC-2022-0041"
+              ]
+            }
+          ]
+        },
+        {
+          "package": {
+            "name": "memoffset",
+            "version": "0.5.6",
+            "ecosystem": "crates.io"
+          },
+          "vulnerabilities": [
+            {
+              "id": "GHSA-wfg4-322g-9vqv"
+              // ... Full OSV
+            },
+            {
+              "id": "RUSTSEC-2023-0045",
+              "aliases": [
+                "GHSA-wfg4-322g-9vqv"
+              ]
+              // ... Full OSV
+            }
+          ],
+          "groups": [
+            {
+              "ids": [
+                "GHSA-wfg4-322g-9vqv",
+                "RUSTSEC-2023-0045"
+              ],
+              // RUSTSEC-2023-0045 does have function info, call analysis is performed
+              // the vulnerable function is not called
+              "experimentalAnalysis": {
+                "RUSTSEC-2023-0045": {
+                  "called": false
+                }
+              }
+            }
+          ]
+        },
+        {
+          "package": {
+            "name": "smallvec",
+            "version": "1.6.0",
+            "ecosystem": "crates.io"
+          },
+          "vulnerabilities": [
+            {
+              "id": "GHSA-43w2-9j62-hq99",
+              "aliases": [
+                "CVE-2021-25900"
+              ]
+              // ... Full OSV
+            },
+            {
+              "id": "RUSTSEC-2021-0003",
+              "aliases": [
+                "CVE-2021-25900",
+                "GHSA-43w2-9j62-hq99"
+              ]
+              // ... Full OSV
+            }
+          ],
+          "groups": [
+            {
+              "ids": [
+                "GHSA-43w2-9j62-hq99",
+                "RUSTSEC-2021-0003"
+              ],
+              // RUSTSEC-2021-0003 does have function info, call analysis is performed
+              // the vulnerable function does get called.
+              "experimentalAnalysis": {
+                "RUSTSEC-2021-0003": {
+                  "called": true
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
+```
+
+</details>
+
 ## Return Codes
 
 |----- 

docs/usage.md

@@ -122,9 +122,39 @@ is not being executed, these vulnerabilities will be marked as unexecuted.
 To enable call analysis, call OSV-Scanner with the `--experimental-call-analysis` flag.
 
 ### Supported languages
-- `go`
-  - Additional dependencies:
-    - `go` compiler needs to be installed and available on PATH
+
+---
+
+#### **Go**
+
+OSV-Scanner uses the `govulncheck` library to analyze Go source code to identify called vulnerable functions.
+
+##### Additional Dependencies
+
+`go` compiler needs to be installed and available on `PATH`    
+
+---
+
+#### **Rust**
+
+OSV-Scanner compiles Rust source code and analyzes the output binary's DWARF debug information to identify called vulnerable functions.
+
+##### Additional Dependencies
+
+Rust toolchain (including `cargo`) that can compile the source code being scanned needs to be installed and available on `PATH`.
+
+The installed Rust toolchain must be capable of compiling every crate/target in the scanned code, for code with
+a lot of dependencies this will take a few minutes.
+
+##### **Limitations**
+
+Current implementation has a few limitations:
+
+- Does not support dependencies on proc-macros (Tracked in [#464](https://github.com/google/osv-scanner/issues/464))
+- Does not support any dependencies that are dynamically linked
+- Does not support dependencies that link external non-rust code
+
+---
 
 ### Example
 ```bash

go.mod

@@ -24,6 +24,7 @@ require (
 )
 
 require (
+	// Vanity URL for https://github.com/imdario/mergo
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect
@@ -35,6 +36,7 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/goark/errs v1.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kr/text v0.2.0 // indirect

go.sum

@@ -48,6 +48,8 @@ github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaW
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab h1:BA4a7pe6ZTd9F8kXETBoijjFJ/ntaa//1wiH9BZu4zU=
+github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jedib0t/go-pretty/v6 v6.4.6 h1:v6aG9h6Uby3IusSSEjHaZNXpHFhzqMmjXcPq1Rjl9Jw=