Goal
Add a Tier-3 (package-level) reachability analyzer for Rust / Cargo projects, mirroring the jsreach / pyreach / jvmreach shape. Annotate PackageVulnerability.Reachability on each Rust package as reachable / unreachable / unknown depending on whether the crate appears in the application's import set (expanded transitively through Graph.Dependencies).
Why now
Rust is the next-biggest ecosystem currently lacking reachability coverage. The mapping problem is the cleanest of any unsupported language: Rust crates publish under their crate name, which is exactly what appears in source as use crate_name::… (modulo hyphen-to-underscore: serde-json the crate ↔ serde_json the module path). Identity normalization handles essentially every case — no large curated map needed, unlike jvmreach.
Scope
- New package internal/analyzers/cargoreach/ mirroring the pyreach layout (analyzer / runner / scanner / discover / sources / cache + tests).
- Source walk: .rs files under the project root. Skip target/, .cargo/, vendor/, VCS dirs.
- Scanner: line-oriented use directive scanner. Handle use foo;, use foo::bar;, use foo::{a, b};, use foo::*;, extern crate foo;. Skip relative paths (use self::…, use super::…, use crate::…). Drop stdlib crates (std, core, alloc, proc_macro, test).
- Mapping: identity normalization — replace _ with - to canonicalize against PyPI-style crate names. Cargo accepts both forms in Cargo.toml; the source-level use foo_bar and the Cargo coord foo-bar are the same crate.
- Per-project FileCache invalidating on Cargo.lock content change.
- Plugin command picks up via AnalyzerDescriptors automatically.
- INFO/DEBUG/WARN logging mirroring pyreach.
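A sketch of the scanner and mapping bullets above in Go, added here as an example rather than code from the repository: the function names and the skipRoots set are assumptions, and it also accepts pub use and the explicit-external form use ::foo, which the scope list does not call out.

```go
package main

import (
	"bufio"
	"sort"
	"strings"
)

// Roots that never name an external Cargo dependency: relative paths and stdlib crates.
var skipRoots = map[string]bool{"self": true, "super": true, "crate": true,
	"std": true, "core": true, "alloc": true, "proc_macro": true, "test": true}

// NormalizeCrate maps a module-path root to its Cargo crate name (serde_json -> serde-json).
func NormalizeCrate(name string) string { return strings.ReplaceAll(name, "_", "-") }

// crateFromUse returns the normalized root crate of one `use` / `extern crate` line, or "" if the line is not an import or names no external crate.
func crateFromUse(line string) string {
	s := strings.TrimSpace(line)
	if i := strings.Index(s, " "); strings.HasPrefix(s, "pub") && i > 0 { // pub use, pub(crate) use
		s = strings.TrimSpace(s[i+1:])
	}
	path := strings.TrimPrefix(strings.TrimPrefix(s, "extern crate "), "use ")
	if path == s { // neither keyword present: not an import line
		return ""
	}
	root := strings.TrimPrefix(strings.TrimSpace(path), "::") // `use ::foo` explicit external path
	if end := strings.IndexAny(root, ":;{ "); end >= 0 {     // root ends at `::`, `;`, `{` or ` as`
		root = root[:end]
	}
	if root == "" || skipRoots[root] {
		return ""
	}
	return NormalizeCrate(root)
}

// ScanImports returns the sorted, de-duplicated crate set referenced by one .rs file.
func ScanImports(src string) []string {
	seen := map[string]bool{}
	for sc := bufio.NewScanner(strings.NewReader(src)); sc.Scan(); {
		if c := crateFromUse(sc.Text()); c != "" {
			seen[c] = true
		}
	}
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}
```

Being line-oriented, it also misses multi-line use blocks and imports inside block comments or string literals, which is part of the Tier-3 imprecision to document.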
Smoke fixture
Look for a Veracode example-rust repo or pick a small public Cargo project with stale deps. Pin to a verified commit SHA.
References
- Template: internal/analyzers/pyreach
- Detector: internal/detectors/cargo (already in tree)
- SDK: LanguageRust and PackageManagerCargo exist in sdk/language.go / sdk/package_manager.go.
- Docs: append a row to docs/REACHABILITY.md ecosystem table; add a cargoreach Tier-3 caveat section.
Tier-3 caveats to document
Same shape as the existing Tier-3 sections: dynamic loading via libloading, inventory macro-collected items, build-script-emitted code, conditional #[cfg] blocks — all invisible to a static scanner.