Rust call analysis

cmd/osv-scanner/main.go

@@ -115,11 +115,11 @@ func run(args []string, stdout, stderr io.Writer) int {
 
 			switch format {
 			case "json":
-				r = reporter.NewJSONReporter(stdout, stderr)
+				r = reporter.NewJSONReporter(context.App.Writer, context.App.ErrWriter)
 			case "table":
-				r = reporter.NewTableReporter(stdout, stderr, false)
+				r = reporter.NewTableReporter(context.App.Writer, context.App.ErrWriter, false)
 			case "markdown":
-				r = reporter.NewTableReporter(stdout, stderr, true)
+				r = reporter.NewTableReporter(context.App.Writer, context.App.ErrWriter, true)
 			default:
 				return fmt.Errorf("%v is not a valid format", format)
 			}

go.mod

@@ -33,6 +33,7 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/goark/errs v1.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect

go.sum

@@ -42,6 +42,8 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab h1:BA4a7pe6ZTd9F8kXETBoijjFJ/ntaa//1wiH9BZu4zU=
+github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
 github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
 github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=

internal/sourceanalysis/go.go

@@ -54,6 +54,7 @@ func matchAnalysisWithPackageVulns(pkgs []models.PackageVulns, idToFindings map[
 					fillNotImportedAnalysisInfo(vulnsByID, vulnID, pv, analysis)
 					continue
 				}
+				// TODO: There feels like something's wrong here, not sure what
 				(*analysis)[vulnID] = models.AnalysisInfo{
 					Called: moduleToCalled[pv.Package.Name],
 				}

internal/sourceanalysis/rust.go

@@ -0,0 +1,283 @@
+package sourceanalysis
+
+import (
+	"bytes"
+	"debug/dwarf"
+	"debug/elf"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/google/osv-scanner/internal/cachedregexp"
+	"github.com/google/osv-scanner/internal/thirdparty/ar"
+	"github.com/google/osv-scanner/pkg/models"
+	"github.com/google/osv-scanner/pkg/reporter"
+	"github.com/ianlancetaylor/demangle"
+)
+
+const (
+	RustFlagsEnv     = "RUSTFLAGS=-C opt-level=3 -C debuginfo=1"
+	RustLibExtension = ".rcgu.o/"
+)
+
+func rustAnalysis(r reporter.Reporter, pkgs []models.PackageVulns, source models.SourceInfo) {
+	binaryPaths, err := rustBuildSource(r, source)
+	if err != nil {
+		r.PrintError(fmt.Sprintf("failed to build cargo/rust project from source: %s", err))
+		return
+	}
+
+	// This map stores 3 states for each vuln ID
+	// - There is function level vuln info, but it **wasn't** called   (false)
+	// - There is function level vuln info, and it **is** called    (true)
+	// - There is **no** functional level vuln info, so we don't know whether it is called (doesn't exist)
+	isCalledVulnMap := map[string]bool{}
+
+	for _, path := range binaryPaths {
+		if strings.HasSuffix(path, ".rlib") {
+			// Is a library, so need an extra step to extract the object binary file before passing to parseDWARFData
+			objFilePath, err := extractRlibArchive(path)
+			if err != nil {
+				r.PrintError(fmt.Sprintf("failed to analyse '%s': %s", path, err))
+				continue
+			}
+			// TODO: Do we need to care about error on deletion here?
+			defer os.Remove(objFilePath)
+		}
+		calls, err := parseDWARFData(r, path)
+		if err != nil {
+			r.PrintError(fmt.Sprintf("failed to analyse '%s': %s", path, err))
+			continue
+		}
+
+		for _, pv := range pkgs {
+			for _, v := range pv.Vulnerabilities {
+				for _, a := range v.Affected {
+					// Example of RUSTSEC function level information:
+					//
+					// "affects": {
+					//     "os": [],
+					//     "functions": [
+					//         "smallvec::SmallVec::grow"
+					//     ],
+					//     "arch": []
+					// }
+					ecosystemAffects, ok := a.EcosystemSpecific["affects"].(map[string]interface{})
+					if !ok {
+						continue
+					}
+					affectedFunctions, ok := ecosystemAffects["functions"].([]interface{})
+					if !ok {
+						continue
+					}
+					for _, f := range affectedFunctions {
+						if funcName, ok := f.(string); ok {
+							_, called := calls[funcName]
+							// Once one advisory marks this vuln as called, always mark as called
+							isCalledVulnMap[v.ID] = isCalledVulnMap[v.ID] || called
+						}
+					}
+				}
+			}
+		}
+
+		for _, pv := range pkgs {
+			for groupIdx := range pv.Groups {
+				for _, vulnID := range pv.Groups[groupIdx].IDs {
+					analysis := &pv.Groups[groupIdx].ExperimentalAnalysis
+					if *analysis == nil {
+						*analysis = make(map[string]models.AnalysisInfo)
+					}
+
+					called, hasFuncInfo := isCalledVulnMap[vulnID]
+					if hasFuncInfo {
+						(*analysis)[vulnID] = models.AnalysisInfo{
+							Called: called,
+						}
+					}
+				}
+			}
+		}
+	}
+}
+
+func parseDWARFData(_ reporter.Reporter, binaryPath string) (map[string]struct{}, error) {
+	output := map[string]struct{}{}
+	file, err := elf.Open(binaryPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open binary %s: %w", binaryPath, err)
+	}
+	dwarfData, err := file.DWARF()
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract debug symbols from binary %s: %w", binaryPath, err)
+	}
+	entryReader := dwarfData.Reader()
+
+	for {
+		entry, err := entryReader.Next()
+		if errors.Is(err, io.EOF) || entry == nil {
+			// We've reached the end of DWARF entries
+			break
+		}
+		if err != nil {
+			return nil, fmt.Errorf("error parsing binary DWARF data: %w", err)
+		}
+
+		// We only care about contents in functions
+		if entry.Tag != dwarf.TagSubprogram {
+			continue
+		}
+		// Go through fields
+		for _, field := range entry.Field {
+			// We only care about linkage names (including function names)
+			if field.Attr != dwarf.AttrLinkageName {
+				continue
+			}
+
+			val, err := demangle.ToString(field.Val.(string), demangle.NoClones)
+			if err != nil {
+				// most likely not a rust function, so just ignore it
+				continue
+			}
+
+			val = cleanRustFunctionSymbols(val)
+			output[val] = struct{}{}
+		}
+	}
+
+	return output, nil
+}
+
+// extractRlibArchive return the file path to a temporary ELF Object file extracted from the given rlib.
+//
+// It is the callers responsibility to remove the temporary file
+func extractRlibArchive(rlibPath string) (string, error) {
+	file, err := os.CreateTemp("", "rust-*.o")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temporary file: %w", err)
+	}
+	rlibFile, err := os.Open(rlibPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to open .rlib file '%s': %w", rlibPath, err)
+	}
+
+	reader, err := ar.NewReader(rlibFile)
+	if err != nil {
+		return "", fmt.Errorf(".rlib file '%s' is not valid ar archive: %w", rlibPath, err)
+	}
+	for {
+		header, err := reader.Next()
+		if err != nil {
+			log.Fatalf("%v", err)
+		}
+		if header.Name == "//" { // "//" is used in GNU ar format as a store for long file names
+			fileBuf := bytes.Buffer{}
+			// Ignore the error here as it's likely
+			_, err = io.Copy(&fileBuf, reader)
+			if err != nil {
+				return "", fmt.Errorf("failed to read // store in ar archive: %w", err)
+			}
+			// There should only be one file (since we set codegen-units=1)
+			if !strings.HasSuffix(fileBuf.String(), RustLibExtension) {
+				// TODO: Verify this, and return an error here instead.
+				log.Printf("rlib archive contents were unexpected: %s\n", fileBuf.String())
+			}
+		}
+		// /0 indicates the first file mentioned in the "//" store
+		if header.Name == "/0" || strings.HasSuffix(header.Name, RustLibExtension) {
+			break
+		}
+	}
+	_, err = io.Copy(file, reader)
+	if err != nil {
+		return "", fmt.Errorf("failed to write to temporary file '%s': %w", file.Name(), err)
+	}
+
+	filePath := file.Name()
+	err = file.Close()
+	if err != nil {
+		return "", fmt.Errorf("failed to close the temporary file '%s': %w", file.Name(), err)
+	}
+
+	return filePath, nil
+}
+
+func rustBuildSource(r reporter.Reporter, source models.SourceInfo) ([]string, error) {
+	projectBaseDir := filepath.Dir(source.Path)
+
+	cmd := exec.Command("cargo", "build", "--all-targets", "--release")
+	cmd.Env = append(cmd.Environ(), RustFlagsEnv)
+	cmd.Dir = projectBaseDir
+	if errors.Is(cmd.Err, exec.ErrDot) {
+		cmd.Err = nil
+	}
+
+	stdoutBuffer := bytes.Buffer{}
+	stderrBuffer := bytes.Buffer{}
+	cmd.Stdout = &stdoutBuffer
+	cmd.Stderr = &stderrBuffer
+
+	r.PrintText("Begin building rust/cargo project\n")
+
+	if err := cmd.Run(); err != nil {
+		r.PrintError(fmt.Sprintf("cargo stdout:\n%s", stdoutBuffer.String()))
+		r.PrintError(fmt.Sprintf("cargo stderr:\n%s", stderrBuffer.String()))
+
+		return nil, fmt.Errorf("failed to run cargo build: %w", err)
+	}
+
+	outputDir := filepath.Join(projectBaseDir, "target", "debug")
+	entries, err := os.ReadDir(outputDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read \"%s\" dir: %w", outputDir, err)
+	}
+
+	resultBinaryPaths := []string{}
+	for _, de := range entries {
+		// We only want .d files, which is generated for each output binary from cargo
+		// These files contains a string to the full path of output binary/library file.
+		// This is a reasonably reliable way to identify the output in a cross platform way.
+		if de.IsDir() || !strings.HasSuffix(de.Name(), ".d") {
+			continue
+		}
+
+		file, err := os.ReadFile(filepath.Join(outputDir, de.Name()))
+		if err != nil {
+			return nil, fmt.Errorf("failed to read \"%s\": %w", filepath.Join(outputDir, de.Name()), err)
+		}
+
+		fileSplit := strings.Split(string(file), ": ")
+		if len(fileSplit) != 2 {
+			// TODO: this can probably be fixed with more effort
+			return nil, fmt.Errorf("file path contains ': ', which is unsupported")
+		}
+		resultBinaryPaths = append(resultBinaryPaths, fileSplit[0])
+	}
+
+	return resultBinaryPaths, nil
+}
+
+// cleanRustFunctionSymbols takes in demanged rust symbols and makes them fit format of
+// the common function level advisory information
+func cleanRustFunctionSymbols(val string) string {
+	// Used to remove generics from functions and types as they are not included in function calls
+	// in advisories:
+	// E.g.: `smallvec::SmallVec<A>::new` => `smallvec::SmallVec::new`
+	//
+	// Usage: antiGenericRegex.ReplaceAllString(val, "")
+	var antiGenericRegex = cachedregexp.MustCompile(`<[\w,]+>`)
+	val = antiGenericRegex.ReplaceAllString(val, "")
+
+	// Used to remove fully qualified trait implementation indicators from the function type,
+	// since those are generally not included in advisory:
+	// E.g.: `<libflate::gzip::MultiDecoder as std::io::Read>::read` => `libflate::gzip::MultiDecoder::read`
+	var antiTraitImplRegex = cachedregexp.MustCompile(`<(.*) as .*>`)
+	val = antiTraitImplRegex.ReplaceAllString(val, "$1")
+
+	return val
+}

internal/sourceanalysis/sourceanalysis.go

@@ -30,4 +30,8 @@ func Run(r reporter.Reporter, source models.SourceInfo, pkgs []models.PackageVul
 	if source.Type == "lockfile" && filepath.Base(source.Path) == "go.mod" {
 		goAnalysis(r, pkgs, source)
 	}
+
+	if source.Type == "lockfile" && filepath.Base(source.Path) == "Cargo.lock" {
+		rustAnalysis(r, pkgs, source)
+	}
 }

internal/thirdparty/ar/COPYING

@@ -0,0 +1,19 @@
+Copyright (c) 2013 Blake Smith <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.