rustsec-reachability is a Rust vulnerability analysis tool.
It does two things:
- checks whether a project depends on crates with known RustSec advisories
- tries to determine whether the affected functions are actually reachable
The repository also contains callgraph4rs, which is the call graph component used by the analysis.
Version-based scanning is useful, but it often produces results that still need manual review. This project tries to narrow that gap by combining advisory data with function-level call graph analysis.
There are two main workflows:
- check: scan a local Rust project from its lockfile and report advisories with reachability hints
- analyze: run dependency propagation analysis for a specific advisory or a batch of advisories
In practice, most users only need check.
```bash
cargo build --release
cargo install --path callgraph4rs
```
If you have never used the project before, start with these steps.
- Download the repository.
- Open a terminal.
- Enter the project directory.
- Build the binaries.
- Run the example below.
You need Rust and Cargo installed first. If they are not available yet, install them with rustup.
If you use git:
```bash
git clone https://github.com/xizheyin/rustsec-reachability
cd rustsec-reachability
export REPO_ROOT=$(pwd)
```
If you downloaded a ZIP archive from the repository page, unzip it first and then enter the extracted directory:
```bash
cd rustsec-reachability
export REPO_ROOT=$(pwd)
```
Then build the project and install the integrated call graph component:
```bash
cargo build --release
cargo install --path callgraph4rs
```
If you want a case that can be run from the command line from scratch, use v_frame 0.3.2.
This crate depends on maligned 0.2.1. RustSec records RUSTSEC-2023-0017 for maligned.
```bash
tmpdir=$(mktemp -d /tmp/rreach-vframe-XXXXXX)
cd "$tmpdir"
curl -A "rustsec-reachability/0.1" -fL https://static.crates.io/crates/v_frame/v_frame-0.3.2.crate -o v_frame-0.3.2.crate
tar -xzf v_frame-0.3.2.crate
cd "$REPO_ROOT"
"$REPO_ROOT/target/release/cvetracker4rs" check --path "$tmpdir/v_frame-0.3.2"
```
Example output:
```text
Scanning dependencies in .../v_frame-0.3.2...
Found 1 advisories:
✗ VULNERABLE RUSTSEC-2023-0017
Package: maligned 0.2.1
Title: `maligned::align_first` causes incorrect deallocation
Affected functions:
- maligned::align_first
- maligned::align_first_boxed
- maligned::align_first_boxed_cloned
- maligned::align_first_boxed_default
Call chains:
→ frame::Frame::<T>::new_with_padding -> plane::Plane::<T>::new -> plane::PlaneData::<T>::new -> maligned::align_first_boxed_cloned::<T, maligned::A64>
```
You can compare this result with the output of `cargo audit` to verify it.
More details about the check workflow and dependency resolution are in CHECK_WORKFLOW.md.
After that, run the same command on your own project:
```bash
cargo run --bin cvetracker4rs -- check --path /path/to/project
```
Scan the current project:
```bash
cargo run --bin cvetracker4rs -- check --path .
```
Run advisory propagation analysis:
```bash
./target/release/cvetracker4rs analyze RUSTSEC-2019-0017
```
Run a batch from CSV:
```bash
./target/release/run_from_csv examples/tasks.csv
```
The check command reports three statuses:
- ✗ VULNERABLE: a call path to an affected function was found
- ⚠ POTENTIALLY VULNERABLE: affected functions are known, but no call path was found
- ℹ INFO: no function-level information was available from the advisory data
These results are still analysis output, not a guarantee. Reachability depends on the quality of the advisory metadata and the call graph.
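An added example, not part of the project's code: a small Python parser for the check report format shown above, plus a helper that maps the three statuses to a CI exit code so that only reachable (VULNERABLE) findings fail a build while the other two are surfaced for manual review. The sample report is constructed from the v_frame output above, not captured from a real run.

```python
import re
from dataclasses import dataclass, field
# Constructed sample modelled on the v_frame output shown above (not captured from a real run).
SAMPLE_OUTPUT = """\
Scanning dependencies in /tmp/v_frame-0.3.2...
Found 1 advisories:
✗ VULNERABLE RUSTSEC-2023-0017
Package: maligned 0.2.1
Title: `maligned::align_first` causes incorrect deallocation
Affected functions:
- maligned::align_first
- maligned::align_first_boxed_cloned
Call chains:
→ frame::Frame::<T>::new_with_padding -> plane::Plane::<T>::new -> maligned::align_first_boxed_cloned::<T, maligned::A64>
"""
STATUS_RE = re.compile(r"^(?:✗|⚠|ℹ) (VULNERABLE|POTENTIALLY VULNERABLE|INFO) (RUSTSEC-\d{4}-\d{4})$")
@dataclass
class Finding:
    status: str
    advisory: str
    package: str = ""
    affected: list = field(default_factory=list)  # affected function paths
    chains: list = field(default_factory=list)    # each chain as a list of function names

def parse_check_output(text):
    """Turn the human-readable check report into Finding records."""
    findings, section = [], None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), m.group(2)))
            section = None
        elif not findings:
            continue  # preamble before the first advisory
        elif line.startswith("Package: "):
            findings[-1].package = line[len("Package: "):]
        elif line in ("Affected functions:", "Call chains:"):
            section = line
        elif section == "Affected functions:" and line.startswith("- "):
            findings[-1].affected.append(line[2:])
        elif section == "Call chains:" and line.startswith("→ "):
            findings[-1].chains.append([f.strip() for f in line[2:].split("->")])
    return findings

def ci_exit_code(findings, fail_on_potential=False):
    """0: nothing found; 1: reachable affected function (fail the build); 2: needs manual review."""
    statuses = {f.status for f in findings}
    if "VULNERABLE" in statuses or (fail_on_potential and "POTENTIALLY VULNERABLE" in statuses):
        return 1
    return 2 if statuses else 0
```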
Create a .env file if you want to use propagation analysis or Docker-based database setup:
```ini
PG_HOST=localhost:5432
PG_USER=rust
PG_PASSWORD=rust
PG_DATABASE=crates_io_db
DOWNLOAD_DIR=./downloads
WORKING_DIR=./downloads/working
MAX_CONCURRENT_BFS_NODES=32
MAX_CONCURRENT_DEP_DOWNLOAD=32
RUST_LOG=info
LOG_DIR=./logs
```
The check command does not require PostgreSQL. The database is only needed for the propagation workflow.
If you want the propagation workflow, the simplest setup is:
```bash
bash scripts/docker/run-docker.sh db-oneclick-min
```
That imports the subset of the crates.io dump currently used by this project. If you want the full dump instead:
```bash
bash scripts/docker/run-docker.sh db-oneclick
```
More details are in DOCKER_USAGE.md.
Batch analysis expects CSV rows like this:
```csv
cve_id,crate_name,version_range,target_function_paths
RUSTSEC-2019-0017,smallvec,<0.6.10,"smallvec::SmallVec::insert_many"
CVE-2025-31130,gix-features,<0.41.0,"gix_features::hash::Hasher::digest"
```
An example file is available in examples/tasks.csv.
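As an added example (not part of the project's code), here is a Python checker for rows in the batch CSV layout above: it validates the advisory id, the function path and the version range before a batch is handed to run_from_csv, and can test whether a concrete crate version falls inside a row's range. It assumes version ranges are comma-separated bounds with a comparison operator such as `<0.6.10` (the form the sample rows use; anything else is rejected) and one function path per row; the sample rows are constructed, with a deliberately malformed last row.

```python
import csv, io, re

# Constructed sample in the layout of examples/tasks.csv shown above. The last row is
# deliberately malformed (bad id, unsupported version bound, bad path) to exercise validation.
SAMPLE_CSV = """\
cve_id,crate_name,version_range,target_function_paths
RUSTSEC-2019-0017,smallvec,<0.6.10,"smallvec::SmallVec::insert_many"
CVE-2025-31130,gix-features,<0.41.0,"gix_features::hash::Hasher::digest"
NOT-AN-ID,badcrate,~1.2,"not a path"
"""
ID_RE = re.compile(r"^(RUSTSEC-\d{4}-\d{4}|CVE-\d{4}-\d{4,})$")
PATH_RE = re.compile(r"^[A-Za-z_]\w*(::[A-Za-z_]\w*)+$")      # crate::module::item
BOUND_RE = re.compile(r"^(<=|>=|<|>|=)(\d+\.\d+\.\d+)$")        # assumed bound syntax, e.g. <0.6.10
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def parse_bounds(version_range):
    """Split 'bound, bound, ...' into (operator, version tuple) pairs; reject anything else."""
    bounds = []
    for part in version_range.split(","):
        m = BOUND_RE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported version bound: {part.strip()!r}")
        bounds.append((m.group(1), tuple(int(x) for x in m.group(2).split("."))))
    return bounds

def version_matches(version, version_range):
    """True if a concrete crate version satisfies every bound of the range."""
    v = tuple(int(x) for x in version.split("."))
    return all(OPS[op](v, bound) for op, bound in parse_bounds(version_range))

def load_tasks(text):
    """Return (valid_rows, errors); errors are (csv line number, message) pairs."""
    valid, errors = [], []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        problems = []
        if not ID_RE.match(row["cve_id"]):
            problems.append(f"bad advisory id {row['cve_id']!r}")
        try:
            parse_bounds(row["version_range"])
        except ValueError as exc:
            problems.append(str(exc))
        if not PATH_RE.match(row["target_function_paths"]):
            problems.append(f"bad function path {row['target_function_paths']!r}")
        if problems:
            errors.append((lineno, "; ".join(problems)))
        else:
            valid.append(row)
    return valid, errors
```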
- src/: main application code
- callgraph4rs/: integrated call graph component
- docs/: project documentation
- scripts/: helper scripts
- examples/: example inputs

- Install the call graph tools with `cargo install --path callgraph4rs` if `call-cg4rs` is missing
- Reachability analysis can be slow on large projects
- Advisory metadata is incomplete for many RustSec entries, so some results remain best-effort
If you want to work on the project locally:
```bash
cargo build
cargo install --path callgraph4rs
```
The current contribution guide is in CONTRIBUTING.md.
This repository is available under either MIT or Apache-2.0, at your option.