1 | 1 | // SPDX-License-Identifier: PMPL-1.0-or-later |
2 | | -= panic-attacker — Show Me The Receipts |
| 2 | += panic-attack — Show Me The Receipts |
3 | 3 | :toc: |
4 | 4 | :icons: font |
5 | 5 |
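Review bot: the document title is renamed from `panic-attacker` to `panic-attack` on line 2 of the new file, but nothing in this change touches the README this file is meant to back up (line 6 still says "The README makes claims"). Confirm the README title, the crate name in `Cargo.toml` and any badge or link text use the same spelling, otherwise the two documents disagree on the project's own name on their first line.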
|
6 | 6 | The README makes claims. This file backs them up. |
7 | 7 |
|
8 | | -[quote, README] |
9 | | -____ |
10 | | -See the link:README.adoc[README] for details. |
11 | | -____ |
| 8 | +== Claims Substantiation |
| 9 | + |
| 10 | +=== Claim 1: "47-language static analysis across multiple families" |
| 11 | + |
| 12 | +**How it works:** The `src/assail/analyzer.rs` module implements a per-file language detector that identifies file extension and shebang, dispatching to language-specific pattern matchers in `src/assail/patterns.rs`. Each language family (C/C++, Python, JavaScript, Rust, Go, etc.) has dedicated regex-based weak point detectors (unwrap, panic, unsafe blocks, expect, eval, hardcoded secrets). The analyzer processes 47 distinct language patterns without requiring external parsers—pattern-based shallow analysis enables fast scanning across heterogeneous codebases. |
| 13 | + |
| 14 | +**Caveat:** Pattern-based analysis has false negatives (e.g., dead code paths triggering unwrap won't be caught) and false positives (commented-out panic sites flagged). Full AST-based analysis would eliminate these but scale poorly. For production, pair with specialized language linters (clippy, pylint) for each language. |
| 15 | + |
| 16 | +**Evidence:** `src/assail/patterns.rs` defines language-specific patterns; `src/assail/analyzer.rs` performs dispatch and aggregation; `src/main.rs` exposes the `assail` subcommand. |
| 17 | + |
| 18 | +=== Claim 2: "miniKanren logic engine for taint analysis and cross-language reasoning" |
| 19 | + |
| 20 | +**How it works:** The `src/kanren/` module implements a miniKanren-inspired relational database with forward chaining. The `taint.rs` submodule tracks data flow from sources (user input, network calls, deserialization) to sinks (eval, shell exec, SQL queries). The `crosslang.rs` analyzer detects vulnerability chains across FFI boundaries by building facts about callers, callees, and their types. The `strategy.rs` module selects search strategies (risk-weighted, language-family-first, breadth-first) based on project characteristics. |
| 21 | + |
| 22 | +**Caveat:** Miniature implementation (not full Kanren) with limited rule expressiveness. Taint tracking is flow-insensitive (doesn't track control flow precisely). For correctness-critical applications, integrate with full constraint solvers (Z3, Coq). |
| 23 | + |
| 24 | +**Evidence:** `src/kanren/core.rs` defines unification and fact database; `src/kanren/taint.rs` implements taint propagation; `src/kanren/strategy.rs` selects search algorithms. |
12 | 25 |
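Review bot: the false-negative example in the Claim 1 caveat (line 14) is backwards: a regex scanner flags an `unwrap` on a dead code path, which is a false positive, not a miss; a false negative would be an `unwrap` reached through a macro, trait method or aliased call that the pattern does not match. Rewrite the sentence so each example matches its label, and temper "Full AST-based analysis would eliminate these", since an AST only removes the commented-out hits, not the dead-code ones. In the Claim 2 caveat (line 22), Coq is a proof assistant rather than a constraint solver, so either drop it or say "SMT solvers (Z3) or proof assistants (Coq)". Finally, each "Evidence" line cites only source paths; a receipts file should also point at the test or fixture that exercises the claim (for example the test that enumerates the 47 language patterns), since the path alone does not substantiate the number.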
|
13 | 26 | == Technology Choices |
14 | 27 |
|
|
17 | 30 | | Technology | Learn More |
18 | 31 |
|
19 | 32 | | **Rust** | https://www.rust-lang.org |
| 33 | +| **miniKanren** | Logic programming (relational reasoning) |
| 34 | +| **Rayon** | Parallel batch scanning |
| 35 | +| **Serde** | JSON serialization for pipeline integration |
20 | 36 | |=== |
21 | 37 |
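Review bot: the retained header on line 30 still reads `| Technology | Learn More |`, but the three new rows (lines 33-35) put one-line descriptions in that column instead of links, while the existing Rust row keeps a URL. Either rename the column to `Purpose` and move the Rust URL into a note, or keep `Learn More` and give each row a project URL (for example the miniKanren, Rayon and Serde home pages) so the column is consistent.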
|
22 | 38 | == File Map |
23 | 39 |
|
24 | | -[cols="1,2"] |
| 40 | +[cols="1,3"] |
25 | 41 | |=== |
26 | | -| Path | What's There |
| 42 | +| Path | Purpose |
27 | 43 |
|
28 | | -| `src/` | Source code |
29 | | -| `test(s)/` | Test suite |
| 44 | +| `src/main.rs` | CLI entry: 20 subcommands (assail, assault, temporal, panll, groove, bridge, etc.) |
| 45 | +| `src/lib.rs` | Library API exposing all analysis engines |
| 46 | +| `src/assail/` | Static analysis (47 languages, 20 weak point categories) |
| 47 | +| `src/assail/analyzer.rs` | Per-file language detection and pattern matching dispatcher |
| 48 | +| `src/assail/patterns.rs` | Language-specific regex patterns for weak points |
| 49 | +| `src/kanren/` | Logic engine (unification, fact database, taint, cross-lang) |
| 50 | +| `src/kanren/core.rs` | Term, substitution, unification, FactDB, forward chaining |
| 51 | +| `src/kanren/taint.rs` | Source→sink tracking (user input, network, deserialization) |
| 52 | +| `src/kanren/crosslang.rs` | FFI boundary analysis, vulnerability chains |
| 53 | +| `src/kanren/strategy.rs` | Search strategy selection (risk-weighted, etc.) |
| 54 | +| `src/attack/` | 6-axis stress testing (CPU, memory, disk, network, concurrency, time) |
| 55 | +| `src/attestation/` | Cryptographic intent→evidence→seal chain |
| 56 | +| `src/bridge/` | CVE lifecycle: Cargo.lock parsing, OSV API, reachability, classification |
| 57 | +| `src/bridge/lockfile.rs` | Parses Cargo.lock for dependency extraction |
| 58 | +| `src/bridge/intelligence.rs` | Batch queries api.osv.dev for known CVEs |
| 59 | +| `src/bridge/reachability.rs` | Scans .rs files for imports of vulnerable crates |
| 60 | +| `src/bridge/classify.rs` | Three-way classification: Mitigable/Unmitigable/Informational |
| 61 | +| `src/assemblyline.rs` | Batch directory scanning with Rayon parallelism |
| 62 | +| `src/panll/` | PanLL event-chain export (three-panel visualization) |
| 63 | +| `src/report/` | Report generation and formatting (text, JSON, markdown) |
| 64 | +| `src/diagnostics.rs` | Self-check for Hypatia/gitbot-fleet integration |
30 | 65 | |=== |
31 | 66 |
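Review bot: the rewritten map drops the `test(s)/` row (old line 29) without replacing it, so a file whose purpose is to show receipts no longer lists where the tests live; add a `tests/` row (and a fixtures row if the "tested on real Cargo.lock files" claim relies on checked-in lockfiles). The `src/main.rs` row (line 44) states "20 subcommands" but names six and ends in "etc.", which leaves the count unverifiable; list them all or reference the `--help` output. Minor: the old header `What's There` was replaced by `Purpose`, which is fine, but the `[cols="1,3"]` change (line 40) should be checked against the rendered width since the long `src/main.rs` description will now wrap.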
|
32 | | -== Questions? |
| 67 | +== Dogfooted Across The Account |
| 68 | + |
| 69 | +| Project | Integration | |
| 70 | +| **reposystem** | Feeds weak-point scores into graph aspects (security weight) |
| 71 | +| **proof-of-work** | Z3-verifies that assail findings are genuine vulnerabilities |
| 72 | +| **hypatia** | Consumes assail facts as Logtalk predicates for rule engine |
| 73 | +| **januskey** | Scans operation metadata for unsafe patterns in audit trail code |
| 74 | + |
| 75 | +== Readiness |
33 | 76 |
|
34 | | -Open an issue or reach out directly — happy to explain anything in more detail. |
| 77 | +**CRG Grade:** C (Beta) - 47 languages working, miniKanren logic proven, CVE bridge tested on real Cargo.lock files, needs advanced proof integration for false-negative elimination. |
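Review bot: the "Dogfooted Across The Account" table (lines 69-73) has a header row but no `[cols]` attribute and no `|===` delimiters, unlike the File Map table on lines 40-41 and 65, so AsciiDoc will render it as a run of paragraphs rather than a table; wrap it in `|===` like the others. The `proof-of-work` row on line 71 also states that Z3 already verifies assail findings, which contradicts both the Claim 2 caveat ("integrate with full constraint solvers (Z3, Coq)") and the Readiness line 77 ("needs advanced proof integration for false-negative elimination"); pick one status and make the three places agree. Style: line 77 uses a bare hyphen after "C (Beta)"; a colon or a new sentence reads better there.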