TL;DR: RustPräzi is like rust-lang-nursery/crater, but creates a single versioned call graph of crates.io
We are happy to announce our first release of RustPräzi, a PoC (Proof-of-Concept) project that downloads all crate versions from crates.io, builds LLVM call graphs and links them into a single large versioned call-based dependency network. Unlike a regular dependency network, a call-based dependency network represents function call chains on both the intra- and inter-package level, supporting graph analytics/queries such as:
- Identifying central crate APIs that are important for the stability of crates.io
- Impact analysis of deprecated API functions: how many crates are still depending on deprecated functions that should be removed?
- Security vulnerabilities: which crates in crates.io are affected by a vulnerable function?
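To illustrate the third kind of query, here is an added example (not RustPräzi's own code) of impact analysis over a tiny call-based dependency network: nodes are functions tagged with their crate version, edges point from caller to callee across both intra- and inter-package calls, and a reverse walk from a vulnerable function returns every crate version that can reach it. The graph and node names are constructed for the example.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// A function node in the versioned call graph: "crate@version::path::to::fn".
type Node = &'static str;

/// Constructed sample graph (caller -> callee); not data from crates.io.
/// It mixes intra-package edges (inside one crate version) with inter-package ones.
fn sample_graph() -> Vec<(Node, Node)> {
    vec![
        ("app@0.1.0::main", "web@2.0.0::serve"),
        ("web@2.0.0::serve", "web@2.0.0::parse_request"),        // intra-package
        ("web@2.0.0::parse_request", "parser@1.2.0::decode"),
        ("parser@1.2.0::decode", "parser@1.2.0::unsafe_copy"),   // intra-package
        ("cli@0.3.0::run", "parser@1.1.0::decode"),              // older parser version
        ("parser@1.1.0::decode", "parser@1.1.0::copy"),
        ("tool@0.9.0::main", "web@2.0.0::serve"),
    ]
}

/// Crate version of a node: the text before the first "::".
fn crate_version(node: &str) -> &str {
    node.split("::").next().unwrap_or(node)
}

/// Walk callers backwards from `vulnerable` and return the sorted, deduplicated
/// crate versions whose functions can (transitively) reach it.
pub fn affected_crates(edges: &[(Node, Node)], vulnerable: &str) -> Vec<String> {
    // Reverse adjacency: callee -> its callers.
    let mut callers: HashMap<&str, Vec<&str>> = HashMap::new();
    for &(caller, callee) in edges {
        callers.entry(callee).or_default().push(caller);
    }
    let mut seen: HashSet<&str> = HashSet::new();
    let mut queue: VecDeque<&str> = VecDeque::from([vulnerable]);
    while let Some(node) = queue.pop_front() {
        if !seen.insert(node) {
            continue; // already visited (handles call cycles)
        }
        if let Some(cs) = callers.get(node) {
            queue.extend(cs.iter().copied());
        }
    }
    let mut crates: Vec<String> = seen.iter().map(|n| crate_version(n).to_string()).collect();
    crates.sort();
    crates.dedup();
    crates
}

fn main() {
    for c in affected_crates(&sample_graph(), "parser@1.2.0::unsafe_copy") {
        println!("{c}");
    }
}
```

Note that crates depending on parser 1.1.0 are not reported: the query is version-aware, which is what distinguishes this from a plain package-level dependency lookup.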
Link to the project: https://github.com/praezi/rust
Link to our preliminary research paper: https://pure.tudelft.nl/portal/files/46926997/main2.pdf
What is WIP?
Our current focus is to make it production-grade, in particular:
- Add proper error handling and a retry mechanism for failed compilations
- Integrate it with cargo and add extensible analysis modes
- Incrementally update the graph when a new release is published
- Implement a robust query platform with a proper graph database
Vision
Our long-term goal is to equip the cargo community with a tool that can aid the stability of crates.io, prevent the publication of impactful bad releases through lightweight code vetting (see this recent incident [1]), and help crate maintainers understand the impact of the changes they make.
[1] https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
Want to know more?
Chat with us on https://gitter.im/praezi/rust
Joseph(@jhejderup), Moritz, and Georgios