We are happy to announce our first release of RustPräzi, a PoC (Proof-of-Concept) project that downloads all crate versions from crates.io, builds LLVM call graphs and links them into a single large versioned call-based dependency network. Unlike a regular dependency network, a call-based dependency network represents function call chains on both the intra- and inter-package level, supporting graph analytics/queries such as:
- Identifying central crate APIs that are important for the stability of crates.io
- Impact analysis of deprecated API functions: how many crates are still depending on deprecated functions that should be removed?
- Security vulnerabilities: which crates in crates.io are affected by a vulnerable function?
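As an added illustration of the third query (not code from the RustPräzi project), the following models a tiny call-based dependency network with constructed, hypothetical crates and functions, and walks callers backwards from a vulnerable function to list every crate version with a call chain reaching it. Because nodes carry the crate version, a client pinned to a non-vulnerable version is not flagged.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// A function node in the versioned call graph: crate, version, function path.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Func {
    pub krate: &'static str,
    pub version: &'static str,
    pub path: &'static str,
}

/// Reverse call graph: callee -> callers (intra- and inter-crate edges alike).
pub type Callers = HashMap<Func, Vec<Func>>;

fn f(krate: &'static str, version: &'static str, path: &'static str) -> Func {
    Func { krate, version, path }
}

/// Constructed sample network; crate names and functions are hypothetical.
pub fn sample_network() -> Callers {
    let edges = vec![
        // (caller, callee)
        (f("app", "0.1.0", "app::main"), f("web", "2.0.0", "web::serve")),
        (f("web", "2.0.0", "web::serve"), f("parser", "1.3.0", "parser::parse_header")),
        (f("parser", "1.3.0", "parser::parse_header"), f("parser", "1.3.0", "parser::decode")),
        (f("cli", "0.4.2", "cli::run"), f("parser", "1.4.0", "parser::parse_header")),
        (f("parser", "1.4.0", "parser::parse_header"), f("parser", "1.4.0", "parser::decode")),
        (f("logger", "3.1.0", "logger::log"), f("fmt", "1.0.0", "fmt::format")),
    ];
    let mut callers: Callers = HashMap::new();
    for (caller, callee) in edges {
        callers.entry(callee).or_default().push(caller);
    }
    callers
}

/// Breadth-first walk over callers starting at `vulnerable`; returns the sorted,
/// de-duplicated (crate, version) pairs that have a function on some chain to it.
pub fn affected_crates(callers: &Callers, vulnerable: &Func) -> Vec<(String, String)> {
    let mut seen: HashSet<Func> = HashSet::new();
    let mut queue: VecDeque<Func> = VecDeque::new();
    queue.push_back(vulnerable.clone());
    while let Some(node) = queue.pop_front() {
        if !seen.insert(node.clone()) {
            continue; // already expanded; guards against cycles
        }
        for caller in callers.get(&node).into_iter().flatten() {
            queue.push_back(caller.clone());
        }
    }
    let mut crates: Vec<(String, String)> = seen
        .iter()
        .map(|n| (n.krate.to_string(), n.version.to_string()))
        .collect();
    crates.sort();
    crates.dedup();
    crates
}
```

Querying `parser::decode` in `parser 1.3.0` flags `app 0.1.0`, `parser 1.3.0` and `web 2.0.0`, while `cli 0.4.2` stays clean because it calls the `1.4.0` code path.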
Link to the project: https://github.com/praezi/rust
Link to our preliminary research paper: https://pure.tudelft.nl/portal/files/46926997/main2.pdf
What is WIP?
Our current focus is on making it production-grade, for example:
- Add proper error management and a retry mechanism for failed compilations
- Integrate it with cargo and add extensible analysis modes
- Incrementally update the graph when a new release is published
- Implement a robust query platform with a proper graph database
We are now looking at possibilities to turn our work into a production-grade tool that benefits the Cargo/crates.io community, giving both library maintainers and clients intelligent dependency analysis. In particular, we want to equip the Cargo community with a tool that aids the stability of crates.io, prevents the publication of impactful bad releases through lightweight code vetting (like this fresh incident), and helps crate maintainers understand the impact of the changes they make.
Want to know more?
Chat with us on https://gitter.im/praezi/rust