feat: add cross-crate dependency audit with FFI propagation, workspace-to-workspace findings, and export map caching

Author: bordumb

crates/cargo-capsec/src/export_map.rs

@@ -124,11 +124,69 @@ pub fn build_export_map(
 
     CrateExportMap {
         crate_name: crate_name.to_string(),
+
         crate_version: crate_version.to_string(),
         exports,
     }
 }
 
+/// Adds extern function declarations from parsed files to an export map.
+///
+/// When a crate like `libgit2-sys` declares `extern "C" { fn git_repository_open(...); }`,
+/// this creates an FFI export entry for `git_repository_open` so that other crates
+/// calling `libgit2_sys::git_repository_open()` get a cross-crate FFI finding.
+///
+/// This is necessary because extern block findings have `function: "extern \"C\""` which
+/// produces useless export map keys. The individual function names need to be exported.
+pub fn add_extern_exports(
+    export_map: &mut CrateExportMap,
+    parsed_files: &[crate::parser::ParsedFile],
+    src_dir: &Path,
+) {
+    let crate_name = &export_map.crate_name;
+
+    for file in parsed_files {
+        // Skip build.rs extern blocks (compile-time only)
+        if file.path.ends_with("build.rs") {
+            continue;
+        }
+
+        for ext in &file.extern_blocks {
+            let module_path = file_to_module_path(&file.path, src_dir);
+
+            for fn_name in &ext.functions {
+                let auth = ExportedAuthority {
+                    category: crate::authorities::Category::Ffi,
+                    risk: crate::authorities::Risk::High,
+                    leaf_call: format!("extern {fn_name}"),
+                    is_transitive: false,
+                };
+
+                // Full path: crate::module::fn_name
+                let mut full_path = vec![crate_name.clone()];
+                full_path.extend(module_path.clone());
+                full_path.push(fn_name.clone());
+                let key = full_path.join("::");
+                export_map
+                    .exports
+                    .entry(key.clone())
+                    .or_default()
+                    .push(auth.clone());
+
+                // Short form: crate::fn_name (for crate-scoped matching)
+                let short_key = format!("{crate_name}::{fn_name}");
+                if short_key != key {
+                    export_map
+                        .exports
+                        .entry(short_key)
+                        .or_default()
+                        .push(auth);
+                }
+            }
+        }
+    }
+}
+
 /// Cached export map format for disk persistence.
 #[derive(Debug, Serialize, Deserialize)]
 pub struct CachedExportMap {
@@ -140,7 +198,8 @@ pub struct CachedExportMap {
 }
 
 /// Current schema version for cached export maps.
-pub const EXPORT_MAP_SCHEMA_VERSION: u32 = 1;
+/// Bumped to 2: added extern function declaration exports.
+pub const EXPORT_MAP_SCHEMA_VERSION: u32 = 2;
 
 /// Attempts to load a cached export map for a dependency crate.
 ///

crates/cargo-capsec/src/main.rs

@@ -98,27 +98,33 @@ fn run_audit(args: AuditArgs) {
 
             let source_files = discovery::discover_source_files(&krate.source_dir, &fs_read);
             let mut dep_findings = Vec::new();
+            let mut parsed_files = Vec::new();
 
             for file_path in source_files {
                 match parser::parse_file(&file_path, &fs_read) {
                     Ok(parsed) => {
                         let findings =
                             det.analyse(&parsed, &krate.name, &krate.version, &crate_deny);
                         dep_findings.extend(findings);
+                        parsed_files.push(parsed);
                     }
                     Err(_e) => {
                         // Silently skip unparseable files in deps
                     }
                 }
             }
 
-            let emap = export_map::build_export_map(
+            let mut emap = export_map::build_export_map(
                 &normalized_name,
                 &krate.version,
                 &dep_findings,
                 &krate.source_dir,
             );
 
+            // Also export extern function declarations (e.g., libgit2-sys, sqlite3-sys)
+            // so callers like git2 get cross-crate FFI findings.
+            export_map::add_extern_exports(&mut emap, &parsed_files, &krate.source_dir);
+
             // Cache for registry deps
             if krate.is_dependency {
                 export_map::save_export_map_cache(&cache_dir, &emap, &fs_write);
@@ -170,26 +176,29 @@ fn run_audit(args: AuditArgs) {
 
                 let source_files = discovery::discover_source_files(&krate.source_dir, &fs_read);
                 let mut dep_findings = Vec::new();
+                let mut parsed_files = Vec::new();
 
                 for file_path in source_files {
                     match parser::parse_file(&file_path, &fs_read) {
                         Ok(parsed) => {
                             let findings =
                                 det.analyse(&parsed, &krate.name, &krate.version, &crate_deny);
                             dep_findings.extend(findings);
+                            parsed_files.push(parsed);
                         }
                         Err(e) => {
                             eprintln!("  Warning: {e}");
                         }
                     }
                 }
 
-                let emap = export_map::build_export_map(
+                let mut emap = export_map::build_export_map(
                     &normalized_name,
                     &krate.version,
                     &dep_findings,
                     &krate.source_dir,
                 );
+                export_map::add_extern_exports(&mut emap, &parsed_files, &krate.source_dir);
 
                 if krate.is_dependency {
                     export_map::save_export_map_cache(&cache_dir, &emap, &fs_write);
@@ -274,6 +283,7 @@ fn run_audit(args: AuditArgs) {
 
                 let source_files = discovery::discover_source_files(&krate.source_dir, &fs_read);
                 let mut ws_crate_findings = Vec::new();
+                let mut ws_parsed_files = Vec::new();
 
                 for file_path in source_files {
                     if config::should_exclude(&file_path, &cfg.analysis.exclude) {
@@ -285,6 +295,7 @@ fn run_audit(args: AuditArgs) {
                             let findings =
                                 det.analyse(&parsed, &krate.name, &krate.version, &crate_deny);
                             ws_crate_findings.extend(findings);
+                            ws_parsed_files.push(parsed);
                         }
                         Err(e) => {
                             eprintln!("  Warning: {e}");
@@ -294,12 +305,13 @@ fn run_audit(args: AuditArgs) {
 
                 // Build export map for this workspace crate (for downstream ws crates)
                 let normalized_name = discovery::normalize_crate_name(&krate.name);
-                let ws_emap = export_map::build_export_map(
+                let mut ws_emap = export_map::build_export_map(
                     &normalized_name,
                     &krate.version,
                     &ws_crate_findings,
                     &krate.source_dir,
                 );
+                export_map::add_extern_exports(&mut ws_emap, &ws_parsed_files, &krate.source_dir);
                 workspace_export_maps.push(ws_emap);
 
                 all_findings.extend(ws_crate_findings);