| 1 | +// SPDX-License-Identifier: PMPL-1.0-or-later |
| 2 | +// SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell |
| 3 | +:toc: macro |
| 4 | +:toclevels: 2 |
| 5 | +:icons: font |
| 6 | + |
| 7 | += panic-attack Roadmap |
| 8 | + |
| 9 | +_Static analysis and bug signature detection across 47 languages, used in 500+ repos._ |
| 10 | + |
| 11 | +toc::[] |
| 12 | + |
| 13 | +== Current State |
| 14 | + |
| 15 | +panic-attack is a Rust CLI tool providing static analysis, taint tracking, cross-language |
| 16 | +vulnerability detection, and CVE triage. It operates in three deployment modes: standalone |
| 17 | +binary, panicbot (gitbot-fleet CI integration), and mass-panic (org-scale batch scanning). |
| 18 | + |
| 19 | +**Key capabilities today:** |
| 20 | + |
| 21 | +* 47-language analyzer with per-file detection and 20 weak-point categories |
| 22 | +* miniKanren v2.0.0 logic engine (taint analysis, cross-language reasoning, search strategies) |
| 23 | +* Patch Bridge CVE lifecycle engine (OSV API, reachability scan, phantom dependency detection) |
| 24 | +* Cryptographic attestation chain (intent/evidence/seal) |
| 25 | +* Assemblyline batch scanning with rayon parallelism and BLAKE3 fingerprinting |
| 26 | +* Pre-commit hook integration (`panic-attack assail` before every commit) |
| 27 | +* Component Readiness Grades: D (Alpha) through B (RC) verified |
| 28 | + |
| 29 | +== v2.1.0 -- Logic Engine Refinement (Next) |
| 30 | + |
| 31 | +* [x] miniKanren v2.0.0 core (Term, Substitution, unification, FactDB) |
| 32 | +* [x] Taint analysis: source-to-sink tracking |
| 33 | +* [x] Cross-language analyzer: FFI boundary detection |
| 34 | +* [x] Search strategy: risk-weighted file prioritisation |
| 35 | +* [x] Forward chaining: derive new vulnerability facts from rules |
| 36 | +* [x] Backward queries: find files that could cause a vulnerability type |
| 37 | +* [ ] Context-facts for false-positive suppression (~10 rules, target ~8% -> ~2-3% FP rate) |
| 38 | +* [ ] Kanren fact export as Logtalk predicates for Hypatia pipeline |
| 39 | + |
| 40 | +== v2.2.0 -- VeriSimDB Integration |
| 41 | + |
| 42 | +* [x] Filesystem persistence for scan results |
| 43 | +* [ ] VeriSimDB HTTP API integration: push hexads via REST |
| 44 | +* [ ] Delta reporting: only report changes since last scan |
| 45 | +* [ ] Hexad persistence for Patch Bridge mitigation registry (currently JSON file) |
| 46 | +* [ ] Historical trend queries via VQL-UT |
| 47 | + |
| 48 | +== v2.3.0 -- Shell and UX |
| 49 | + |
| 50 | +* [x] CLI with 20 subcommands (clap) |
| 51 | +* [x] JSON output for pipeline integration |
| 52 | +* [x] A2ML manifest protocol support |
| 53 | +* [x] i18n support (10 languages, ISO 639-1) |
| 54 | +* [ ] Shell completions: bash, zsh, fish, nushell |
| 55 | +* [ ] Interactive TUI mode for reviewing findings |
| 56 | +* [ ] Improved error messages with fix suggestions |
| 57 | + |
| 58 | +== v2.4.0 -- Patch Bridge Phase 2 |
| 59 | + |
| 60 | +* [x] Cargo.lock parsing and OSV API batch queries |
| 61 | +* [x] Reachability scanning for phantom dependency detection |
| 62 | +* [x] Three-way classification (Mitigable/Unmitigable/Informational) |
| 63 | +* [x] Mitigation registry with lifecycle (Pending/Active/Retiring/Retired/AcceptedRisk) |
| 64 | +* [ ] VeriSimDB hexad persistence for mitigation lifecycle |
| 65 | +* [ ] Auto-retire mitigations when upstream fix is released |
| 66 | +* [ ] Upstream health monitoring (PipeWire, ReScript, UTF-8 tracking) |
| 67 | +* [ ] Multi-lockfile support (beyond Cargo.lock: package-lock.json, mix.lock, etc.) |
| 68 | + |
| 69 | +== v3.0.0 -- Distributed Scanning |
| 70 | + |
| 71 | +* [x] Assemblyline batch scanning with rayon parallelism |
| 72 | +* [x] BLAKE3 fingerprinting for incremental scanning |
| 73 | +* [x] Notification pipeline (markdown summaries, GitHub issues) |
| 74 | +* [ ] Chapel metalayer: distributed `coforall` scanning across compute clusters |
| 75 | +* [ ] Multi-machine orchestration for org-scale scanning |
| 76 | +* [ ] Scan result aggregation across distributed nodes |
| 77 | + |
| 78 | +== v3.1.0 -- Ecosystem Integration |
| 79 | + |
| 80 | +* [x] Panicbot integration (gitbot-fleet, PA001-PA020 codes) |
| 81 | +* [x] Hypatia diagnostics self-check |
| 82 | +* [x] PanLL event-chain export (two dedicated panels) |
| 83 | +* [x] Cryptographic attestation chain with optional Ed25519 signing |
| 84 | +* [ ] Echidnabot proof verification of scan claims |
| 85 | +* [ ] Hypatia learning loop: findings -> observed-patterns -> rules |
| 86 | +* [ ] PanLL panel for Patch Bridge CVE dashboard |
| 87 | + |
| 88 | +== Long-Term |
| 89 | + |
| 90 | +* [ ] Formal verification of core analysis rules (via proven library) |
| 91 | +* [ ] WASM build for browser-based scanning |
| 92 | +* [ ] IDE plugin: real-time scanning in editor |
| 93 | +* [ ] ML-assisted vulnerability classification (beyond pattern matching) |
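Review bot: The same deliverable is listed under two milestones, which makes the roadmap ambiguous about where it is actually scheduled: v2.2.0 has "Hexad persistence for Patch Bridge mitigation registry (currently JSON file)" and v2.4.0 has "VeriSimDB hexad persistence for mitigation lifecycle". Keep it in one section (or state in the other that it depends on the first) so the two checkboxes cannot drift apart. In the same spirit, the v2.1.0 item "target ~8% -> ~2-3% FP rate" should say how the false-positive rate is measured (which corpus, which categories), since the Current State section says readiness grades are "verified" but the document gives no baseline for that number.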