TL;DR: RustPräzi is like rust-lang-nursery/crater, but creates a single versioned call graph of crates.io

We are happy to announce our first release of RustPräzi, a PoC (Proof-of-Concept) project that downloads all crate versions from crates.io, builds LLVM call graphs and links them into a single large versioned call-based dependency network. Unlike a regular dependency network, a call-based dependency network represents function call chains on both the intra- and inter-package level, supporting graph analytics/queries such as:

Identifying central crate APIs that are important for the stability of crates.io

Impact analysis of deprecated API functions: how many crates are still depending on deprecated functions that should be removed?

Security vulnerabilities: which crates in crates.io are affected by a vulnerable function?
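As an added illustration, not RustPräzi's own code, here is a minimal call-based dependency network with the "which crate versions are affected by a vulnerable function?" query implemented as reverse reachability over call edges. The crates a..e, their versions and function paths are constructed sample data, not real crates.io entries.

```rust
use std::collections::{BTreeSet, HashMap, VecDeque};

/// One node of the call-based dependency network: a function inside a
/// specific crate version. All values used below are constructed sample data.
#[derive(Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord, Debug)]
struct Func<'a> { krate: &'a str, version: &'a str, path: &'a str }
/// Versioned call graph stored as reverse edges (callee -> callers), so an
/// impact query walks "upward" from a function to everything that can reach it.
struct CallGraph<'a> { callers: HashMap<Func<'a>, Vec<Func<'a>>> }

impl<'a> CallGraph<'a> {
    fn new() -> Self { Self { callers: HashMap::new() } }
    /// Record a call edge; intra- and inter-crate edges look the same here.
    fn add_call(&mut self, caller: Func<'a>, callee: Func<'a>) {
        self.callers.entry(callee).or_default().push(caller);
    }

    /// Crate versions with a call chain ending in `vulnerable` (BFS over
    /// reverse edges). The vulnerable crate version itself is included.
    fn affected_crate_versions(&self, vulnerable: Func<'a>) -> BTreeSet<(&'a str, &'a str)> {
        let mut seen = BTreeSet::new();
        let mut affected = BTreeSet::new();
        let mut queue = VecDeque::from([vulnerable]);
        while let Some(f) = queue.pop_front() {
            if !seen.insert(f) { continue; }          // already visited
            affected.insert((f.krate, f.version));
            if let Some(cs) = self.callers.get(&f) { queue.extend(cs.iter().copied()); }
        }
        affected
    }
}

/// Constructed sample network (hypothetical crates a..e, not real crates.io data).
fn sample_graph() -> CallGraph<'static> {
    fn f(k: &'static str, v: &'static str, p: &'static str) -> Func<'static> { Func { krate: k, version: v, path: p } }
    let mut g = CallGraph::new();
    // intra-crate chain inside a 1.0.0: parse_file -> parse (the vulnerable function)
    g.add_call(f("a", "1.0.0", "a::parse_file"), f("a", "1.0.0", "a::parse"));
    // inter-crate edges: b calls into a 1.0.0, c calls into b
    g.add_call(f("b", "0.2.0", "b::load"), f("a", "1.0.0", "a::parse_file"));
    g.add_call(f("c", "1.1.0", "c::main"), f("b", "0.2.0", "b::load"));
    // d depends on the fixed release a 1.1.0, so it is not affected
    g.add_call(f("d", "3.0.0", "d::run"), f("a", "1.1.0", "a::parse"));
    // e depends on a 1.0.0 but only calls a::version, which never reaches a::parse:
    // a plain dependency graph would flag e, the call-based one does not
    g.add_call(f("e", "0.1.0", "e::init"), f("a", "1.0.0", "a::version"));
    g
}
```

Running `sample_graph().affected_crate_versions(Func { krate: "a", version: "1.0.0", path: "a::parse" })` yields a 1.0.0, b 0.2.0 and c 1.1.0 only, which is the difference between a call-based and a regular dependency network.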

Link to the project: https://github.com/praezi/rust

Link to our preliminary research paper: https://pure.tudelft.nl/portal/files/46926997/main2.pdf.

What is WIP?

Our current focus is to make it production-grade, in particular:

Add proper error management, retry mechanism for running failed compilations

Integrate it with cargo and add extensible analysis modes

Incrementally update the graph when a new release is published

Implement a robust query platform with a proper graph database

Vision

Our long-term goal is to equip the cargo community with a tool that can help keep crates.io stable, prevent the publication of impactful bad releases through lightweight code vetting (see this recent incident [1]), and let crate maintainers understand the impact of the changes they make.

[1] https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

Want to know more?

Chat with us on https://gitter.im/praezi/rust

Joseph(@jhejderup), Moritz, and Georgios