assay
binary composition analysis & embedded-library vulnerability detection
assay determines what third-party libraries a compiled artifact
is made of — including statically-linked, vendored, and embedded
copies invisible to package managers — and maps them to known
vulnerabilities. It also inventories a live host's installed and running
software. A single Rust binary; no daemon, no cloud dependency.
Motivating case
Detecting an embedded, vulnerable copy of libssh2
(CVE-2026-55200, a pre-auth heap-corruption bug in
ssh2_transport_read()) inside a stripped binary — and telling
a patched copy from a vulnerable one at the function level, not just by
matching a version string.
How it works
Cheap signals run first; expensive ones only run where cheap ones are silent:
- Tier 0–1 — format/symbol parsing, string and symbol-table matching against a curated library corpus.
- Tier 2 — crypto constant-table scanning (catches libraries that strip symbols but can't hide S-boxes and IVs).
- Tier 3 (--deep) — disassembly via rizin, normalized-instruction-stream hashing, and CFG-feature matching against an offline-built signature database, to discriminate a vulnerable build from a patched one at the function level.
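The Tier-2 idea in working form, as an added example that is not assay's own code: a scanner that looks for a handful of well-known cryptographic constant tables (the head of the AES forward S-box, the SHA-256 initial state and first round constants) inside a byte buffer, expanding 32-bit word tables into both byte orders because compilers emit them in the target's native endianness. The table set, the `Finding` shape and the constructed sample buffer are assumptions made for the example.

```rust
// Added example, not assay's own code: a minimal Tier-2 style pass that looks
// for well-known cryptographic constant tables inside a byte buffer. Symbols
// can be stripped, but an embedded AES or SHA-256 implementation still has to
// carry these tables, so a hit is strong evidence that the primitive is present.

/// First 16 bytes of the AES forward S-box (FIPS-197).
const AES_SBOX_HEAD: [u8; 16] = [
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
];

/// 32-bit word tables; compilers emit them in the target's native byte order,
/// so the scanner expands each into a little- and a big-endian byte pattern.
const WORD_TABLES: &[(&str, &[u32])] = &[
    ("sha256_initial_state", &[
        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
    ]),
    ("sha256_round_constants_head", &[0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5]),
];

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub constant: String,
    pub offset: usize,
    /// "le"/"be" for word tables, "n/a" for raw byte tables.
    pub byte_order: &'static str,
}

/// Expand every known table into concrete byte patterns to search for.
fn patterns() -> Vec<(String, &'static str, Vec<u8>)> {
    let mut out = vec![("aes_forward_sbox_head".to_string(), "n/a", AES_SBOX_HEAD.to_vec())];
    for (name, words) in WORD_TABLES {
        out.push((name.to_string(), "le", words.iter().flat_map(|w| w.to_le_bytes()).collect()));
        out.push((name.to_string(), "be", words.iter().flat_map(|w| w.to_be_bytes()).collect()));
    }
    out
}

/// Scan `data` for every known constant and report each hit with its offset.
pub fn scan_constants(data: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (name, byte_order, pat) in patterns() {
        if pat.len() > data.len() {
            continue;
        }
        for (offset, window) in data.windows(pat.len()).enumerate() {
            if window == pat.as_slice() {
                findings.push(Finding { constant: name.clone(), offset, byte_order });
            }
        }
    }
    findings.sort_by_key(|f| f.offset);
    findings
}

/// Translate raw hits into the primitives they imply (what a report would show).
pub fn primitives_present(findings: &[Finding]) -> Vec<&'static str> {
    let mut prims: Vec<&'static str> = findings
        .iter()
        .filter_map(|f| {
            if f.constant.starts_with("aes_") {
                Some("AES")
            } else if f.constant.starts_with("sha256_") {
                Some("SHA-256")
            } else {
                None
            }
        })
        .collect();
    prims.sort();
    prims.dedup();
    prims
}

/// Constructed stand-in for a stripped binary: filler bytes around an AES
/// S-box fragment at offset 64 and a little-endian SHA-256 state at offset 112.
pub fn constructed_sample() -> Vec<u8> {
    let mut buf = vec![0x90u8; 64];
    buf.extend_from_slice(&AES_SBOX_HEAD);
    buf.extend_from_slice(&[0u8; 32]);
    for w in [0x6a09e667u32, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
              0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19] {
        buf.extend_from_slice(&w.to_le_bytes());
    }
    buf
}

fn main() {
    let sample = constructed_sample();
    let findings = scan_constants(&sample);
    for f in &findings {
        println!("{:#08x}  {:<28} {}", f.offset, f.constant, f.byte_order);
    }
    println!("primitives implied: {:?}", primitives_present(&findings));
}
```

A real corpus would carry full tables rather than 16-byte heads, and a hit on a partial table is exactly the kind of finding that deserves a lower confidence rating than a complete one.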
Every finding carries its evidence chain and an honest confidence rating — high for an exact match, lower for a structural or approximate one. The tool would rather say "unknown, low confidence" than guess.
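The Tier-3 comparison and its confidence grading, as an added example that is not assay's own code: each function listing is normalized (address column dropped, immediates and symbol references masked) and hashed, so two link-time layouts of the same vulnerable body hash identically, while a build that inserted a length check hashes differently and is only recognized through a coarse CFG feature vector, earning a lower confidence. The listings are constructed and only loosely shaped like a disassembler's output; the normalization rules, feature set and thresholds are illustrative assumptions.

```rust
// Added example, not assay's own code: the core of a Tier-3 style comparison.
// Listings are normalized (addresses, immediates, symbol names masked) and
// hashed; an identical hash is an exact match, while a CFG feature vector
// catches builds that differ only by an inserted check.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Constructed listings, loosely in the shape of a disassembler's output.
// The same vulnerable function at two link addresses:
const VULN_BUILD_A: &str = "
    0x00401000 push rbp
    0x00401001 mov rbp, rsp
    0x00401004 mov edx, dword [rdi + 0x10]
    0x00401007 lea rsi, [rbp - 0x40]
    0x0040100b call sym.memcpy
    0x00401010 leave
    0x00401011 ret";
const VULN_BUILD_B: &str = "
    0x00403200 push rbp
    0x00403201 mov rbp, rsp
    0x00403204 mov edx, dword [rdi + 0x10]
    0x00403207 lea rsi, [rbp - 0x40]
    0x0040320b call sym.memcpy
    0x00403210 leave
    0x00403211 ret";
// The same function after a fix that bounds the copy length:
const PATCHED: &str = "
    0x00401000 push rbp
    0x00401001 mov rbp, rsp
    0x00401004 mov edx, dword [rdi + 0x10]
    0x00401007 cmp edx, 0x40
    0x0040100a ja 0x401020
    0x0040100c lea rsi, [rbp - 0x40]
    0x00401010 call sym.memcpy
    0x00401015 leave
    0x00401016 ret
    0x00401020 mov eax, 0xffffffff
    0x00401025 leave
    0x00401026 ret";
const UNRELATED: &str = "
    0x00405000 xor eax, eax
    0x00405002 ret";

/// Mask operands that change between builds but not between versions.
fn normalize_token(tok: &str) -> String {
    let core = tok.trim_matches(|c: char| c == ',' || c == '[' || c == ']');
    let masked = if core.starts_with("0x") { "IMM" }
        else if core.starts_with("sym.") || core.starts_with("fcn.") { "FUNC" }
        else { return tok.to_string() };
    tok.replace(core, masked)
}

/// One normalized line per instruction, address column dropped.
pub fn normalize(listing: &str) -> Vec<String> {
    listing.lines().map(str::trim).filter(|l| !l.is_empty()).map(|line| {
        let mut toks = line.split_whitespace();
        let _address = toks.next();
        toks.map(normalize_token).collect::<Vec<_>>().join(" ")
    }).collect()
}

/// Hash of the normalized instruction stream (std hasher, illustrative only).
pub fn stream_hash(normalized: &[String]) -> u64 {
    let mut h = DefaultHasher::new();
    normalized.hash(&mut h);
    h.finish()
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CfgFeatures { pub instructions: usize, pub cond_branches: usize, pub calls: usize }

/// Coarse control-flow shape: enough to tell "same body plus one check" apart.
pub fn cfg_features(normalized: &[String]) -> CfgFeatures {
    let mut f = CfgFeatures { instructions: 0, cond_branches: 0, calls: 0 };
    for line in normalized {
        let mnemonic = line.split_whitespace().next().unwrap_or("");
        f.instructions += 1;
        if mnemonic == "call" { f.calls += 1; }
        else if mnemonic.starts_with('j') && mnemonic != "jmp" { f.cond_branches += 1; }
    }
    f
}

#[derive(Debug, PartialEq, Eq)]
pub enum MatchKind { Exact, Structural, None }

/// Compare a candidate function against a signature; thresholds are illustrative.
pub fn classify(candidate: &str, signature: &str) -> (MatchKind, &'static str) {
    let (c, s) = (normalize(candidate), normalize(signature));
    if stream_hash(&c) == stream_hash(&s) { return (MatchKind::Exact, "high"); }
    let (fc, fs) = (cfg_features(&c), cfg_features(&s));
    let size_ok = fc.instructions.abs_diff(fs.instructions) * 2 <= fc.instructions.max(fs.instructions);
    let shape_ok = fc.calls == fs.calls && fc.cond_branches.abs_diff(fs.cond_branches) <= 1;
    if size_ok && shape_ok { (MatchKind::Structural, "medium") } else { (MatchKind::None, "low") }
}

fn main() {
    for (label, cand) in [("relocated build", VULN_BUILD_B), ("patched build", PATCHED), ("unrelated", UNRELATED)] {
        println!("{label:<16} -> {:?}", classify(cand, VULN_BUILD_A));
    }
}
```

The point of the grading is the middle case: a structural match against a vulnerable-build signature says "this looks like that function" but not "this is the vulnerable build", so it must not be reported with the confidence of an exact stream-hash hit.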
Surface
```
assay scan <path> [--deep] [--format json|cyclonedx]   # a file or directory
assay host [--full-fs] [--managed-only] [--deep]       # this machine
assay remote <host> [--full-fs] [--deep]               # a machine over SSH
assay sig build <library>                              # build Tier-3 signatures
assay feed update                                      # sync the CVE cache
assay report <scan-id> [--format ...]                  # re-render, no re-scan
```
Status
P0 – P5
Host/directory scanning, CVE mapping (NVD + OSV), CycloneDX SBOM export, dpkg-aware live host inventory, and disassembly-based signature matching (exact and CFG-feature-tolerant) are built and live-validated. SSH-based remote host scanning reuses the same inventory pipeline against a machine the operator already has access to — upload, run, fetch results, remove the uploaded copy.