assay

binary composition analysis & embedded-library vulnerability detection

assay determines what third-party libraries a compiled artifact is made of — including statically-linked, vendored, and embedded copies invisible to package managers — and maps them to known vulnerabilities. It also inventories a live host's installed and running software. A single Rust binary; no daemon, no cloud dependency.

Motivating case

Detecting an embedded, vulnerable copy of libssh2 (CVE-2026-55200, a pre-auth heap-corruption bug in ssh2_transport_read()) inside a stripped binary — and telling a patched copy from a vulnerable one at the function level, not just by matching a version string.

How it works

Cheap signals run first; expensive ones only run where cheap ones are silent:

Every finding carries its evidence chain and an honest confidence rating — high for an exact match, lower for a structural or approximate one. The tool would rather say "unknown, low confidence" than guess.
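An added Rust illustration of the tier-then-confidence policy just described; this is not assay's own code, and the `Confidence`, `Finding` and `classify` names, the banner, the function fingerprint and every sample buffer are constructed placeholders rather than real libssh2 signatures:

```rust
// Added illustration of the tier-then-confidence policy; not assay's own code.
// BANNER, FINGERPRINT and every sample buffer are constructed placeholders.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Confidence { High, Medium, Low }

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub library: &'static str,
    pub version: Option<&'static str>,
    pub confidence: Confidence,
    pub evidence: Vec<String>, // the chain of observations behind the finding
}

// Tier 1 (cheap): an unstripped version banner. Placeholder value.
const BANNER: &[u8] = b"libssh2/1.11.0";
// Tier 2 (costly): byte fingerprint of one function prologue. Placeholder value.
const FINGERPRINT: &[u8] = &[0x55, 0x48, 0x89, 0xe5, 0x41, 0x57, 0x41, 0x56];
// Differing bytes tolerated by the approximate (feature-tolerant) match.
const MAX_MISMATCH: usize = 2;

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Window closest to FINGERPRINT: (offset, number of differing bytes).
fn closest_fingerprint(hay: &[u8]) -> Option<(usize, usize)> {
    hay.windows(FINGERPRINT.len())
        .enumerate()
        .map(|(i, w)| (i, w.iter().zip(FINGERPRINT).filter(|(a, b)| a != b).count()))
        .min_by_key(|&(_, d)| d)
}

pub fn classify(buf: &[u8]) -> Finding {
    // Tier 1 is an exact match, so it yields High and ends the search.
    if let Some(off) = find(buf, BANNER) {
        let evidence = vec![format!("tier1: version banner at offset {}", off)];
        return Finding { library: "libssh2", version: Some("1.11.0"), confidence: Confidence::High, evidence };
    }
    // Tier 2 runs only because tier 1 was silent; structural or approximate matches rate lower.
    let mut evidence = vec!["tier1: no version banner".to_string()];
    let (library, confidence) = match closest_fingerprint(buf) {
        Some((off, 0)) => { evidence.push(format!("tier2: exact fingerprint at offset {}", off)); ("libssh2", Confidence::Medium) }
        Some((off, d)) if d <= MAX_MISMATCH => { evidence.push(format!("tier2: fingerprint at offset {} with {} differing bytes", off, d)); ("libssh2", Confidence::Low) }
        _ => { evidence.push("tier2: no fingerprint within tolerance".to_string()); ("unknown", Confidence::Low) }
    };
    Finding { library, version: None, confidence, evidence }
}
```

A buffer with no banner and no fingerprint within tolerance comes back as "unknown" at Low confidence rather than as a guessed library.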

Surface

assay scan <path> [--deep] [--format json|cyclonedx]   # a file or directory
assay host [--full-fs] [--managed-only] [--deep]        # this machine
assay remote <host> [--full-fs] [--deep]                # a machine over SSH
assay sig build <library>                                # build Tier-3 signatures
assay feed update                                        # sync the CVE cache
assay report <scan-id> [--format ...]                    # re-render, no re-scan

Status

P0 – P5

Host/directory scanning, CVE mapping (NVD + OSV), CycloneDX SBOM export, dpkg-aware live host inventory, and disassembly-based signature matching (exact and CFG-feature-tolerant) are built and live-validated. SSH-based remote host scanning reuses the same inventory pipeline against a machine the operator already has access to — upload, run, fetch results, remove the uploaded copy.