
Require explicit acknowledgement for risky Rust call analysis#2715

Open
sumitshahorg wants to merge 1 commit into google:main from sumitshahorg:fix/rust-call-analysis-acknowledgement

Conversation


@sumitshahorg sumitshahorg commented Apr 11, 2026

Summary

Introduce a safety guard for Rust call analysis to prevent unintended execution of untrusted code during scanning, explicitly addressing a Remote Code Execution (RCE) risk.

Problem

When --call-analysis=rust is enabled, the scanner invokes cargo build, which executes build.rs scripts. These scripts can contain arbitrary code and are executed automatically during the build process.

This creates a Remote Code Execution (RCE) risk where scanning an untrusted project can lead to arbitrary code execution on the host system without explicit user awareness.

Solution

  • Add a required flag: --allow-risky-rust-call-analysis
  • Fail fast if Rust call analysis is requested without explicit acknowledgement
  • Add documentation warning in README about execution of build.rs

Behavior Change

Before:

--call-analysis=rust
→ cargo build executes automatically
→ build.rs may execute arbitrary code (RCE risk)

After:

--call-analysis=rust
→ fails unless --allow-risky-rust-call-analysis is provided
→ explicit user acknowledgement required

Security Impact

  • Prevents silent Remote Code Execution (RCE) via build.rs
  • Eliminates implicit execution of untrusted code during scanning
  • Introduces explicit user consent for risky operations
  • Aligns with secure-by-default and least-astonishment principles

Notes

This change does not alter functionality when explicitly enabled, but enforces a secure default by requiring user acknowledgement before executing potentially unsafe build steps.
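
The fail-fast guard described above, written out as an added Go example; this is not the PR's diff or osv-scanner's own code, and the function names, the error text and the comma-separated handling of `--call-analysis` are assumptions made for illustration:

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"strings"
)

// ErrRustAnalysisNotAcknowledged is returned when Rust call analysis is
// requested without the explicit --allow-risky-rust-call-analysis flag.
var ErrRustAnalysisNotAcknowledged = errors.New(
	"--call-analysis=rust runs `cargo build`, which executes build.rs scripts from the scanned project; " +
		"re-run with --allow-risky-rust-call-analysis only if you trust that code")

// parseCallAnalysis splits a --call-analysis value such as "go,rust" into
// normalised language names (hypothetical helper, not the project's parser).
func parseCallAnalysis(value string) []string {
	var langs []string
	for _, l := range strings.Split(value, ",") {
		l = strings.ToLower(strings.TrimSpace(l))
		if l != "" {
			langs = append(langs, l)
		}
	}
	return langs
}

// validateCallAnalysis is the guard itself: Rust call analysis is permitted
// only when the user has explicitly acknowledged the build.rs risk. Every
// other language passes through unchanged.
func validateCallAnalysis(langs []string, allowRiskyRust bool) error {
	for _, l := range langs {
		if l == "rust" && !allowRiskyRust {
			return ErrRustAnalysisNotAcknowledged
		}
	}
	return nil
}

func main() {
	callAnalysis := flag.String("call-analysis", "", "comma-separated languages to run call analysis for")
	allowRiskyRust := flag.Bool("allow-risky-rust-call-analysis", false,
		"acknowledge that Rust call analysis runs cargo build, which executes build.rs")
	flag.Parse()

	langs := parseCallAnalysis(*callAnalysis)
	if err := validateCallAnalysis(langs, *allowRiskyRust); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2) // refuse before any cargo build step can run
	}
	fmt.Println("call analysis enabled for:", langs)
}
```

The check runs before any build tooling is invoked, so a missing acknowledgement never reaches `cargo build`.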


google-cla bot commented Apr 11, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Add --allow-risky-rust-call-analysis and fail fast when --call-analysis=rust is enabled without explicit trust acknowledgement. Also add README warning and a small explanatory comment near the guard.
@sumitshahorg sumitshahorg force-pushed the fix/rust-call-analysis-acknowledgement branch from 464c7ab to 7d8b3a0 on April 11, 2026 14:00