Summary

Introduce a safety guard for Rust call analysis to prevent unintended execution of untrusted code during scanning, explicitly addressing a Remote Code Execution (RCE) risk.

Problem

When --call-analysis=rust is enabled, the scanner invokes cargo build, which executes build.rs scripts. These scripts can contain arbitrary code and are executed automatically during the build process.

This creates a Remote Code Execution (RCE) risk where scanning an untrusted project can lead to arbitrary code execution on the host system without explicit user awareness.

Solution

• Add a required flag: --allow-risky-rust-call-analysis
• Fail fast if Rust call analysis is requested without explicit acknowledgement
• Add documentation warning in README about execution of build.rs

Behavior Change

Before:

--call-analysis=rust
→ cargo build executes automatically
→ build.rs may execute arbitrary code (RCE risk)

After:

--call-analysis=rust
→ fails unless --allow-risky-rust-call-analysis is provided
→ explicit user acknowledgement required

Security Impact

• Prevents silent Remote Code Execution (RCE) via build.rs
• Eliminates implicit execution of untrusted code during scanning
• Introduces explicit user consent for risky operations
• Aligns with secure-by-default and least-astonishment principles

Notes

This change does not alter functionality when explicitly enabled, but enforces a secure default by requiring user acknowledgement before executing potentially unsafe build steps.