Follow-ups from the #260 review — none were merge-blockers, tracking here so they don't get lost.
1. Seed list gaps (highest priority)

`src/rules/manifest.rs` `CARGO_SEEDS` missing:

- `k256` — secp256k1 ECDSA, ubiquitous in Bitcoin / Ethereum tooling
- `secp256k1` / `libsecp256k1`
- `openssl` — the high-level Rust crate (not just `openssl-sys`)
- Optional: `ed448-goldilocks`

`PIP_PACKAGES` missing:

- `pyjwt` — pinned to RS256/ES256 by default
- `authlib` — OAuth/OIDC, uses RSA/EC
- `python-jose` — JWT, same
- `jwcrypto`
- `m2crypto`

These are real high-signal additions. JWT libs in particular are probably more likely to produce true positives than `cryptography` (which is a kitchen-sink crate).
2. `fabric` attribution is wrong
`PIP_PACKAGES` entry for `fabric` sets `crypto_algorithm: Some("RSA")`. `fabric` is a wrapper around `paramiko` and doesn't implement crypto itself. Should be `None` (like `cryptography`), keeping the finding but dropping the misleading algorithm label.
3. SARIF `dep_name` passthrough
`src/report/sarif.rs` currently drops the `dep_name` field added in #260. The other new metadata fields (`confidence`, `cnsa2Deadline`) are already in SARIF `properties`. Add `depName` there too — trivial change, matters for users piping SARIF into downstream tooling.
4. Document dev-deps limitation
`Cargo.lock` doesn't distinguish `[dependencies]` from `[dev-dependencies]`, so a `cargo-tarpaulin`-only `rsa` dep flags the whole app. Not fixable without parsing `Cargo.toml` alongside the lockfile. Worth a line in the `CargoLockPqCrypto` rule description so users aren't confused by false positives from test infrastructure.
5. More lockfile formats
`Pipfile.lock`, `poetry.lock`, `uv.lock` are the canonical lockfile formats for modern Python projects. `requirements.txt` is still common but increasingly a frozen output rather than a source of truth.
Similarly for Node: `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`. Not a v0.8 blocker but worth a follow-up.
6. Minor — BFS allocation cleanup
`reached_seeds` is a `Vec<(usize, f32)>`, not a dedup set. If a crate reaches the same seed via 5 paths it contributes 5 entries. The `max_by` at the end produces the correct result but the collection is larger than needed. Swap for `HashMap<usize, f32>` keeping max-per-seed. Trivial perf nit.
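An added sketch of the swap proposed in item 6, not code from the project: a constructed toy dependency graph and a BFS that records a seed once per incoming edge, collected first as the current `Vec<(usize, f32)>` shape and then as a `HashMap<usize, f32>` that keeps the best score per seed. The `1 / (1 + depth)` score, the graph shape and the function names are assumptions; `max_by` returns the same answer on both collections, only the second is smaller.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Constructed adjacency list: crate index -> indices of its direct dependencies.
type Graph = Vec<Vec<usize>>;
/// Placeholder score assumed for the example: a seed `depth` hops from the root
/// scores 1 / (1 + depth), so a shorter path to the same seed scores higher.
fn path_score(depth: usize) -> f32 {
    1.0 / (1.0 + depth as f32)
}
/// BFS from `root`. `visit` fires once for every edge that lands on a seed, so a
/// seed with several incoming edges is reported several times (the case in the note).
fn bfs_reach(graph: &Graph, seeds: &HashSet<usize>, root: usize, mut visit: impl FnMut(usize, f32)) {
    let mut seen = HashSet::from([root]);
    let mut queue = VecDeque::from([(root, 0usize)]);
    while let Some((node, depth)) = queue.pop_front() {
        for &next in &graph[node] {
            if seeds.contains(&next) {
                visit(next, path_score(depth + 1));
            }
            if seen.insert(next) {
                queue.push_back((next, depth + 1));
            }
        }
    }
}
/// Current shape: one (seed, score) entry per reaching edge, duplicates included.
fn reached_seeds_vec(graph: &Graph, seeds: &HashSet<usize>, root: usize) -> Vec<(usize, f32)> {
    let mut reached = Vec::new();
    bfs_reach(graph, seeds, root, |seed, score| reached.push((seed, score)));
    reached
}
/// Proposed shape: one entry per seed, keeping only the best score seen for it.
fn reached_seeds_map(graph: &Graph, seeds: &HashSet<usize>, root: usize) -> HashMap<usize, f32> {
    let mut reached = HashMap::new();
    bfs_reach(graph, seeds, root, |seed, score| {
        let best = reached.entry(seed).or_insert(score);
        if score > *best { *best = score; }
    });
    reached
}
/// The final `max_by`; ties broken by seed index so both shapes give the same answer.
fn best_seed(pairs: impl IntoIterator<Item = (usize, f32)>) -> Option<(usize, f32)> {
    pairs.into_iter().max_by(|a, b| a.1.total_cmp(&b.1).then_with(|| a.0.cmp(&b.0)))
}
/// Constructed sample: root 0 depends on 1, 2, 3 and on seed 5 directly; seeds are {4, 5, 6}.
fn sample() -> (Graph, HashSet<usize>) {
    (vec![vec![1, 2, 3, 5], vec![4], vec![4, 5], vec![1], vec![6], vec![6], vec![]], HashSet::from([4, 5, 6]))
}
```

On the sample graph the Vec holds six entries (seed 4 twice, seeds 5 and 6 twice each at different depths) while the map holds three, and both pick seed 5 at score 0.5.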
Not blocking any release.