| 1 | +# RMA Roadmap |
| 2 | + |
| 3 | +This document outlines the evolution of RMA (Rust Monorepo Analyzer) from its initial release to the current version, and what's planned for the future. |
| 4 | + |
| 5 | +## Version History |
| 6 | + |
| 7 | +### Phase 1: Foundation (v0.1.0 - v0.2.0) |
| 8 | + |
| 9 | +**v0.1.0** — Initial Release |
| 10 | +- Multi-language support: Rust, JavaScript, TypeScript, Python, Go, Java |
| 11 | +- Tree-sitter based parsing for accurate AST analysis |
| 12 | +- Security and code quality rules |
| 13 | +- SARIF output for GitHub Security tab |
| 14 | +- Watch mode for real-time analysis |
| 15 | +- HTTP API daemon |
| 16 | +- Configuration via `rma.toml` |
| 17 | +- Profiles: fast, balanced, strict |
| 18 | + |
| 19 | +**v0.2.0** — Configuration & CI |
| 20 | +- Config versioning (`config_version = 1`) |
| 21 | +- Stable fingerprints for baseline comparisons |
| 22 | +- Rulesets (security, maintainability) |
| 23 | +- Inline suppression (`// rma-ignore-next-line`) |
| 24 | +- GitHub Actions integration |
| 25 | + |
| 26 | +--- |
| 27 | + |
| 28 | +### Phase 2: Security Rules (v0.3.0 - v0.4.0) |
| 29 | + |
| 30 | +**v0.3.0** — Secret Detection |
| 31 | +- 8 new security rules across all languages |
| 32 | +- Secret detection: API keys, AWS keys, GitHub tokens, private keys |
| 33 | +- Insecure crypto detection: MD5, SHA-1, DES, RC4, ECB |
| 34 | +- Automatic Homebrew tap updates |
| 35 | + |
| 36 | +**v0.4.x** — Polish |
| 37 | +- SARIF output improvements |
| 38 | +- Better error messages |
| 39 | +- Bug fixes and stability |
| 40 | + |
| 41 | +--- |
| 42 | + |
| 43 | +### Phase 3: Rich Diagnostics (v0.5.0 - v0.6.0) |
| 44 | + |
| 45 | +**v0.5.0** — Developer Experience |
| 46 | +- Rustc-style diagnostics with code snippets and suggestions |
| 47 | +- GitHub Actions output format (`--format github`) |
| 48 | + |
| 49 | +**v0.6.0** — Real-time Monitoring |
| 50 | +- WebSocket endpoint for real-time file watching (`/ws/watch`) |
| 51 | +- Web dashboard for browser-based monitoring |
| 52 | +- Interactive keyboard shortcuts in watch mode |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +### Phase 4: Native JS/TS Analysis (v0.7.0 - v0.9.0) |
| 57 | + |
| 58 | +**v0.7.0** — Oxc Integration |
| 59 | +- Native Oxc integration for JS/TS (no external binaries required) |
| 60 | +- Gosec provider for Go security analysis |
| 61 | +- Test file exclusion from secret detection |
| 62 | +- 65 total rules |
| 63 | + |
| 64 | +**v0.8.0 - v0.9.0** — Performance |
| 65 | +- Rule pre-filtering with HashMap for O(1) lookup |
| 66 | +- Single-pass AST traversal |
| 67 | +- Pre-compiled regex patterns |
| 68 | + |
| 69 | +--- |
| 70 | + |
| 71 | +### Phase 5: Vulnerability Scanning (v0.10.0 - v0.12.0) |
| 72 | + |
| 73 | +**v0.12.0** — Security Audit |
| 74 | +- `rma audit` command for comprehensive vulnerability assessment |
| 75 | +- OSV provider for multi-language dependency scanning |
| 76 | +- RustSec provider for Rust advisory database |
| 77 | + |
| 78 | +--- |
| 79 | + |
| 80 | +### Phase 6: Cross-File Analysis (v0.13.0 - v0.14.0) |
| 81 | + |
| 82 | +**v0.13.0** — Import Resolution |
| 83 | +- Cross-file analysis (`--cross-file`) |
| 84 | +- Import resolution and call graph construction |
| 85 | +- Taint flow tracking through function parameters |
| 86 | +- 20+ new security rules |
| 87 | +- Diff-aware analysis (`--diff`) |
| 88 | +- HTML report generation |
| 89 | +- GitHub Action (`action.yml`) |
| 90 | + |
| 91 | +**v0.14.0** — Typestate Analysis |
| 92 | +- Typestate analysis framework (use-after-close, double-lock, etc.) |
| 93 | +- Interactive TUI for browsing findings |
| 94 | +- Smart progress display with ETA |
| 95 | +- Powerful filtering: `--severity`, `--rules`, `--category`, `--search` |
| 96 | +- Output limiting: `--limit N`, `--group-by` |
| 97 | + |
| 98 | +--- |
| 99 | + |
| 100 | +### Phase 7: Enterprise Features (v0.15.0 - v0.16.0) |
| 101 | + |
| 102 | +**v0.15.0** — GitHub Integration |
| 103 | +- SARIF scanned files summary for GitHub Code Scanning |
| 104 | +- Dedicated RMA scan workflow |
| 105 | +- Open source community files (CODEOWNERS, CODE_OF_CONDUCT, SECURITY.md) |
| 106 | + |
| 107 | +**v0.16.0** — Enhanced TUI & Caching *(Current)* |
| 108 | +- Call Graph Statistics Panel |
| 109 | +- Security Classification Badges (sources, sinks, sanitizers) |
| 110 | +- Source→Sink flow highlighting with `⚠` warnings |
| 111 | +- Analysis caching for faster re-scans |
| 112 | +- Test files excluded by default (`--include-tests` to opt-in) |
| 113 | + |
| 114 | +--- |
| 115 | + |
| 116 | +## Current Stats (v0.16.0) |
| 117 | + |
| 118 | +| Metric | Value | |
| 119 | +|--------|-------| |
| 120 | +| Supported Languages | 6 (JavaScript, TypeScript, Python, Rust, Go, Java) | |
| 121 | +| Security Rules | 647+ | |
| 122 | +| Tree-sitter Grammars | 30+ | |
| 123 | +| Crates | 10 | |
| 124 | +| Output Formats | SARIF, JSON, GitHub, HTML, JUnit XML | |
| 125 | + |
| 126 | +--- |
| 127 | + |
| 128 | +## What's Next |
| 129 | + |
| 130 | +### v0.17.0 (In Progress) |
| 131 | + |
| 132 | +- [ ] All 10 crates publishing to crates.io |
| 133 | +- [ ] Improved test exclusion patterns |
| 134 | +- [ ] Performance optimizations for large monorepos |
| 135 | + |
| 136 | +### v0.18.0 (Planned) |
| 137 | + |
| 138 | +- [ ] **Full LSP Integration** — Real-time diagnostics in any editor |
| 139 | +- [ ] **Auto-fix suggestions** — `rma fix` command with safe transformations |
| 140 | +- [ ] **Baseline management** — Track and suppress legacy issues |
| 141 | + |
| 142 | +### v0.19.0 (Planned) |
| 143 | + |
| 144 | +- [ ] **Reachability analysis** — Only flag vulnerabilities in reachable code paths |
| 145 | +- [ ] **Custom rule builder** — YAML-based rule authoring with validation |
| 146 | +- [ ] **Team dashboards** — Historical trends and metrics |
| 147 | + |
| 148 | +--- |
| 149 | + |
| 150 | +## Long-term Vision |
| 151 | + |
| 152 | +### Cloud SaaS Platform |
| 153 | +- Hosted scanning service |
| 154 | +- GitHub/GitLab/Bitbucket integrations |
| 155 | +- Team collaboration features |
| 156 | +- Centralized policy management |
| 157 | + |
| 158 | +### Advanced Analysis |
| 159 | +- Inter-procedural taint tracking |
| 160 | +- Context-sensitive analysis |
| 161 | +- Machine learning for false positive reduction |
| 162 | +- Supply chain security (SBOM generation) |
| 163 | + |
| 164 | +### Ecosystem |
| 165 | +- VS Code extension (✅ Done) |
| 166 | +- Neovim plugin (✅ Done) |
| 167 | +- JetBrains plugin (✅ Done) |
| 168 | +- Pre-commit hooks |
| 169 | +- Monorepo-aware caching |
| 170 | + |
| 171 | +--- |
| 172 | + |
| 173 | +## Completed Milestones |
| 174 | + |
| 175 | +- [x] Multi-language tree-sitter parsing |
| 176 | +- [x] Parallel analysis with rayon |
| 177 | +- [x] SARIF output for CI/CD |
| 178 | +- [x] Watch mode with interactive controls |
| 179 | +- [x] HTTP API daemon with WebSocket support |
| 180 | +- [x] WASM plugin system |
| 181 | +- [x] AI-powered analysis |
| 182 | +- [x] One-command installation (npm, cargo, brew) |
| 183 | +- [x] GitHub Actions integration |
| 184 | +- [x] VS Code extension |
| 185 | +- [x] Neovim plugin |
| 186 | +- [x] JetBrains plugin |
| 187 | +- [x] Web Dashboard |
| 188 | +- [x] Doctor command |
| 189 | +- [x] Cross-file taint analysis |
| 190 | +- [x] Interactive TUI |
| 191 | +- [x] Analysis caching |
| 192 | + |
| 193 | +--- |
| 194 | + |
| 195 | +## Contributing |
| 196 | + |
| 197 | +We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. |
| 198 | + |
| 199 | +Priority areas for contribution: |
| 200 | +- New security rules (especially for underserved languages) |
| 201 | +- Performance improvements |
| 202 | +- Documentation and examples |
| 203 | +- Bug fixes and testing |
| 204 | + |
| 205 | +--- |
| 206 | + |
| 207 | +## Feedback |
| 208 | + |
| 209 | +Have ideas for the roadmap? Open a [GitHub Discussion](https://github.com/bumahkib7/rust-monorepo-analyzer/discussions) or file an issue! |
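Review bot: the rule counts and version ranges in this file do not reconcile with each other and should be made consistent before merging. Phase 5 is headed `v0.10.0 - v0.12.0` but lists only v0.12.0, so v0.10.0 and v0.11.0 either need entries or the heading should be narrowed; likewise the history goes from "65 total rules" at v0.7.0 to "647+" in Current Stats with only "20+ new security rules" (v0.13.0) recorded in between, so either intermediate releases are missing or the stats row counts something other than rules. Completed Milestones lists "WASM plugin system", "AI-powered analysis" and "Doctor command", none of which appear in Version History, and the three editor integrations marked "(✅ Done)" under Long-term Vision duplicate entries in Completed Milestones and belong there rather than under a vision heading. One documentation point worth a sentence next to the v0.16.0 entry: "Test files excluded by default" combined with v0.7.0's "Test file exclusion from secret detection" means a hard-coded credential in a test fixture is not reported unless `--include-tests` is passed, so teams relying on the SARIF upload or `rma audit` for secret detection should be told explicitly that default scans do not cover test directories.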