feat(evaluation): scan the whole dependency graph (#18)

* feat(evaluation): scan the whole dependency graph

* feat(evaluation): improve acceptance test

Author: ubiratansoares

Cargo.lock

@@ -27,6 +27,7 @@ cargo-lock = "=10.1.0"
 clap = "=4.5.48"
 console = "=0.16.1"
 env_logger = "=0.11.8"
+futures = "=0.3.31"
 hex = "=0.4.3"
 httpmock = "=0.7.0"
 human-panic = "=2.0.3"

Cargo.toml

@@ -18,6 +18,7 @@ cargo-lock.workspace = true
 clap = { workspace = true, features = ["derive"] }
 console.workspace = true
 env_logger.workspace = true
+futures.workspace = true
 human-panic.workspace = true
 log.workspace = true
 reqwest.workspace = true
@@ -30,4 +31,5 @@ tokio.workspace = true
 assertor.workspace = true
 assert_cmd.workspace = true
 httpmock.workspace = true
+predicates.workspace = true
 temp-dir.workspace = true

crates/pollux/Cargo.toml

@@ -1,10 +1,13 @@
 // Copyright 2025 Dotanuki Labs
 // SPDX-License-Identifier: MIT
 
+use crate::core::CrateVeracityLevel::NotAvailable;
 use crate::infra::{
     CachedVeracityEvaluator, CrateBuildReproducibilityEvaluator, CrateProvenanceEvaluator, VeracityEvaluationStorage,
 };
 use std::fmt::Display;
+use std::time::Duration;
+use tokio::time::sleep;
 
 #[derive(Clone, Debug, PartialEq)]
 pub struct CargoPackage {
@@ -95,8 +98,8 @@ impl CombinedVeracityEvaluator {
     }
 
     async fn evaluate_two_veracity_factors(&self, crate_info: &CargoPackage) -> anyhow::Result<CrateVeracityLevel> {
-        let has_provenance = self.provenance.evaluate(crate_info).await?;
         let has_reproduced_build = self.reproducibility.evaluate(crate_info).await?;
+        let has_provenance = self.provenance.evaluate(crate_info).await?;
 
         let veracity_level = CrateVeracityLevel::from_booleans(has_provenance, has_reproduced_build);
         self.cache.save(crate_info, veracity_level.clone())?;
@@ -108,6 +111,8 @@ impl CombinedVeracityEvaluator {
         existing_factor: VeracityFactor,
         crate_info: &CargoPackage,
     ) -> anyhow::Result<CrateVeracityLevel> {
+        sleep(Duration::from_millis(1000)).await;
+
         let found_additional_factor = match existing_factor {
             VeracityFactor::ReproducibleBuilds => self.provenance.evaluate(crate_info).await?,
             VeracityFactor::ProvenanceAttested => self.reproducibility.evaluate(crate_info).await?,
@@ -126,14 +131,29 @@ impl CombinedVeracityEvaluator {
 }
 
 impl CrateVeracityEvaluation for CombinedVeracityEvaluator {
-    async fn evaluate(&self, crate_info: &CargoPackage) -> anyhow::Result<CrateVeracityLevel> {
-        let cached_veracity = self.cache.read(crate_info).unwrap_or(CrateVeracityLevel::NotAvailable);
+    async fn evaluate(&self, cargo_package: &CargoPackage) -> anyhow::Result<CrateVeracityLevel> {
+        let cached_veracity = self.cache.read(cargo_package).unwrap_or(NotAvailable);
+
+        let new_evaluation = match &cached_veracity {
+            CrateVeracityLevel::NotAvailable => self.evaluate_two_veracity_factors(cargo_package).await,
+            CrateVeracityLevel::SingleFactor(factor) => {
+                self.evaluate_missing_veracity_factor(factor.clone(), cargo_package)
+                    .await
+            },
+            CrateVeracityLevel::TwoFactors => Ok(cached_veracity.clone()),
+        };
 
-        match cached_veracity {
-            CrateVeracityLevel::NotAvailable => self.evaluate_two_veracity_factors(crate_info).await,
-            CrateVeracityLevel::SingleFactor(factor) => self.evaluate_missing_veracity_factor(factor, crate_info).await,
-            CrateVeracityLevel::TwoFactors => Ok(cached_veracity),
+        if new_evaluation.is_ok() {
+            return new_evaluation;
         }
+
+        log::info!(
+            "[pollux.core] failed to evaluate {} | reason = {}; defaulting to cache",
+            cargo_package,
+            new_evaluation.unwrap_err()
+        );
+        log::info!("[pollux.core] using cached veracity evaluation for {}", cargo_package);
+        Ok(cached_veracity)
     }
 }
 

crates/pollux/src/core.rs

@@ -95,14 +95,19 @@ pub mod factories {
     use std::env::home_dir;
     use std::path::PathBuf;
     use std::sync::{Arc, LazyLock};
+    use std::time::Duration;
 
     pub static HTTP_CLIENT: LazyLock<Arc<HTTPClient>> = LazyLock::new(|| {
         let user_agent = format!("{}/{}", env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION"));
 
         let mut headers = header::HeaderMap::new();
         headers.insert(header::USER_AGENT, header::HeaderValue::from_str(&user_agent).unwrap());
 
-        let client = HTTPClient::builder().default_headers(headers).build().unwrap();
+        let client = HTTPClient::builder()
+            .default_headers(headers)
+            .timeout(Duration::from_secs(15))
+            .build()
+            .unwrap();
         Arc::new(client)
     });
 

crates/pollux/src/infra.rs

@@ -6,6 +6,8 @@ use crate::infra::HTTPClient;
 use serde::Deserialize;
 use std::fmt::Display;
 use std::sync::Arc;
+use std::time::Duration;
+use tokio::time::sleep;
 
 #[derive(Debug, Deserialize)]
 struct TrustPubData {
@@ -46,6 +48,8 @@ impl CratesIOEvaluator {
 
 impl VeracityEvaluation for CratesIOEvaluator {
     async fn evaluate(&self, crate_info: &CargoPackage) -> anyhow::Result<bool> {
+        sleep(Duration::from_millis(1000)).await;
+
         let endpoint = format!(
             "{}/api/v1/crates/{}/{}",
             self.base_url, crate_info.name, crate_info.version

crates/pollux/src/infra/cratesio.rs

@@ -6,6 +6,8 @@ use crate::infra::HTTPClient;
 use anyhow::bail;
 use reqwest::StatusCode;
 use std::sync::Arc;
+use std::time::Duration;
+use tokio::time::sleep;
 
 pub struct OssRebuildEvaluator {
     base_url: String,
@@ -20,12 +22,20 @@ impl OssRebuildEvaluator {
 
 impl VeracityEvaluation for OssRebuildEvaluator {
     async fn evaluate(&self, crate_info: &CargoPackage) -> anyhow::Result<bool> {
+        sleep(Duration::from_millis(1000)).await;
+
         let endpoint = format!(
             "{}/{}/{}/{}-{}.crate/rebuild.intoto.jsonl",
             self.base_url, crate_info.name, crate_info.version, crate_info.name, crate_info.version
         );
 
-        let response = self.http_client.head(&endpoint).send().await?;
+        let response = match self.http_client.head(&endpoint).send().await {
+            Ok(inner) => inner,
+            Err(incoming) => {
+                log::info!("{}", incoming);
+                bail!("{}", incoming);
+            },
+        };
 
         if response.status() == StatusCode::OK {
             log::info!("[pollux.evaluator] found reproduced build for {}", crate_info);

crates/pollux/src/infra/ossrebuild.rs

@@ -4,8 +4,8 @@
 mod core;
 mod infra;
 
-use crate::core::CargoPackage;
 use crate::core::CrateVeracityEvaluation;
+use crate::core::CrateVeracityLevel;
 use crate::infra::cargo::RustProjectDependenciesResolver;
 use clap::Parser;
 use console::style;
@@ -18,14 +18,12 @@ static GLOBAL: Jemalloc = Jemalloc;
 #[derive(Parser, Debug)]
 #[command(version, about, long_about = None)]
 struct ProgramArguments {
-    #[arg(short, long)]
-    name: String,
-
     #[arg(short, long, help = "Path pointing to project root")]
     pub path: PathBuf,
 }
 
 #[tokio::main]
+
 async fn main() -> anyhow::Result<()> {
     better_panic::install();
     human_panic::setup_panic!();
@@ -49,17 +47,62 @@ async fn main() -> anyhow::Result<()> {
     let dependencies_resolver = RustProjectDependenciesResolver::new(arguments.path);
 
     let cargo_packages = dependencies_resolver.resolve_packages()?;
+    let total_project_packages = cargo_packages.len();
 
     println!();
-    println!("Total cargo packages for this project: {}", cargo_packages.len());
+    println!("Total cargo packages for this project: {}", total_project_packages);
+    println!();
+    println!("Evaluating veracity for packages. This operation may take some time ...");
+
+    let veracity_checks = cargo_packages
+        .into_iter()
+        .map(async |package| (package.clone(), veracity_evaluator.evaluate(&package).await))
+        .collect::<Vec<_>>();
+
+    let evaluations = futures::future::join_all(veracity_checks).await;
 
-    let parts = arguments.name.split("@").collect::<Vec<_>>();
-    let crates_info = CargoPackage::new(parts[0].to_string(), parts[1].to_string());
+    let total_evaluated_packages = evaluations
+        .iter()
+        .filter(|(_, check)| check.is_ok())
+        .collect::<Vec<_>>()
+        .len();
 
-    let evaluation = veracity_evaluator.evaluate(&crates_info).await.unwrap();
+    let total_packages_with_veracity_level = evaluations
+        .iter()
+        .filter_map(|(_, check)| {
+            if let Ok(level) = check {
+                Some(level.to_owned().clone())
+            } else {
+                None
+            }
+        })
+        .filter(|veracity_level| *veracity_level != CrateVeracityLevel::NotAvailable)
+        .collect::<Vec<_>>()
+        .len();
 
     println!();
-    println!("For {} : truthfulness = {:?} ", crates_info, style(evaluation).cyan());
+    println!("Packages evaluated : {}", total_evaluated_packages);
+    println!(
+        "Packages missing veracity checks : {}",
+        total_project_packages - total_evaluated_packages
+    );
+    println!(
+        "Packages with existing veracity checks : {}",
+        total_packages_with_veracity_level
+    );
+    println!();
+
+    evaluations
+        .iter()
+        .for_each(|(package, veracity_check)| match veracity_check {
+            Ok(level) => {
+                println!("For {} : veracity = {:?} ", package, style(level).cyan());
+            },
+            Err(_) => {
+                println!("For {} : {}", package, style("failed to evaluate").red());
+            },
+        });
+
     println!();
     Ok(())
 }