Skip to content

Validation

forensic-hashdb is a lookup crate: it answers membership queries against hash sets. Correctness is established by the evidence below.

Exact matching — no false positives

known_good and known_bad are exact-match structures (binary search over sorted 32-byte records; HashMap), so a hit is a decision-grade answer — there is no probabilistic layer in the exclusion path that could mis-exclude a file. The binary search is bounds-checked: an out-of-range slice degrades to a non-match, and that guard is annotated // cov:unreachable because the search index provably stays within the record count.

Panic-free + fuzzed

The crate reads analyst-supplied files — a binary known-good DB (mmap) and text/CSV feeds — so it meets the panic-free posture: unsafe_code = deny (one justified bounded mmap site in known_good), no unwrap/expect/panic! in production, and length-checked reads.

  • fuzz_known_good opens arbitrary bytes as a DB and runs is_known_good over them — no panic, no out-of-bounds read, whatever the file size or contents.
  • fuzz_feed loads arbitrary text/CSV into a HashFeed and queries it — a malformed line is skipped, never fatal.

Both run as a smoke pass on every push/PR and a deep run weekly.

Coverage

100% production line coverage (cargo llvm-cov), enforced in CI by a DA:n,0 gate that fails on any uncovered production line, honoring the single // cov:unreachable guard above.

The data behind the databases

The hash contents (NSRL/CIRCL sets, malware feeds, the loldrivers list) are sourced from their upstream publishers and are the analyst's to supply or refresh; this crate provides the lookup, not the corpus. known_good reads a binary file the operator builds from the NSRL RDS; feed reads whatever IOC list the analyst points it at; lol_drivers embeds a snapshot of loldrivers.io.