Validation
forensic-hashdb is a lookup crate: it answers membership queries against hash
sets. Correctness is established by the evidence below.
Exact matching — no false positives
known_good and known_bad are exact-match structures (binary search over sorted
32-byte records; HashMap), so a hit is a decision-grade answer — there is no
probabilistic layer in the exclusion path that could mis-exclude a file. The
binary search is bounds-checked: an out-of-range slice degrades to a non-match, and
that guard is annotated // cov:unreachable because the search index provably
stays within the record count.
Panic-free + fuzzed
The crate reads analyst-supplied files — a binary known-good DB (mmap) and text/CSV
feeds — so it meets the panic-free posture: unsafe_code = deny (one justified
bounded mmap site in known_good), no unwrap/expect/panic! in production,
and length-checked reads.
fuzz_known_goodopens arbitrary bytes as a DB and runsis_known_goodover them — no panic, no out-of-bounds read, whatever the file size or contents.fuzz_feedloads arbitrary text/CSV into aHashFeedand queries it — a malformed line is skipped, never fatal.
Both run as a smoke pass on every push/PR and a deep run weekly.
Coverage
100% production line coverage (cargo llvm-cov), enforced in CI by a DA:n,0
gate that fails on any uncovered production line, honoring the single
// cov:unreachable guard above.
The data behind the databases
The hash contents (NSRL/CIRCL sets, malware feeds, the loldrivers list) are
sourced from their upstream publishers and are the analyst's to supply or refresh;
this crate provides the lookup, not the corpus. known_good reads a binary file
the operator builds from the NSRL RDS; feed reads whatever IOC list the analyst
points it at; lol_drivers embeds a snapshot of loldrivers.io.