apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-12 19:55:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

feat(surface): make attack surface first-class in the finding pipeline

Browse source
This commit is contained in:
elipeter 2026-06-10 13:01:48 -05:00
parent c9776a5caf
commit 1abcdedbfe
48 changed files with 1591 additions and 214 deletions
Download patch file Download diff file Expand all files Collapse all files

1
tests/calibration_data_exfil.rs
View file

@ -97,6 +97,7 @@ fn make_diag(
evidence: Some(make_evidence(source_kind, verdict)),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/chain_edges.rs
View file

@ -50,6 +50,7 @@ fn diag_with_caps(path: &str, line: usize, caps: Cap) -> Diag {
}),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

2
tests/chain_emission.rs
View file

@ -45,6 +45,7 @@ fn fixture_surface_map() -> SurfaceMap {
location: loc("app.py", 30),
function_name: "shell.exec".into(),
cap_bits: Cap::CODE_EXEC.bits(),
label: String::new(),
}));
m
}
@ -77,6 +78,7 @@ fn fixture_findings() -> Vec<Diag> {
evidence: Some(ev),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/common/fixture_harness.rs
View file

@ -968,6 +968,7 @@ fn make_diag(path: &Path, func: &str, cap: Cap, sink_line: u32) -> Diag {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/console_snapshot.rs
View file

@ -45,6 +45,7 @@ fn base_diag() -> Diag {
evidence: None,
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

2
tests/determinism_audit.rs
View file

@ -59,6 +59,7 @@ fn deny_diag(stable_hash: u64) -> Diag {
evidence: Some(ev),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),
@ -312,6 +313,7 @@ fn confirmed_run_is_byte_identical_across_runs() {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/dynamic_parity.rs
View file

@ -86,6 +86,7 @@ mod parity_tests {
}),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

2
tests/dynamic_verify_e2e.rs
View file

@ -78,6 +78,7 @@ mod verify_e2e {
}),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),
@ -111,6 +112,7 @@ mod verify_e2e {
evidence: None,
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/engine_notes_rank_tests.rs
View file

@ -64,6 +64,7 @@ fn high_confidence_taint_diag(path: &str, line: u32) -> Diag {
}),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/go_fixtures.rs
View file

@ -452,6 +452,7 @@ mod go_fixture_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/health_score_calibration.rs
View file

@ -47,6 +47,7 @@ fn diag(severity: Severity, id: &str, conf: Option<Confidence>) -> Diag {
evidence: None,
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/java_fixtures.rs
View file

@ -450,6 +450,7 @@ mod java_fixture_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/js_fixtures.rs
View file

@ -445,6 +445,7 @@ mod js_fixture_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/json_snapshot.rs
View file

@ -25,6 +25,7 @@ fn base_diag() -> Diag {
evidence: None,
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/lang_detect_probes.rs
View file

@ -55,6 +55,7 @@ mod lang_detect {
}),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/php_fixtures.rs
View file

@ -440,6 +440,7 @@ mod php_fixture_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/policy_deny.rs
View file

@ -34,6 +34,7 @@ fn empty_diag() -> Diag {
evidence: Some(Evidence::default()),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/python_fixtures.rs
View file

@ -928,6 +928,7 @@ mod python_fixture_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/rust_fixtures.rs
View file

@ -279,6 +279,7 @@ mod rust_fixture_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

2
tests/sandbox_hardening_linux.rs
View file

@ -752,6 +752,7 @@ mod hardening_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),
@ -947,6 +948,7 @@ mod hardening_tests {
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

2
tests/sandbox_hardening_macos.rs
View file

@ -647,6 +647,7 @@ finally:
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),
@ -787,6 +788,7 @@ finally:
evidence: Some(evidence),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/sarif_dynamic_verdict_tests.rs
View file

@ -29,6 +29,7 @@ fn base_diag() -> Diag {
evidence: None,
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/spec_callgraph_resolution.rs
View file

@ -78,6 +78,7 @@ fn make_diag(id: &str, path: &str, line: usize) -> Diag {
evidence: Some(Evidence::default()),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/spec_derivation_strategies.rs
View file

@ -48,6 +48,7 @@ mod spec_strategies {
evidence: Some(Evidence::default()),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

1
tests/spec_framework_sample.rs
View file

@ -73,6 +73,7 @@ fn make_diag(path: &str, handler: &str, line: usize, cap: Cap, rule_id: &str) ->
evidence: Some(ev),
rank_score: None,
rank_reason: None,
exposure: None,
suppressed: false,
suppression: None,
triage_state: "open".to_string(),

2
tests/surface_cli.rs
View file

@ -116,7 +116,7 @@ fn load_or_build_falls_back_to_filesystem_when_no_db() {
.unwrap();
let db_dir = tempfile::tempdir().unwrap();
let cfg = Config::default();
let map = load_or_build(tmp.path(), db_dir.path(), &cfg).expect("load_or_build");
let (map, _cov) = load_or_build(tmp.path(), db_dir.path(), &cfg).expect("load_or_build");
assert!(
map.entry_points().next().is_some(),
"expected at least one entry-point in fallback path"