[pitboss] phase 01: Track A.1 — Spec derivation strategy enum + flow-steps-optional fallback

pitboss 2026-05-13 13:03:44 -04:00
parent 5909fa8c5d
commit 31d9ef725a
21 changed files with 1106 additions and 62 deletions


@ -28,6 +28,42 @@
//!
//! Off by default. Enable with `--features dynamic`. Heavy deps (container
//! runtime client, fuzzer harness) live behind the same gate.
//!
//! # Spec derivation strategies
//!
//! [`spec::HarnessSpec::from_finding_opts`] tries a fixed-order pipeline of
//! [`spec::SpecDerivationStrategy`] candidates and returns the first one that
//! produces a runnable spec. Ordering is deliberately chosen so the cheapest,
//! most-precise sources fire first:
//!
//! 1. [`SpecDerivationStrategy::FromFlowSteps`] — the original derivation
//! path. Walks `evidence.flow_steps` for the outermost `Source` and uses
//! its enclosing function as the entry. Fires for taint findings with a
//! real cross-function flow.
//! 2. [`SpecDerivationStrategy::FromRuleNamespace`] — consumes the diag's
//! rule id (`py.cmdi.os_system`, `java.deser.readobject`,
//! `rs.auth.missing_ownership_check.taint`) plus `evidence.sink_caps` to
//! synthesize a single-step flow. Fires for AST/CFG findings whose rule
//! namespace identifies the sink class.
//! 3. [`SpecDerivationStrategy::FromFuncSummaryWalk`] — walks a
//! [`crate::summary::FuncSummary`] for the sink's enclosing function and
//! picks a `tainted_sink_params` entry. Currently only fires when a
//! summary is threaded in by the caller; the default verifier path does
//! not.
//! 4. [`SpecDerivationStrategy::FromCallgraphEntry`] — last-chance heuristic
//! that treats `*.http.*` and `*.cli.*` rule ids as entry-point findings.
//!
//! When every strategy returns `None`, [`verify::verify_finding`] decides
//! whether to lift the failure to
//! [`crate::evidence::InconclusiveReason::SpecDerivationFailed`] (the finding
//! had derivable signal but no strategy matched) or to keep it as
//! [`crate::evidence::UnsupportedReason::SpecDerivationFailed`] (genuinely
//! unmodellable).
//!
//! [`SpecDerivationStrategy::FromFlowSteps`]: spec::SpecDerivationStrategy::FromFlowSteps
//! [`SpecDerivationStrategy::FromRuleNamespace`]: spec::SpecDerivationStrategy::FromRuleNamespace
//! [`SpecDerivationStrategy::FromFuncSummaryWalk`]: spec::SpecDerivationStrategy::FromFuncSummaryWalk
//! [`SpecDerivationStrategy::FromCallgraphEntry`]: spec::SpecDerivationStrategy::FromCallgraphEntry
pub mod build_sandbox;
pub mod corpus;
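
Review bot: The closing paragraph of the new module doc says `verify::verify_finding` lifts the failure to `InconclusiveReason::SpecDerivationFailed` when the finding "had derivable signal", but the doc never defines that signal, and the inconclusive and unsupported variants share the name `SpecDerivationFailed`, so a reader cannot tell from this text which outcome a given finding will get. State the criterion here, or link to where `verify_finding` documents it. In item 3, "the default verifier path does not" leaves the verb implied; spell out that the default path does not thread a summary in, so `FromFuncSummaryWalk` never fires there and the pipeline effectively runs strategies 1, 2 and 4. Item 2 also lists `rs.auth.missing_ownership_check.taint` as an example id while saying the strategy fires for AST/CFG findings; a sentence on why a `.taint` rule lands in `FromRuleNamespace` rather than `FromFlowSteps` would remove the apparent contradiction.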