Dynamic (#77)
parent
55247b7fcd
commit
991c84a1eb
1464 changed files with 225448 additions and 1985 deletions
49
Cargo.toml
49
Cargo.toml
|
|
@ -1,14 +1,14 @@
|
|||
[package]
|
||||
name = "nyx-scanner"
|
||||
version = "0.7.0"
|
||||
version = "0.8.0"
|
||||
edition = "2024"
|
||||
rust-version = "1.88"
|
||||
description = "A multi-language static analysis tool for detecting security vulnerabilities"
|
||||
license = "GPL-3.0-or-later"
|
||||
authors = ["Eli Peter <elicpeter@example.com>"]
|
||||
homepage = "https://github.com/elicpeter/nyx"
|
||||
homepage = "https://nyxsec.dev/scanner"
|
||||
repository = "https://github.com/elicpeter/nyx"
|
||||
documentation = "https://elicpeter.github.io/nyx/"
|
||||
documentation = "https://nyxsec.dev/docs/nyx/"
|
||||
keywords = ["security", "vulnerability", "scanner", "static-analysis", "cli"]
|
||||
categories = ["security", "command-line-utilities", "development-tools", "parser-implementations", "text-processing"]
|
||||
readme = "README.md"
|
||||
|
|
@ -41,11 +41,26 @@ features = ["serve"]
|
|||
rustdoc-args = ["--cfg", "docsrs"]
|
||||
|
||||
[features]
|
||||
default = ["serve"]
|
||||
default = ["serve", "dynamic"]
|
||||
serve = ["dep:axum", "dep:tokio", "dep:tokio-stream", "dep:tower-http"]
|
||||
smt = ["dep:z3", "z3/bundled"]
|
||||
smt-system-z3 = ["dep:z3"]
|
||||
docgen = []
|
||||
# Dynamic verification layer: builds harnesses from findings, runs them in a
|
||||
# sandbox, reports back whether the sink fires.
|
||||
dynamic = ["dep:bytes", "dep:h2", "dep:http", "dep:prost", "dep:tempfile", "dep:tokio"]
|
||||
# Phase 19 (Track E.3): the `nyx-image-builder` helper binary that builds
|
||||
# and pins per-toolchain Docker images. Gated so it does not bloat the
|
||||
# default `nyx` build with extra TOML-write logic CI-only operators need.
|
||||
image-builder = []
|
||||
# Phase 20 (Track E.4): the firecracker VM backend. Off by default so
|
||||
# the standard build pulls in zero Firecracker-related code; turning it
|
||||
# on adds the `firecracker.rs` backend module and exposes
|
||||
# `SandboxBackend::Firecracker` to callers. When the feature is on but
|
||||
# the `firecracker` binary is absent on PATH, the backend returns
|
||||
# `SandboxError::BackendUnavailable(SandboxBackend::Firecracker)` so the
|
||||
# verifier can route around it cleanly.
|
||||
firecracker = ["dynamic"]
|
||||
|
||||
[lib]
|
||||
name = "nyx_scanner"
|
||||
|
|
@ -60,10 +75,20 @@ name = "nyx-docgen"
|
|||
path = "tools/docgen/main.rs"
|
||||
required-features = ["docgen"]
|
||||
|
||||
[[bin]]
|
||||
name = "nyx-image-builder"
|
||||
path = "tools/image-builder/main.rs"
|
||||
required-features = ["image-builder"]
|
||||
|
||||
[[bench]]
|
||||
name = "scan_bench"
|
||||
harness = false
|
||||
|
||||
[[bench]]
|
||||
name = "dynamic_bench"
|
||||
harness = false
|
||||
required-features = []
|
||||
|
||||
[dev-dependencies]
|
||||
tempfile = "3.27.0"
|
||||
criterion = { version = "0.8.2", features = ["html_reports"] }
|
||||
|
|
@ -116,10 +141,24 @@ smallvec = { version = "1.15.1", features = ["serde"] }
|
|||
rustc-hash = "2.1.2"
|
||||
uuid = { version = "1.23.1", features = ["v4"] }
|
||||
axum = { version = "0.8.9", optional = true }
|
||||
tokio = { version = "1.52.3", features = ["rt-multi-thread", "macros", "signal", "sync"], optional = true }
|
||||
bytes = { version = "1.11.0", optional = true }
|
||||
h2 = { version = "0.4.14", optional = true }
|
||||
http = { version = "1.3.1", optional = true }
|
||||
prost = { version = "0.14.3", optional = true }
|
||||
tokio = { version = "1.52.3", features = ["rt-multi-thread", "macros", "signal", "sync", "net", "io-util"], optional = true }
|
||||
tokio-stream = { version = "0.1.18", features = ["sync"], optional = true }
|
||||
tower-http = { version = "0.6.10", features = ["cors", "compression-gzip", "trace", "set-header", "limit"], optional = true }
|
||||
z3 = { version = "0.20.0", optional = true}
|
||||
tempfile = { version = "3.27.0", optional = true }
|
||||
|
||||
[lints.clippy]
|
||||
# Allowed project-wide instead of per-file. The vast majority of
|
||||
# `collapsible_if` hits are `if let Some(x) = .. { if cond { .. } }` patterns
|
||||
# whose only "fix" is to collapse into a let-chain, which hurts readability on
|
||||
# the complex extractor expressions throughout the engine. Keeping the decision
|
||||
# here means the rationale lives in one place and new files inherit it
|
||||
# automatically rather than re-declaring `#![allow(clippy::collapsible_if)]`.
|
||||
collapsible_if = "allow"
|
||||
|
||||
[profile.release]
|
||||
lto = true
|
||||
|
|
|
|||
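Review bot: Adding `dynamic` to the default feature set in the `[features]` hunk means every stock build, including library consumers that keep default features, compiles in the layer that builds harnesses from findings and runs them, along with `bytes`, `h2`, `http` and `prost`. Because a scanned project is usually untrusted input, I would keep the code-executing path opt-in with `default = ["serve"]`, or state in the comment above `dynamic` that nothing is executed without an explicit runtime switch, which this manifest cannot show. The manifest also does not say which sandbox backend a default build uses (only `firecracker` is feature-gated here, and it is off), so naming it in that comment would help anyone assessing the isolation boundary. Separately, `dynamic_bench` declares `required-features = []`, which gates nothing; if the bench touches the dynamic module it presumably wants `required-features = ["dynamic"]` so that `--no-default-features` builds still compile.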