Eli Peter 2026-06-05 10:16:30 -05:00 committed by GitHub
parent 55247b7fcd
commit 991c84a1eb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1464 changed files with 225448 additions and 1985 deletions


@ -50,13 +50,13 @@
//!
//! Each [`commands::scan::Diag`] carries:
//!
//! - `path`, `line`, `col` source location of the sink
//! - `id` rule identifier (e.g. `taint-unsanitised-flow`, `cfg-auth-gap`)
//! - `severity` Critical / High / Medium / Low / Info
//! - `confidence` Low / Medium / High; capped at Medium when an engine
//! - `path`, `line`, `col`: source location of the sink
//! - `id`: rule identifier (e.g. `taint-unsanitised-flow`, `cfg-auth-gap`)
//! - `severity`: Critical / High / Medium / Low / Info
//! - `confidence`: Low / Medium / High; capped at Medium when an engine
//! budget was hit
//! - `rank_score` deterministic attack-surface score for truncation ordering
//! - `evidence` optional [`evidence::Evidence`] with source/sink spans,
//! - `rank_score`: deterministic attack-surface score for truncation ordering
//! - `evidence`: optional [`evidence::Evidence`] with source/sink spans,
//! flow steps, and [`engine_notes::EngineNote`] values describing precision loss
//!
//! Engine notes communicate when a bound was hit. A finding carrying
@ -91,14 +91,18 @@
pub mod abstract_interp;
pub mod ast;
pub mod auth_analysis;
pub mod baseline;
pub mod callgraph;
pub mod cfg;
pub mod cfg_analysis;
pub mod chain;
pub mod cli;
pub mod commands;
pub mod constraint;
pub mod convergence_telemetry;
pub mod database;
#[cfg(feature = "dynamic")]
pub mod dynamic;
pub mod engine_notes;
pub mod entry_points;
pub mod errors;
@ -118,6 +122,7 @@ pub mod ssa;
pub mod state;
pub mod summary;
pub mod suppress;
pub mod surface;
pub mod symbol;
pub mod symex;
pub mod taint;
@ -144,3 +149,22 @@ use utils::config::Config;
pub fn scan_no_index(root: &Path, cfg: &Config) -> NyxResult<Vec<commands::scan::Diag>> {
commands::scan::scan_filesystem(root, cfg, false)
}
/// Same as [`scan_no_index`] but additionally returns the [`SurfaceMap`]
/// built from the post-pass-2 view.
///
/// The non-indexed scan path used to drop the surface map on the floor,
/// which forced `nyx surface` (and any other consumer that wanted both
/// findings and the attack-surface model) to either run the analysis
/// twice or fall back to an entry-point-only build with no DataStore /
/// ExternalService / DangerousLocal nodes and no `Reaches` edges.
///
/// Use this entry point when you need both halves of the analysis.
///
/// [`SurfaceMap`]: surface::SurfaceMap
pub fn scan_no_index_with_surface_map(
root: &Path,
cfg: &Config,
) -> NyxResult<(Vec<commands::scan::Diag>, surface::SurfaceMap)> {
commands::scan::scan_filesystem_with_surface_map(root, cfg, false)
}
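Review bot: The rustdoc on `scan_no_index_with_surface_map` spends most of its length on history (what the non-indexed path "used to" do) but has no `# Errors` section, even though the function returns `NyxResult` and forwards whatever `scan_filesystem_with_surface_map` fails with. That history belongs in the commit message rather than in rustdoc, where it reads as stale after the next release; keep the "use this entry point when you need both halves" sentence and add `/// # Errors` followed by `/// Propagates any error returned by [`commands::scan::scan_filesystem_with_surface_map`].` The literal `false` in the third argument mirrors the call in `scan_no_index` directly above (presumably an index/no-index flag, not visible here); if the two wrappers are meant to stay in lockstep, a one-line `// keep in sync with scan_no_index` next to it, or a shared private constant, would make that coupling visible to the next person who touches only one of them.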