apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss] phase 01: M1 — Spec extraction + --verify plumbing (no sandbox)

Browse source
This commit is contained in:
pitboss 2026-05-11 21:19:03 -04:00
parent cb8688219a
commit a10aba5d1f
25 changed files with 808 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

56
src/dynamic/verify.rs
View file

@ -8,29 +8,52 @@ use crate::dynamic::report::{AttemptSummary, VerifyResult, VerifyStatus};
use crate::dynamic::runner::{run_spec, RunError};
use crate::dynamic::sandbox::SandboxOptions;
use crate::dynamic::spec::HarnessSpec;
use crate::evidence::UnsupportedReason;
use crate::utils::config::Config;
#[derive(Debug, Clone, Default)]
pub struct VerifyOptions {
pub sandbox: SandboxOptions,
}
impl VerifyOptions {
/// Build `VerifyOptions` from scanner config.
///
/// Currently forwards sandbox timeout from `config.scanner`; future
/// milestones will add image/resource limits here.
pub fn from_config(_config: &Config) -> Self {
Self {
sandbox: SandboxOptions::default(),
}
}
}
/// Try to dynamically confirm a static finding.
///
/// Never fails: every error path collapses into a [`VerifyStatus`] so the
/// caller can treat dynamic verification as best-effort enrichment.
pub fn verify_finding(diag: &Diag, opts: &VerifyOptions) -> VerifyResult {
let finding_id = diag.id.clone();
// Use the stable hash to identify the finding so the VerifyResult's
// finding_id matches HarnessSpec::finding_id (both use the same hex form).
let finding_id = format!("{:016x}", diag.stable_hash);
let Some(spec) = HarnessSpec::from_finding(diag) else {
return VerifyResult {
finding_id,
status: VerifyStatus::Unsupported,
triggered_payload: None,
reason: Some("no harness spec derivable from finding".into()),
attempts: vec![],
};
let spec = match HarnessSpec::from_finding(diag) {
Ok(s) => s,
Err(reason) => {
return VerifyResult {
finding_id,
status: VerifyStatus::Unsupported,
triggered_payload: None,
reason: Some(reason),
detail: None,
attempts: vec![],
};
}
};
// Spec derivable, but no backend implementation exists yet.
// Phase M1 always lands here; real execution starts in Phase M2.
let _ = &opts.sandbox;
match run_spec(&spec, &opts.sandbox) {
Ok(run) => {
let attempts = run
@ -50,6 +73,7 @@ pub fn verify_finding(diag: &Diag, opts: &VerifyOptions) -> VerifyResult {
status: VerifyStatus::Confirmed,
triggered_payload: Some(run.attempts[i].payload_label.to_string()),
reason: None,
detail: None,
attempts,
},
None => VerifyResult {
@ -57,6 +81,7 @@ pub fn verify_finding(diag: &Diag, opts: &VerifyOptions) -> VerifyResult {
status: VerifyStatus::NotConfirmed,
triggered_payload: None,
reason: None,
detail: None,
attempts,
},
}
@ -65,21 +90,24 @@ pub fn verify_finding(diag: &Diag, opts: &VerifyOptions) -> VerifyResult {
finding_id,
status: VerifyStatus::Unsupported,
triggered_payload: None,
reason: Some("no payload corpus for sink cap".into()),
reason: Some(UnsupportedReason::NoPayloadsForCap),
detail: None,
attempts: vec![],
},
Err(RunError::Harness(e)) => VerifyResult {
Err(RunError::Harness(_)) => VerifyResult {
finding_id,
status: VerifyStatus::Inconclusive,
status: VerifyStatus::Unsupported,
triggered_payload: None,
reason: Some(format!("harness build failed: {e:?}")),
reason: Some(UnsupportedReason::BackendUnavailable),
detail: None,
attempts: vec![],
},
Err(RunError::Sandbox(e)) => VerifyResult {
finding_id,
status: VerifyStatus::Inconclusive,
triggered_payload: None,
reason: Some(format!("sandbox failed: {e:?}")),
reason: None,
detail: Some(format!("sandbox failed: {e:?}")),
attempts: vec![],
},
}