# Cargo manifest for the nyx static-analysis scanner: one library crate, the
# `nyx` CLI, two feature-gated helper binaries and two Criterion-style benches.

[package]
name = "nyx-scanner"
version = "0.8.0"
edition = "2024"
rust-version = "1.88"
description = "A multi-language static analysis tool for detecting security vulnerabilities"
license = "GPL-3.0-or-later"
# NOTE(review): the trailing space inside the author string looks like an
# `<email>` part that was lost somewhere; confirm against the repository.
authors = ["Eli Peter "]
homepage = "https://nyxsec.dev/scanner"
repository = "https://github.com/elicpeter/nyx"
documentation = "https://nyxsec.dev/docs/nyx/"
keywords = [
    "security",
    "vulnerability",
    "scanner",
    "static-analysis",
    "cli",
]
categories = [
    "security",
    "command-line-utilities",
    "development-tools",
    "parser-implementations",
    "text-processing",
]
readme = "README.md"
default-run = "nyx"
# Explicit allow-list of what goes into the published crate. `Cargo.lock` is
# shipped so that `cargo install --locked` resolves the same dependency
# versions the release was built with.
include = [
    "/src/**",
    "/tools/**",
    "/build.rs",
    "/Cargo.toml",
    "/Cargo.lock",
    "/README.md",
    "/LICENSE",
    "/THIRDPARTY-LICENSES.html",
    "/default-nyx.conf",
]
autoexamples = false

# Where cargo-binstall fetches prebuilt archives from (release assets under
# the `repository` URL above).
# NOTE(review): no `[package.metadata.binstall.signing]` table is declared in
# this manifest, so nothing here asks cargo-binstall to verify a signature on
# the downloaded zip. Confirm whether release artifacts are signed and, if so,
# publish the key in that table.
[package.metadata.binstall]
pkg-url = "{ repo }/releases/download/v{ version }/nyx-{ target }{ archive-suffix }"
pkg-fmt = "zip"
bin-dir = "target/{ target }/release/{ bin }{ binary-ext }"

# docs.rs builds the `serve` feature (default) so the server module renders.
# `smt` is left off — bundled Z3 takes too long on docs.rs builders, and
# `smt-system-z3` needs a system library that isn't available there.
[package.metadata.docs.rs]
features = ["serve"]
rustdoc-args = ["--cfg", "docsrs"]

[features]
# Both the HTTP server (`serve`) and the dynamic verification layer
# (`dynamic`) are compiled in by default; a build without them has to pass
# `--no-default-features` (or `default-features = false` as a dependency).
default = ["serve", "dynamic"]
serve = [
    "dep:axum",
    "dep:tokio",
    "dep:tokio-stream",
    "dep:tower-http",
]
# `smt` builds Z3 from the sources bundled with the `z3` crate;
# `smt-system-z3` enables the same crate without `z3/bundled`.
smt = ["dep:z3", "z3/bundled"]
smt-system-z3 = ["dep:z3"]
docgen = []
# Dynamic verification layer: builds harnesses from findings, runs them in a
# sandbox, reports back whether the sink fires.
# NOTE(review): this is part of `default`, so the stock binary contains the
# harness-execution code. Confirm that actually running harnesses is opt-in
# at runtime and not merely at build time.
dynamic = [
    "dep:bytes",
    "dep:h2",
    "dep:http",
    "dep:prost",
    "dep:tempfile",
    "dep:tokio",
]
# Phase 19 (Track E.3): the `nyx-image-builder` helper binary that builds
# and pins per-toolchain Docker images. Gated so it does not bloat the
# default `nyx` build with extra TOML-write logic CI-only operators need.
image-builder = []
# Phase 20 (Track E.4): the firecracker VM backend. Off by default so
# the standard build pulls in zero Firecracker-related code; turning it
# on adds the `firecracker.rs` backend module and exposes
# `SandboxBackend::Firecracker` to callers. When the feature is on but
# the `firecracker` binary is absent on PATH, the backend returns
# `SandboxError::BackendUnavailable(SandboxBackend::Firecracker)` so the
# verifier can route around it cleanly.
firecracker = ["dynamic"]

[lib]
name = "nyx_scanner"
path = "src/lib.rs"

[[bin]]
name = "nyx"
path = "src/main.rs"

[[bin]]
name = "nyx-docgen"
path = "tools/docgen/main.rs"
required-features = ["docgen"]

[[bin]]
name = "nyx-image-builder"
path = "tools/image-builder/main.rs"
required-features = ["image-builder"]

[[bench]]
name = "scan_bench"
harness = false

[[bench]]
name = "dynamic_bench"
harness = false
# NOTE(review): an empty list gates nothing. If this bench touches code behind
# the `dynamic` feature, a `--no-default-features` build will still try to
# compile it; confirm whether `["dynamic"]` was intended.
required-features = []

[dev-dependencies]
tempfile = "3.27.0"
criterion = { version = "0.8.2", features = ["html_reports"] }
assert_cmd = "2.2.2"
predicates = "3.1.4"
glob = "0.3.3"
tower = { version = "0.5.3", features = ["util"] }

[dependencies]
directories = "6.0.0"
clap = { version = "4.6.1", features = ["derive"] }
serde = { version = "1.0.228", features = ["derive"] }
serde_json = "1.0.150"
rmp-serde = "1.3.1"
toml = "1.1.2"
tracing-subscriber = { version = "0.3.23", features = ["env-filter", "json", "ansi", "time"] }
tracing = "0.1.44"
num_cpus = "1.17.0"
# `bundled` compiles the SQLite copy vendored with the crate instead of
# linking the system library, so SQLite fixes reach this binary only through
# a bump of these crate versions.
rusqlite = { version = "0.39.0", features = ["bundled"] }
r2d2_sqlite = { version = "0.34.0", features = ["bundled"] }
ignore = "0.4.26"
# Parser core plus one grammar crate per supported language.
tree-sitter = "0.26.9"
tree-sitter-rust = "0.24.2"
tree-sitter-c = "0.24.2"
tree-sitter-cpp = "0.23.4"
tree-sitter-java = "0.23.5"
tree-sitter-typescript = "0.23.2"
tree-sitter-javascript = "0.25.0"
tree-sitter-go = "0.25.0"
tree-sitter-php = "0.24.2"
tree-sitter-python = "0.25.0"
tree-sitter-ruby = "0.23.1"
crossbeam-channel = "0.5.15"
blake3 = "1.8.5"
once_cell = "1.21.4"
console = "0.16.3"
terminal_size = "0.4.4"
rayon = "1.12.0"
r2d2 = "0.8.10"
bytesize = "2.3.1"
chrono = { version = "0.4.45", default-features = false, features = ["std", "clock", "serde"] }
thiserror = "2.0.18"
dashmap = "6.2.1"
parking_lot = "0.12.5"
petgraph = { version = "0.8.3", features = ["serde-1"] }
bitflags = "2.12.1"
phf = { version = "0.13.1", features = ["macros"] }
indicatif = "0.18.4"
smallvec = { version = "1.15.1", features = ["serde"] }
rustc-hash = "2.1.2"
uuid = { version = "1.23.2", features = ["v4"] }
# Optional crates below are only pulled in through the `serve`, `dynamic`,
# `smt` and `smt-system-z3` features declared above.
axum = { version = "0.8.9", optional = true }
bytes = { version = "1.11.1", optional = true }
h2 = { version = "0.4.14", optional = true }
http = { version = "1.4.1", optional = true }
prost = { version = "0.14.3", optional = true }
tokio-stream = { version = "0.1.18", features = ["sync"], optional = true }
z3 = { version = "0.20.0", optional = true }
tempfile = { version = "3.27.0", optional = true }

[dependencies.tokio]
version = "1.52.3"
features = [
    "rt-multi-thread",
    "macros",
    "signal",
    "sync",
    "net",
    "io-util",
]
optional = true

# NOTE(review): `cors`, `set-header` and `limit` only make the corresponding
# middleware available. Confirm in the server module that a request-body
# limit and a restrictive CORS policy are actually installed.
[dependencies.tower-http]
version = "0.6.11"
features = [
    "cors",
    "compression-gzip",
    "trace",
    "set-header",
    "limit",
]
optional = true

[lints.clippy]
# Allowed project-wide instead of per-file. The vast majority of
# `collapsible_if` hits are `if let Some(x) = .. { if cond { .. } }` patterns
# whose only "fix" is to collapse into a let-chain, which hurts readability on
# the complex extractor expressions throughout the engine. Keeping the decision
# here means the rationale lives in one place and new files inherit it
# automatically rather than re-declaring `#![allow(clippy::collapsible_if)]`.
collapsible_if = "allow"

# Release builds use whole-program LTO with a single codegen unit, keep
# limited debug info (`debug = 1`) and are explicitly left unstripped.
[profile.release]
lto = true
codegen-units = 1
debug = 1
strip = "none"