nyx/Cargo.toml
dependabot[bot] 6b74a15c74
chore(deps): bump the cargo-minor-and-patch group across 1 directory with 9 updates
Bumps the cargo-minor-and-patch group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [serde_json](https://github.com/serde-rs/json) | `1.0.149` | `1.0.150` |
| [ignore](https://github.com/BurntSushi/ripgrep) | `0.4.25` | `0.4.26` |
| [tree-sitter](https://github.com/tree-sitter/tree-sitter) | `0.26.8` | `0.26.9` |
| [chrono](https://github.com/chronotope/chrono) | `0.4.44` | `0.4.45` |
| [dashmap](https://github.com/xacrimon/dashmap) | `6.1.0` | `6.2.1` |
| [bitflags](https://github.com/bitflags/bitflags) | `2.11.1` | `2.12.1` |
| [uuid](https://github.com/uuid-rs/uuid) | `1.23.1` | `1.23.2` |
| [http](https://github.com/hyperium/http) | `1.4.0` | `1.4.1` |
| [tower-http](https://github.com/tower-rs/tower-http) | `0.6.10` | `0.6.11` |



Updates `serde_json` from 1.0.149 to 1.0.150
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.149...v1.0.150)

Updates `ignore` from 0.4.25 to 0.4.26
- [Release notes](https://github.com/BurntSushi/ripgrep/releases)
- [Changelog](https://github.com/BurntSushi/ripgrep/blob/master/CHANGELOG.md)
- [Commits](https://github.com/BurntSushi/ripgrep/compare/ignore-0.4.25...ignore-0.4.26)

Updates `tree-sitter` from 0.26.8 to 0.26.9
- [Release notes](https://github.com/tree-sitter/tree-sitter/releases)
- [Commits](https://github.com/tree-sitter/tree-sitter/compare/v0.26.8...v0.26.9)

Updates `chrono` from 0.4.44 to 0.4.45
- [Release notes](https://github.com/chronotope/chrono/releases)
- [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md)
- [Commits](https://github.com/chronotope/chrono/compare/v0.4.44...v0.4.45)

Updates `dashmap` from 6.1.0 to 6.2.1
- [Release notes](https://github.com/xacrimon/dashmap/releases)
- [Commits](https://github.com/xacrimon/dashmap/compare/v6.1.0...v6.2.1)

Updates `bitflags` from 2.11.1 to 2.12.1
- [Release notes](https://github.com/bitflags/bitflags/releases)
- [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md)
- [Commits](https://github.com/bitflags/bitflags/compare/2.11.1...2.12.1)

Updates `uuid` from 1.23.1 to 1.23.2
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.23.1...v1.23.2)

Updates `http` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/hyperium/http/releases)
- [Changelog](https://github.com/hyperium/http/blob/master/CHANGELOG.md)
- [Commits](https://github.com/hyperium/http/compare/v1.4.0...v1.4.1)

Updates `tower-http` from 0.6.10 to 0.6.11
- [Release notes](https://github.com/tower-rs/tower-http/releases)
- [Commits](https://github.com/tower-rs/tower-http/compare/tower-http-0.6.10...tower-http-0.6.11)

---
updated-dependencies:
- dependency-name: serde_json
  dependency-version: 1.0.150
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-and-patch
- dependency-name: ignore
  dependency-version: 0.4.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-and-patch
- dependency-name: tree-sitter
  dependency-version: 0.26.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-and-patch
- dependency-name: chrono
  dependency-version: 0.4.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-and-patch
- dependency-name: dashmap
  dependency-version: 6.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo-minor-and-patch
- dependency-name: bitflags
  dependency-version: 2.12.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo-minor-and-patch
- dependency-name: uuid
  dependency-version: 1.23.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-and-patch
- dependency-name: http
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-and-patch
- dependency-name: tower-http
  dependency-version: 0.6.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-05 15:20:35 +00:00


# Crate metadata for the `nyx-scanner` package (default binary: `nyx`).
[package]
name = "nyx-scanner"
version = "0.8.0"
edition = "2024"
# Minimum supported Rust toolchain; older compilers refuse to build the crate.
rust-version = "1.88"
description = "A multi-language static analysis tool for detecting security vulnerabilities"
license = "GPL-3.0-or-later"
authors = ["Eli Peter <elicpeter@example.com>"]
homepage = "https://nyxsec.dev/scanner"
repository = "https://github.com/elicpeter/nyx"
documentation = "https://nyxsec.dev/docs/nyx/"
keywords = ["security", "vulnerability", "scanner", "static-analysis", "cli"]
categories = ["security", "command-line-utilities", "development-tools", "parser-implementations", "text-processing"]
readme = "README.md"
# `cargo run` without `--bin` starts this binary (several [[bin]] targets exist).
default-run = "nyx"
# Allow-list of files packaged into the published crate: paths not matched here
# are left out of the archive. `/Cargo.lock` is shipped so that
# `cargo install --locked` resolves the same dependency versions the release
# was built and tested with; without `--locked` the lockfile is ignored.
include = [
"/src/**",
"/tools/**",
"/build.rs",
"/Cargo.toml",
"/Cargo.lock",
"/README.md",
"/LICENSE",
"/THIRDPARTY-LICENSES.html",
"/default-nyx.conf",
]
# Example targets are not auto-discovered; none are declared in this manifest.
autoexamples = false
# cargo-binstall metadata: where the prebuilt release archive is downloaded
# from and where the binary sits inside it.
# NOTE(review): no `[package.metadata.binstall.signing]` table is declared in
# this manifest, so as far as this file shows a binstall download is protected
# only by HTTPS to the release host. Publishing a minisign public key there
# would let cargo-binstall verify the archive before installing it.
[package.metadata.binstall]
pkg-url = "{ repo }/releases/download/v{ version }/nyx-{ target }{ archive-suffix }"
pkg-fmt = "zip"
bin-dir = "target/{ target }/release/{ bin }{ binary-ext }"
# docs.rs builds the `serve` feature (default) so the server module renders.
# `smt` is left off — bundled Z3 takes too long on docs.rs builders, and
# `smt-system-z3` needs a system library that isn't available there.
# `features` is added on top of the default set: `no-default-features` is not
# set here, so the other default feature (`dynamic`) is documented as well.
[package.metadata.docs.rs]
features = ["serve"]
# Passes `--cfg docsrs` to rustdoc so code can test for a docs.rs build.
rustdoc-args = ["--cfg", "docsrs"]
[features]
# A plain `cargo build` / `cargo install` enables both the HTTP server
# (`serve`) and the dynamic verification layer (`dynamic`). Pass
# `--no-default-features` to leave both, and their optional dependencies,
# out of the binary.
default = ["serve", "dynamic"]
# Pulls in the async HTTP stack (axum, tokio, tokio-stream, tower-http).
serve = ["dep:axum", "dep:tokio", "dep:tokio-stream", "dep:tower-http"]
# Z3 solver support. `smt` also turns on the z3 crate's `bundled` feature;
# `smt-system-z3` enables the crate without it and relies on a system library.
smt = ["dep:z3", "z3/bundled"]
smt-system-z3 = ["dep:z3"]
# No extra dependencies: only gates the `nyx-docgen` binary (required-features).
docgen = []
# Dynamic verification layer: builds harnesses from findings, runs them in a
# sandbox, reports back whether the sink fires.
dynamic = ["dep:bytes", "dep:h2", "dep:http", "dep:prost", "dep:tempfile", "dep:tokio"]
# Phase 19 (Track E.3): the `nyx-image-builder` helper binary that builds
# and pins per-toolchain Docker images. Gated so it does not bloat the
# default `nyx` build with extra TOML-write logic CI-only operators need.
image-builder = []
# Phase 20 (Track E.4): the firecracker VM backend. Off by default so
# the standard build pulls in zero Firecracker-related code; turning it
# on adds the `firecracker.rs` backend module and exposes
# `SandboxBackend::Firecracker` to callers. When the feature is on but
# the `firecracker` binary is absent on PATH, the backend returns
# `SandboxError::BackendUnavailable(SandboxBackend::Firecracker)` so the
# verifier can route around it cleanly.
# Adds no dependency of its own; it only implies `dynamic`.
firecracker = ["dynamic"]
# Build targets: one library, the `nyx` binary, two feature-gated helper
# binaries and two Criterion-style benches (`harness = false`).
[lib]
name = "nyx_scanner"
path = "src/lib.rs"
# Main CLI; also the `default-run` target declared under [package].
[[bin]]
name = "nyx"
path = "src/main.rs"
# Helper binaries below are built and installed only when their feature is
# requested explicitly, so a default install ships `nyx` alone.
[[bin]]
name = "nyx-docgen"
path = "tools/docgen/main.rs"
required-features = ["docgen"]
[[bin]]
name = "nyx-image-builder"
path = "tools/image-builder/main.rs"
required-features = ["image-builder"]
# `harness = false`: the bench provides its own `main` instead of libtest's.
[[bench]]
name = "scan_bench"
harness = false
[[bench]]
name = "dynamic_bench"
harness = false
# An empty list is the same as omitting the key: the bench is always built.
# NOTE(review): if this bench uses code behind the `dynamic` feature, listing
# `["dynamic"]` would make a `--no-default-features` build skip it instead of
# failing to compile — confirm against the bench source.
required-features = []
# Test- and bench-only crates; they are not linked into the published binary.
[dev-dependencies]
# Same version requirement as the optional `tempfile` entry under
# [dependencies]; listing it here makes it available to tests and benches
# even when the `dynamic` feature is off.
tempfile = "3.27.0"
criterion = { version = "0.8.2", features = ["html_reports"] }
assert_cmd = "2.2.2"
predicates = "3.1.4"
glob = "0.3.3"
tower = { version = "0.5.3", features = ["util"] }
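# Runtime dependencies. Each version string is a caret requirement (for
# example "1.0.150" accepts any 1.x release at or above 1.0.150); the exact
# versions that get built are the ones pinned in Cargo.lock, so release and CI
# builds should pass `--locked` to build what was reviewed.
[dependencies]
directories = "6.0.0"
clap = { version = "4.6.1", features = ["derive"] }
serde = { version = "1.0.228", features = ["derive"] }
serde_json = "1.0.150"
rmp-serde = "1.3.1"
toml = "1.1.2"
tracing-subscriber = { version = "0.3.23", features = ["env-filter", "json", "ansi", "time"] }
tracing = "0.1.44"
num_cpus = "1.17.0"
# `bundled` compiles SQLite from the sources vendored with the crate instead
# of linking the system library, so SQLite security fixes reach this binary
# only through a rusqlite bump, not through OS package updates.
# NOTE(review): r2d2_sqlite depends on rusqlite itself; presumably 0.34 pairs
# with rusqlite 0.39 — verify both move together when either is bumped.
rusqlite = { version = "0.39.0", features = ["bundled"] }
r2d2_sqlite = { version = "0.34.0", features = ["bundled"] }
ignore = "0.4.26"
# Parser runtime and per-language grammars; the grammar crates are versioned
# independently of `tree-sitter` itself.
tree-sitter = "0.26.9"
tree-sitter-rust = "0.24.2"
tree-sitter-c = "0.24.2"
tree-sitter-cpp = "0.23.4"
tree-sitter-java = "0.23.5"
tree-sitter-typescript = "0.23.2"
tree-sitter-javascript = "0.25.0"
tree-sitter-go = "0.25.0"
tree-sitter-php = "0.24.2"
tree-sitter-python = "0.25.0"
tree-sitter-ruby = "0.23.1"
crossbeam-channel = "0.5.15"
blake3 = "1.8.5"
once_cell = "1.21.4"
console = "0.16.3"
terminal_size = "0.4.4"
rayon = "1.12.0"
r2d2 = "0.8.10"
bytesize = "2.3.1"
# Default features are switched off; only `std`, `clock` and `serde` are built.
chrono = { version = "0.4.45", default-features = false, features = ["std", "clock", "serde"] }
thiserror = "2.0.18"
dashmap = "6.2.1"
parking_lot = "0.12.5"
petgraph = { version = "0.8.3", features = ["serde-1"] }
bitflags = "2.12.1"
phf = { version = "0.13.1", features = ["macros"] }
indicatif = "0.18.4"
smallvec = { version = "1.15.1", features = ["serde"] }
rustc-hash = "2.1.2"
uuid = { version = "1.23.2", features = ["v4"] }
# Optional crates below are compiled only when a feature in [features] names
# them with `dep:` (`serve`, `dynamic`, `smt`, `smt-system-z3`).
axum = { version = "0.8.9", optional = true }
bytes = { version = "1.11.0", optional = true }
h2 = { version = "0.4.14", optional = true }
http = { version = "1.4.1", optional = true }
prost = { version = "0.14.3", optional = true }
tokio = { version = "1.52.3", features = ["rt-multi-thread", "macros", "signal", "sync", "net", "io-util"], optional = true }
tokio-stream = { version = "0.1.18", features = ["sync"], optional = true }
# `limit`, `set-header` and `cors` only make the middleware available; whether
# the server applies a body limit, response headers or a CORS policy is decided
# in the server code, which this manifest does not show.
tower-http = { version = "0.6.11", features = ["cors", "compression-gzip", "trace", "set-header", "limit"], optional = true }
z3 = { version = "0.20.0", optional = true }
tempfile = { version = "3.27.0", optional = true }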
# Package-wide clippy levels. Only the lint below is relaxed; every other
# clippy lint keeps its default level.
[lints.clippy]
# Allowed project-wide instead of per-file. The vast majority of
# `collapsible_if` hits are `if let Some(x) = .. { if cond { .. } }` patterns
# whose only "fix" is to collapse into a let-chain, which hurts readability on
# the complex extractor expressions throughout the engine. Keeping the decision
# here means the rationale lives in one place and new files inherit it
# automatically rather than re-declaring `#![allow(clippy::collapsible_if)]`.
collapsible_if = "allow"
# Release profile: whole-program optimisation, with debug info kept in the
# shipped binary.
# NOTE(review): `overflow-checks` is not set, so the release default applies
# and integer overflow wraps silently. For a tool that parses untrusted
# source files, `overflow-checks = true` is worth weighing against its cost.
[profile.release]
# Link-time optimisation across all crates, in a single codegen unit.
lto = true
codegen-units = 1
# Limited debug info (no type or variable detail), enough for file and line
# numbers in backtraces.
debug = 1
# Symbols and debug info stay in the binary. This keeps crash reports
# symbolicated, but the artefact also embeds source paths from the build host;
# remap them at build time if those paths should not be disclosed.
strip = "none"