feat: add base_rules

2026-05-24 11:53:00 +02:00 · 2026-05-24 11:53:00 +02:00 · 9e1e054f05
commit 9e1e054f05
parent e69b626212
1 changed files with 10 additions and 2 deletions
--- a/nyx-scan/action.yml
+++ b/nyx-scan/action.yml
@ -44,7 +44,7 @@ runs:
      id: nyx
      shell: bash
      run: |
-        .nyx-src/target/release/nyx scan --format json > nyx-results-raw.json 2>&1
+        .nyx-src/target/release/nyx scan --format json --quiet > nyx-results-raw.json 2>nyx-scan.stderr

        python3 -c "
        import json, os
@ -68,8 +68,16 @@ runs:
            p = p.replace(workspace, '').lstrip('/')
            return p

+        # Taint rule ids carry a source-location suffix, e.g.
+        # 'taint-unsanitised-flow (source 401:5)'. Strip it so 'rule' and
+        # 'rule_in_file' suppressions match on the base rule id (and so the
+        # colon inside the suffix does not break the 'rule_in_file' split).
+        def base_rule(rid):
+            i = rid.find(' (source ')
+            return rid[:i] if i != -1 else rid
+
        def is_suppressed(f):
-            rule_id = f.get('id', '')
+            rule_id = base_rule(f.get('id', ''))
            path = rel_path(f.get('path', ''))
            for r in rules:
                by = r.get('by', '')