feat(bridge): cohort overrides for vendored-pin (#74) + Dioxus/GTK transitive (#75)#78

Merged
hyperpolymath merged 1 commit into
mainfrom
feat/bridge-cohort-overrides
May 27, 2026

Conversation

@hyperpolymath
Owner

Summary

Two layered refinements on top of #76 (phantom-declared / phantom-transitive split). Same three-way Mitigable/Unmitigable/Informational output, but the Informational tier now produces an accurate `action` field for two cohorts where the generic message was misleading.

Closes #74 in part (build-script-only / vendored-pin name-list portion).
Closes #75.

Cohort E-3 — build-script-only / vendored-pin (#74, partial)

A naive `cargo machete --fix` strip of certain phantom-declared crates breaks the build inscrutably (cross-compile TLS, native-lib resolution, build-time codegen). New `is_build_script_only_or_vendored_pin(name)` predicate covers crates that have no `use` site by design:

  • Build-script side-effect crates: `pkg-config`, `cc`, `bindgen`, `cmake`, `autocfg`, `vcpkg`, `winres`, `embed-resource`
  • Canonical vendored-pin: `openssl-src`

When a phantom-declared crate matches, the action flips from "Strip from Cargo.toml" to "DO NOT STRIP — load-bearing via build.rs side-effects or native-lib linkage".

Future follow-up: feature-based detection (e.g. `openssl-sys = { features = ["vendored"] }`) needs feature-set plumbing through `ReachabilityEvidence` — left out of scope.

Cohort E-2 — Dioxus/GTK transitive (#75)

Phantom-transitive advisories where the parent is in the Dioxus desktop family (`wry`, `dioxus-desktop`, `dioxus`) and the affected crate is in the GTK/webkit family now get a Cohort E-2 message naming the no-local-fix path (wait for parent release, or swap the desktop renderer). Sub-rule covers `printpdf`→`kuchiki`.

GTK/webkit family matched: `atk*`, `gdk*`, `gtk*`, `glib`, `glib-sys`, `gio`, `gio-sys`, `gobject-sys`, `gtk3-macros`, `proc-macro-error`, `paste`, `fxhash`, `webkit2gtk`, `webkit2gtk-sys`.

Bonus repair: src/assail/analyzer.rs test-module corruption

The squash-merge sequence of PRs #71 (Julia) → #77 (refile of #72 vendored-snapshot) → #73 (flake.lock) left `src/assail/analyzer.rs` with an unclosed delimiter at line 7962:

  • `count_julia_dce` had the `flake_findings` body
  • `julia_ext_jl_dce_is_exempt` was missing its closing braces
  • Two flake tests (`flake_without_lock_is_low_severity`, `flake_with_narhash_has_no_finding`) had landed inside the Julia section

`cargo test --lib` was failing to compile on main as a result. This PR reassembles each section in its intended location; no test logic changed.

Test plan

  • `cargo test --features http --lib bridge::classify::` — 14/14 pass (5 new + 9 existing)
  • `cargo test --features http --lib` — 343 lib tests pass (was previously failing to compile)
  • `cargo check --features http` — green

Changes

  • `src/bridge/classify.rs`: +268 / -29 lines (3 predicate fns + 2 cohort override branches + 5 regression tests)
  • `src/assail/analyzer.rs`: +/-109 lines, net wash (reassemble corrupted test sections)

🤖 Generated with Claude Code
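
The predicates and override branches described in the PR text, as an added Rust example that is not the project's own `src/bridge/classify.rs`: the `Phantom` and `Action` types, `informational_action`, `action_text`, the sample findings in `main`, and the two generic (non-override) messages are assumptions made for this illustration; the crate name lists, the parent list, the `printpdf`→`kuchiki` sub-rule and the two override strings are the ones the PR states.

```rust
// Added illustration of the cohort-override rules described in this PR.
// Not the project's src/bridge/classify.rs: the `Phantom` and `Action`
// types, `informational_action`, `action_text` and the generic messages
// are assumptions; the name lists and override strings come from the PR.

/// Informational-tier phantom findings (the #76 declared/transitive split).
#[derive(Debug, Clone, PartialEq)]
pub enum Phantom<'a> {
    /// Declared in Cargo.toml but with no `use` site in the crate.
    Declared { name: &'a str },
    /// Reached only through `parent`; nothing local to strip.
    Transitive { name: &'a str, parent: &'a str },
}

/// Recommended action for an Informational finding (assumed enum).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Action {
    /// Generic phantom-declared advice.
    StripFromCargoToml,
    /// Cohort E-3 override: build.rs side effects or native-lib linkage.
    DoNotStrip,
    /// Cohort E-2 override: wait for the parent release or swap the renderer.
    NoLocalFixViaParent,
    /// Generic phantom-transitive advice (message assumed, not from the PR).
    TrackUpstream,
}

/// Crates with no `use` site by design: build-script side-effect crates
/// plus the canonical vendored pin. `cargo machete --fix` would strip them.
pub fn is_build_script_only_or_vendored_pin(name: &str) -> bool {
    const NAMES: &[&str] = &[
        "pkg-config", "cc", "bindgen", "cmake", "autocfg", "vcpkg",
        "winres", "embed-resource", // build.rs side effects
        "openssl-src",              // vendored pin
    ];
    NAMES.contains(&name)
}

/// Dioxus desktop family parents named in the PR.
pub fn is_dioxus_gui_parent(parent: &str) -> bool {
    matches!(parent, "wry" | "dioxus-desktop" | "dioxus")
}

/// GTK/webkit family: the PR's `atk*`, `gdk*`, `gtk*` globs as prefixes,
/// everything else matched exactly so `gio` does not swallow unrelated names.
pub fn is_gtk_webkit_family(name: &str) -> bool {
    const PREFIXES: &[&str] = &["atk", "gdk", "gtk"];
    const EXACT: &[&str] = &[
        "glib", "glib-sys", "gio", "gio-sys", "gobject-sys", "gtk3-macros",
        "proc-macro-error", "paste", "fxhash", "webkit2gtk", "webkit2gtk-sys",
    ];
    EXACT.contains(&name) || PREFIXES.iter().any(|p| name.starts_with(p))
}

/// Apply the two cohort overrides. The finding stays Informational; only
/// the recommendation changes.
pub fn informational_action(finding: &Phantom) -> Action {
    match finding {
        Phantom::Declared { name } if is_build_script_only_or_vendored_pin(name) => {
            Action::DoNotStrip
        }
        Phantom::Declared { .. } => Action::StripFromCargoToml,
        Phantom::Transitive { name, parent }
            if is_dioxus_gui_parent(parent) && is_gtk_webkit_family(name) =>
        {
            Action::NoLocalFixViaParent
        }
        // Sub-rule: printpdf's internal HTML->PDF parser path.
        Phantom::Transitive { name: "kuchiki", parent: "printpdf" } => Action::NoLocalFixViaParent,
        Phantom::Transitive { .. } => Action::TrackUpstream,
    }
}

/// Human-readable text per action. The two override strings are quoted
/// from the PR; the other two are assumed.
pub fn action_text(action: Action) -> &'static str {
    match action {
        Action::StripFromCargoToml => "Strip from Cargo.toml",
        Action::DoNotStrip => "DO NOT STRIP — load-bearing via build.rs side-effects or native-lib linkage",
        Action::NoLocalFixViaParent => "Cohort E-2: no local fix; wait for the parent release or swap the desktop renderer",
        Action::TrackUpstream => "Phantom transitive; no local Cargo.toml change applies",
    }
}

fn main() {
    // Constructed sample findings, not output from the real bridge.
    let sample = [
        Phantom::Declared { name: "openssl-src" },
        Phantom::Declared { name: "serde" },
        Phantom::Transitive { name: "gdk-pixbuf-sys", parent: "wry" },
        Phantom::Transitive { name: "kuchiki", parent: "printpdf" },
        Phantom::Transitive { name: "glib", parent: "tokio" },
    ];
    for f in &sample {
        println!("{:?} -> {}", f, action_text(informational_action(f)));
    }
}
```

The E-2 branch is deliberately a conjunction: a GTK-family crate reached through a non-Dioxus parent, or a non-GTK crate reached through `wry`, both fall through to the generic transitive advice, which is what keeps the override from over-claiming a no-fix path. The `atk*`/`gdk*`/`gtk*` prefixes are broad on purpose (they have to catch `gdk-pixbuf-sys`, `gtk3-macros` and similar), while `gio` is matched exactly.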

…ansitive (#75)

Bridge classifier still produces the three-way Mitigable/Unmitigable/
Informational output, but now distinguishes two further cases inside
the Informational tier so the suggested action matches reality:

PhantomDeclared cohort override (closes #74 in part):
- New `is_build_script_only_or_vendored_pin(name)` predicate covers
  pkg-config, cc, bindgen, cmake, autocfg, vcpkg, winres,
  embed-resource, openssl-src.
- When a phantom-declared crate matches, the action flips from
  "Strip from Cargo.toml" to "DO NOT STRIP — load-bearing via build.rs
  side-effects or native-lib linkage". Same Informational class,
  different recommendation. Stops `cargo machete --fix` from breaking
  cross-compile TLS / native-lib resolution.
- Feature-based detection (e.g. openssl-sys with `vendored` feature)
  remains future work — it needs feature-set plumbing into evidence
  that the bridge doesn't have today.

PhantomTransitive cohort override (closes #75):
- New `is_dioxus_gui_parent(parent)` matches wry, dioxus-desktop,
  dioxus.
- New `is_gtk_webkit_family(name)` matches the atk*/gdk*/gtk*/glib/
  gio*/gobject-sys/gtk3-macros/proc-macro-error/paste/fxhash/
  webkit2gtk* surface observed in presswerk.
- When (parent is Dioxus GUI) AND (crate is GTK/webkit family), emit
  the Cohort E-2 message naming the no-local-fix path + tracker.
- printpdf+kuchiki sub-rule covers the printpdf-internal HTML→PDF
  parser path.

Five new regression tests in `bridge::classify::tests` (14 total in
the module). Full lib suite: 343 passed.

Also restores the test module corruption in src/assail/analyzer.rs:
the squash-merge sequence for PRs #71 / #77 (refile of #72) / #73
left the file with an unclosed delimiter at line 7962 (count_julia_dce
helper had flake_findings body, julia_ext_jl_dce_is_exempt was missing
its closing braces, two flake tests landed inside the Julia section).
Reassembles each section in its intended location; no test logic
changed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 27, 2026 15:28
@hyperpolymath hyperpolymath disabled auto-merge May 27, 2026 19:23
@hyperpolymath hyperpolymath merged commit 897159a into main May 27, 2026
0 of 26 checks passed
@hyperpolymath hyperpolymath deleted the feat/bridge-cohort-overrides branch May 27, 2026 19:23