Turning raw scan output into a final FleetReport plus its exit code.
Pipeline steps §10.5–8: correlate, apply ignores (recording stale ones),
filter by min severity, summarize. The clock is injected via provenance, so
report assembly is fully deterministic and testable.
Structs
- Assembled: An assembled report plus the suppressed occurrences (consumed only by `-f vex`).
- GateConfig: What makes a trustworthy run "fail" with exit 1 (§8).
- SuppressedOccurrence: An occurrence removed by a Suppression, with the context `-f vex` needs to emit a `not_affected` statement (§6, §7.1).
- Suppression: A human suppression applied before gating (§6): an `ignore` (fleet-wide, no approver) or a `vex_assertion` (optionally repo-scoped, approved). Matching occurrences are removed from the gated report and captured for `-f vex`.
Functions
- assemble: Correlate and assemble the report, capturing occurrences removed by suppressions for VEX promotion.
- build_report: `assemble` for non-VEX callers: each ignore is a fleet-wide suppression and the captured occurrences are discarded.
- combine_baseline: Fold a `--baseline` "has new findings" signal into an exit code while preserving §8 precedence: an untrustworthy 2 always wins; otherwise a new finding raises the code to at least 1.
- drop_phantom: Drop occurrences known to be phantom (a Cargo.lock-only optional dependency that is never compiled: `active: Some(false)`, from `--resolve-features`) and remove any finding left with no occurrences. Recomputes summary counts. Returns the number of findings removed entirely. Occurrences with unknown build status (`active: None`) are always kept (fail-closed).
- exit_code: The §8 exit code for an already-assembled (trustworthy) report.
- retain_min_epss: Keep only vulnerabilities whose EPSS is at or above `min`; unknown EPSS is kept (fail-closed). Recomputes counts. Returns the `(advisory_id, epss)` of each finding dropped: the EPSS score is network-sourced and hides a finding, so the caller can surface exactly what a feed suppressed (auditable, not silent).
- retain_new: Filter a report down to findings not present in the baseline id set, then recompute the affected summary counts. Used by `--baseline` to surface only what is new since a prior run.
- retain_reachable: Drop vulnerabilities the reachability heuristic marked `Some(false)` (no affected function name found in your source). `None` and `Some(true)` are kept (fail-closed, since the heuristic cannot prove unreachability). Returns the number removed.