
fix(assail): UnboundedAllocation is Medium, not Critical#130

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/unbounded-severity-v2
Jun 13, 2026

Conversation

@hyperpolymath

Owner

Summary

Changes Severity::Critical → Severity::Medium for the UnboundedAllocation weak point emitted by fn analyze_rust in src/assail/analyzer.rs. This is the only WeakPoint construction for this category; the other occurrences in analyzer.rs are .filter() calls on existing findings and are unaffected.

Motivation: The heuristic keyword match ("potential pattern") was calibrated at Critical but was ~70% of all estate Criticals in the 2026-06-11 estate-loop audit, drowning confirmed findings. Hypatia's ingest already caps it to Medium for scans produced by older binaries; this aligns the source so the raw store and PR-scan-comments also reflect the corrected severity estate-wide.

Rebased onto current main (6a814fa). Supersedes #128.

Test plan

  • cargo build --release — clean
  • cargo test --release assail — pass
  • cargo test --release unbounded — 6 detection tests green (assert presence, not severity)
  • Change adds no new clippy warnings

🤖 Generated with Claude Code

Heuristic keyword match at ~70% of all estate Criticals (2026-06-11
estate-loop audit), drowning confirmed findings. Medium reflects actual
confirmation strength. Hypatia's ingest already applies the same cap
for scans from older binaries; this aligns the source.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
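As an added illustration (not code from panic-attack or Hypatia), the ingest-side cap the description refers to, modelled in Rust: heuristic categories are clamped to Medium before findings are counted, and the audit's "share of Criticals that are heuristic" metric shows the effect on a constructed scan with the 7-to-3 ratio the PR cites. Type and function names are assumptions.

```rust
// Added example, not the project's code. Models the ingest-side severity cap
// described in the PR: UnboundedAllocation is a keyword heuristic, so any
// Critical a scanner assigned it is clamped to Medium before storage.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Low, Medium, High, Critical }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WeakPoint {
    pub category: String,
    pub severity: Severity,
}

/// Categories detected by keyword heuristics rather than confirmed analysis;
/// their severity is capped at Medium on ingest (assumed list).
const HEURISTIC_CATEGORIES: &[&str] = &["UnboundedAllocation"];

/// Clamp heuristic categories to Medium. Returns how many findings changed,
/// which is what an ingest log would report for a scan from an older binary.
pub fn cap_heuristic_severity(findings: &mut [WeakPoint]) -> usize {
    let mut changed = 0;
    for wp in findings.iter_mut() {
        if HEURISTIC_CATEGORIES.contains(&wp.category.as_str()) && wp.severity > Severity::Medium {
            wp.severity = Severity::Medium;
            changed += 1;
        }
    }
    changed
}

/// Share (0.0..=1.0) of Critical findings that come from heuristic categories:
/// the "drowning" metric from the audit. Returns 0.0 when there are no Criticals.
pub fn heuristic_critical_share(findings: &[WeakPoint]) -> f64 {
    let criticals: Vec<&WeakPoint> =
        findings.iter().filter(|w| w.severity == Severity::Critical).collect();
    if criticals.is_empty() {
        return 0.0;
    }
    let heuristic = criticals
        .iter()
        .filter(|w| HEURISTIC_CATEGORIES.contains(&w.category.as_str()))
        .count();
    heuristic as f64 / criticals.len() as f64
}

/// Constructed sample: 7 heuristic Criticals next to 3 confirmed ones.
pub fn sample_scan() -> Vec<WeakPoint> {
    let mut v: Vec<WeakPoint> = (0..7)
        .map(|_| WeakPoint { category: "UnboundedAllocation".into(), severity: Severity::Critical })
        .collect();
    for cat in ["transmute", "unwrap_dangerous_default", "unwrap_dangerous_default"] {
        v.push(WeakPoint { category: cat.into(), severity: Severity::Critical });
    }
    v
}
```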
@hyperpolymath hyperpolymath enabled auto-merge (squash) June 13, 2026 21:12
@github-actions


🔍 Hypatia Security Scan

Findings: 43 issues detected

Severity      Count
🔴 Critical       6
🟠 High          15
🟡 Medium        22

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/axial/mod.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/ambush/mod.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/attestation/evidence.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "expect() in hot path (2 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/panic-attack/panic-attack/src/attestation/chain.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/panic-attack/panic-attack/src/jit_context.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "mem::transmute bypasses type safety with unchecked bit reinterpretation (12 occurrences, CWE-704)",
    "type": "transmute",
    "file": "/home/runner/work/panic-attack/panic-attack/src/jit_context.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (3 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/kanren/strategy.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
    "type": "unwrap_dangerous_default",
    "file": "/home/runner/work/panic-attack/panic-attack/src/sweep_tracker/mod.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 3f7d0bb into main Jun 13, 2026
39 checks passed
@hyperpolymath hyperpolymath deleted the claude/unbounded-severity-v2 branch June 13, 2026 21:15