feat(assail): downgrade flake.lock-only SupplyChain finding to Severity::Low

hyperpolymath · claude · hyperpolymath · commit 3527988cf70e · 2026-05-27T14:53:00.000+01:00
When `flake.nix` declares inputs without inline narHash, without rev
pinning, and without a sibling `flake.lock`, the standard remediation
is a single `nix flake update` invocation that generates the lockfile
with narHash for every transitive input.

Because the fix is trivial and mechanical, this finding does not
belong in the same severity tier as e.g. an unsigned binary fetch or
a tamperable URL. Downgrade from High to Low and embed the fix
command directly in the description.

The detector still triggers — the finding is real and worth noting —
but it no longer dominates noise tiers in scan reports. Estate
context: the Nix-mirror campaign closure (standards#149, hypatia#289)
confirmed flake.lock generation is the canonical mechanical fix.

Regression tests verify (a) the Low severity, (b) the suggestion
text, (c) that flakes with narHash or rev pinning remain
finding-free.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/assail/analyzer.rs b/src/assail/analyzer.rs
@@ -4285,15 +4285,22 @@ impl Analyzer {
                     .unwrap_or(false);
 
                 if !has_narhash && !has_rev_pin && !has_lockfile {
+                    // The standard remediation is `nix flake update`, which
+                    // generates a sibling flake.lock that pins every transitive
+                    // input by narHash. Because the fix is trivial and
+                    // mechanical, downgrade this finding to Low — it is a real
+                    // supply-chain concern but not in the same class as e.g. an
+                    // unsigned binary download or tamperable URL fetch.
                     weak_points.push(WeakPoint {
                         file: None,
                         line: None,
                         category: WeakPointCategory::SupplyChain,
                         location: Some(file_path.to_string()),
-                        severity: Severity::High,
+                        severity: Severity::Low,
                         description: format!(
                             "flake.nix declares inputs without narHash, rev pinning, \
-                             or sibling flake.lock — dependency revision is unpinned in {}",
+                             or sibling flake.lock — dependency revision is unpinned in {}. \
+                             Suggested fix: run `nix flake update` to generate flake.lock.",
                             file_path
                         ),
                         recommended_attack: vec![],
@@ -7763,4 +7770,75 @@ pub fn safe_get_x() -> Option<String> {
             "unsafe fn / unsafe extern must not count toward the unsafe-block tally"
         );
     }
+
+    // ---------------------------------------------------------------
+    // flake.nix SupplyChain severity (downgrade to Low when fix is
+    // trivially mechanical — generate flake.lock).
+    // ---------------------------------------------------------------
+
+    fn flake_findings(content: &str, file_path: &str) -> Vec<WeakPoint> {
+        let analyzer = Analyzer::new(std::path::Path::new(".")).expect("analyzer construction");
+        let mut stats = ProgramStatistics::default();
+        let mut wp = Vec::new();
+        analyzer
+            .analyze_config(content, &mut stats, &mut wp, file_path)
+            .expect("analyze_config");
+        wp.into_iter()
+            .filter(|w| matches!(w.category, WeakPointCategory::SupplyChain))
+            .collect()
+    }
+
+    #[test]
+    fn flake_without_lock_is_low_severity() {
+        let src = r#"{
+            inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+            outputs = { self, nixpkgs }: { };
+        }"#;
+        // Use a path that does NOT have a sibling flake.lock in the working dir.
+        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
+        assert_eq!(findings.len(), 1, "unpinned flake.nix must produce one finding");
+        assert!(
+            matches!(findings[0].severity, Severity::Low),
+            "missing flake.lock alone is mechanically fixable — must be Low severity, got {:?}",
+            findings[0].severity
+        );
+        assert!(
+            findings[0].description.contains("nix flake update"),
+            "description must point at the fix command"
+        );
+    }
+
+    #[test]
+    fn flake_with_narhash_has_no_finding() {
+        let src = r#"{
+            inputs.nixpkgs = {
+                url = "github:NixOS/nixpkgs/nixos-unstable";
+                narHash = "sha256-...";
+            };
+            outputs = { self, nixpkgs }: { };
+        }"#;
+        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
+        assert_eq!(
+            findings.len(),
+            0,
+            "flake.nix with inline narHash must NOT produce a SupplyChain finding"
+        );
+    }
+
+    #[test]
+    fn flake_with_rev_pins_has_no_finding() {
+        let src = r#"{
+            inputs.nixpkgs = {
+                url = "github:NixOS/nixpkgs/nixos-unstable";
+                rev = "abc123def456abc123def456abc123def456abcd";
+            };
+            outputs = { self, nixpkgs }: { };
+        }"#;
+        let findings = flake_findings(src, "/nonexistent/dir/flake.nix");
+        assert_eq!(
+            findings.len(),
+            0,
+            "flake.nix with rev pinning must NOT produce a SupplyChain finding"
+        );
+    }
 }
