Skip to main content
When a check function identifies a vulnerability, a patch, or a malware indicator, it reports the finding by returning a Result object. A result attaches structured information to the finding, including a name, description, severity, and optionally evidence with annotated decompiled code. This improves explainability and enables faster triage.

Creating a finding

The simplest way to return a finding is to call one of the result methods with a table containing a name and a description:
The severity is determined by the method you call (in this case, result:high). The name field typically contains a vulnerability identifier (e.g., a CVE ID), and description provides a short summary of the finding.

Severity levels

VulHunt provides a method for each severity level:

Adding evidence

To help analysts understand where and why a vulnerability exists, you can attach evidence to the result. Evidence points to specific locations in the decompiled code and annotates them with explanatory messages. The evidence field contains a functions table that maps function addresses to arrays of annotations. The most common annotation is annotate:at, which marks a single address with a message:
In this example, context.caller.address selects the function to decompile and display, while annotate:at places the annotation at the call site address (context.caller.call_address).

Multiple annotations

You can attach multiple annotations to a single function to trace the flow of a vulnerability across different locations:
Beyond annotate:at, VulHunt supports several other annotation types to provide richer context, such as annotate:prototype for function signatures, annotate:range for code ranges, and annotate:variable for variable declarations. A complete list is available in the Annotations Reference.

Reporting patches

When a rule detects that a vulnerability has been patched, use result:patch instead of a severity method:
Patch findings always have severity “none” since they indicate that the issue has been resolved.

Reporting malware

Similarly, use result:malware to report malware indicators:
Malware findings always have severity “high”.

Additional fields

When running on the Binarly Transparency Platform (BTP), results can include additional metadata such as CVSS scores, CWE and MBC classifications, provenance information, advisories, and more. See the Result Reference for the full list of available fields.
Fields marked as “BTP Only” in the reference are only relevant when executing rules on the Binarly Transparency Platform. They are ignored when running rules with the VulHunt CLI.