Functions
| Function | Description |
|---|---|
| scope:project | Constructs a Project scope |
| scope:functions | Constructs a Functions scope |
| scope:calls | Constructs a Calls scope |
| var:named | Creates a named variable annotation |
| result:none/info/unspecified/low/medium/high/critical | Shorthand constructors for vulnerability results with preset severity |
| result:patch | Constructs a Result object indicating the presence of a patch |
| result:malware | Constructs a Result object indicating the presence of malware |
| annotate:at | Annotates a specific location with a message |
| annotate:prototype | Annotates a function prototype |
| annotate:assignment | Annotates an assignment to an output variable |
| annotate:global | Annotates a global variable |
| annotate:variable | Annotates a variable with position, index, and declaration |
| annotate:range | Annotates a range of code with a message |
| annotate:operand | Annotates a specific operand at a call site |
| cvss:v2/v3/v3_1/v4 | Constructs a CVSS score table for the specified version |
| container.empty | Checks if a container is empty |
| printf | Formatted print (equivalent to print(string.format(...))) |
| validate:all/any/not_ | Logical operators for composing validators |
| validate:contains | Checks for a pattern in the binary (bytes, ASCII, UTF, or regex) |
| validate:at/validate:from | Location anchors for validate:contains |
Scope functions
Scope functions define the execution context and target for VulHunt rules.
- scope:project: Constructs a Project scope that operates on project-level data
- scope:functions: Constructs a Functions scope that operates on individual functions
- scope:calls: Constructs a Calls scope that operates on function call sites
Variable and result functions
These functions create variables and construct result objects for vulnerability findings.
- var:named: Creates a named variable annotation for tracking values
- result:none, result:info, result:unspecified, result:low, result:medium, result:high, result:critical: Construct vulnerability results with specified severity levels. result:info and result:unspecified are aliases for result:none
- result:patch: Constructs a result indicating a patch has been identified
- result:malware: Constructs a result indicating malware has been detected
Annotation functions
Annotation functions attach explanatory information to code elements in vulnerability findings.
- annotate:at: Annotates a specific address or location with a message
- annotate:prototype: Annotates a function’s prototype signature
- annotate:assignment: Annotates variable assignments with context
- annotate:global: Annotates a global variable with its declaration
- annotate:variable: Annotates variables with position, index, and type declaration
- annotate:range: Annotates a range of addresses with explanatory text
- annotate:operand: Annotates a specific operand at a call site with a message
CVSS functions
CVSS functions construct standardized vulnerability scoring information.
- cvss:v2: Constructs a CVSS version 2.0 score table
- cvss:v3: Constructs a CVSS version 3.0 score table
- cvss:v3_1: Constructs a CVSS version 3.1 score table
- cvss:v4: Constructs a CVSS version 4.0 score table
Container functions
Container functions provide utilities for working with data collections.
- container.empty: Checks whether a container has no elements
Utility functions
General-purpose helpers available in all rules.
- printf(fmt, ...): Formatted print, equivalent to print(string.format(fmt, ...))
Validate functions
Validate functions are used inside the conditions field of a rule to perform binary-level checks before the rule runs. See Rule Fields for full usage details.
- validate:all{...}: All validators must pass
- validate:any{...}: Any validator must pass
- validate:not_(validator): Negates a validator
- validate:contains{pattern, where, kind}: Checks for a pattern in the binary. Both where and kind are optional, defaulting to validate.anywhere and bytes respectively
- validate:at(n): Anchor the match at byte offset n
- validate:from(n): Search from byte offset n to the end
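The composition and anchoring semantics listed above can be modelled in plain Python, as an added example that is not VulHunt code or its rule syntax. The function names mirror the page; the implementation, the kind strings "bytes", "ascii" and "regex", and the sample byte strings are assumptions made for illustration.

```python
import re

ANYWHERE = ("anywhere", 0)            # models the default `where`

def at(n):                            # match must start exactly at offset n
    return ("at", n)

def from_(n):                         # match may start at offset n or later
    return ("from", n)

def contains(pattern, where=ANYWHERE, kind="bytes"):
    """Build a validator: a function from the binary's bytes to bool."""
    if kind == "regex":
        rx = re.compile(pattern)      # bytes regex, used as given
    elif kind == "ascii":
        rx = re.compile(re.escape(pattern.encode("ascii")))
    elif kind == "bytes":
        rx = re.compile(re.escape(bytes(pattern)))
    else:
        raise ValueError(f"kind not modelled here: {kind}")
    mode, offset = where
    def check(data):
        if mode == "at":              # anchored: no scanning past offset
            return rx.match(data, offset) is not None
        return rx.search(data, offset) is not None
    return check

def all_(*validators):
    return lambda data: all(v(data) for v in validators)

def any_(*validators):
    return lambda data: any(v(data) for v in validators)

def not_(validator):
    return lambda data: not validator(data)

# Constructed sample images, not real binaries.
VULNERABLE = b"\x7fELF" + b"\x00" * 12 + b"libdemo 1.0.2\x00"
PATCHED    = b"\x7fELF" + b"\x00" * 12 + b"libdemo 1.0.3\x00"
NOT_ELF    = b"MZ\x90\x00" + b"\x00" * 12 + b"libdemo 1.0.2\x00\x7fELF"

# Gate: ELF magic at offset 0, library name from offset 16, no fixed version.
conditions = all_(
    contains(b"\x7fELF", where=at(0)),
    contains("libdemo", where=from_(16), kind="ascii"),
    not_(contains(rb"libdemo 1\.0\.[3-9]", kind="regex")),
)

def rule_should_run(data):
    return conditions(data)
```

The third sample shows why the anchor matters: the ELF magic is present in the file, but not at offset 0, so the gate rejects it.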