92396a0d6d
The build workflow (sanitizer job) has been red since v0.9.0 because two test rows asserted verdicts that don't match what detect() actually returns:

- udisks_libblockdev: I expected PRECOND_FAIL (udisksd absent in CI), got VULNERABLE. GHA ubuntu-24.04 runners ship udisks2 by default; detect() does direct path_exists() stat() calls (not host-fixture lookups) so it sees the binary and gates pass. Rewritten as 'udisksd present → VULNERABLE'.
- sudo_runas_neg1: I expected PRECOND_FAIL (no (ALL,!root) grant), got OK. detect() treats 'no grant' as 'not exploitable from this user' → OK, not 'missing precondition' → PRECOND_FAIL. Updated expectation.

The release workflow doesn't run the sanitizer job and has been passing through these failures; the build workflow caught them. Both expectations are now honest about what detect() does on CI.