nyx/src/cli.rs

use clap::{Parser, Subcommand};

#[derive(Parser)]
#[command(name = "nyx")]
#[command(about = "A fast vulnerability scanner with project indexing")]
#[command(version)]
pub struct Cli {
    #[command(subcommand)]
    pub(crate) command: Commands,
}

impl Commands {
    /// Whether this command produces structured (machine-readable) output on
    /// stdout, meaning human status messages must be suppressed entirely.
    pub fn is_structured_output(&self) -> bool {
        matches!(self, Commands::Scan { format, .. } if format == "json" || format == "sarif")
    }
}

#[derive(Subcommand)]
pub enum Commands {
    /// Scan project for vulnerabilities
    Scan {
        /// Path to scan (defaults to current directory)
        #[arg(default_value = ".")]
        path: String,

        /// Skip using/building index, scan directly
        #[arg(long)]
        no_index: bool,

        /// Force rebuild index before scanning
        #[arg(long)]
        rebuild_index: bool,

        /// Output format (console, json, sarif)
        #[arg(short, long, default_value = "")]
        format: String,

        /// Show only high severity issues
        #[arg(long)]
        high_only: bool,

        #[arg(long)]
        ast_only: bool,

        #[arg(long)]
        cfg_only: bool,

        #[arg(long)]
        all_targets: bool,

        /// Include findings from test/vendor/build paths at original severity
        /// (by default these are downgraded)
        #[arg(long)]
        include_nonprod: bool,
    },

    /// Manage project indexes
    Index {
        #[command(subcommand)]
        action: IndexAction,
    },

    /// List all indexed projects
    List {
        /// Show detailed information
        #[arg(short, long)]
        verbose: bool,
    },

    /// Remove project from index
    Clean {
        /// Project name or path to clean
        project: Option<String>,

        /// Clean all projects
        #[arg(long)]
        all: bool,
    },

    /// Manage analysis configuration
    Config {
        #[command(subcommand)]
        action: ConfigAction,
    },
}

#[derive(Subcommand)]
pub enum ConfigAction {
    /// Print effective merged configuration as TOML
    Show,

    /// Print configuration directory path
    Path,

    /// Add a label rule to nyx.local
    AddRule {
        /// Language slug (e.g. javascript, rust, python)
        #[arg(long)]
        lang: String,

        /// Function or property name to match
        #[arg(long)]
        matcher: String,

        /// Rule kind: source, sanitizer, or sink
        #[arg(long)]
        kind: String,

        /// Capability: env_var, html_escape, shell_escape, url_encode, json_parse, file_io, or all
        #[arg(long)]
        cap: String,
    },

    /// Add a terminator function to nyx.local
    AddTerminator {
        /// Language slug (e.g. javascript, rust, python)
        #[arg(long)]
        lang: String,

        /// Function name that terminates execution (e.g. process.exit)
        #[arg(long)]
        name: String,
    },
}

#[derive(Subcommand)]
pub enum IndexAction {
    /// Build or update index for current project
    Build {
        /// Path to index (defaults to current directory)
        #[arg(default_value = ".")]
        path: String,

        /// Force full rebuild
        #[arg(short, long)]
        force: bool,
    },

    /// Show index status and statistics
    Status {
        /// Project path to check
        #[arg(default_value = ".")]
        path: String,
    },
}
Added foundational modules for core functionalities: - Introduced `walk.rs` as a parallel directory walker for search operations. - Implemented basic index handling in `commands/index.rs`. - Created `utils/config.rs` for configuration management with placeholders for future enhancements. 2025-06-16 16:46:22 +02:00			`use clap::{Parser, Subcommand};`

			`#[derive(Parser)]`
Renamed project from "Nano" to "Nyx" across codebase and configuration files. 2025-06-17 10:55:50 +02:00			`#[command(name = "nyx")]`
Added foundational modules for core functionalities: - Introduced `walk.rs` as a parallel directory walker for search operations. - Implemented basic index handling in `commands/index.rs`. - Created `utils/config.rs` for configuration management with placeholders for future enhancements. 2025-06-16 16:46:22 +02:00			`#[command(about = "A fast vulnerability scanner with project indexing")]`
			`#[command(version)]`
			`pub struct Cli {`
			`#[command(subcommand)]`
			`pub(crate) command: Commands,`
			`}`

Feat/configurable sanitizers and js precision (#32) * chore: Exclude CLAUDE.md from Cargo.toml * feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators * feat: Enhance resource management and analysis efficiency - Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance. - Introduced `GlobalSummaries::merge()` for efficient merging of summaries. - Optimized file reading and hashing to eliminate redundant I/O operations. - Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing. - Enhanced taint analysis with in-place mutations to reduce memory allocations. - Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions. * feat: Implement severity downgrade for findings in non-production paths and add source kind inference * feat: Update versioning information in SECURITY.md for new stable line * feat: Update categories in Cargo.toml to include parser-implementations and text-processing * feat: Update dependencies in Cargo.lock for improved compatibility and performance * feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility 2026-02-25 04:02:11 -05:00			`impl Commands {`
			`/// Whether this command produces structured (machine-readable) output on`
			`/// stdout, meaning human status messages must be suppressed entirely.`
			`pub fn is_structured_output(&self) -> bool {`
			`matches!(self, Commands::Scan { format, .. } if format == "json" \|\| format == "sarif")`
			`}`
			`}`

Added foundational modules for core functionalities: - Introduced `walk.rs` as a parallel directory walker for search operations. - Implemented basic index handling in `commands/index.rs`. - Created `utils/config.rs` for configuration management with placeholders for future enhancements. 2025-06-16 16:46:22 +02:00			`#[derive(Subcommand)]`
			`pub enum Commands {`
			`/// Scan project for vulnerabilities`
			`Scan {`
			`/// Path to scan (defaults to current directory)`
			`#[arg(default_value = ".")]`
			`path: String,`

			`/// Skip using/building index, scan directly`
			`#[arg(long)]`
			`no_index: bool,`

			`/// Force rebuild index before scanning`
			`#[arg(long)]`
			`rebuild_index: bool,`

Feat/configurable sanitizers and js precision (#32) * chore: Exclude CLAUDE.md from Cargo.toml * feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators * feat: Enhance resource management and analysis efficiency - Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance. - Introduced `GlobalSummaries::merge()` for efficient merging of summaries. - Optimized file reading and hashing to eliminate redundant I/O operations. - Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing. - Enhanced taint analysis with in-place mutations to reduce memory allocations. - Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions. * feat: Implement severity downgrade for findings in non-production paths and add source kind inference * feat: Update versioning information in SECURITY.md for new stable line * feat: Update categories in Cargo.toml to include parser-implementations and text-processing * feat: Update dependencies in Cargo.lock for improved compatibility and performance * feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility 2026-02-25 04:02:11 -05:00			`/// Output format (console, json, sarif)`
			`#[arg(short, long, default_value = "")]`
Refactor database schema and scanning process: - Introduced `issues` table for detailed vulnerability storage. - Enhanced `files` table with project scoping and unique constraints. - Replaced `OutputFormat` enum with `String` for flexibility. - Added support for formatted console output of scan results. - Integrated file and issue updating logic for incremental scans. - Optimized scanning by leveraging database-stored issues. 2025-06-17 16:46:45 +02:00			`format: String,`
Added foundational modules for core functionalities: - Introduced `walk.rs` as a parallel directory walker for search operations. - Implemented basic index handling in `commands/index.rs`. - Created `utils/config.rs` for configuration management with placeholders for future enhancements. 2025-06-16 16:46:22 +02:00
			`/// Show only high severity issues`
			`#[arg(long)]`
			`high_only: bool,`
Added experimental control flow analysis and syntax classification for rust lang (#22) * Introduce control flow graph (CFG) support: - Added `cfg.rs` with CFG generation and analysis utilities. - Integrated `petgraph` library for graph-based computations. - Updated `ast.rs` to utilize CFG for function analysis. - Modified `Cargo.toml` and `Cargo.lock` to include new dependencies. - Improved static analysis with taint tracking through CFG paths. * feat: enhance control flow analysis with taint tracking and node labeling * feat: improve control flow graph with enhanced node handling and new tests * Remove unnecessary reference marker in `byte_offset_to_point` comment. * Remove unnecessary reference marker in `byte_offset_to_point` comment. * Refactor `ast.rs` for performance and clarity; enhance `cfg.rs` with recursive CFG generation and improved classification logic for AST analysis. * Refactor CFG and taint tracking logic: - Enhanced `cfg.rs` with inline helper function `text_of` for cleaner UTF-8 handling in AST nodes. - Expanded `labels.rs` rules with detailed `Sources`, `Sanitizers`, and `Sinks` for improved classification. - Refined `push_node` to handle method call expressions with object-function pairing. - Simplified code handling in trivia skipping and debug-only logic. * Enhance `cfg.rs` with `first_call_ident` helper and improve identifier extraction logic in `push_node`. * Add targeted CFG taint-tracking tests to enhance analysis coverage. * Enhance CFG generation with loop expression handling and improve taint tracking logic. Add new sanitization example in `examples/sanitize/example.rs`. * Update README with installation instructions for Cargo and GitHub releases. * Expand taint-tracking with precise `def-use` computation and enhance `labels.rs` for detailed classification. Extend `examples/sanitize` with realistic scenarios demonstrating new rules. * Refactor `labels.rs`: - Removed redundant `LabelRule` entries for cleaner rule definitions. - Adjusted matching logic to prioritize suffix and prefix matches effectively. * Refactor `labels.rs`: - Removed redundant `LabelRule` entries for cleaner rule definitions. - Adjusted matching logic to prioritize suffix and prefix matches effectively. * Add test for taint tracking with multiple sources in `cfg.rs`. * Add `function_summaries` table and implement summary upsert/load methods. Refactor to handle summary storage and retrieval efficiently, with placeholder clean/drop logic. * refactor: split `labels.rs` into modular structure with language-specific files * refactor: split `labels.rs` into modular structure with language-specific files * refactor: clean up SQL table definitions in `database.rs` for better readability * refactor: simplify CFG structure by removing lifetime parameters and enhancing taint metadata handling * refactor: update TODO comments in `cfg.rs` to clarify future enhancements for cap labels and function details * refactor: remove redundant header from README.md for improved clarity * feat: add PHF-based syntax classifiers and Kind enum for efficient syntax mapping across languages * feat: introduce analysis modes for enhanced scanner configuration and diagnostics * feat: define Kind enum for syntax classification in control flow analysis * feat: bump version to 0.2.0-alpha and update CHANGELOG for new features and fixes * refactor: clean up imports and formatting in AST and CFG modules for improved readability * refactor: simplify function signatures and improve code readability in CFG and module files * fix: correct rayon_thread_stack_size comment to reflect actual value of 8 MiB * refactor: update string formatting in clean and project modules for consistency * refactor: fix indentation in clean.rs for improved readability --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel> 2025-06-28 17:36:14 +02:00
			`#[arg(long)]`
			`ast_only: bool,`

			`#[arg(long)]`
			`cfg_only: bool,`

			`#[arg(long)]`
			`all_targets: bool,`
Feat/configurable sanitizers and js precision (#32) * chore: Exclude CLAUDE.md from Cargo.toml * feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators * feat: Enhance resource management and analysis efficiency - Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance. - Introduced `GlobalSummaries::merge()` for efficient merging of summaries. - Optimized file reading and hashing to eliminate redundant I/O operations. - Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing. - Enhanced taint analysis with in-place mutations to reduce memory allocations. - Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions. * feat: Implement severity downgrade for findings in non-production paths and add source kind inference * feat: Update versioning information in SECURITY.md for new stable line * feat: Update categories in Cargo.toml to include parser-implementations and text-processing * feat: Update dependencies in Cargo.lock for improved compatibility and performance * feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility 2026-02-25 04:02:11 -05:00
			`/// Include findings from test/vendor/build paths at original severity`
			`/// (by default these are downgraded)`
			`#[arg(long)]`
			`include_nonprod: bool,`
Added foundational modules for core functionalities: - Introduced `walk.rs` as a parallel directory walker for search operations. - Implemented basic index handling in `commands/index.rs`. - Created `utils/config.rs` for configuration management with placeholders for future enhancements. 2025-06-16 16:46:22 +02:00			`},`

			`/// Manage project indexes`
			`Index {`
			`#[command(subcommand)]`
			`action: IndexAction,`
			`},`

			`/// List all indexed projects`
			`List {`
			`/// Show detailed information`
			`#[arg(short, long)]`
			`verbose: bool,`
			`},`

			`/// Remove project from index`
			`Clean {`
			`/// Project name or path to clean`
			`project: Option<String>,`

			`/// Clean all projects`
			`#[arg(long)]`
			`all: bool,`
			`},`
Feat/configurable sanitizers and js precision (#32) * chore: Exclude CLAUDE.md from Cargo.toml * feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators * feat: Enhance resource management and analysis efficiency - Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance. - Introduced `GlobalSummaries::merge()` for efficient merging of summaries. - Optimized file reading and hashing to eliminate redundant I/O operations. - Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing. - Enhanced taint analysis with in-place mutations to reduce memory allocations. - Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions. * feat: Implement severity downgrade for findings in non-production paths and add source kind inference * feat: Update versioning information in SECURITY.md for new stable line * feat: Update categories in Cargo.toml to include parser-implementations and text-processing * feat: Update dependencies in Cargo.lock for improved compatibility and performance * feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility 2026-02-25 04:02:11 -05:00
			`/// Manage analysis configuration`
			`Config {`
			`#[command(subcommand)]`
			`action: ConfigAction,`
			`},`
			`}`

			`#[derive(Subcommand)]`
			`pub enum ConfigAction {`
			`/// Print effective merged configuration as TOML`
			`Show,`

			`/// Print configuration directory path`
			`Path,`

			`/// Add a label rule to nyx.local`
			`AddRule {`
			`/// Language slug (e.g. javascript, rust, python)`
			`#[arg(long)]`
			`lang: String,`

			`/// Function or property name to match`
			`#[arg(long)]`
			`matcher: String,`

			`/// Rule kind: source, sanitizer, or sink`
			`#[arg(long)]`
			`kind: String,`

			`/// Capability: env_var, html_escape, shell_escape, url_encode, json_parse, file_io, or all`
			`#[arg(long)]`
			`cap: String,`
			`},`

			`/// Add a terminator function to nyx.local`
			`AddTerminator {`
			`/// Language slug (e.g. javascript, rust, python)`
			`#[arg(long)]`
			`lang: String,`

			`/// Function name that terminates execution (e.g. process.exit)`
			`#[arg(long)]`
			`name: String,`
			`},`
Added foundational modules for core functionalities: - Introduced `walk.rs` as a parallel directory walker for search operations. - Implemented basic index handling in `commands/index.rs`. - Created `utils/config.rs` for configuration management with placeholders for future enhancements. 2025-06-16 16:46:22 +02:00			`}`

			`#[derive(Subcommand)]`
			`pub enum IndexAction {`
			`/// Build or update index for current project`
			`Build {`
			`/// Path to index (defaults to current directory)`
			`#[arg(default_value = ".")]`
			`path: String,`

			`/// Force full rebuild`
			`#[arg(short, long)]`
			`force: bool,`
			`},`

			`/// Show index status and statistics`
			`Status {`
			`/// Project path to check`
			`#[arg(default_value = ".")]`
			`path: String,`
			`},`
			`}`