2025-06-25 00:31:30 +02:00
# Changelog
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
All notable changes to Nyx are documented here. The format is based on [Keep a Changelog ](https://keepachangelog.com/en/1.1.0/ ) and the project follows [Semantic Versioning ](https://semver.org/spec/v2.0.0.html ). For where Nyx is going, see the [Roadmap ](ROADMAP.md ).
2025-06-25 00:31:30 +02:00
2026-05-15 20:34:53 -05:00
## [Unreleased]
### Dynamic verification overhaul
End-to-end delivery of the surface map + chain composer + dynamic verifier work tracked in the pitboss plan. Together these three pieces turn a static finding list into a verified attack-surface graph and post the published headline metrics in `docs/dynamic.md` .
- **Attack-surface map.** `nyx surface` (Phase 23) emits a JSON / web-renderable graph of every entry point, datastore, external service, and dangerous local sink the project exposes. Built from the existing pass-1 summaries (no second walk of the codebase) and persisted alongside the index so the frontend can reload without rescanning. Per-framework router probes cover Flask, FastAPI, Django, Express, Koa, Spring, Servlet, Quarkus, Gin, Actix, Axum, Rails, and Laravel.
- **Chain composer.** `nyx scan` (Phase 24– `ChainFinding` records that connect a route entry point to a downstream sink via the call graph + surface map. The lattice composer scores (impact × `findings.json` / SARIF emitters and the `nyx serve` UI so chains rank above isolated findings.
- **Dynamic verifier.** Every `Confidence >= Medium` finding (Phase 06– `Confirmed` / `NotConfirmed` / `Inconclusive` / `Unsupported` ) stamped onto `Evidence.dynamic_verdict` . Backends: in-process (`Standard` / `Strict` hardening), docker (Phase 19 image-builder catalogue), firecracker stub (Phase 20 trait). Per-language emitters cover Python, JS/TS, Go, Java, PHP, Ruby, Rust, C, and C++. Curated payload corpus, abstract-interpretation + symex sanitizer suppression (Phase 17– `~/.cache/nyx/dynamic/repro/<spec_hash>/` (Phase 27–
- **Telemetry + repro.** `events.jsonl` is now schema-versioned (envelope: `schema_version` , `nyx_version` , `corpus_version` , `kind` , `ts` ). Repro bundles are hermetic (Phase 28): every bundle emits `reproduce.sh` + `expected/{verdict.json,outcome.json,trace.jsonl}` and a `docker_pull.sh` when the toolchain is pinned in `tools/image-builder/images.toml` . PII / secret scrubbing runs on every persisted artefact via `src/utils/redact.rs` .
- **Determinism + policy.** `src/policy.rs` exposes a YAML-driven deny list (Phase 30) consulted before harness build, with deny-decision excerpts redacted via the same scrubber. `crate::dynamic::rand::SpecRng` is seeded from each `HarnessSpec` 's hash and audited by `scripts/check_no_unseeded_rand.sh` . `VerifyTrace` (Phase 30) carries every per-step decision into the repro bundle for offline triage.
- **Headline gate.** `scripts/m7_ship_gate.sh` runs five gates against `tests/eval_corpus/budget.toml` (Phase 31 headline targets: Unsupported < 20 % per `(cap, lang)` cell , False-Confirmed < 2 % per cap , repro stability ≥ 95 %, wall-clock ≤ 2 × static-only , sandbox-escape suite green ). `tests/eval_corpus/run_full.sh` is the canonical orchestrator and writes a stable `tests/eval_corpus/results.json` for the gate + the published metrics table in `docs/dynamic.md` .
The default-on flip is gated on `m7_ship_gate.sh` exit 0 against the eval corpus. Engine follow-ups blocking the gate are tracked in `.pitboss/play/deferred.md` (per-language probe-shim splicing for Go / PHP / Ruby / Rust / C / C++, composite chain reverifier live execution path, telemetry repro-stability stamping, and image-builder catalogue digest population).
2026-05-11 12:42:39 -04:00
## [0.7.0] - 2026-05-11
2026-02-25 21:16:36 -05:00
2026-05-11 12:42:39 -04:00
A focused release that adds seven new vulnerability classes, ships two SSA sidecars for XML and XPath parser hardening, deepens cross-file authorization for FastAPI, trims roughly a thousand auth false positives on Go DAO helpers along with the dominant Hibernate Criteria SQL cluster, and runs a performance pass on the auth extractor, SCCP, and the global summaries map. A `nyx rules list` CLI surfaces the rule registry, the web UI gets a brand-aligned visual refresh, and the CVE corpus grows across Python, PHP, JavaScript, and C.
2026-05-06 05:01:43 -04:00
2026-05-11 12:42:39 -04:00
### Highlights
- New caps for LDAP injection, XPath injection, header / CRLF injection, open redirect, server-side template injection, XXE, and prototype pollution, with per-language label rules across all eight supported languages.
- Cross-file FastAPI authorization: `include_router` chains and module-level `APIRouter(dependencies=[…])` now lift onto every attached route, with `Security(..., scopes=[...])` recognised distinctly from `Depends(...)` .
- Type-tracked XML and XPath hardening through two new SSA sidecars: parser bodies that set `secure_processing` / `processEntities: false` / `resolve_entities=False` , and `XPath` instances bound to `setXPathVariableResolver(...)` , are recognised as safe.
- ~957 `go.auth.missing_ownership_check` findings closed on gitea-shaped DAO helpers (id-scalar precision pass), 169 of 216 openmrs `cfg-unguarded-sink` findings closed on Hibernate Criteria-API receivers, joomla and drupal `php.deser.unserialize` closed on `Serializable::unserialize($input)` magic-method bodies.
- `nyx rules list` CLI subcommand, brand-aligned `nyx serve` visual refresh, and regenerated README / docs screenshots and GIFs.
2026-05-07 01:29:31 -04:00
### Detector classes
2026-05-11 12:42:39 -04:00
- New `Cap` bits and canonical rule ids: `Cap::LDAP_INJECTION` / `taint-ldap-injection` , `Cap::XPATH_INJECTION` / `taint-xpath-injection` , `Cap::HEADER_INJECTION` / `taint-header-injection` , `Cap::OPEN_REDIRECT` / `taint-open-redirect` , `Cap::SSTI` / `taint-template-injection` , `Cap::XXE` / `taint-xxe` , `Cap::PROTOTYPE_POLLUTION` / `taint-prototype-pollution` . Each ships per-language sink, sanitizer, and gated-sink rules across JS/TS, Python, Java, PHP, Go, Ruby, Rust, and C/C++. Severity, OWASP 2021 mapping, and human-readable description live in `CAP_RULE_REGISTRY` in `src/labels/mod.rs` ; `cap_rule_meta()` and `rule_id_for_caps()` are the public lookups.
- `Cap` widened from `u16` to `u32` to fit the new bits. `Evidence.sink_caps` and `RuleInfo.cap_bits` follow. The serde decoder accepts any unsigned integer width so caches written before the bump still load. SQLite schema bumped from 3 to 4 to force a rescan, since older `source_caps` / `sanitizer_caps` / `sink_caps` blobs were emitted before any of the new bits could appear.
- `owasp_bucket_for` consults `CAP_RULE_REGISTRY` first so adding a cap class no longer requires a second-table edit. The match requires an exact rule id or a recognised separator (` ` , `(` , `.` ) so a future `taint-ssrf-allowlist-violation` cannot silently inherit `taint-ssrf` 's bucket. The legacy family-token table now also routes `xpath` , `header` , and `xxe` to A03 / A05.
2026-05-07 01:29:31 -04:00
- `issue_category_label` (dashboard badge) routes the seven new rule-id prefixes to dedicated labels: LDAP Injection, XPath Injection, Header Injection, Open Redirect, Template Injection, XXE, Prototype Pollution.
2026-05-11 12:42:39 -04:00
### Engine
2026-05-04 19:58:04 -04:00
2026-05-11 12:42:39 -04:00
- **XML-parser configuration tracking.** `src/ssa/xml_config.rs` runs alongside type-fact analysis and carries per-receiver `secure_processing` / `disallow_doctype` / `external_entities` flags forward through copy assignments and phi joins (meet for safe flags, sticky union for the unsafe `external_entities` polarity). `xxe_safe()` queries the result at the type-qualified `XmlParser.parse` sink and strips `Cap::XXE` when the parser was provably hardened (JAXP `setFeature(FEATURE_SECURE_PROCESSING, true)` , lxml `XMLParser(resolve_entities=False, no_network=True)` , fast-xml-parser `processEntities: false` ). Persisted to `OptimizeResult.xml_parser_config` .
- **XPath-receiver configuration tracking.** `src/ssa/xpath_config.rs` mirrors the XML sidecar for Java's `XPath` instances: `setXPathVariableResolver(...)` flips the receiver's `has_resolver` flag, copy assignments union, phi joins meet. `xpath_safe()` strips `Cap::XPATH_INJECTION` at `xpath.evaluate(expr, ...)` / `xpath.compile(expr)` sinks when the receiver was provably bound to a resolver. Persisted to `OptimizeResult.xpath_config` .
- **Five new `TypeKind` variants.** `LdapClient` (JNDI `InitialDirContext` / `InitialLdapContext` , Spring `LdapTemplate` , ldapjs `createClient` , python-ldap `initialize` , ldap3 `Connection` ), `XPathClient` (JAXP `newXPath` , lxml `etree.XPath` , npm `xpath` ), `XmlParser` (JAXP factory products: `newDocumentBuilder` , `newSAXParser` , `getXMLReader` ), `Template` (FreeMarker `new Template(...)` / `Configuration.getTemplate` ), and `NullPrototypeObject` for JS/TS values produced by `Object.create(null)` . Wired into `constructor_type` for return-type inference and `TypeKind::label_prefix()` for type-qualified callee resolution. `XPathClient` is kept distinct from `DatabaseConnection` so a generic `pdo->query` SQL_QUERY sink does not collide with `xpath.query` .
- **`GateActivation::LiteralOnly` .** Strict literal-value activation: the gate fires only when the activation argument is a literal that matches `dangerous_values` / `dangerous_prefixes` . Unknown or dynamic activation argument suppresses (no conservative `ALL_ARGS_PAYLOAD` push). Used where the dangerous shape is identifiable only by an explicit literal flag, e.g. `jQuery.extend(true, target, src)` deep-merge against Backbone's `Model.extend({proto})` .
- **Two new path-state predicates for inline open-redirect sanitisers.** `RelativeUrlValidated` covers `x.startsWith("/")` , `x.starts_with("/")` , `x.startswith("/")` , PHP `strpos($x, "/") === 0` , and direct `x[0] === "/"` . `HostAllowlistValidated` covers `new URL(x).host === ALLOWED` , `urlparse(x).netloc == ALLOWED` , multi-statement `parsed.host_str() == "..."` for Rust, and `parsed.Host == "..."` / `parsed.Hostname() == "..."` for Go. Both clear `Cap::OPEN_REDIRECT` only on the validated branch, leaving any non-redirect taint downstream to fire on its own caps. The Go form gates on case-sensitive capital `H` so a lowercase `u.host == X` field comparison falls through to the generic `Comparison` predicate.
- **`Object.create(null)` recogniser.** `is_object_create_null_call` in `cfg/literals.rs` matches `Object.create(null)` (and parenthesised, awaited, or TS type-cast wrappers) and tags `CallMeta.produces_null_proto = true` . Type-fact analysis lifts the flag to `TypeKind::NullPrototypeObject` on the returned SSA value so the synthetic `__index_set__` sink is suppressed flow-sensitively. Phi joins drop the tag back to `Unknown` so a partial null-proto receiver still fires on the unsafe path.
- **CFG-layer prototype-pollution suppression** at the synthetic `__index_set__` sink (JS/TS, recognised by the existing `try_lower_subscript_write` lowering). Three flow-insensitive shapes elide the `Sink(PROTOTYPE_POLLUTION)` label before SSA sees the node: constant-key fold (literal key not in `__proto__` / `constructor` / `prototype` ), reject pattern (sibling `if (idx === "__proto__" || ...) return / throw / break;` ), and allowlist pattern (ancestor `if (idx === "name" || idx === "id") { obj[idx] = v }` ). Walks stop at the enclosing function so closure-captured guards in an outer scope cannot silently authorise inner assignments.
- **Spring MVC `return "redirect:" + tainted` recogniser** (Java). `try_lower_spring_redirect_return` in `cfg/mod.rs` matches the leftmost `+` -chain whose root is a `redirect:` string literal and emits a synthetic `__spring_redirect__` Call sink with `Sink(Cap::OPEN_REDIRECT)` between the predecessors and the Return node. Concatenated identifiers from anywhere in the right-hand chain feed the synthetic node's `arg_uses[0]` , so the taint pipeline carries any tainted suffix through OPEN_REDIRECT.
- **Subscript-set form classification for header sinks.** `response.headers["X-Foo"] = bar` / `headers["X-Foo"] = bar` (Ruby `element_reference` , JS/TS `subscript_expression` , Python `subscript` ) had no `property` field on the LHS. `push_node` now walks into the subscript's `object` and classifies its member-expression text, so `Cap::HEADER_INJECTION` fires on the bare bracket form alongside `setHeader` / `res.set` / `headers_mut.insert` .
- **PHP literal extraction** extended in `cfg/literals.rs` : PHP `encapsed_string` (double-quoted) when every child is a pure-literal segment; boolean literals (`true` / `false` ) for the jQuery `extend(true, ...)` `LiteralOnly` gate; leading-string `binary_expression` concat (`"Location: " . $url` , JS/TS `"Location: " + url` ) so `dangerous_prefixes` matching activates on partially dynamic concatenations.
- **PHP receiver-text strip** in `helpers::root_receiver_text` drops the leading `$` from `variable_name` nodes so `$smarty->fetch(...)` / `$twig->createTemplate(...)` reconstruct as `Smarty.fetch` / `Environment.createTemplate` for suffix-matcher gates.
- **Gate-callee resolution hardening for member-source rewrites.** When `first_member_label` rewrites a call's `text` to a Source like `req.body` , the gate matcher now reads the call's `function` / `method` / `name` field instead, so `setValue(target, req.body, ...)` matches the `setValue` proto-pollution gate. Whitespace stripped from the function field so multi-line chains still match flat gate matchers.
- **Ruby option-constant lookup in gate activation.** Bare `scope_resolution` / `constant` nodes (`Nokogiri::XML::ParseOptions::NOENT` ) now fall back to the macro-arg extractor used by C/C++/PHP, so Nokogiri XXE gates activate on idiomatic option-flag arguments.
- **PHP `unary_op_expression` negation recognition.** tree-sitter-php emits `unary_op_expression` for unary `!` ; CFG `detect_negation` and condition-chain decomposition now match it, so `if (!validate($x))` no longer carries `condition_negated=false` and the surviving branch is the rejection arm, not the validated one.
- **PHP container kinds.** `declaration_list` , `interface_declaration` , `trait_declaration` , `enum_declaration` , `enum_declaration_list` mapped to `Kind::Block` so methods inside them participate in CFG construction.
- **Go variadic `parameter_declaration` named-field handling** for `collect_param_names` . `name` and `type` named fields read directly so type-segment identifiers no longer pollute the param-name set (`info *PackageInfo` no longer contributes `PackageInfo` ).
- **Empty-formals SSA lowering signal.** Per-parameter summary probing now seeds via `BodyMeta.param_destructured_fields` ; JS/TS arrow `() => {…}` lowers with `with_params=true` so it is treated as "explicitly zero formals" rather than "no formals info".
### Authorization
- **FastAPI cross-file `include_router` dependency tracking.** `auth_analysis/router_facts.rs` captures per-file router declarations (`<router> = X(deps=[…])` ) and `<parent>.include_router(<child_module>.<child_var>)` edges in pass 1, persists them into `GlobalSummaries::router_facts_by_module` , and resolves them into the active file's `AuthorizationModel::cross_file_router_deps` at pass 2 entry. Transitive lifts (grandparent to parent to child) handled by iterative index walk. Module identity is the file basename without `.py` . Closes the airflow execution-API shape where a child router lives in `routes/task_instances.py` and its auth is declared on the parent in `routes/__init__.py` .
- **FastAPI router-level `dependencies=[...]` propagation.** Module-level `router = APIRouter(dependencies=[Security(...)])` is pre-walked once per file and merged onto every `@<router>.<verb>(...)` route attached in the same file. Closes airflow execution-API routes that re-use a single `ti_id_router` declared once at module scope.
- **FastAPI `Security(callable, scopes=[...])` recognised distinctly from `Depends(callable)` .** Scoped Security promotes the synthetic `AuthCheck` to `AuthCheckKind::Other` (route-level scope-checked authorization), not Login. New scope-tracking boolean threaded through `expand_decorator_calls` and `extract_fastapi_dependencies` .
- **Caller-scope IPA: same-file route-handler-to-helper auth lift.** `apply_caller_scope_propagation` walks every non-route helper unit; if its in-file callers are non-empty AND every caller is itself an authorized route handler (route-level non-Login auth check) or already authorized via this same propagation, the caller's checks lift onto the helper as synthetic `is_route_level=true` `AuthCheck` s. Iterated to a small fixpoint so transitive helper chains (route to mid_helper to leaf_helper) are covered. Refuses to authorize helpers with no in-file caller, helpers called from a mix of authorized and unauthorized callers, and helpers called only from un-lifted helpers. Cross-file equivalent deferred. Closes the dominant FastAPI / Django / Flask "route authenticates via decorator/dependency, then delegates to a private helper that performs the sink" FP shape on sentry / saleor / airflow.
- **Go DAO-helper id-scalar precision pass.** For non-route Go units, a parameter whose declared type is a bounded primitive scalar (`int64` , `uint32` , `string` , `bool` , `byte` , `rune` , `float64` , …) and whose name is id-shaped (`id` , `*Id` , `*_id` , `*ids` ) is dropped from `unit.params` before ownership-check evaluation. Real Go HTTP handlers always carry a framework-request-typed param (`*http.Request` , `*gin.Context` , `echo.Context` , `*fiber.Ctx` ); per-framework route extractors set `include_id_like_typed=true` so id-shaped path params survive on real routes. Mirrors the existing Python `is_python_id_like_typed_param` filter. Closes ~957 `go.auth.missing_ownership_check` findings on gitea backend DAO helpers (`func GetRunByRepoAndID(ctx, repoID, runID int64)` , `func DeleteRunner(ctx, id int64)` , the entire `models/...` layer where the ownership check sits in the calling route handler) and equivalent shapes in minio / Go ORM codebases.
- **Bare-callee verb-name fallback gate.** `list(...)` , `filter(...)` , `update(...)` , `create_audit_entry(...)` , `update_coding_agent_state(...)` (no receiver dot at all) no longer classify as `DbMutation` / `DbCrossTenantRead` via the loose verb-name fallback. Real ORM/DB calls carry a receiver (`User.find(id)` , `Model.objects.filter` , `repo.save(x)` ); a bare `list(events)` is the Python builtin and `filter(fn, xs)` is `Iterable.filter` . New helper `receiver_is_simple_chain(callee)` requires a non-chained receiver dot. The realtime / outbound / cache prefix dispatches still match by chain root.
### Type-aware sinks and validators
- **Java JPA / Hibernate Criteria API as structural SQL.** `TypeKind::JpaCriteriaQuery` covers `CriteriaQuery<T>` , `CriteriaUpdate<T>` , `CriteriaDelete<T>` , `Subquery<T>` , `TypedQuery<T>` . `sink_args_jpa_criteria_query_safe` clears `cfg-unguarded-sink` SQL_QUERY when any positional argument to the sink call is JpaCriteriaQuery-typed (receiver excluded; receiver of `session.createQuery(cq)` is the Session/EntityManager channel, never the SQL payload). `cb.createQuery(...)` , `em.getCriteriaBuilder()` , and the JpaCriteriaQuery type chain inferred via constructor / factory return-type hints in `type_facts.rs` . Closes the dominant FP cluster on openmrs (169 of 216 cfg-unguarded-sink), xwiki, and keycloak Hibernate DAO methods.
- **Receiver-side validator registry.** `labels::lookup_receiver_validator(lang, callee)` clears `Cap` from the receiver value (and call equivalents) on success, distinct from `Sanitizer` which clears caps from the return value. Python registers `relative_to => Cap::FILE_IO` so `path.relative_to(base)` drops the file-IO cap on the path. Closes the CVE-2024-23334 patched aiohttp `static_root_path.joinpath(filename).resolve().relative_to(static_root_path)` shape.
- **JS/TS Array-method validator-callback narrowing.** `arr.filter(isSafeIdentifier)` , `arr.find(isValidId)` , `arr.findLast(...)` with a `BooleanTrueIsValid` callback (`isValid…` , `isSafe…` , `hasValid…` and snake-case variants) propagate `validated_must` through the call's return value. Resolves callback name from `info.arg_callees` (call-shape arguments) and SSA `value_defs[v].var_name` (bare-identifier callbacks, the dominant patched-CVE form). Strict-additive: anonymous arrows / opaque identifiers leave existing propagation untouched. `findIndex` / `every` / `some` excluded (scalar return shape). Motivated by CVE-2026-42353.
- **JS/TS ternary-branch source classification.** `let arr = cond ? req.query.lng : "";` previously lowered each branch to a labelless Assign with empty uses; the join phi saw no taint. `lower_ternary_branch` now runs `first_member_label` on the branch AST when no `Source` label is already attached.
- **PHP `fopen` modeled as `Sink(Cap::SSRF)` ** (same dual SSRF / LFI shape as `file_get_contents` ; fires only on tainted argument). Closes CVE-2026-33486 (roadiz/documents `DownloadedFile::fromUrl` wrapping `fopen($url, 'r')` ).
- **PHP `Serializable::unserialize($input)` magic-method passthrough recognition.** The legacy `Serializable` interface contract (deprecated since PHP 8.1) requires the implementation to call `\unserialize($input)` on the formal parameter inside `public function unserialize($x) { ... }` . PHP itself invokes the method when restoring an instance, so the body's call cannot be removed without breaking the interface. `php.deser.unserialize` now suppresses inside this exact shape (method named `unserialize` , single formal, bare-parameter argument). Class-level `Serializable` implementation is the actionable signal (fix is migration to `__serialize` / `__unserialize` ). Closes joomla / drupal Serializable-implementing class FPs.
- **SQLAlchemy query-builder chained-call recognition.** `select(X).filter_by(...)` , `query(X).filter(...)` , `select().join().where()` chains now anchor through the chain root primitive when the chain receiver type is opaque. New `db_query_builder_roots` config (Python defaults: `select` , `query` ). Closes airflow `session.scalar(select(C).filter_by(conn_id=user_input))` shapes that previously dropped under the chained-call suppression in `classify_sink_class` .
- **Python non-sink container constructor recognition.** Bare-callee `set()` / `dict()` / `list()` / `tuple()` / `frozenset()` / `defaultdict(...)` is treated as a non-sink constructor, so `verified_ids = set(); verified_ids.update(myteams)` does not classify the `.update` call as `DbMutation` . Type-annotation hint form `set[int]` / `dict[str, int]` recognised via PEP 585 generic suffix strip alongside the existing angle-bracket strip.
- **Python `request.match_info` source label** (aiohttp path-parameter source).
- **New Python pattern `py.xss.make_response_format` (Tier B).** Flask `make_response(<f-string-or-concat>)` reflection. Recognises both bare `make_response(...)` and `flask.make_response(...)` . Closes CVE-2023-6568 (mlflow auth `create_user` reflecting attacker-controlled `Content-Type` header into the response body).
### Language coverage
Per-language label rules expanded for the seven new caps.
- **JavaScript / TypeScript:** ldapjs `LdapClient.search` , `escapeXpath` / `xpathEscape` , `document.evaluate` / npm `xpath.select` , `setHeader` / `res.set` / `res.append` / `res.headers[]=` , `stripCRLF` / `escapeHeader` , lodash / dot-prop / object-path deep-merge prototype-pollution gates, Handlebars / EJS / Mustache template sinks, fast-xml-parser / xml2js with `processEntities` -aware activation, `redirect` / `Location` open-redirect sinks.
- **Python:** python-ldap `LDAPObject.search_s` , ldap3 `Connection.search` , lxml `etree.XPath` / `lxml.etree.parse` with parser-config awareness, Flask `response.headers[]=` / `make_response` , Jinja2 `Template(...)` and Mako `Template(...)` SSTI sinks, `flask.redirect` / `aiohttp HTTPFound` open-redirect.
- **Java / Kotlin:** `DirContext.search` , `XPath.evaluate` / `XPath.compile` , JAXP `DocumentBuilder.parse` / `SAXParser.parse` / `XMLReader.parse` , FreeMarker `Template.process` , Spring `redirect:` view-name synthetic sink, `HttpServletResponse.setHeader` / `addHeader` .
- **PHP:** `ldap_search` / `ldap_list` / `ldap_read` , `DOMXPath::query` / `DOMXPath::evaluate` , `header()` with leading-prefix activation, Smarty `fetch` / Twig `createTemplate` / Blade compile + `eval` template forms, `loadXML` / `simplexml_load_string` with `LIBXML_NOENT` activation.
- **Go:** `go-ldap conn.Search` , `etree.Path` / `xmlpath.Compile` , `http.Header.Set` / `Response.Header().Set` , `html/template` and `text/template` `Parse(...)` , `encoding/xml.Unmarshal` / `Decoder.Decode` , `http.Redirect` with relative-URL / host-allowlist gating.
- **Ruby:** `Net::LDAP#search` , `Nokogiri::XML::Document#xpath` , `response.headers[]=` , `ERB.new` SSTI, `Nokogiri::XML.parse` with `NOENT` / `DTDLOAD` activation, `redirect_to` with relative-URL gate.
- **C / C++:** libldap `ldap_search_ext_s` , libxml2 `xmlXPathEval` , `curl_easy_setopt` with header-list activation, libxml2 `xmlReadFile` / `xmlReadMemory` with `XML_PARSE_NOENT` activation.
- **Rust:** actix-web `HeaderMap.insert` / `HeaderValue::from_str` header-injection gates. `Redirect::to` retagged from `Cap::SSRF` to `Cap::OPEN_REDIRECT` so the open-redirect rule fires distinctly from the SSRF rule.
`NYX_PYTHON_PROTO_POLLUTION` opt-in flag: Python `dict.update` / `__dict__.update` proto-pollution gates are off by default because bare `update` overlaps too broadly with `Counter.update` and ordinary state-mutation patterns to ship as a default sink.
### CVE corpus
- **C.** CVE-2017-1000117 (git argv injection via `ssh://-oProxyCommand=…` ) vulnerable + patched fixtures under `tests/benchmark/cve_corpus/c/CVE-2017-1000117/` . Three-layer engine gap deferred (array-element taint propagation, `c.cmdi.exec*` AST patterns, dash-prefix-byte sanitizer recognition).
- **Python.** CVE-2023-6568 (mlflow reflected XSS), CVE-2024-21513 (langchain SQL / Jinja), CVE-2024-23334 (aiohttp static-file path traversal) vulnerable + patched fixtures.
- **PHP.** CVE-2026-33486 (roadiz/documents SSRF) vulnerable + patched fixtures.
- **JavaScript.** CVE-2026-42353 (i18next-http-middleware path traversal) vulnerable + patched fixtures.
### CLI
- **`nyx rules list` ** subcommand. Surfaces the same registry the dashboard's `/api/rules` page reads from: built-in cap-class entries (one per `Cap` with a canonical rule id), per-language label rules (sink / source / sanitizer), gated sinks, and any custom rules from config. Filters: `--lang <slug>` , `--kind <class|source|sink|sanitizer>` , `--class-only` for registry entries only, `--no-class` for per-language rules only. `--json` for machine output. Cap-class entries carry `language = "all"` so a language filter still surfaces them unless `--no-class` is set.
- **`RuleInfo.is_class` / `RuleInfo.emission_active` flags.** Cap-class entries carry `is_class = true` so dashboards can group them separately. `emission_active = false` marks legacy classes (SQL_QUERY, SSRF, FILE_IO, FMT_STRING, DESERIALIZE, CODE_EXEC, CRYPTO) whose findings still surface under the catch-all `taint-unsanitised-flow` rule id; the seven new classes plus `unauthorized_id` and `data_exfil` are `emission_active = true` . The active set is pinned in `cap_rule_registry_emission_active_set_is_pinned` so a future migration of a legacy cap cannot drift silently.
- **`parse_cap` and `CapName::FromStr` ** accept the new short names: `ldap_injection` / `ldapi` , `xpath_injection` / `xpathi` , `header_injection` / `crlf` / `response_splitting` , `open_redirect` / `redirect` , `ssti` / `template_injection` , `xxe` , `prototype_pollution` / `proto_pollution` , plus the existing `data_exfil` alias. The `nyx config add-rule --cap` flag and `[analysis.languages.*.rules]` entries take any of these.
### Frontend
- **Refreshed local web UI visual system** around the mint-cyan Nyx brand: warmer light surfaces, deep green accents, updated severity / confidence colors, tighter typography, smaller radii, denser cards, table, badge, button, header, and sidebar styling, and matched graph / code-viewer colors.
- **Reworked `nyx serve` surfaces** for a more operational layout. Overview uses the refreshed health-score card and chart grid; Scans has a fixed compact table with capped language badges; Scan Detail places summary and timing data side by side; Triage, Rules, Config, Explorer, Finding Detail, Scan Compare, and Debug pages received focused spacing, overflow, and density fixes.
- **Branded asset set** shared between the SPA and the embedded server bundle: PNG favicons, Apple touch icon, sidebar logo image, refreshed SVG favicon, and Rust static handlers for the new `/logo.png` and favicon files.
- **Frontend `RuleListItem` and `RuleDetailView` ** carry the new `is_class` flag so the dashboard's Rules page can group cap-class entries separately.
- **Regenerated README and docs screenshots and GIFs** against the new UI at 1600x992, saving raw originals before framing and adding CLI GIF plus combined CLI-to-serve demo GIF capture support. Extended the screenshot capture workflow with mint-led framing copy, optional `nyxscan.dev` asset mirroring, WebP regeneration for mirrored PNGs, and raw `_raw` image / GIF outputs for downstream reuse.
2026-05-04 19:58:04 -04:00
### Performance
2026-05-11 12:42:39 -04:00
- **Hoisted `collect_top_level_units` out of the per-extractor loop** in `extract_authorization_model` . Multi-extractor languages (Go gin+echo, JS/TS express+koa+fastify, Python flask+django, Rust axum+actix_web+rocket, Ruby sinatra) had been re-walking the entire AST and rebuilding the `Function` -kind unit set per extractor, then deduping by span. New `AuthExtractor::requires_top_level_units()` opt-out for Spring / Rails which build their own. Was 46% of `extract_authorization_model` wall-clock on the mattermost/server/channels/app subtree.
- **Single `AuthorizationModel` build per file in fused mode.** The diag path and the per-file summary path each ran their own `extract_authorization_model` , duplicating the hoisted unit pass and every framework extractor's AST walk. Auth summaries now extract from the base model (pre var-types, pre helper-lifting) so the persisted per-file summary matches the legacy `extract_auth_summaries_by_key` path bit-for-bit.
- **O(N) shallow value-ref emission in `collect_unit_state` .** The previous per-node `extract_value_refs(node, bytes)` walked the entire subtree on every recursion level (O(N²) per body) even though the recursion below already visits every descendant once. New `append_shallow_value_ref` emits the node's own ref and lets recursion handle the descent. Public callers of `extract_value_refs` (`collect_call` , `collect_condition` , assignment-side extraction) keep the deep walk. Was ~17% + 15% + 11% of wall-clock split across `build_function_unit_with_meta` , `collect_unit_state` , and `extract_value_refs` on mattermost.
- **Per-`ParsedFile` `body_const_facts_cache: OnceCell` .** SSA + const-prop + type-fact build was running 2-3× `run_cfg_analyses_with_lowered` , `run_auth_analyses` , and `collect_file_var_types` . Single-pass cache; gin profile dropped from 13.6% to ~4.5%.
- **SCCP switched from `HashMap<SsaValue, _>` and `HashSet<(BlockId, BlockId)>` ** to dense `Vec` per-value lattice and per-destination predecessor `SmallVec<[BlockId; 2]>` . The inner fixed-point loop no longer SipHashes a 64-bit pair for every operand of every phi. Public `ConstPropResult` shape unchanged (one final O(num_values) HashMap conversion).
- **`GlobalSummaries.by_key` switched to `FxHashMap` ** (rustc-hash 2.1) from stdlib SipHash. `FuncKey` carries 3 String fields, so any HashMap operation hashes at least 30 bytes; FxHash is ~5×
2026-05-04 19:58:04 -04:00
- `large_go_module.go` perf fixture (1493 lines) added to `benches/perf_fixtures/` ; `benches/scan_bench.rs` extended with auth-extractor, SCCP, and summary-resolution rows.
### Fixed (false positives)
2026-05-07 01:29:31 -04:00
- `Object.create(null)` receivers no longer fire prototype-pollution at the synthetic `__index_set__` sink. Suppression is flow-sensitive via `TypeKind::NullPrototypeObject` so a phi join that only sometimes resolves to a null-proto receiver still fires on the unsafe path.
- `cfg-unguarded-sink` over-fires on JS/TS object-literal property writes guarded by an explicit `__proto__` / `constructor` / `prototype` reject `if` (early `return` / `throw` / `break` ) or by an allowlist `if` whose true arm contains the assignment. Resolved at the CFG layer before the SSA sink scan.
- Spring MVC `return "redirect:" + url` flagged generic `taint-unsanitised-flow` even when the redirect destination was the load-bearing taint. Now routed through the synthetic `__spring_redirect__` sink so the finding emerges as `taint-open-redirect` .
2026-05-11 12:42:39 -04:00
- `$smarty->fetch(...)` / `$twig->createTemplate(...)` no longer drop their SSTI gate match on idiomatic PHP receiver shapes.
- `setValue(target, req.body, ...)` and similar wrappers no longer gate-match on the rewritten Source `req.body` text.
- Nokogiri / lxml / fast-xml-parser parser bodies hardened with `setFeature` / `processEntities: false` / `XMLParser(resolve_entities=False)` no longer fire `taint-xxe` .
- `XPath` instances bound to `setXPathVariableResolver(...)` no longer fire `taint-xpath-injection` on subsequent `xpath.evaluate(expr, ...)` sinks.
- Inline `if (!url.startsWith("/")) reject` and `if (new URL(url).host !== ALLOWED) reject` open-redirect sanitisers narrow `Cap::OPEN_REDIRECT` on the validated branch instead of falling through to the generic `Comparison` predicate. Other taint downstream still fires on its own caps.
- Rust `Redirect::to` no longer fires `taint-ssrf` for what is structurally an open redirect; retagged to `Cap::OPEN_REDIRECT` .
- ~957 gitea backend DAO `go.auth.missing_ownership_check` findings (id-scalar precision pass).
- 169 of 216 openmrs `cfg-unguarded-sink` findings (JpaCriteriaQuery type). Equivalent reductions on xwiki / keycloak Hibernate DAO clusters.
- joomla and drupal `php.deser.unserialize` flagged inside `Serializable::unserialize($input)` magic-method bodies.
- airflow execution-API routes flagged `missing_ownership_check` despite being authorized via cross-file `include_router` chains and module-level `APIRouter(dependencies=[…])` declarations.
- sentry `verified_ids = set(); verified_ids.update(myteams)` flagged as `DbMutation` .
- aiohttp `path.relative_to(static_root_path)` not recognised as a path-traversal validator.
- i18next-http-middleware `arr.filter(utils.isSafeIdentifier)` not narrowing taint on the result.
- `cond ? req.query.lng : ""` ternary lost `Source` label on the truthy branch.
- `if (!validate($x))` rejection-arm narrowing flipped on PHP unary `!` .
- mlflow `make_response(f"Invalid content type: '{content_type}'")` (Tier B pattern).
- Bare-callee verb-name dispatch on Python builtins / locally-defined helpers (`list` , `filter` , `update` , `create_audit_entry` , `update_coding_agent_state` ).
2026-05-04 19:58:04 -04:00
- FastAPI `Depends(...)` / `Security(...)` deps declared on a module-level `APIRouter` no longer dropped on every attached route.
- FastAPI `Security(callable, scopes=[...])` no longer downgraded to a Login-only check.
2026-05-11 12:42:39 -04:00
### Tests
2026-05-04 19:58:04 -04:00
2026-05-11 12:42:39 -04:00
- New per-cap integration suites: `tests/{xpath_injection,xxe,ssti,prototype_pollution,header_injection,open_redirect,ldap_injection}_tests.rs` , plus `python_proto_pollution_tests.rs` for the env-gated Python form. Per-cap fixture trees under `tests/fixtures/<class>/<lang>/` cover safe, unsafe, and irrelevant-baseline shapes for every supported language.
- Cross-file FastAPI integration test `tests/fastapi_cross_file_include_router_tests.rs` with airflow-shaped fixture tree under `tests/fixtures/auth_cross_file/airflow_execution_api_includes/` .
2026-05-04 19:58:04 -04:00
- New `cfg/cfg_tests.rs` covers ternary-branch CFG lowering shapes.
- New `summary/tests.rs` covers cross-file `include_router` summary persistence and resolution.
2026-05-11 12:42:39 -04:00
- Per-language safe / vuln auth and detector fixtures across Python, Java, Go, PHP, JS, TS.
### Other
2026-05-04 19:58:04 -04:00
- Refactor passes across `auth_analysis` , `ssa/const_prop` , `ssa/type_facts` , `summary` , and the per-framework auth extractors (cleaner conditional checks, simpler function signatures, deduplicated assertions). No behaviour change.
2026-05-11 12:42:39 -04:00
- README links to a Simplified Chinese translation (`README.zh-CN.md` ).
2026-05-04 19:58:04 -04:00
2026-05-03 13:51:46 -04:00
## [0.6.1] - 2026-05-03
A precision pass on auth and resource analysis plus three fresh CVE corpus pairs, plus a UTF-8 slice panic in the path abstract domain. Closes ~1900 Go auth FPs on gitea-shaped helpers, the mastodon/diaspora private-callback Ruby controller pattern, and a phantom-taint outbreak from JS/TS / Java lambda shorthand in jest-style nested test callbacks.
### Added
- Java JDBC raw-SQL sinks. `Statement.execute` , `Statement.executeBatch` , and `Statement.executeLargeUpdate` modeled as `SQL_QUERY` sinks, classified via type-qualified resolution (`DatabaseConnection.execute` ) so bare `execute` (Runnable, Executor, HttpClient) does not over-fire. `conn.createStatement()` and `conn.prepareCall()` now infer return type `DatabaseConnection` , so the JDBC chain `Statement s = conn.createStatement(); s.execute(q)` types `s` correctly. Closes GHSA-h8cj-hpmg-636v (Appsmith FilterDataServiceCE.dropTable). Vulnerable + patched Java fixtures added.
- Java/Kotlin `Pattern.matcher(value).matches()` chain recognised as a `ValidationCall` allowlist. Receiver of `.matcher(` must contain `regex` or `pattern` . Validation target is the `.matcher()` argument, not the bare `.matches()` receiver. Branch narrowing applies the `validated_must` to the input variable on the surviving branch. Same GHSA as above (`FILTER_TEMP_TABLE_NAME_PATTERN.matcher(tableName).matches()` ).
- Per-parameter SSA summary probe now receives `BodyMeta.param_types` , so `extract_ssa_func_summary` runs a local `analyze_types_with_param_types` pass before extraction. Helper bodies whose sinks resolve only via type-qualified callees (e.g. `DatabaseConnection.execute` for JDBC `Statement.execute` ) no longer drop the sink during cross-function summary extraction. Fixes the Appsmith helper `executeDbQuery(query)` that routed SQL through `statement.execute(query)` .
- Short-circuit branch condition CFG nodes now mirror `condition_vars` into `taint.uses` , so `apply_branch_predicates` interns the variable for short-circuit-decomposed validators (`if (x == null || !regex.matcher(x).matches()) throw` ). Without this, the per-disjunct cond nodes built via `build_condition_chain` silently no-opped and `x` never reached `validated_must` on the surviving branch.
- Go `goqu.L(s)` and `goqu.Lit(s)` raw-SQL literal builders modeled as `SQL_QUERY` sinks. Safe siblings (`goqu.I` identifier, `goqu.C` column, `goqu.T` table, `goqu.V` parameterised value, `goqu.SUM` , `goqu.COUNT` , …) stay unlabeled. Gin source list extended with the array-returning siblings of the existing scalar helpers: `c.QueryArray` , `c.GetQueryArray` , `c.PostFormArray` , `c.GetPostFormArray` . Closes CVE-2026-41422 (daptin: `c.QueryArray("column")` → `goqu.L(project)` with the loop variable lifted through `for _, project := range columns` ). Vulnerable + patched Go corpus pair under `tests/benchmark/cve_corpus/go/CVE-2026-41422/` .
- Go `for ident := range iter` def-use lifting. The `range_clause` child of `for_statement` is now consulted when `left` /`right` aren't direct fields of the `for` node, so taint from the iterable reaches the loop binding. Required for the daptin CVE shape above.
- Rust format-string named-argument lifting (`format!("...{x}...")` , stable since 1.58). Identifiers captured by `{name}` / `{name:fmt-spec}` are pulled into the call's `uses` for known format-style macros: `format` , `print` /`println` , `eprint` /`eprintln` , `write` /`writeln` , `panic` , `format_args` , `assert` /`debug_assert` , `todo` , `unimplemented` , `unreachable` , plus log-crate severity macros (`info` , `warn` , `error` , `debug` , `trace` ). Recursive descent through one or two layers of expression wrapping (`format!("{x}").to_owned()` , RHS chained method calls). Without this, taint stopped at the macro boundary. `let q = format!("...{x}...")` carried no `x` because the identifier lives in format-string bytes rather than as a separate AST argument node. Mirrors the Python f-string lifter.
- Rust CVE corpus extended. CVE-2023-42456, CVE-2024-32884, CVE-2025-53549 vulnerable + patched fixtures under `tests/benchmark/cve_corpus/rust/` .
- Java lambda shorthand recognised by `extract_param_meta` . `lambda_expression` 's `parameters` field as a bare `identifier` (`cmd -> …` ) or as an `inferred_parameters` wrapper around identifiers (`(a, b) -> …` ) was not matching the formal_parameter / spread_parameter kinds in `PARAM_CONFIG` , so the lambda appeared parameterless and the SSA pipeline treated its formals as closure captures. Mirrors the JS/TS arrow shorthand path.
### Fixed
- Panic on non-ASCII input to `has_first_char_absolute_check` in the path abstract domain. The 32-byte search window around `[0]` was sliced as `&clause[lo..hi]` (str), which panicked when `hi` landed inside a multi-byte UTF-8 char (e.g. the em dash `—` , bytes 34..37). Switched to `&bytes[lo..hi]` with `windows()` byte-pattern checks; all needles are ASCII so the searches are equivalent. Surfaced by `cargo fuzz` (`scan_bytes` target, `.c` extension path, embedded `—` in a comment near `s[0] == '/'` ). Regression test added.
### Fixed (false positives)
- Go `unit_has_user_input_evidence` framework-request-name allow-list narrowed for Go. `ctx` , `context` , `info` , `body` , `path` , `payload` , `dto` , `form` , `query` are no longer treated as user-input indicators on Go: in Go these are `context.Context` (cancellation/value-bag from the stdlib) or struct-pointer payload params (`info *PackageInfo` , `opts *FooOptions` ), not request bindings. Go HTTP frameworks bind the request to per-framework typed params (`r *http.Request` , `c *gin.Context` , `c echo.Context` , `c *fiber.Ctx` ); these arrive at the gate via `RouteHandler` kind or the type-aware param filter below. Stdlib `req` / `request` (the `*http.Request` convention) preserved. Other languages keep the broader allow-list.
- Go param collection drops `ctx context.Context` and `ctx context.CancelFunc` parameters entirely rather than seeding their names into `unit.params` . Tree-sitter-go's `parameter_declaration` exposes `name` and `type` as named fields; descend only into `name` so type-segment identifiers don't pollute the param-name set (`info *PackageInfo` no longer contributes `PackageInfo` ). Together with the allow-list narrowing above, closes ~1900 `go.auth.missing_ownership_check` findings on gitea backend helpers whose only "user-input evidence" was the ubiquitous `ctx context.Context` first param.
- Ruby controller method visibility + filter-callback gate. Methods marked `private` (bare `private` directive, targeted `private :foo, :bar` , or `protected` ) and Rails filter callback targets (`before_action` , `after_action` , `around_action` , their `prepend_*` / `append_*` / `skip_*` siblings, and the legacy `*_filter` aliases) are no longer emitted as `Function` units. Visibility tracking is class-body source-order with two directive forms (bare toggles default visibility, targeted explicitly marks named methods). Block-form filters (`before_action do … end` ) carry no symbol arg and are correctly ignored. Closes mastodon / diaspora `rb.auth.missing_ownership_check` flood on `set_X` row-fetch helpers used as `before_action` callbacks.
- Field-LHS resource acquires no longer counted as local resource leaks at the `apply_assignment` site. `e->name = (char *)e + sizeof(*e)` (sub-buffer alias inside a returned struct) and `mem->buf = ptr` (local-into-field ownership transfer) now mark the RHS local `MOVED` and stop tracking the field as a separately OPEN resource. The parent struct owns the field's lifecycle. Cross-language (distinct from the Go-only `apply_call` field-LHS gate, which is restricted because JS/TS class-field acquires `this.fd = fs.openSync(...)` are the documented expected leak pattern in that path). Closes curl `entry_new` and equivalent C/C++ shapes in openssl / postgres.
- Empty-formals SSA lowering signal. `lower_to_ssa_with_params` now sets `with_params=true` even when `formal_params` is empty, so an arrow `() => {…}` is treated as "explicitly zero formals" rather than "no formals info". External vars in a zero-formal arrow are now correctly tagged as synthetic closure captures, so the JS/TS / Java auto-seed pass cannot mistake a bubbled-up free var (e.g. `userId` lifted from a nested jest test callback) for a real handler formal. Closes 934 phantom taint findings on the outline test suite (`describe("…", () => { test("…", () => { server.post(…) }) })` -shaped fixtures).
- Rust integer-typed values now suppress `Cap::FILE_IO` at the abstract-domain leaf gate (previously HTML_ESCAPE only). An integer's decimal representation is digits with optional leading `-` , never path metacharacters (`/` , `\` , `.` ); magnitude is irrelevant. Closes the sudo-rs RUSTSEC-2023-0069 patched FP `let uid: u32 = user.parse()?; path.push(uid.to_string())` .
2026-05-02 18:06:50 -04:00
## [0.6.0] - 2026-05-02
2026-05-02 03:36:14 -04:00
A focused release that splits data-exfiltration off from SSRF and ships sinks for outbound HTTP request bodies across all 10 languages, with calibration tuned so plain user input echoed back upstream does not fire.
2026-05-01 10:59:52 -04:00
### Added
- New `taint-data-exfiltration` rule, separate from SSRF. Fires when a Sensitive-tier source (cookie, header, env, file, database, caught exception) reaches the body, headers, or json payload of an outbound HTTP call. Plain user input gets suppressed at emission time so a gateway echoing `req.body` back upstream is not flagged.
- Sinks ship for `fetch` body, `XMLHttpRequest.send` , Python `requests.post` and `httpx.AsyncClient.post` , Java JDK `HttpClient.send` with `BodyPublishers` , OkHttp builder chains, Apache HttpClient `execute` , RestTemplate, WebClient, Go `http.Post` and `http.NewRequest` + `Do` , Rust `reqwest` /`ureq` /`surf` /`hyper` body/json/form/multipart chains, Ruby `Net::HTTP.post` and RestClient, C and C++ `curl_easy_setopt(CURLOPT_POSTFIELDS, ...)` gated by the macro arg.
- Three suppression knobs:
- Sanitizer convention. `logEvent` , `forwardPayload` , `tracker.send` , `analytics.track` , `metrics.report` , `serializeForUpstream` are treated as `Sanitizer(data_exfil)` by default. Add your own with the standard custom-rule path.
- Trusted destination allowlist in `detectors.data_exfil.trusted_destinations` . Matched against the abstract-string domain prefix; a literal or template prefix that begins with one of these entries drops the cap.
- Detector toggle `detectors.data_exfil.enabled = false` strips the cap before emission. Other taint classes are unaffected.
- Calibration. Severity is High for cookie or env sources, Medium for header, file, database, or caught-exception sources. Confidence stays at Medium even with strong corroboration, drops to Low without abstract or symbolic backing, and drops one tier on path-validated flows. SARIF output carries a `properties.data_exfil_field` entry on data-exfil findings, set to the destination object-literal field the leak reached (`body` , `headers` , or `json` ).
- Benchmark coverage. 13 vulnerable fixtures across 8 languages under `tests/benchmark/corpus/{lang}/data_exfil/` and 6 paired safe fixtures for the sensitivity gate and sanitizer convention. New `data_exfil` row in the per-class breakdown. Per-class CI floor at P, R, F1 ≥ 0.85 (current baseline is 1.000).
- Backwards taint walk recognises `Cap::DATA_EXFIL` and emits the same rule ID.
2026-05-02 03:36:14 -04:00
- Ruby SSRF coverage. `OpenURI.open_uri` now classified as an SSRF sink (the low-level fetcher that `URI.open` delegates to). Closes the CarrierWave CVE-2021-21288 download path and equivalent gem shapes that route through `OpenURI` directly.
- Ruby chained-call wrapper classification. Statement-level wrappers like `YAML.safe_load(File.read(filename))` and `Marshal.load(File.read(p))` now classify the inner sink for cross-function summary extraction. Without this, the outer call became a non-sink node and the inner sink was lost when the helper was summarised.
- Ruby CVE corpus. Vulnerable + patched fixtures added for CVE-2021-21288 (CarrierWave SSRF) and CVE-2023-38337 (rswag path traversal).
2026-05-02 16:44:49 -04:00
- Lodash `_.template` modeled as a gated `Cap::CODE_EXEC` sink. Activates on the template-string argument; suppresses when arg-1 carries a literal `{ evaluate: false }` . Closes Strapi CVE-2023-22621 (server-side template injection → RCE via `<% … %>` evaluate blocks). Vulnerable + patched fixtures added under `tests/benchmark/cve_corpus/javascript/CVE-2023-22621/` .
- JS/TS gated-sink kwarg extractor falls back to inspecting arg-1 object literals (`fn(x, { evaluate: false })` ) when the language has no `keyword_argument` node. Required so the lodash gate can read its options object.
- Lodash double-call form (`_.template(t)(data)` ) routes through `find_chained_inner_call` so the outer call's gated-sink rebinding fires.
2026-05-11 12:42:39 -04:00
- Cross-function helper-validation propagation. New `SsaFuncSummary.validated_params_to_return` field records parameter indices whose taint flow to the return value is fully validated by a dominating predicate (regex allowlist, type check, validation call) on every return path. At call sites, each tainted argument passed to a validated position, and the call's own return value, are marked `validated_must` / `validated_may` in the caller's SSA taint state, the same way an inline `if (!regex.test(x)) throw` would. Closes the helper-validator gap behind PayloadCMS CVE-2026-25544 (Drizzle SQL injection in `sanitizeValue` ). Vulnerable + patched TypeScript fixtures added.
2026-05-02 16:44:49 -04:00
- Destructured-arg sibling expansion in per-parameter taint summary probing. JS/TS object-pattern formals (`({ column, operator, value }) => …` ) now seed every binding sharing the slot, and any sibling reaching `validated_must` counts as the slot being validated. New `BodyMeta.param_destructured_fields` carries sibling lists alongside `params` and `param_types` . JS `PARAM_CONFIG` accepts `assignment_pattern` (default-value formals) and `object_pattern` (destructured formals).
- Regex-allowlist branch narrowing. `<X>.test(value)` / `<X>.match(value)` / `<X>.matches(value)` where the receiver name contains `regex` or `pattern` classifies as a `ValidationCall` and narrows the call's first argument, not the regex receiver. Was also extended to `extract_validation_target` so the surviving branch validates `value` , not the regex object. Motivated by Payload CVE-2026-25544 (`if (!SAFE_STRING_REGEX.test(value)) throw …` ).
- TypeScript template-substring (`${fn(arg)}` ) call-resolution arity-hint fallback. When CFG lowering drops `arg_uses` but `args` is non-empty, the resolver passes `None` so the unique-name fallback can still pick up the lone candidate.
- Caller-scope-entity exemption in `rs.auth.missing_ownership_check` . `<entity>.id` / `<entity>.pk` no longer fires when `<entity>` is a unit parameter named after a multi-tenant scope primitive: `organization` / `org` , `project` , `team` , `workspace` , `tenant` , `account` , `community` , `group` , `repository` / `repo` , `company` . Other field names (`.name` , `.slug` ) still flag, and `user` / `member` / `actor` are deliberately excluded (handled by `is_actor_context_subject` ). Closes a flood of FPs in Sentry / Saleor / Discourse / Mastodon-shaped multi-tenant helpers (`get_environments(request, organization)` , `_filter_releases_by_query(qs, organization, …)` ).
2026-05-11 12:42:39 -04:00
- Auth value-ref walker recurses into the `value` child of `keyword_argument` / `keyword_arg` / `named_argument` nodes. `Model.objects.filter(organization_id=org.id)` no longer surfaces the kwarg key (`organization_id` ) as a bare-identifier user-input subject. The schema column name is fixed at call time.
2026-05-02 16:44:49 -04:00
- Test-decorator denylist for Flask route extraction. `mock.patch` , `mock.patch.object` / `.dict` / `.multiple` , `unittest.mock.*` , `monkeypatch.setattr` / `setenv` / `delattr` / `delenv` , and `pytest.mark.parametrize` no longer collide with `<app>.patch` route registration. Stops every `@mock.patch("…")` -decorated test method from being attached as a Flask PATCH handler and flagged as `missing_ownership_check` .
- Typed-extractor route-level guard injection for axum and actix-web. Handlers registered via attribute macros (`#[get("/path")]` , `#[routes::path(…)]` ) or via external service-config builders previously never had their typed-extractor guards seeded. New `apply_typed_extractor_guards_to_units` walks every `Function` -kind unit and injects guard checks from typed-extractor params, complementing the route-walk path that already covered `.route(...)` registration.
- New auth config key `policy_guard_names` . Typed-extractor wrappers that prove route-level capability/policy enforcement (e.g. meilisearch's `GuardedData<ActionPolicy<X>, _>` ) are recognised distinctly from authentication-only wrappers. Matched as last-segment + case-insensitive `starts_with` . Rust default: `["Guarded"]` . Distinct from `login_guard_names` so the pattern doesn't pollute regular call recognition (a function like `guarded_load(..)` is not a login guard).
- Outer-wrapper-aware classification of typed extractors. `GuardedData<ActionPolicy<X>, Data<AuthController>>` is classified by the outer `GuardedData` (policy-bearing → `AuthCheckKind::Other` ), not by whether an inner generic arg substring-matches `auth` . Bare data-only extractors (`Path<u64>` , `Query<X>` , `Json<X>` , `Form<X>` , `State<X>` , `Extension<X>` , `Data<X>` ) outer-name-match early-return to `None` regardless of inner type tokens. Reference-marker (`&` , `&mut` , `&'a` ) and module-path (`std::collections::` ) prefixes stripped before matching.
2026-05-11 12:42:39 -04:00
- Project-level web-framework signal in Rust auth analysis. New `FrameworkContext::lang_has_web_framework(lang)` is three-valued: `Some(true)` when manifest names a framework, `Some(false)` when the manifest was inspected and named none, `None` when no manifest was inspected. New `rust_file_imports_web_framework` does a per-file `axum::` / `actix_web::` / `rocket::` / `axum_extra::` import probe (8 KB head). When the project's Cargo.toml is inspected and lists no Rust web framework AND the file does not directly import one, the `context_inputs` and param-name-heuristic arms of `unit_has_user_input_evidence` are suppressed. `RouteHandler` classification (concrete route-registration evidence) still bypasses the gate. Closes a flood of `missing_ownership_check` FPs in non-web Rust crates such as zed-style desktop / GUI codebases where a debug-session handle named `session` would trip `matches_session_context` on `session.update(cx, …)` . Currently Rust-only; other languages keep prior behavior (`None` ).
2026-05-02 16:44:49 -04:00
- Rust auth corpus extended with `safe_actix_guarded_data_extractor.rs` and `unsafe_actix_no_guarded_data_extractor.rs` (typed-extractor guard injection); `safe_non_web_rust_project/` and `unsafe_actix_web_project_no_check/` (full Cargo.toml + src/lib.rs project shapes for the framework-signal gate).
- Python auth corpus extended with `vuln_user_id_param_no_auth.py` , `safe_django_orm_caller_scoped_entity.py` (caller-scope-entity exemption), `safe_mock_patch_test_method.py` (test-decorator denylist).
- Go safe corpus extended with `safe_inner_call_close_in_arg.go` (`require.NoError(t, f.Close())` shape), `safe_struct_field_resource_owned_by_struct.go` (field-LHS ownership transfer), and a `vuln_resource_leak_no_close.go` regression guard.
2026-05-02 03:36:14 -04:00
### Fixed (false positives)
- C++ `cpp.memory.reinterpret_cast` no longer fires when the target type is well-defined by C++ aliasing rules. Suppressed targets: byte-pointer family (`char*` , `unsigned char*` , `signed char*` , `wchar_t*` , `uint8_t*` , `int8_t*` , `std::byte*` , `byte*` ), `void*` , integer round-trip (`uintptr_t` , `intptr_t` , and `std::` variants, no pointer required), and the BSD socket address family (`sockaddr*` , `struct sockaddr*` , `sockaddr_in*` , `sockaddr_in6*` , `sockaddr_un*` , `sockaddr_storage*` ). User-defined struct or class pointer targets keep firing. Closes ~70% over-fire on serialization, hashing, IPC, and socket-API code where the cast is the standard-blessed idiom.
- PHP `php.crypto.md5` and `php.crypto.sha1` suppress when the call's consuming context yields a non-cryptographic identifier name. Recognised contexts: assignment LHS (variable, `$obj->property` , `$arr['key']` ), array element keys, subscript indices, return statements (resolved to enclosing method or function name with `get` prefix stripped), and method-call arguments where the method is a key/cache/lookup verb (`get` , `set` , `has` , `delete` , `fetch` , `store` , `find` , `getItem` , `setItem` ). Names containing a crypto keyword (`password` , `secret` , `token` , `signature` , `hmac` , `digest` , `salt` , `key` ) keep firing. Closes ETag generation, cache-key hashing, dedup fingerprint, and `getCacheKey()` -style false positives in real PHP repos (phpmyadmin, nextcloud).
- JS and TS `secrets.fallback_secret` no longer fire on empty-string fallbacks (`process.env.X || ""` ). Developers write `|| ""` to satisfy non-undefined string types without committing a real secret. Non-empty literal fallbacks still fire.
- Path-traversal sink suppression accepts canonicalised-and-rooted shapes. New `PathFact::is_path_traversal_safe` predicate clears `Cap::FILE_IO` when the path is dotdot-free and either non-absolute or carries a verified prefix-lock. New `OPAQUE_PREFIX_LOCK` marker records the structural invariant ("rooted under SOME prefix") when the `starts_with` -style guard's argument is a method call, field access, or configured root rather than a string literal. Closes the Ruby `File.expand_path + start_with?(root)` shape (rswag CVE-2023-38337 patched counterpart), the Python `os.path.realpath + .startswith(root)` shape, and the JS `path.resolve + .startsWith(root)` shape. `classify_path_assertion` extended to JS `.startsWith(...)` , Python `.startswith(...)` , Ruby `.start_with?(...)` (paren and paren-less), and Go `strings.HasPrefix(...)` .
- Branch narrowing now flips prefix-lock attachment under condition negation. For `if !target.startsWith(ROOT) { return; }` the lock attaches to the surviving block, not the rejection arm. Rejection-axis narrowing is unchanged because the rejection classifier is text-level and already accounts for leading `!` .
2026-05-11 12:42:39 -04:00
- Go field-LHS resource acquires no longer counted as local resource leaks. `b.cpuprof = os.Create(...)` transfers ownership to the containing struct; closure responsibility belongs to a paired `Stop()` / `Release()` method on the struct's lifecycle. Gated in both `state/transfer.rs::apply_call` and `cfg_analysis/resources.rs::run` . Restricted to Go (`Lang::Go` check). JS/TS class-field acquires (`this.fd = fs.openSync(...)` ) keep being tracked because the leak fixtures rely on it. Production trigger: prometheus `cmd/promtool/tsdb.go::startProfiling` cluster (`b.cpuprof` , `b.memprof` , `b.blockprof` , `b.mtxprof` ).
- Go inner-call release in argument position. `require.NoError(t, f.Close())` , `errs = append(errs, f.Close())` , JUnit `assertEquals(0, in.read())` : releases that live in argument position now mark the receiver `CLOSED` . Bare-receiver inner calls only (chained-receiver releases stay owned by `chain_proxies` ); marks `CLOSED` only with no `DoubleClose` attribution; respects `in_defer` for symmetry.
2026-05-02 03:36:14 -04:00
### Other
- Action download script warning for the mutable `latest` tag now references `v0.6.0` instead of `v0.5.0` .
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
2026-04-29 00:58:38 -04:00
## [0.5.0] - 2026-04-29
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
The biggest release since launch. The taint engine was rebuilt on top of an SSA IR, cross-file analysis was deepened across the board, and Nyx now ships a local web UI for triaging findings without leaving your machine.
> Heads-up: false positives or regressions on cross-file flows are possible. Please open an issue with a minimal reproduction if you hit one.
### Highlights
- **New SSA-based taint engine.** Block-level worklist analysis over a pruned SSA IR, replacing the legacy BFS engine across all 10 languages. More precise, easier to extend, and the foundation for everything else in this release.
- **Cross-file analysis.** Function summaries (including the new SSA summaries) flow across files via SQLite-backed persistence. Callee bodies can be inlined for context-sensitive analysis (k=1) and walked symbolically across file boundaries.
- **Symbolic execution layer.** Candidate findings are walked symbolically from source to sink, producing concrete attack witnesses, pruning infeasible paths, and (optionally) handing constraints off to Z3.
- **Local web UI (`nyx serve` ).** React + Vite frontend for browsing findings, viewing flow paths, and triaging results. Triage decisions persist to `.nyx/triage.json` so they version with your code.
- **Hostile-repo hardening.** Path containment, loopback-only serving, CSRF tokens, bounded artifact reads. Safe to run on untrusted code.
- **Tighter false-positive controls.** Type-aware sink suppression, abstract interpretation (intervals + string prefixes), constraint solving, allowlist and type-check guard recognition, and confidence scoring on every finding.
### Engine
- SSA IR with dominance-frontier phi insertion. The optimization pipeline runs constant propagation, branch pruning, copy propagation, alias analysis, DCE, type facts, and points-to in sequence.
2026-04-29 00:58:38 -04:00
- Multi-label classification. A single API can carry both Source and Sink labels (e.g. PHP `file_get_contents` , Java `readObject` ).
- Gated sinks. `setAttribute` , `parseFromString` , etc. only activate when the constant attribute argument is dangerous, and only the payload argument is treated as taint-bearing.
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- Container taint with per-index precision and bounded points-to. Aliased containers share heap identity correctly.
- Loop-aware analysis: induction-variable pruning, widening at loop heads, bounded unrolling in symex.
- Path-sensitive phi evaluation propagates validation when all tainted predecessors are guarded.
- Per-return-path summaries decompose function effects when paths produce different taint behavior.
2026-04-29 00:58:38 -04:00
- Cross-file SCC fixed-point. Mutually recursive functions across files now reach a joint convergence.
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- Demand-driven backwards analysis (off by default) annotates findings with cutoff diagnostics.
- Direction-aware engine notes (`UnderReport` , `OverReport` , `Bail` ) flow into confidence scoring, ranking, and the new `--require-converged` strict mode.
2026-04-29 02:57:57 -04:00
- Synthetic field-write inheritance: `u.Path = "/foo"` no longer drops taint carried by other fields of `u` . Fixes Owncast CVE-2023-3188 (SSRF).
- Phantom-Param-aware field suppression skips method/function references that share a base name with a tainted variable.
2026-05-11 12:42:39 -04:00
- Validation err-check narrowing for the two-statement Go idiom `_, err := strconv.Atoi(input); if err != nil { return }` : `input` is marked validated on the surviving `err == nil` branch.
2026-04-29 02:57:57 -04:00
- Go: `strings.Replace` / `strings.ReplaceAll` recognised as a sanitizer when the OLD literal contains a known-dangerous payload (shell metachars, path-traversal, HTML, SQL) and the NEW literal does not reintroduce one.
- Go: literal-strip cap detection extended to shell metachars (`;` , `|` , `&` , `$` , backtick) and SQL metachars (`'` , `"` , `--` ).
- Go: `interpreted_string_literal` / `raw_string_literal` handled in tree-sitter so const-string arg extraction works for Go's double-quoted and backtick forms.
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
### Symbolic Execution
- Expression trees (`SymbolicValue` ) preserve computation structure through the path walk: integers, strings, binary ops, concatenations, calls, phi merges.
- Witness strings reconstruct concrete attack payloads at sink nodes.
- Bounded multi-path forking with reachability pruning.
- Cross-file: callee summaries are modeled directly, and pre-lowered callee bodies are loaded from SQLite so witnesses can keep walking across files.
- Interprocedural mode: nested frames with full state propagation, transitive descent up to 3 levels, structured cutoff tracking.
- Field-sensitive symbolic heap with bounded fields per object.
- Symbolic string theory: `Substr` , `Replace` , `ToLower` , `ToUpper` , `Trim` , `StrLen` modeled with concrete folding and sanitizer pattern detection.
- Optional Z3 integration (compile-time `smt` feature) for cross-variable constraint solving.
### Security & Coverage
- Vulnerability classes added: SSRF (10 languages), deserialization (Python, Ruby, Java, PHP), and `Cap::UNAUTHORIZED_ID` for auth-as-taint (off by default behind config flag).
- Auth analysis: receiver-type sink gating, row-level ownership-equality detection, self-actor recognition (`let user = require_auth()` ), sink classification (in-memory vs realtime vs outbound), helper-summary lifting, and SQL JOIN-through-ACL recognition.
- State analysis (resource lifecycle, use-after-close, leaks, unauthed access) is now on by default. RAII-aware for Rust and C++; recognizes Python `with` , Go `defer` , Java try-with-resources.
- Framework rule packs: Express, Flask/Django, Spring/JNDI, Rails. Per-language label depth significantly expanded.
- C/C++ taint depth: output-parameter source propagation, implicit definitions for uninitialized declarations.
- Negative test corpus (30 fixtures) and a 262-case benchmark with CI gates on rule-level Precision/Recall/F1.
2026-04-29 02:57:57 -04:00
### Detection metrics
- Aggregate rule-level F1 reaches **0.998** (P=0.995, R=1.000). All real-CVE fixtures fire; only one open FP (`go-safe-009` ).
- Go: 98.0% F1 on the 53-case corpus (1 FP / 0 FNs).
- CVE-2023-3188 (owncast SSRF) now detects.
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
### CLI & Output
2026-04-29 00:58:38 -04:00
- `nyx serve` : local web UI on `localhost` only (refuses non-loopback binds).
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- `--require-converged` filters out findings where the engine bailed early.
- Analysis-engine toggles graduated from `NYX_*` env vars to first-class flags and `[analysis.engine]` config: `--constraint-solving` , `--abstract-interp` , `--context-sensitive` , `--symex` , `--cross-file-symex` , `--symex-interproc` , `--smt` , `--parse-timeout-ms` . Old env vars still work when Nyx is consumed as a library.
- Confidence (`High` /`Medium` /`Low` ) shown on every finding, including console headers.
2026-04-29 00:58:38 -04:00
- Engine notes surfaced in console (`[capped: N notes, over-report]` ), JSON (`engine_notes` , `confidence_capped` ), and SARIF (`result.properties.loss_direction` ).
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- Flow paths reconstructed step-by-step with file/line/snippet for each hop.
- Concrete attack witness strings synthesized by the symbolic executor.
- Primary sink locations now point at the callee's real sink line; caller call sites are preserved as flow steps.
- Richer scan progress: explicit stages, timing breakdowns, language counters, skipped/reused file counts.
- Tighter taint-finding deduplication.
### Hardening
- Centralized path containment rejects traversal, symlink escapes, and oversized reads across UI, debug, and triage routes.
- `nyx serve` validates `Host` headers, requires per-session CSRF tokens for mutations, and refuses scans outside the original repo root.
- Walker re-validates symlink targets against the scan root.
- Bounded reads on framework manifests and `.nyx/triage.json` imports.
- UI falls back to plain text on pathologically long lines to defeat regex-DoS in syntax highlighting.
- Parser timeout is now configuration-backed with hostile-input regression coverage.
### Persistence
- SQLite schema bumped to v2. Anonymous-function identity is now a structural DFS index instead of a byte offset, so inserting a line above an unchanged function no longer invalidates its `FuncKey` . Pre-0.5.0 caches are silently cleared on open; triage data and scan history are preserved.
- Engine-version metadata; persisted summaries and file hashes invalidate on mismatch.
- Stale SSA tables recreate when required columns are missing; deserialization failures log instead of silently dropping rows.
### Frontend
- Replaced the legacy `app.js` with a React + Vite + TypeScript SPA.
- Interactive graph workspace for CFG and call-graph views (Graphology + ELK + Sigma) with neighborhood reduction and a full-page inspector.
- Triage UI with database-backed decisions (true positive, false positive, deferred, suppressed) and `.nyx/triage.json` round-trip.
- Scan history, rules management, and finding detail panels with evidence and flow visualization.
- Vitest browser-side test suite wired into CI.
2026-04-29 02:57:57 -04:00
- Bumped to React 19, Vite 8, TypeScript 6.0, ESLint 10, `@vitejs/plugin-react` 6, with aligned `@types/react*` .
- `SSEContext` : typed `reconnectTimer` ref as `ReturnType<typeof setTimeout> | undefined` to satisfy TS 6's stricter `useRef` overloads.
- `FindingsPage` : included `toast` in `useCallback` deps to avoid stale-closure warnings.
- `tsconfig.json` : dropped `baseUrl` , using a relative `./src/*` path mapping instead.
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
### Removed
- Legacy BFS taint engine, `TaintTransfer` , `TaintState` , and the `NYX_LEGACY` fallback.
- Legacy vanilla-JS frontend (`app.js` ).
2026-04-29 00:58:38 -04:00
## [0.4.0] - 2026-02-25
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
A precision and ergonomics release. Findings are now ranked, lower-noise by default, and easier to triage in CI.
### Highlights
- **Attack-surface ranking.** Every finding gets an exploitability score combining severity, analysis kind, evidence strength, and path-validation. Console output shows the score in the header line; `--no-rank` opts out.
- **Low-noise prioritization.** Quality-category findings are excluded by default (`--include-quality` brings them back). High-frequency Quality rules are rolled up per `(file, rule)` with example occurrences. LOW budgets cap noise without ever displacing High/Medium findings.
- **State-model dataflow analysis.** New per-variable resource-lifecycle and auth-level analysis catches use-after-close, double-close, must-leak, may-leak (branch-aware), and unauthenticated-sink access. Opt-in via `scanner.enable_state_analysis` .
- **Inline `nyx:ignore` suppressions** with same-line and next-line directives, comma lists, wildcard suffixes, and string-literal guards across all 10 languages.
- **AST pattern overhaul.** All 10 language pattern files rewritten with consistent metadata, namespaced IDs (`<lang>.<category>.<specific>` ), and 30+ new patterns. 11 broken tree-sitter queries fixed.
- **Monotone forward-dataflow taint engine.** Replaced the BFS engine with a proper worklist over a finite lattice. Termination is now guaranteed by lattice height, eliminating BFS-budget bailouts on large files.
- **Path-sensitive taint analysis.** Branch predicates flow with the analysis. Contradictory guards prune infeasible paths; validation calls produce annotated findings without changing severity.
- **Interprocedural call graph.** Whole-program graph with three-valued callee resolution (`Resolved` /`NotFound` /`Ambiguous` ), SCC analysis, and topo ordering ready for bottom-up taint propagation.
### CLI & Output
- `--severity <EXPR>` replaces `--high-only` . Supports `HIGH` , `HIGH,MEDIUM` , `>=MEDIUM` . Filtering is now applied at the output stage so taint and CFG findings are correctly downgraded too.
- `--mode <full|ast|cfg|taint>` replaces `--ast-only` and `--cfg-only` .
- `--index <auto|off|rebuild>` replaces `--no-index` and `--rebuild-index` .
- `--fail-on <SEVERITY>` for CI exit-code gating.
- `--min-score <N>` for ranking-aware filtering.
- `--show-suppressed` reveals suppressed findings dimmed with `[SUPPRESSED]` .
- `--keep-nonprod-severity` (renamed from `--include-nonprod` ).
- `--quiet` mirrors `output.quiet` .
- Console renderer overhauled: severity is the strongest visual anchor, file paths are dim blue, taint flows use `→` arrows, multi-line call chains are normalized.
- Confidence shown alongside score in the header line.
- Pattern-level confidence is now set at the pattern definition site, not heuristically inferred from severity.
### Breaking
2026-04-29 00:58:38 -04:00
- Config and data directory renamed from `dev.ecpeter23.nyx` to `nyx` . Existing config and SQLite indexes at the old path won't be picked up. Copy them across or re-run `nyx scan` .
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- `Severity::from_str` now returns `Err` for unknown values instead of silently defaulting to Low.
### Notable Fixes
- KINDS-map audit across all 10 languages: 89 missing tree-sitter node types added. Switch/case, try/catch/finally, class bodies, lambdas, closures, and namespaces are no longer silently dropped.
2026-04-29 00:58:38 -04:00
- `else_clause` mapping fixed for C, C++, Rust, JS, TS, Python, PHP. Code inside else blocks was being dropped from the CFG.
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- Rust `if let` / `while let` taint propagation now works.
- Taint BFS non-termination on large JS files (the BFS engine has since been replaced).
- C++ `popen` pattern ID collision with C.
- Constant-arg sink suppression for AST patterns.
2026-04-29 00:58:38 -04:00
## [0.3.0] - 2026-02-25
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
Configurability, SARIF, and an aggressive false-positive purge.
### Highlights
- **Configurable analysis rules.** Sources, sanitizers, sinks, terminators, and event handlers can be defined per language in `nyx.local` or via `nyx config add-rule` /`add-terminator` . Config rules take priority over built-in rules.
- **`nyx config` CLI subcommand** with `show` , `path` , `add-rule` , `add-terminator` .
- **SARIF 2.1.0 output (`-f sarif` ).** Spec-compliant for GitHub Code Scanning, Azure DevOps, and other SARIF consumers.
- **`SourceKind` taint classification.** Findings carry an inferred source kind (`UserInput` , `EnvironmentConfig` , `FileSystem` , `Database` , `Unknown` ) and severity is now derived from it instead of being hardcoded to High.
- **Non-prod severity downgrade by default.** Findings in tests, vendor, benchmarks, examples, fixtures, build scripts, and `*.min.js` are downgraded one tier. `--include-nonprod` restores original severity.
- **Resource leak detection** for Python, Ruby, PHP, JavaScript, and TypeScript (file handles, sockets, locks, mysqli, curl, fs streams).
- **Progress bars and quiet mode.** Indicatif-driven progress for discovery, Pass 1, and Pass 2 (auto-hidden in JSON/SARIF/quiet modes).
### Performance
- Single fused parse+CFG pass replaces the previous two-parse summary extraction.
- Light-weight dataflow sweep in CFG builder is now O(N) per function instead of O(N²) over the whole file.
- Parallel summary merging via rayon fold/reduce.
- Indexed scans now read and hash each file once instead of up to 4 times.
- SQLite mutex mode relaxed (r2d2 + WAL provides safety without global lock).
- Zero-allocation taint hashing and in-place taint transfer.
### Notable Fixes
- One-hop constant-binding suppression: `cmd = "git"; subprocess.run([cmd, ...])` no longer flags.
- Exec-path guards (`which` , `resolve_binary` , `shutil.which` ) recognized.
- `signal.connect` / `event.connect` no longer match Python db-connection acquire patterns.
- `threading.Lock()` without `.acquire()` no longer flags as unreleased.
- `FileResponse(f)` / `send_file(f)` recognized as ownership transfer.
- `el.href` no longer matches `location.href` patterns.
- Constant-only sink calls (`subprocess.run(["make","clean"])` ) suppressed.
- `std::cout` no longer treated as a sink.
- Break/continue inside loops correctly wires into the loop header/exit, fixing false unreachable-code findings.
- Preprocessor `#ifdef` /`#endif` blocks no longer orphan subsequent code in C/C++.
- `freopen` no longer matches `fopen` acquire patterns.
- Struct-field, linked-list, and global assignment recognized as ownership transfers.
2026-04-29 00:58:38 -04:00
## [0.2.0] - 2026-02-24
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
The cross-file release.
- **Two-pass cross-file taint analysis.** Pass 1 extracts `FuncSummary` per function (caps, propagation, callees), Pass 2 runs BFS taint propagation with cross-file callee resolution.
- **CFG analysis engine** with five detectors: unguarded sinks, auth gaps in web handlers, unreachable security code, error fallthrough, resource leaks.
- **Cross-language interop** via explicit `InteropEdge` structs (no false-positive name collisions).
- **Function summaries persisted to SQLite** (`function_summaries` table).
- **Multi-language CFG + taint support** for all 10 languages.
- **Resource leak detection** for C/C++, Go, Rust, and Java.
- **Finding scoring system** combining severity, entry-point proximity, path complexity, taint confirmation, and confidence.
- **Analysis modes**: `Full` (default), `Ast` (`--ast-only` ), `Taint` (`--cfg-only` ).
- **Cap bitflags expanded**: `ENV_VAR` , `HTML_ESCAPE` , `SHELL_ESCAPE` , `URL_ENCODE` , `JSON_PARSE` , `FILE_IO` .
- Performance: read-once/hash-once via `_from_bytes` variants, lock-free rayon, SQLite WAL + 8 MB cache + 256 MB mmap.
- Tracing instrumentation on all pipeline stages; criterion benchmark suite.
2026-04-29 00:58:38 -04:00
## [0.2.0-alpha] - 2025-06-28
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- Experimental intra-procedural CFG + taint analysis for Rust. Builds a CFG, applies dataflow, and flags unsanitised Source → Sink paths (e.g. `env::var` → `Command::new` ).
- O(1) node-kind lookup via per-language PHF tables.
- Debug channel `target=cfg` (`RUST_LOG=nyx::cfg=debug` ) to inspect generated graphs.
- Fixed Windows release pipeline (PowerShell has no `zip` command).
2026-04-29 00:58:38 -04:00
## [0.1.1-alpha] - 2025-06-25
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
- Fixed `scan --no-index` not respecting the `max_results` config setting (#1 ).
- Integration tests covering indexing and scanning pipelines (#3 , #4 , #5 , #8 ).
2026-04-29 00:58:38 -04:00
## [0.1.0-alpha] - 2025-06-25
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
Initial alpha release.
- Multi-language AST pattern scanning via `tree-sitter` for Rust, C/C++, Java, Go, PHP, Python, Ruby, TypeScript, JavaScript.
- `scan` command: filesystem walker, pattern execution, console output.
- `index` command: build, rebuild, and status reporting of SQLite-backed index.
- `list` command: list indexed projects with optional verbosity.
- `clean` command: remove one or all project indexes.
- Configuration system with `nyx.conf` (generated) and `nyx.local` (user overrides).
- Default severity levels: High, Medium, Low.
