Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
|
|
|
|
use crate::commands::scan::Diag;
|
|
|
|
|
|
use crate::evidence::{Confidence, Evidence};
|
|
|
|
|
|
use crate::patterns::{FindingCategory, Severity};
|
|
|
|
|
|
use crate::utils::path::{DEFAULT_UI_MAX_FILE_BYTES, open_repo_text_file};
|
|
|
|
|
|
use serde::Serialize;
|
|
|
|
|
|
use std::collections::{BTreeSet, HashMap};
|
|
|
|
|
|
use std::path::Path;
|
|
|
|
|
|
|
|
|
|
|
|
/// Compact related-finding reference for the detail panel.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct RelatedFindingView {
|
|
|
|
|
|
pub index: usize,
|
|
|
|
|
|
pub rule_id: String,
|
|
|
|
|
|
pub path: String,
|
|
|
|
|
|
pub line: usize,
|
|
|
|
|
|
pub severity: Severity,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Valid triage states for findings.
|
|
|
|
|
|
pub const VALID_TRIAGE_STATES: &[&str] = &[
|
|
|
|
|
|
"open",
|
|
|
|
|
|
"investigating",
|
|
|
|
|
|
"false_positive",
|
|
|
|
|
|
"accepted_risk",
|
|
|
|
|
|
"suppressed",
|
|
|
|
|
|
"fixed",
|
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
/// Check if a string is a valid triage state.
|
|
|
|
|
|
pub fn is_valid_triage_state(s: &str) -> bool {
|
|
|
|
|
|
VALID_TRIAGE_STATES.contains(&s)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Serializable API representation of a Diag finding.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct FindingView {
|
|
|
|
|
|
pub index: usize,
|
|
|
|
|
|
pub fingerprint: String,
|
|
|
|
|
|
#[serde(skip_serializing_if = "String::is_empty")]
|
|
|
|
|
|
pub portable_fingerprint: String,
|
|
|
|
|
|
pub path: String,
|
|
|
|
|
|
pub line: usize,
|
|
|
|
|
|
pub col: usize,
|
|
|
|
|
|
pub severity: Severity,
|
|
|
|
|
|
pub rule_id: String,
|
|
|
|
|
|
pub category: FindingCategory,
|
|
|
|
|
|
pub confidence: Option<Confidence>,
|
|
|
|
|
|
pub rank_score: Option<f64>,
|
|
|
|
|
|
pub message: Option<String>,
|
|
|
|
|
|
pub labels: Vec<(String, String)>,
|
|
|
|
|
|
pub path_validated: bool,
|
|
|
|
|
|
pub suppressed: bool,
|
|
|
|
|
|
pub language: Option<String>,
|
|
|
|
|
|
pub status: String,
|
|
|
|
|
|
pub triage_state: String,
|
|
|
|
|
|
#[serde(skip_serializing_if = "String::is_empty")]
|
|
|
|
|
|
pub triage_note: String,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub code_context: Option<CodeContextView>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub evidence: Option<Evidence>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub guard_kind: Option<String>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub rank_reason: Option<Vec<(String, String)>>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub sanitizer_status: Option<String>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Vec::is_empty")]
|
|
|
|
|
|
pub related_findings: Vec<RelatedFindingView>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Lines of source code around a finding for display.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct CodeContextView {
|
|
|
|
|
|
pub start_line: usize,
|
|
|
|
|
|
pub lines: Vec<String>,
|
|
|
|
|
|
pub highlight_line: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Aggregate statistics for a set of findings.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, Default)]
|
|
|
|
|
|
pub struct FindingSummary {
|
|
|
|
|
|
pub total: usize,
|
|
|
|
|
|
pub by_severity: HashMap<String, usize>,
|
|
|
|
|
|
pub by_category: HashMap<String, usize>,
|
|
|
|
|
|
pub by_rule: HashMap<String, usize>,
|
|
|
|
|
|
pub by_file: HashMap<String, usize>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// A scan job as seen by the API.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct ScanView {
|
|
|
|
|
|
pub id: String,
|
|
|
|
|
|
pub status: String,
|
|
|
|
|
|
pub scan_root: String,
|
|
|
|
|
|
pub started_at: Option<String>,
|
|
|
|
|
|
pub finished_at: Option<String>,
|
|
|
|
|
|
pub duration_secs: Option<f64>,
|
|
|
|
|
|
pub finding_count: Option<usize>,
|
|
|
|
|
|
pub error: Option<String>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub engine_version: Option<String>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub languages: Option<Vec<String>>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub files_scanned: Option<u64>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub timing: Option<crate::server::progress::TimingBreakdown>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub metrics: Option<crate::server::progress::ScanMetricsSnapshot>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Custom rule view for the config API.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, serde::Deserialize)]
|
|
|
|
|
|
pub struct RuleView {
|
|
|
|
|
|
pub lang: String,
|
|
|
|
|
|
pub matchers: Vec<String>,
|
|
|
|
|
|
pub kind: String,
|
|
|
|
|
|
pub cap: String,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Terminator view for the config API.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, serde::Deserialize)]
|
|
|
|
|
|
pub struct TerminatorView {
|
|
|
|
|
|
pub lang: String,
|
|
|
|
|
|
pub name: String,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Rule list item for GET /api/rules (built-in + custom, with metadata).
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct RuleListItem {
|
|
|
|
|
|
pub id: String,
|
|
|
|
|
|
pub title: String,
|
|
|
|
|
|
pub language: String,
|
|
|
|
|
|
pub kind: String,
|
|
|
|
|
|
pub cap: String,
|
|
|
|
|
|
pub matchers: Vec<String>,
|
|
|
|
|
|
pub enabled: bool,
|
|
|
|
|
|
pub is_custom: bool,
|
|
|
|
|
|
pub is_gated: bool,
|
2026-05-07 01:29:31 -04:00
|
|
|
|
pub is_class: bool,
|
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
|
|
|
|
pub case_sensitive: bool,
|
|
|
|
|
|
pub finding_count: usize,
|
|
|
|
|
|
pub suppression_rate: f64,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Full rule detail for GET /api/rules/:id
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct RuleDetailView {
|
|
|
|
|
|
pub id: String,
|
|
|
|
|
|
pub title: String,
|
|
|
|
|
|
pub language: String,
|
|
|
|
|
|
pub kind: String,
|
|
|
|
|
|
pub cap: String,
|
|
|
|
|
|
pub matchers: Vec<String>,
|
|
|
|
|
|
pub case_sensitive: bool,
|
|
|
|
|
|
pub enabled: bool,
|
|
|
|
|
|
pub is_custom: bool,
|
|
|
|
|
|
pub is_gated: bool,
|
2026-05-07 01:29:31 -04:00
|
|
|
|
pub is_class: bool,
|
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
|
|
|
|
pub finding_count: usize,
|
|
|
|
|
|
pub suppression_rate: f64,
|
|
|
|
|
|
pub example_findings: Vec<RelatedFindingView>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Label entry for sources/sinks/sanitizers listing.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// `case_sensitive` and `is_builtin` default to `false` on deserialize so POST
|
|
|
|
|
|
/// bodies from the UI (which only supply `lang`, `matchers`, `cap`) succeed.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, serde::Deserialize)]
|
|
|
|
|
|
pub struct LabelEntryView {
|
|
|
|
|
|
pub lang: String,
|
|
|
|
|
|
pub matchers: Vec<String>,
|
|
|
|
|
|
pub cap: String,
|
|
|
|
|
|
#[serde(default)]
|
|
|
|
|
|
pub case_sensitive: bool,
|
|
|
|
|
|
#[serde(default)]
|
|
|
|
|
|
pub is_builtin: bool,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Profile view for profile listing.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct ProfileView {
|
|
|
|
|
|
pub name: String,
|
|
|
|
|
|
pub is_builtin: bool,
|
|
|
|
|
|
pub settings: serde_json::Value,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Distinct filter values available in a set of findings.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, Default)]
|
|
|
|
|
|
pub struct FilterValues {
|
|
|
|
|
|
pub severities: Vec<String>,
|
|
|
|
|
|
pub categories: Vec<String>,
|
|
|
|
|
|
pub confidences: Vec<String>,
|
|
|
|
|
|
pub languages: Vec<String>,
|
|
|
|
|
|
pub rules: Vec<String>,
|
|
|
|
|
|
pub statuses: Vec<String>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Collect distinct filter values from a slice of diagnostics.
|
|
|
|
|
|
pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
|
|
|
|
|
|
let mut severities = BTreeSet::new();
|
|
|
|
|
|
let mut categories = BTreeSet::new();
|
|
|
|
|
|
let mut confidences = BTreeSet::new();
|
|
|
|
|
|
let mut languages = BTreeSet::new();
|
|
|
|
|
|
let mut rules = BTreeSet::new();
|
|
|
|
|
|
let mut statuses = BTreeSet::new();
|
|
|
|
|
|
|
|
|
|
|
|
for d in findings {
|
|
|
|
|
|
severities.insert(d.severity.as_db_str().to_string());
|
|
|
|
|
|
categories.insert(d.category.to_string());
|
|
|
|
|
|
if let Some(c) = d.confidence {
|
|
|
|
|
|
confidences.insert(format!("{c:?}"));
|
|
|
|
|
|
}
|
|
|
|
|
|
if let Some(lang) = lang_for_finding_path(&d.path) {
|
|
|
|
|
|
languages.insert(lang);
|
|
|
|
|
|
}
|
|
|
|
|
|
rules.insert(d.id.clone());
|
|
|
|
|
|
statuses.insert(status_for_diag(d).to_string());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Always include all valid triage states so the filter dropdown is complete
|
|
|
|
|
|
for s in VALID_TRIAGE_STATES {
|
|
|
|
|
|
statuses.insert(s.to_string());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
FilterValues {
|
|
|
|
|
|
severities: severities.into_iter().collect(),
|
|
|
|
|
|
categories: categories.into_iter().collect(),
|
|
|
|
|
|
confidences: confidences.into_iter().collect(),
|
|
|
|
|
|
languages: languages.into_iter().collect(),
|
|
|
|
|
|
rules: rules.into_iter().collect(),
|
|
|
|
|
|
statuses: statuses.into_iter().collect(),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Map a finding file path extension to a human-readable language name.
|
|
|
|
|
|
pub fn lang_for_finding_path(path: &str) -> Option<String> {
|
|
|
|
|
|
let ext = path.rsplit('.').next()?;
|
|
|
|
|
|
match ext.to_ascii_lowercase().as_str() {
|
|
|
|
|
|
"rs" => Some("Rust".into()),
|
|
|
|
|
|
"c" => Some("C".into()),
|
|
|
|
|
|
"cpp" => Some("C++".into()),
|
|
|
|
|
|
"java" => Some("Java".into()),
|
|
|
|
|
|
"go" => Some("Go".into()),
|
|
|
|
|
|
"php" => Some("PHP".into()),
|
|
|
|
|
|
"py" => Some("Python".into()),
|
|
|
|
|
|
"ts" => Some("TypeScript".into()),
|
|
|
|
|
|
"js" => Some("JavaScript".into()),
|
|
|
|
|
|
"rb" => Some("Ruby".into()),
|
|
|
|
|
|
_ => None,
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Compute the status string for a diagnostic.
|
|
|
|
|
|
fn status_for_diag(d: &Diag) -> &'static str {
|
|
|
|
|
|
if d.suppressed {
|
|
|
|
|
|
"suppressed"
|
|
|
|
|
|
} else if d.path_validated {
|
|
|
|
|
|
"validated"
|
|
|
|
|
|
} else {
|
|
|
|
|
|
"open"
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Convert a Diag to a FindingView at a given index.
|
|
|
|
|
|
pub fn finding_from_diag(index: usize, d: &Diag) -> FindingView {
|
|
|
|
|
|
FindingView {
|
|
|
|
|
|
index,
|
|
|
|
|
|
fingerprint: compute_fingerprint(d),
|
|
|
|
|
|
portable_fingerprint: String::new(), // set by caller with scan_root
|
|
|
|
|
|
path: d.path.clone(),
|
|
|
|
|
|
line: d.line,
|
|
|
|
|
|
col: d.col,
|
|
|
|
|
|
severity: d.severity,
|
|
|
|
|
|
rule_id: d.id.clone(),
|
|
|
|
|
|
category: d.category,
|
|
|
|
|
|
confidence: d.confidence,
|
|
|
|
|
|
rank_score: d.rank_score,
|
|
|
|
|
|
message: d.message.clone(),
|
|
|
|
|
|
labels: d.labels.clone(),
|
|
|
|
|
|
path_validated: d.path_validated,
|
|
|
|
|
|
suppressed: d.suppressed,
|
|
|
|
|
|
language: lang_for_finding_path(&d.path),
|
|
|
|
|
|
status: status_for_diag(d).to_string(),
|
|
|
|
|
|
triage_state: "open".to_string(),
|
|
|
|
|
|
triage_note: String::new(),
|
|
|
|
|
|
code_context: None,
|
|
|
|
|
|
evidence: None,
|
|
|
|
|
|
guard_kind: None,
|
|
|
|
|
|
rank_reason: None,
|
|
|
|
|
|
sanitizer_status: None,
|
|
|
|
|
|
related_findings: vec![],
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Convert a Diag to a FindingView with code context loaded from disk.
|
|
|
|
|
|
pub fn finding_from_diag_with_context(index: usize, d: &Diag, scan_root: &Path) -> FindingView {
|
|
|
|
|
|
let mut view = finding_from_diag(index, d);
|
|
|
|
|
|
view.code_context = load_code_context(&d.path, d.line, scan_root);
|
|
|
|
|
|
view
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Convert a Diag to a FindingView with full detail (evidence, related findings).
|
|
|
|
|
|
pub fn finding_from_diag_with_detail(
|
|
|
|
|
|
index: usize,
|
|
|
|
|
|
d: &Diag,
|
|
|
|
|
|
scan_root: &Path,
|
|
|
|
|
|
all_findings: &[Diag],
|
|
|
|
|
|
) -> FindingView {
|
|
|
|
|
|
let mut view = finding_from_diag_with_context(index, d, scan_root);
|
|
|
|
|
|
|
|
|
|
|
|
// Evidence (pass through the core type directly)
|
|
|
|
|
|
view.evidence = d.evidence.clone();
|
|
|
|
|
|
view.guard_kind = d.guard_kind.clone();
|
|
|
|
|
|
view.rank_reason = d.rank_reason.clone();
|
|
|
|
|
|
|
|
|
|
|
|
// Sanitizer status
|
|
|
|
|
|
view.sanitizer_status = Some(compute_sanitizer_status(d));
|
|
|
|
|
|
|
|
|
|
|
|
// Related findings: same rule_id OR same file, excluding self, capped at 10
|
|
|
|
|
|
let mut related = Vec::new();
|
|
|
|
|
|
for (i, other) in all_findings.iter().enumerate() {
|
|
|
|
|
|
if i == index {
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
if other.id == d.id || other.path == d.path {
|
|
|
|
|
|
related.push(RelatedFindingView {
|
|
|
|
|
|
index: i,
|
|
|
|
|
|
rule_id: other.id.clone(),
|
|
|
|
|
|
path: other.path.clone(),
|
|
|
|
|
|
line: other.line,
|
|
|
|
|
|
severity: other.severity,
|
|
|
|
|
|
});
|
|
|
|
|
|
if related.len() >= 10 {
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
view.related_findings = related;
|
|
|
|
|
|
|
|
|
|
|
|
view
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Compute the sanitizer status for a diagnostic based on its evidence.
|
|
|
|
|
|
fn compute_sanitizer_status(d: &Diag) -> String {
|
|
|
|
|
|
match &d.evidence {
|
|
|
|
|
|
Some(ev) if !ev.sanitizers.is_empty() => {
|
|
|
|
|
|
if d.suppressed {
|
|
|
|
|
|
"applied".into()
|
|
|
|
|
|
} else {
|
|
|
|
|
|
"bypassed".into()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
_ => "none".into(),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Load surrounding lines of code for a finding.
|
|
|
|
|
|
fn load_code_context(path: &str, line: usize, scan_root: &Path) -> Option<CodeContextView> {
|
|
|
|
|
|
let opened = open_repo_text_file(scan_root, path, DEFAULT_UI_MAX_FILE_BYTES).ok()?;
|
|
|
|
|
|
let content = opened.content;
|
|
|
|
|
|
let all_lines: Vec<&str> = content.lines().collect();
|
|
|
|
|
|
|
|
|
|
|
|
if line == 0 || line > all_lines.len() {
|
|
|
|
|
|
return None;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
let context_radius = 5;
|
|
|
|
|
|
let start = line.saturating_sub(context_radius).max(1);
|
|
|
|
|
|
let end = (line + context_radius).min(all_lines.len());
|
|
|
|
|
|
|
|
|
|
|
|
let lines: Vec<String> = all_lines[start - 1..end]
|
|
|
|
|
|
.iter()
|
|
|
|
|
|
.map(|l| (*l).to_string())
|
|
|
|
|
|
.collect();
|
|
|
|
|
|
|
|
|
|
|
|
Some(CodeContextView {
|
|
|
|
|
|
start_line: start,
|
|
|
|
|
|
lines,
|
|
|
|
|
|
highlight_line: line,
|
|
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ── Scan Comparison Types ────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
|
|
/// Full response from the scan comparison endpoint.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct CompareResponse {
|
|
|
|
|
|
pub left_scan: CompareScanInfo,
|
|
|
|
|
|
pub right_scan: CompareScanInfo,
|
|
|
|
|
|
pub summary: CompareSummary,
|
|
|
|
|
|
pub new_findings: Vec<ComparedFinding>,
|
|
|
|
|
|
pub fixed_findings: Vec<ComparedFinding>,
|
|
|
|
|
|
pub changed_findings: Vec<ChangedFinding>,
|
|
|
|
|
|
pub unchanged_findings: Vec<ComparedFinding>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Minimal scan metadata for comparison headers.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct CompareScanInfo {
|
|
|
|
|
|
pub id: String,
|
|
|
|
|
|
pub started_at: Option<String>,
|
|
|
|
|
|
pub finding_count: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Aggregate counts and severity deltas for a comparison.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct CompareSummary {
|
|
|
|
|
|
pub new_count: usize,
|
|
|
|
|
|
pub fixed_count: usize,
|
|
|
|
|
|
pub changed_count: usize,
|
|
|
|
|
|
pub unchanged_count: usize,
|
|
|
|
|
|
pub severity_delta: HashMap<String, i64>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// A finding annotated with its fingerprint for comparison views.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct ComparedFinding {
|
|
|
|
|
|
pub fingerprint: String,
|
|
|
|
|
|
#[serde(flatten)]
|
|
|
|
|
|
pub finding: FindingView,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// A finding that exists in both scans but with changed properties.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct ChangedFinding {
|
|
|
|
|
|
pub fingerprint: String,
|
|
|
|
|
|
#[serde(flatten)]
|
|
|
|
|
|
pub finding: FindingView,
|
|
|
|
|
|
pub changes: Vec<FieldChange>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// A single field that differs between two scans for the same fingerprint.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct FieldChange {
|
|
|
|
|
|
pub field: String,
|
|
|
|
|
|
pub old_value: String,
|
|
|
|
|
|
pub new_value: String,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Compute a stable fingerprint for a finding based on identity fields.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// The fingerprint is a blake3 hash of (rule_id, file_path, sink_snippet,
|
|
|
|
|
|
/// source_snippet, function_context). Line/col are intentionally excluded
|
|
|
|
|
|
/// so that fingerprints survive code movement.
|
|
|
|
|
|
pub fn compute_fingerprint(d: &Diag) -> String {
|
|
|
|
|
|
let sink_snippet = d
|
|
|
|
|
|
.evidence
|
|
|
|
|
|
.as_ref()
|
|
|
|
|
|
.and_then(|e| e.sink.as_ref())
|
|
|
|
|
|
.and_then(|s| s.snippet.as_deref())
|
|
|
|
|
|
.unwrap_or("");
|
|
|
|
|
|
let source_snippet = d
|
|
|
|
|
|
.evidence
|
|
|
|
|
|
.as_ref()
|
|
|
|
|
|
.and_then(|e| e.source.as_ref())
|
|
|
|
|
|
.and_then(|s| s.snippet.as_deref())
|
|
|
|
|
|
.unwrap_or("");
|
|
|
|
|
|
let func_ctx = d
|
|
|
|
|
|
.evidence
|
|
|
|
|
|
.as_ref()
|
|
|
|
|
|
.and_then(|e| e.flow_steps.iter().find_map(|s| s.function.as_deref()))
|
|
|
|
|
|
.unwrap_or("");
|
|
|
|
|
|
let input = format!(
|
|
|
|
|
|
"{}\0{}\0{}\0{}\0{}",
|
|
|
|
|
|
d.id, d.path, sink_snippet, source_snippet, func_ctx
|
|
|
|
|
|
);
|
|
|
|
|
|
blake3::hash(input.as_bytes()).to_hex().to_string()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Overlay triage states from the database onto a slice of FindingViews.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// For each finding, first checks for an explicit triage state by fingerprint.
|
|
|
|
|
|
/// If none, checks suppression rules in order: fingerprint → rule → rule_in_file → file.
|
|
|
|
|
|
pub fn overlay_triage_states(
|
|
|
|
|
|
views: &mut [FindingView],
|
|
|
|
|
|
triage_map: &std::collections::HashMap<String, (String, String, String)>,
|
|
|
|
|
|
suppression_rules: &[crate::database::index::SuppressionRule],
|
|
|
|
|
|
) {
|
|
|
|
|
|
for view in views.iter_mut() {
|
|
|
|
|
|
if let Some((state, note, _)) = triage_map.get(&view.fingerprint) {
|
|
|
|
|
|
view.triage_state = state.clone();
|
|
|
|
|
|
view.triage_note = note.clone();
|
|
|
|
|
|
view.status = state.clone();
|
|
|
|
|
|
} else {
|
|
|
|
|
|
for rule in suppression_rules {
|
|
|
|
|
|
let matches = match rule.suppress_by.as_str() {
|
|
|
|
|
|
"fingerprint" => view.fingerprint == rule.match_value,
|
|
|
|
|
|
"rule" => view.rule_id == rule.match_value,
|
|
|
|
|
|
"rule_in_file" => {
|
|
|
|
|
|
let key = format!("{}:{}", view.rule_id, view.path);
|
|
|
|
|
|
key == rule.match_value
|
|
|
|
|
|
}
|
|
|
|
|
|
"file" => view.path == rule.match_value,
|
|
|
|
|
|
_ => false,
|
|
|
|
|
|
};
|
|
|
|
|
|
if matches {
|
|
|
|
|
|
view.triage_state = rule.state.clone();
|
|
|
|
|
|
view.triage_note = rule.note.clone();
|
|
|
|
|
|
view.status = rule.state.clone();
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Compute a portable fingerprint using a path relative to scan_root.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// This fingerprint is stable across machines because it strips the absolute
|
|
|
|
|
|
/// path prefix. Used for `.nyx/triage.json` sync files that get committed to git.
|
|
|
|
|
|
pub fn compute_portable_fingerprint(d: &Diag, scan_root: &Path) -> String {
|
|
|
|
|
|
let rel_path = d
|
|
|
|
|
|
.path
|
|
|
|
|
|
.strip_prefix(scan_root.to_string_lossy().as_ref())
|
|
|
|
|
|
.unwrap_or(&d.path)
|
|
|
|
|
|
.trim_start_matches('/');
|
|
|
|
|
|
let sink_snippet = d
|
|
|
|
|
|
.evidence
|
|
|
|
|
|
.as_ref()
|
|
|
|
|
|
.and_then(|e| e.sink.as_ref())
|
|
|
|
|
|
.and_then(|s| s.snippet.as_deref())
|
|
|
|
|
|
.unwrap_or("");
|
|
|
|
|
|
let source_snippet = d
|
|
|
|
|
|
.evidence
|
|
|
|
|
|
.as_ref()
|
|
|
|
|
|
.and_then(|e| e.source.as_ref())
|
|
|
|
|
|
.and_then(|s| s.snippet.as_deref())
|
|
|
|
|
|
.unwrap_or("");
|
|
|
|
|
|
let func_ctx = d
|
|
|
|
|
|
.evidence
|
|
|
|
|
|
.as_ref()
|
|
|
|
|
|
.and_then(|e| e.flow_steps.iter().find_map(|s| s.function.as_deref()))
|
|
|
|
|
|
.unwrap_or("");
|
|
|
|
|
|
let input = format!(
|
|
|
|
|
|
"{}\0{}\0{}\0{}\0{}",
|
|
|
|
|
|
d.id, rel_path, sink_snippet, source_snippet, func_ctx
|
|
|
|
|
|
);
|
|
|
|
|
|
blake3::hash(input.as_bytes()).to_hex().to_string()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Build a summary from a slice of findings.
|
|
|
|
|
|
pub fn summarize_findings(findings: &[Diag]) -> FindingSummary {
|
|
|
|
|
|
let mut summary = FindingSummary {
|
|
|
|
|
|
total: findings.len(),
|
|
|
|
|
|
..Default::default()
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
for d in findings {
|
|
|
|
|
|
let sev_key = d.severity.as_db_str().to_string();
|
|
|
|
|
|
*summary.by_severity.entry(sev_key).or_insert(0) += 1;
|
|
|
|
|
|
*summary
|
|
|
|
|
|
.by_category
|
|
|
|
|
|
.entry(d.category.to_string())
|
|
|
|
|
|
.or_insert(0) += 1;
|
|
|
|
|
|
*summary.by_rule.entry(d.id.clone()).or_insert(0) += 1;
|
|
|
|
|
|
*summary.by_file.entry(d.path.clone()).or_insert(0) += 1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
summary
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ── Overview Types ───────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
|
|
/// Full response for GET /api/overview.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct OverviewResponse {
|
|
|
|
|
|
pub state: String,
|
|
|
|
|
|
pub total_findings: usize,
|
|
|
|
|
|
pub new_since_last: usize,
|
|
|
|
|
|
pub fixed_since_last: usize,
|
|
|
|
|
|
pub high_confidence_rate: f64,
|
|
|
|
|
|
pub triage_coverage: f64,
|
|
|
|
|
|
pub latest_scan_duration_secs: Option<f64>,
|
|
|
|
|
|
pub latest_scan_id: Option<String>,
|
|
|
|
|
|
pub latest_scan_at: Option<String>,
|
|
|
|
|
|
pub by_severity: HashMap<String, usize>,
|
|
|
|
|
|
pub by_category: HashMap<String, usize>,
|
|
|
|
|
|
pub by_language: HashMap<String, usize>,
|
|
|
|
|
|
pub top_files: Vec<OverviewCount>,
|
|
|
|
|
|
pub top_directories: Vec<OverviewCount>,
|
|
|
|
|
|
pub top_rules: Vec<OverviewCount>,
|
|
|
|
|
|
pub noisy_rules: Vec<NoisyRule>,
|
|
|
|
|
|
pub recent_scans: Vec<ScanSummary>,
|
|
|
|
|
|
pub insights: Vec<Insight>,
|
2026-04-29 00:58:38 -04:00
|
|
|
|
|
|
|
|
|
|
// ── Tier 1 ──
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub health: Option<HealthScore>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub posture: Option<PostureSummary>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub backlog: Option<BacklogStats>,
|
|
|
|
|
|
#[serde(default, skip_serializing_if = "Vec::is_empty")]
|
|
|
|
|
|
pub weighted_top_files: Vec<WeightedFile>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub confidence_distribution: Option<ConfidenceDistribution>,
|
|
|
|
|
|
|
|
|
|
|
|
// ── Tier 2 ──
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub scanner_quality: Option<ScannerQuality>,
|
|
|
|
|
|
#[serde(default, skip_serializing_if = "Vec::is_empty")]
|
|
|
|
|
|
pub issue_categories: Vec<IssueCategoryBucket>,
|
|
|
|
|
|
#[serde(default, skip_serializing_if = "Vec::is_empty")]
|
|
|
|
|
|
pub hot_sinks: Vec<HotSink>,
|
|
|
|
|
|
#[serde(default, skip_serializing_if = "Vec::is_empty")]
|
|
|
|
|
|
pub owasp_buckets: Vec<OwaspBucket>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub cross_file_ratio: Option<f64>,
|
|
|
|
|
|
|
|
|
|
|
|
// ── Tier 3 ──
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub baseline: Option<BaselineInfo>,
|
|
|
|
|
|
#[serde(default, skip_serializing_if = "Vec::is_empty")]
|
|
|
|
|
|
pub language_health: Vec<LanguageHealth>,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub suppression_hygiene: Option<SuppressionHygiene>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Composite repo-health rollup.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct HealthScore {
|
|
|
|
|
|
/// 0–100 score; higher is better.
|
|
|
|
|
|
pub score: u8,
|
|
|
|
|
|
/// Letter grade A–F derived from score.
|
|
|
|
|
|
pub grade: String,
|
|
|
|
|
|
/// Sub-component contributions (0–100 each) for transparency.
|
|
|
|
|
|
pub components: Vec<HealthComponent>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Single line item in the health-score breakdown.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct HealthComponent {
|
|
|
|
|
|
/// Human label (e.g. "Severity pressure", "Trend", "Triage").
|
|
|
|
|
|
pub label: String,
|
2026-04-29 19:53:34 -04:00
|
|
|
|
/// 0–100, already inverted so higher = healthier.
|
2026-04-29 00:58:38 -04:00
|
|
|
|
pub score: u8,
|
|
|
|
|
|
/// Weight applied when blending into the final score (0.0–1.0).
|
|
|
|
|
|
pub weight: f64,
|
|
|
|
|
|
/// Short rationale shown in tooltip.
|
|
|
|
|
|
pub detail: String,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// One-line trend posture for the page header.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct PostureSummary {
|
|
|
|
|
|
/// "improving" | "regressing" | "stable" | "unknown"
|
|
|
|
|
|
pub trend: String,
|
|
|
|
|
|
/// "success" | "warning" | "danger" | "info"
|
|
|
|
|
|
pub severity: String,
|
|
|
|
|
|
/// Short message shown verbatim in the banner.
|
|
|
|
|
|
pub message: String,
|
|
|
|
|
|
/// Findings that were previously fixed and have re-appeared.
|
|
|
|
|
|
pub reintroduced_count: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Backlog age statistics computed from finding_first_seen.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct BacklogStats {
|
|
|
|
|
|
/// Days since the oldest still-open finding was first seen.
|
|
|
|
|
|
pub oldest_open_days: Option<u32>,
|
|
|
|
|
|
/// Median age of currently-open findings, in days.
|
|
|
|
|
|
pub median_age_days: Option<u32>,
|
|
|
|
|
|
/// Findings older than 30 days that remain open.
|
|
|
|
|
|
pub stale_count: usize,
|
2026-04-29 19:53:34 -04:00
|
|
|
|
/// Histogram buckets (label, count), fixed 5 buckets.
|
2026-04-29 00:58:38 -04:00
|
|
|
|
pub age_buckets: Vec<OverviewCount>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Top-file row including severity stack for the weighted ranking.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct WeightedFile {
|
|
|
|
|
|
pub name: String,
|
|
|
|
|
|
pub score: u32,
|
|
|
|
|
|
pub high: usize,
|
|
|
|
|
|
pub medium: usize,
|
|
|
|
|
|
pub low: usize,
|
|
|
|
|
|
pub total: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Confidence-level distribution.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, Default)]
|
|
|
|
|
|
pub struct ConfidenceDistribution {
|
|
|
|
|
|
pub high: usize,
|
|
|
|
|
|
pub medium: usize,
|
|
|
|
|
|
pub low: usize,
|
|
|
|
|
|
pub none: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Engine-quality metrics that describe analysis depth/coverage.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct ScannerQuality {
|
|
|
|
|
|
pub files_scanned: u64,
|
|
|
|
|
|
pub files_skipped: u64,
|
2026-04-29 19:53:34 -04:00
|
|
|
|
/// 0.0–1.0, files_scanned / (files_scanned + files_skipped).
|
2026-04-29 00:58:38 -04:00
|
|
|
|
pub parse_success_rate: f64,
|
|
|
|
|
|
pub functions_analyzed: u64,
|
|
|
|
|
|
pub call_edges: u64,
|
|
|
|
|
|
pub unresolved_calls: u64,
|
2026-04-29 19:53:34 -04:00
|
|
|
|
/// 0.0–1.0, call_edges / (call_edges + unresolved_calls).
|
2026-04-29 00:58:38 -04:00
|
|
|
|
pub call_resolution_rate: f64,
|
|
|
|
|
|
/// % of taint findings that received a symbolic verdict (Confirmed|Infeasible|Inconclusive).
|
|
|
|
|
|
pub symex_verified_rate: f64,
|
|
|
|
|
|
/// Count broken down by symbolic verdict label.
|
|
|
|
|
|
pub symex_breakdown: HashMap<String, usize>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// One issue-category bucket (rule-family derived). Broader than OWASP, with
|
|
|
|
|
|
/// engine-friendly labels like "Tainted Flow" or "Code Quality".
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct IssueCategoryBucket {
|
|
|
|
|
|
pub label: String,
|
|
|
|
|
|
pub count: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-29 19:53:34 -04:00
|
|
|
|
/// "Hot sink", a single callee that absorbs many findings.
|
2026-04-29 00:58:38 -04:00
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct HotSink {
|
|
|
|
|
|
/// Callee name (best-effort; from flow_steps last Sink).
|
|
|
|
|
|
pub callee: String,
|
|
|
|
|
|
pub count: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// One OWASP Top-10 (2021) bucket.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct OwaspBucket {
|
2026-04-29 19:53:34 -04:00
|
|
|
|
/// "A01:2021, Broken Access Control" etc.
|
2026-04-29 00:58:38 -04:00
|
|
|
|
pub code: String,
|
|
|
|
|
|
pub label: String,
|
|
|
|
|
|
pub count: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Per-language posture.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct LanguageHealth {
|
|
|
|
|
|
pub language: String,
|
|
|
|
|
|
pub findings: usize,
|
|
|
|
|
|
pub high: usize,
|
|
|
|
|
|
pub medium: usize,
|
|
|
|
|
|
pub low: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Suppression-quality breakdown.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct SuppressionHygiene {
|
|
|
|
|
|
/// Findings explicitly triaged by fingerprint.
|
|
|
|
|
|
pub fingerprint_level: usize,
|
|
|
|
|
|
/// Findings suppressed by rule-level suppression.
|
|
|
|
|
|
pub rule_level: usize,
|
|
|
|
|
|
/// Findings suppressed by file-level suppression.
|
|
|
|
|
|
pub file_level: usize,
|
|
|
|
|
|
/// Findings suppressed by rule-in-file suppression.
|
|
|
|
|
|
pub rule_in_file_level: usize,
|
|
|
|
|
|
/// % of suppressed findings using low-specificity (rule/file/rule_in_file) rules.
|
|
|
|
|
|
pub blanket_rate: f64,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Pinned baseline scan and current drift relative to it.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct BaselineInfo {
|
|
|
|
|
|
pub scan_id: String,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub started_at: Option<String>,
|
|
|
|
|
|
pub baseline_total: usize,
|
|
|
|
|
|
pub drift_new: usize,
|
|
|
|
|
|
pub drift_fixed: usize,
|
Release/0.5.0 (#35)
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures
* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests
* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements
* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles
* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing
* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling
* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures
* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration
* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests
* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic
* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection
* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements
* feat: Enable auth-state analysis by default and update relevant tests in benchmark config
* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test
* docs: update CHANGELOG.md
* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers
* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers
* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse
* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation
* feat: Refactor function parameters and constants for improved clarity and maintainability
* refactor: Reorder module imports and improve formatting for consistency
* refactor: Fix formatting erorrs
* refactor: Fix clippy warnings
* refactor: Fix fmt warnings (again)
* chore: Update dependencies and improve feature configuration
* Add comprehensive tests for undertested modules (#36) (COPILOT)
* Add comprehensive tests for undertested modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
* Add comprehensive tests for ext, project, walk, and errors modules
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: Update dependencies and improve feature configuration
* fix: formatting errors in new tests
* chore: Update license list in about.toml
* chore: made functions input inline
* chore: updated cfg graph to take up the full page
* chore: add Prettier configuration and update code formatting
* Add frontend test suite with Vitest (111 tests) (#37)
* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7
* ci: add frontend test step to CI workflow
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* chore: simplify array initialization in test files for consistency
* ran typecheck
* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage
* feat: update routing in AppLayout and improve empty state message in ExplorerPage
* feat: enhance scan progress tracking with additional metrics and stages
* feat: update license information and add license check script
* feat: implement cross-file symbolic execution with callee body persistence
* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering
* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions
* feat: enhance resource tracking with proxy method summaries and improve finding extraction
* feat: add terminal function exit detection for accurate resource leak analysis
* feat: add warnings for loops and functions without bodies to improve error recovery
* feat: update lambda expression handling to ensure proper function classification and control flow
* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling
* feat: add inline return taint analysis and regression tests for improved security checks
* feat: add engine version management and migration handling for database schema updates
* feat: enhance first_call_ident to skip nested function bodies and add regression tests
* feat: enhance callee name resolution with two-segment normalization and disambiguation
* feat: add cross-file context flags and debug assertions for taint analysis
* feat: refactor taint analysis structure to unify context handling and improve clarity
* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests
* docs: updated CHANGELOG.md
* fmt: formatting fixes
* fix: fixed frontend formatting and lint warnings
* fix: optimized ci
* fix: optimized ci
* Add comprehensive multi-file test coverage to Nyx (#38)
* Initial checklist for multi-file test suite expansion
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* deleted root repo
* rebuilt to test for regressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* feat: enhance import alias resolution and taint tracking
* feat: implement security hardening with CSRF protection and path validation
* feat: add support for import alias bindings in Python, PHP, and Rust
* feat: enhance CFG analysis modes and improve code readability
* feat: add detection for parameterized SQL queries to enhance security
* feat: add safe internal redirect handling and enhance session destroy validation
* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads
* feat: enhance taint detection by adding support for inline source member expressions in call arguments
* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments
* feat: add support for Throw statement in control flow and error handling
* feat: add debug and echo endpoints with potential information leakage
* feat: implement internal redirect suppression and enhance taint detection
* feat: implement module alias tracking for dynamic dispatch in JS/TS
* feat: add authorization analysis module with Express support
* feat: add authorization analysis module with Express support
* feat: add tests for admin guard requirements and clean checks in authorization analysis
* feat: integrate Koa and Fastify frameworks into authorization analysis
* feat: add Flask and Django support to authorization analysis module
* feat: add support for Rails and Sinatra frameworks in authorization analysis
* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis
* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis
* feat: add support for Rails and Sinatra in authorization analysis
* chore: add .DS_Store to .gitignore
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: update usage of Option methods for improved clarity and consistency
* refactor: improve code readability by simplifying conditional checks and formatting
* refactor: improve code formatting and readability by simplifying conditional checks
* refactor: simplify conditional checks and improve readability in multiple files
* refactor: simplify conditional checks in axum.rs for improved readability
* feat: add CodeQL analysis configuration for enhanced security scanning
* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)
* chore: start test coverage improvement work
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* test: add comprehensive tests for src/output.rs SARIF builder
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
* refactor: improve code formatting and readability in output.rs
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>
* refactor: improve code formatting and readability in output.rs
* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: enhance triage file path handling with improved error management and validation
* refactor: updated func summaries for richer detail
* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries
* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution
* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls
* refactor: implement new Flask routes for safe and unsafe shell command execution
* refactor: separate receiver handling in SSA operations and enhance taint propagation
* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments
* refactor: implement auth decorator extraction and classification for multiple languages
* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation
* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic
* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior
* refactor: standardize default struct initialization across multiple files
* feat: add scripts for formatting checks and auto-fixes with test summaries
* refactor: simplify character splitting and enhance namespace qualifier handling
* refactor: improve documentation clarity and enhance code readability in resolver logic
* refactor: replace default struct initialization with explicit field assignments for clarity
* feat: enhance anonymous function naming by deriving context-based bindings
* refactor: streamline match expressions for improved readability and performance
* refactor: streamline match expressions for improved readability and performance
* refactor: replace loop with while let for improved clarity and performance
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: add SSA constant propagation support to analysis context for improved accuracy
* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis
* feat: add static map analysis for command injection suppression and type safety
* refactor: simplify match statements and reduce line breaks for improved readability
* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution
Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.
Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.
Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.
Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.
Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding
Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet. SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.
Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.
Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`. `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters. Dedup key extended with the primary location
so multi-site events aren't collapsed back together.
Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
!= ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
non-empty `file_rel` — the cap-only → None translation upstream
guarantees this.
Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved. A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.
build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.
Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing). All 1566 lib
tests + integration tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(output): phase 3/5 consume primary sink location in diag + SARIF
When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.
Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
resolved back to an absolute path via a shared resolve_file_rel
helper. Empty file_rel (single-file scans where namespace == "")
resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
locations[0] already reflects the primary sink position via the
updated diag line/col.
Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.
Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
inside the closure).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(bench): phase 4/5 validate primary sink attribution across corpus
Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.
Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
Case. When present, score_location_level additionally requires at
least one flow_step in the finding's evidence trace to fall within
±2 of the call-site range. When absent, the check is skipped —
fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
now-primary Diag.line post-phase-3).
Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
transform::wrap call site (a cross-file propagator, not a sink);
line 9 is Command::new, the real sink. The ±2 tolerance happened to
mask this stale attribution but it was semantically wrong — phase 4
is the right time to correct it. Also adds expected_call_site_lines
[8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
This fixture's sink (Command::new inside run_cmd at line 5) was the
motivating case for phases 1-3; adding the call-site assertion
guards against regression to caller-line attribution.
New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
takes two tainted params and invokes two Command sinks on
consecutive lines. Locks in that primary line lands inside the
helper (lines 5-6), not at the caller (line 12). Notes document
that SinkSite is currently one-per-callee so both findings today
collapse onto the first sink; expected_sink_lines=[5,6] and
expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
004): sink os.system lives in helper.py (cross-file), caller in
app.py reads env source and calls run_cmd. Verifies phase 3's
cross-file primary attribution: Diag.path = helper.py, Diag.line =
5, with app.py:7 recorded in flow_steps as a Call step.
Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test
Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body. Asserts the
resulting Finding.primary_location is exactly that triple.
The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file. This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.
Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).
Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor: clean up formatting and improve readability in multiple files
* refactor: simplify type definition for deduplication key in findings
* test(harness): add must_not_match expectation for FP regression guards
Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules
* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking
* feat: update switch statement handling to improve control flow analysis
* feat: implement promisify alias handling for JS/TS to enhance taint tracking
* feat: enhance taint tracking by refining expectation handling and adding mode filtering
* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters
* feat: update taint tracking rules to enforce full mode matching and improve flow analysis
* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis
* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding
* feat: refine framework detection and update expectation handling for Echo and Sinatra
* feat: implement max_count for taint tracking expectations and deduplicate findings
* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files
* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity
* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files
* feat: add structural invariant checks for SSA bodies
* feat: ensure deterministic phi emission order using BTreeSet
* feat: enhance handling of terminators to ensure authoritative flow through successor edges
* feat: enhance Goto terminator handling to ensure all successors are marked executable
* feat: refactor code for improved readability and organization
* feat: simplify predicate checks and enhance readability in SSA handling
* feat: implement per-file parse timeout and enhance file size handling
* feat: migrate analysis engine toggles from environment variables to configuration file
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: remove unnecessary whitespace in hostile_input_tests.rs
* feat: update dependencies and enhance documentation on language maturity
* feat: enhance security headers and improve request body limits
* feat: implement sink capability bits for deduplication and enhance evidence tagging
* feat: implement dynamic activation handling for gated sinks and enhance validation logic
* feat: enhance configuration documentation and clarify inline analysis cache behavior
* feat: implement panic recovery during analysis to continue scans past errors
* feat: add expectations configuration for taint analysis and performance metrics
* feat: enhance error handling and logging during file reading and mutex locking
* feat: add cross-file body loading tests and plumbing for CF-1 phase
* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures
* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality
* feat: enhance classification span handling in CFG and AST for improved source attribution
* feat: add new Express routes for handling user input and telemetry data
* feat: implement ternary expression handling in CFG with diamond structure for JS/TS
* feat: implement Phase CF-3 abstract-domain transfer channels in summaries
* feat: add support for string-prefix transfer in cross-file calls and update tests
* docs: reduce RESULTS.md doc size
* feat: implement Phase CF-4 per-return-path summary decomposition with tests
* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization
* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests
* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests
* refactor: update comments and documentation for clarity and consistency
* style: format code for consistency and readability
* refactor: simplify verdict handling and improve edge checking logic
* refactor: optimize path and identifier collection by avoiding unnecessary cloning
* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults
* refactor: update documentation and improve clarity in configuration files
* refactor: update documentation and improve clarity in configuration files
* feat: add JS/TS pass-2 convergence tests and expectations configuration
* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic
* feat: implement Phase 7 deduplication and alternative path linking for taint findings
* feat: implement structural DFS index for anonymous functions and update naming conventions
* feat: add Phase 8 regression tests for container-element taint in JS and Python
* feat: add engine-depth profiles and explain-engine option for CLI
* feat: update expectations and add new README fixtures for multi-file scan regression
* feat: implement Phase 11 callback-alias and factory patterns with regression tests
* feat: implement Terminator::Switch for multi-way dispatch and add regression tests
* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants
* refactor: extract cfg and ssa_transfer to submodules
* refactor: cargo fmt
* refactor: remove unnecessary blank line in cfg_tests.rs
* refactor: remove unnecessary planning file
* chore: update Rust version to 1.88 and bump dependencies in Cargo files
* feat: enhance triage UI with new layout and controls, update README for clarity
* feat: enhance triage UI with new layout and controls, update README for clarity
* chore: remove outdated section from README for version 0.5.0
* docs: improve clarity and consistency in README content
* chore: add "GPL-3.0-or-later" to license options in about.toml
* chore: update license handling in about.toml and check-licenses.mjs
* style: format code for improved readability in TriagePage component
* style: format code for improved readability in TriagePage component
* chore: enhance license handling and improve body_id scoping in seed lookup
* feat: introduce owner and parent body IDs for enhanced seed scoping
* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating
* feat: add Undef SSA operation for improved control-flow handling
* style: improve code formatting for consistency and readability in multiple files
* feat: add 16-function chain SCC across multiple files for enhanced analysis
* style: simplify code formatting for improved readability in multiple files
* fix: update CapHitReason default implementation and improve README clarity
* docs: enhance README with detailed explanations of taint analysis and limitations
* docs: refine README for clarity and consistency in taint analysis section
* style: improve code formatting for better readability in NewScanModal and scans
* fix: update cargo-about command to use --offline for deterministic license generation
* fix: update cargo-about command to use --offline for deterministic license generation
* ci: add step to prime cargo registry cache for deterministic license generation
* feat: add support for non-sink collections in authorization analysis
* feat: enhance authorization checks with row-level ownership equality and binding tracking
* feat: implement self-scoped user handling and enhance ownership checks
* refactor: simplify assertions and formatting in authorization analysis tests
* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure
* docs: update AI disclosure section for clarity and conciseness
* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure
* feat: enhance authorization analysis with SSA-derived variable type classification
* feat: implement auth_finding_to_diag function for enhanced security diagnostics
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add args_value_refs to CallSite struct for enhanced argument tracking
* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag
* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks
* feat: enhance error message handling in cli_validation_tests for better Windows compatibility
* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration
* feat: enhance release build process with SBOM generation and SLSA provenance
* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: introduce PathFact handling for path safety checks and rejection logic
* feat: update benchmark data and enhance path sanitization logic with new safety checks
* feat: document AI assistance in frontend UI development and human review process
* feat: add return path facts for enhanced path safety checks and update documentation
* chore: update release date for version 0.5.0 in CHANGELOG.md
* chore: clean up ci.yml by removing outdated comments and clarifying steps
* feat: implement cross-language path sanitizers and validators for enhanced security
* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks
* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases
* refactor: simplify conditional formatting and improve code readability in executor and lower modules
* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers
* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests
* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-25 17:59:11 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// A name + count pair for overview top-N lists.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct OverviewCount {
|
|
|
|
|
|
pub name: String,
|
|
|
|
|
|
pub count: usize,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// A rule that has high finding count + high suppression rate.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct NoisyRule {
|
|
|
|
|
|
pub rule_id: String,
|
|
|
|
|
|
pub finding_count: usize,
|
|
|
|
|
|
pub suppression_rate: f64,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Compact scan info for the overview recent-scans list.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct ScanSummary {
|
|
|
|
|
|
pub id: String,
|
|
|
|
|
|
pub status: String,
|
|
|
|
|
|
pub started_at: Option<String>,
|
|
|
|
|
|
pub duration_secs: Option<f64>,
|
|
|
|
|
|
pub finding_count: Option<i64>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// An actionable insight for the overview page.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct Insight {
|
|
|
|
|
|
pub kind: String,
|
|
|
|
|
|
pub message: String,
|
|
|
|
|
|
pub severity: String,
|
|
|
|
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
|
|
|
|
pub action_url: Option<String>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// A single trend data point for GET /api/overview/trends.
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize)]
|
|
|
|
|
|
pub struct TrendPoint {
|
|
|
|
|
|
pub scan_id: String,
|
|
|
|
|
|
pub timestamp: String,
|
|
|
|
|
|
pub total: usize,
|
|
|
|
|
|
pub by_severity: HashMap<String, usize>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Count findings grouped by language.
|
|
|
|
|
|
pub fn by_language_from_findings(findings: &[Diag]) -> HashMap<String, usize> {
|
|
|
|
|
|
let mut map = HashMap::new();
|
|
|
|
|
|
for d in findings {
|
|
|
|
|
|
if let Some(lang) = lang_for_finding_path(&d.path) {
|
|
|
|
|
|
*map.entry(lang).or_insert(0) += 1;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
map
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Extract top N directories by finding count.
|
|
|
|
|
|
pub fn top_directories_from_findings(findings: &[Diag], limit: usize) -> Vec<OverviewCount> {
|
|
|
|
|
|
let mut dir_counts: HashMap<String, usize> = HashMap::new();
|
|
|
|
|
|
for d in findings {
|
|
|
|
|
|
let dir = match d.path.rfind('/') {
|
|
|
|
|
|
Some(i) => &d.path[..i],
|
|
|
|
|
|
None => ".",
|
|
|
|
|
|
};
|
|
|
|
|
|
*dir_counts.entry(dir.to_string()).or_insert(0) += 1;
|
|
|
|
|
|
}
|
|
|
|
|
|
let mut sorted: Vec<_> = dir_counts.into_iter().collect();
|
|
|
|
|
|
sorted.sort_by_key(|b| std::cmp::Reverse(b.1));
|
|
|
|
|
|
sorted.truncate(limit);
|
|
|
|
|
|
sorted
|
|
|
|
|
|
.into_iter()
|
|
|
|
|
|
.map(|(name, count)| OverviewCount { name, count })
|
|
|
|
|
|
.collect()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Sort a HashMap by value descending, take top N, return as OverviewCount.
|
|
|
|
|
|
pub fn top_n_from_map(map: &HashMap<String, usize>, limit: usize) -> Vec<OverviewCount> {
|
|
|
|
|
|
let mut sorted: Vec<_> = map.iter().collect();
|
|
|
|
|
|
sorted.sort_by(|a, b| b.1.cmp(a.1));
|
|
|
|
|
|
sorted
|
|
|
|
|
|
.into_iter()
|
|
|
|
|
|
.take(limit)
|
|
|
|
|
|
.map(|(name, &count)| OverviewCount {
|
|
|
|
|
|
name: name.clone(),
|
|
|
|
|
|
count,
|
|
|
|
|
|
})
|
|
|
|
|
|
.collect()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
|
mod tests {
|
|
|
|
|
|
use super::*;
|
|
|
|
|
|
|
|
|
|
|
|
fn diag_for_path(path: String) -> Diag {
|
|
|
|
|
|
Diag {
|
|
|
|
|
|
path,
|
|
|
|
|
|
line: 1,
|
|
|
|
|
|
col: 1,
|
|
|
|
|
|
severity: Severity::Low,
|
|
|
|
|
|
id: "test.rule".to_string(),
|
|
|
|
|
|
category: FindingCategory::Security,
|
|
|
|
|
|
path_validated: false,
|
|
|
|
|
|
guard_kind: None,
|
|
|
|
|
|
message: None,
|
|
|
|
|
|
labels: Vec::new(),
|
|
|
|
|
|
confidence: None,
|
|
|
|
|
|
evidence: None,
|
|
|
|
|
|
rank_score: None,
|
|
|
|
|
|
rank_reason: None,
|
|
|
|
|
|
suppressed: false,
|
|
|
|
|
|
suppression: None,
|
|
|
|
|
|
rollup: None,
|
|
|
|
|
|
finding_id: String::new(),
|
|
|
|
|
|
alternative_finding_ids: Vec::new(),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
|
|
fn code_context_does_not_read_outside_repo_for_absolute_paths() {
|
|
|
|
|
|
let root = tempfile::tempdir().unwrap();
|
|
|
|
|
|
let outside = tempfile::NamedTempFile::new().unwrap();
|
|
|
|
|
|
std::fs::write(outside.path(), "secret").unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let diag = diag_for_path(outside.path().to_string_lossy().to_string());
|
|
|
|
|
|
let view = finding_from_diag_with_context(0, &diag, root.path());
|
|
|
|
|
|
|
|
|
|
|
|
assert!(view.code_context.is_none());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
|
|
fn code_context_reads_repo_files() {
|
|
|
|
|
|
let root = tempfile::tempdir().unwrap();
|
|
|
|
|
|
let file = root.path().join("src.rs");
|
|
|
|
|
|
std::fs::write(&file, "line1\nline2\n").unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let diag = diag_for_path(file.to_string_lossy().to_string());
|
|
|
|
|
|
let view = finding_from_diag_with_context(0, &diag, root.path());
|
|
|
|
|
|
|
|
|
|
|
|
assert!(view.code_context.is_some());
|
|
|
|
|
|
assert_eq!(view.code_context.unwrap().highlight_line, 1);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|