mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-27 20:29:39 +02:00
553 lines
48 KiB
Markdown
553 lines
48 KiB
Markdown
|
# Nyx Benchmark Results
|
|||
|
|
|
|||
|
|
Current baseline (as of Auth Rule FP-Remediation Phase B5 corpus add, 2026-04-23):
|
|||
|
|
|
|||
|
|
| Metric | File-level | Rule-level | CI floor |
|
|||
|
|
|-----------------------|------------|------------|----------|
|
|||
|
|
| Precision | 0.946 | 0.946 | 0.861 |
|
|||
|
|
| Recall | 1.000 | 0.994 | 0.944 |
|
|||
|
|
| F1 | 0.972 | 0.970 | 0.901 |
|
|||
|
|
|
|||
|
|
Corpus: 305 cases across 10 languages — 267 synthetic + 28 real-CVE cases (14 vulnerable/patched pairs) + 10 auth-rule cases (3 positive + 7 negative). Scanner 0.5.0, full analysis mode. CI floors are unchanged from Phase CF-7; the Auth-B5 delta is within 1 pp and does not warrant tightening.
|
|||
|
|
|
|||
|
|
Machine-readable per-run data lives in `tests/benchmark/results/` (`latest.json` plus dated snapshots). This file is a narrative changelog — only the two most recent phases are kept in full detail; earlier phases are condensed into the history table at the end.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Auth Rule FP Remediation — Phase B5 (2026-04-23)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
Until B5, the `rs.auth.missing_ownership_check` rule (introduced as part of `auth_analysis`) was defended only by `cargo test --test auth_analysis_tests` integration assertions; it had **zero** entries in the benchmark corpus. So precision/recall regressions on auth fixtures wouldn't show up in the headline P/R/F1 numbers, and the Phase A1–A3 / B1–B4 fixture work in `tests/fixtures/auth_analysis/` was invisible to anyone reading `RESULTS.md`. This phase mirrors the relevant Rust auth fixtures into `tests/benchmark/corpus/rust/auth/`, adds ground-truth cases for each, and surfaces the resulting `auth` vuln-class metrics in the by-class breakdown.
|
|||
|
|
|
|||
|
|
### What changed
|
|||
|
|
|
|||
|
|
- **10 new fixtures** copied to `tests/benchmark/corpus/rust/auth/` (mirrors of the integration fixtures — keep both in sync when fixtures evolve).
|
|||
|
|
- **Ground truth**: 10 new cases (`rs-auth-001` … `rs-auth-003` positive, `rs-auth-101` … `rs-auth-107` negative); `corpus_size` bumped 295 → 305.
|
|||
|
|
- **Positive cases** assert `expected_rule_ids: ["rs.auth.missing_ownership_check"]` and `expected_sink_lines` pinned to the specific call line; one of them (`rs-auth-002`) is the Phase-A "true positive control" mandated by the FP-remediation plan.
|
|||
|
|
- **Negative cases** assert `is_vulnerable: false` + `forbidden_rule_ids: ["rs.auth.missing_ownership_check"]` (the schema's noise-budget-zero shape), one per Phase A1/A2/A3/B2/B3/B4 fixture so each regression has a dedicated wire.
|
|||
|
|
- **Regression thresholds unchanged**: floors stay at `P≥0.861 R≥0.944 F1≥0.901`.
|
|||
|
|
|
|||
|
|
### Auth Corpus
|
|||
|
|
|
|||
|
|
| Case ID | Fixture | Phase covered | Vulnerable | Why it's in the corpus |
|
|||
|
|
|--------------|----------------------------------------------|---------------|------------|------------------------|
|
|||
|
|
| rs-auth-001 | actix_scoped_write_missing.rs | regression | yes | Original positive baseline — must keep flagging |
|
|||
|
|
| rs-auth-002 | true_positive_missing_check.rs | A control | yes | Phase A's positive control — must still flag after every FP fix |
|
|||
|
|
| rs-auth-003 | row_ownership_no_early_exit.rs | A2 guard | yes | Equality without early exit — A2 must NOT silence this |
|
|||
|
|
| rs-auth-101 | hashmap_local_noise.rs | A1 | no | std::collections noise — A1 receiver-type/var gate suppresses |
|
|||
|
|
| rs-auth-102 | helper_scoped_params.rs | A1 | no | Library helper with locally-bound HashSet — A1 suppresses |
|
|||
|
|
| rs-auth-103 | row_ownership_equality.rs | A2 | no | `if owner_id != user.id { return … }` covers downstream column reads |
|
|||
|
|
| rs-auth-104 | self_scoped_user.rs | A3 | no | `let user = require_auth(..).await?` — `user.id` is self, not a foreign id |
|
|||
|
|
| rs-auth-105 | db_connection_type_inferred.rs | B2 | no | SSA-derived `DatabaseConnection` type drives sink classification |
|
|||
|
|
| rs-auth-106 | sql_join_acl.rs | B3 | no | `JOIN group_members WHERE gm.user_id = ?1` makes returned rows membership-gated |
|
|||
|
|
| rs-auth-107 | transitive_helper.rs | B4 | no | Helper-summary lifting recognises `validate_target(group_id, user.id)` as an auth check |
|
|||
|
|
|
|||
|
|
### Delta
|
|||
|
|
|
|||
|
|
Aggregate rule-level metrics on the 305-case corpus: **P = 0.946, R = 0.994, F1 = 0.970** (vs Phase 15's `P = 0.945, R = 0.994, F1 = 0.969` on 295 cases — auth cases all hit P=1.0 R=1.0 and net to 3 TP + 7 TN, lifting precision by 1 pp via dilution). The new `by_vuln_class` row is `auth: TP=3 FP=0 FN=0 TN=0 P=1.000 R=1.000 F1=1.000`; the seven negatives roll into the existing `safe` class. The Rust per-language line moves from **TP=22 FP=0 FN=0 TN=13** (before) to **TP=25 FP=0 FN=0 TN=20** (after).
|
|||
|
|
|
|||
|
|
### Notes
|
|||
|
|
|
|||
|
|
- Fixture mirroring is an explicit choice over a symlink: `scan_corpus_file` copies the case into a tempdir before scanning, and absolute symlinks would break that path. When the integration fixture changes, copy the new file into the corpus mirror as well.
|
|||
|
|
- The negative cases are the regression wires for the FP-remediation work. Each one corresponds to a phase landed in the project memory tracker; if a future change reintroduces the FP, the matching `rs-auth-1xx` case flips to FP and the Rust precision drops below the floor.
|
|||
|
|
- `actix_scoped_write_missing.rs` is the only auth fixture that overlaps the "generic_ownership_check_is_consistent_across_languages" integration test — keep both wires alive (the integration test exercises the multi-language consistency, the bench wire defends the precision number).
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase 15 — Real-CVE language-gap expansion (2026-04-23)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
Phase 13 and Phase 14 covered 9 CVEs across Python, JavaScript, TypeScript, Go, Java, Ruby, and PHP — every Stable and Beta tier language. The Preview-tier languages (C, C++) had zero real-CVE coverage, so the memory-safety and command-injection pattern rules for those languages were defended only by synthetic micro-fixtures. Phase 15 fills that gap with 4 Preview-tier CVEs (2 C, 2 C++) and adds a second Java CVE in the Runtime.exec class (to complement the existing Commons Collections deserialization case). Rust was considered but dropped: its code-quality pattern rules (`rs.memory.*`, `rs.quality.*`) are not CVE-class, and the taint-flow sink set (sqlx / rusqlite / diesel / reqwest / `std::process::Command`) did not yield a permissive-licensed, well-documented CVE reducible to ~30 LOC with a clean patched variant. Go was considered for a second CVE but dropped: idiomatic prepared statements make Go SQLi CVEs rare, `gob` decoding is niche, and published `InsecureSkipVerify` CVEs mostly describe receiver-side TLS bypass rather than the client-side pattern the rule detects.
|
|||
|
|
|
|||
|
|
### What changed
|
|||
|
|
|
|||
|
|
- **Five additional CVE pairs** added to `tests/benchmark/cve_corpus/` (10 fixture files, vulnerable + patched per CVE). Same header convention, same minimal-reproducer discipline, same `provenance: "real_cve"` marker. First entries ever for `cve_corpus/c/` and `cve_corpus/cpp/`.
|
|||
|
|
- **Ground truth**: 10 new cases; `corpus_size` bumped 285 → 295. Vulnerable fixtures assert on an `expected_rule_ids` entry (the pattern-rule that fires on the disclosed sink) plus `taint-unsanitised-flow` as an acceptable alternative. Patched fixtures assert on `forbidden_rule_ids` (the CVE's class-specific rule plus the cross-cutting taint ID) so Nyx does not refire on the fix.
|
|||
|
|
- **No harness changes**: the `cve_corpus/` path resolution and `real_cve` provenance scaffolding landed in Phase 13; Phase 15 is pure fixture + ground-truth expansion.
|
|||
|
|
- **Regression thresholds unchanged**: floors stay at `P≥0.861 R≥0.944 F1≥0.901`.
|
|||
|
|
|
|||
|
|
### Real-CVE Corpus
|
|||
|
|
|
|||
|
|
| CVE | Language | Project | License | Vuln class | Vulnerable outcome | Patched outcome |
|
|||
|
|
|------------------|------------|------------------------------|----------------------|------------------|--------------------|-----------------|
|
|||
|
|
| CVE-2023-48022 | Python | Ray | Apache-2.0 | CMDI | TP (rule + line) | TN |
|
|||
|
|
| CVE-2017-18342 | Python | PyYAML | MIT | Deserialization | TP (rule + line) | TN |
|
|||
|
|
| CVE-2019-14939 | JavaScript | mongo-express | MIT | code_exec | TP (rule + line) | TN |
|
|||
|
|
| CVE-2023-26159 | TypeScript | follow-redirects | MIT | SSRF | TP (rule + line) | TN |
|
|||
|
|
| CVE-2022-30323 | Go | hashicorp/go-getter | MPL-2.0 | CMDI | TP (rule + line) | TN |
|
|||
|
|
| CVE-2015-7501 | Java | Apache Commons Collections | Apache-2.0 | Deserialization | TP (rule + line) | TN |
|
|||
|
|
| CVE-2013-0156 | Ruby | Ruby on Rails | MIT | Deserialization | TP (rule) | TN |
|
|||
|
|
| CVE-2017-9841 | PHP | PHPUnit | BSD-3-Clause | code_exec | TP (rule + line) | TN |
|
|||
|
|
| CVE-2018-15133 | PHP | Laravel | MIT | Deserialization | TP (rule + line) | TN |
|
|||
|
|
| CVE-2016-3714 | C | ImageMagick (ImageTragick) | ImageMagick License | CMDI | TP (rule + line) | TN |
|
|||
|
|
| CVE-2019-18634 | C | sudo (pwfeedback) | ISC | memory_safety | TP (rule + line) | TN |
|
|||
|
|
| CVE-2019-13132 | C++ | ZeroMQ libzmq | MPL-2.0 | memory_safety | TP (rule + line) | TN |
|
|||
|
|
| CVE-2022-1941 | C++ | Protocol Buffers | BSD-3-Clause | memory_safety | TP (rule + line) | TN |
|
|||
|
|
| CVE-2017-12629 | Java | Apache Solr | Apache-2.0 | CMDI | TP (rule + line) | TN |
|
|||
|
|
|
|||
|
|
New-in-Phase-15 detail:
|
|||
|
|
|
|||
|
|
- **CVE-2016-3714** (ImageMagick "ImageTragick" delegate RCE). Vulnerable fixture: user-controlled filename is substituted into a shell template and handed to `system()` — Nyx fires `c.cmdi.system` at the documented sink line. Patched fixture: in-process coder + basename check, no `system()` path — zero findings.
|
|||
|
|
- **CVE-2019-18634** (sudo pwfeedback stack overflow). Vulnerable fixture: stdin-sourced token `strcpy`'d into a fixed on-stack feedback buffer — Nyx fires `c.memory.strcpy`. Patched fixture: a bounded `copy_bounded` helper replaces the unchecked copy — zero findings.
|
|||
|
|
- **CVE-2019-13132** (ZeroMQ libzmq V2 metadata overflow). Vulnerable fixture: peer-controlled bytes `strcpy`'d into a fixed on-stack identity buffer, mirroring the ZMTP v2 decode path — Nyx fires `cpp.memory.strcpy`. Patched fixture: bounded `std::string.assign` + hard length cap — zero findings.
|
|||
|
|
- **CVE-2022-1941** (Protocol Buffers C++ `ParseContext` unknown-field overflow). Vulnerable fixture: wire-declared length trusted and `strcpy`'d into a scratch buffer — Nyx fires `cpp.memory.strcpy`. Patched fixture: bounded `std::string.assign` + `MAX_LABEL` cap — zero findings.
|
|||
|
|
- **CVE-2017-12629** (Apache Solr XSLT response writer RCE). Vulnerable fixture: `req.getParameter("tr") → Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","xsltproc "+tr})` — Nyx fires `java.cmdi.runtime_exec` and `taint-unsanitised-flow` (source line 29 → sink line 33). Patched fixture: fixed allowlist of transformer names mapped to classpath resources, no `Runtime.exec` path — zero findings.
|
|||
|
|
|
|||
|
|
Per-CVE precision/recall: each vulnerable case contributes 1 TP (Java CVE-2017-12629 contributes 2 — pattern-rule + taint edge) and its patched sibling 1 TN, so per-CVE precision and recall are both 1.000 at the rule level.
|
|||
|
|
|
|||
|
|
### Delta
|
|||
|
|
|
|||
|
|
Aggregate rule-level F1 on the 295-case corpus is **0.969** (P=**0.945**, R=**0.994**), a +0.001 delta vs the Phase 14 baseline (F1=0.968, P=0.944, R=0.994). File-level F1 **0.972** (P=0.945, R=1.000). The precision win is the ten new cases contributing 10 TP + 5 TN with no spurious firings on the fixes, diluting the existing FP rate slightly.
|
|||
|
|
|
|||
|
|
### Notes on selection
|
|||
|
|
|
|||
|
|
Phase 15 followed the same criteria as Phase 13/14: publicly disclosed CVE with a stable NVD advisory URL, vulnerability class already covered by a Nyx pattern rule so the vulnerable fixture produces a concrete `expected_rule_ids` hit (not just a generic `taint-unsanitised-flow`), extractable to ~30 LOC, permissive upstream license. The C/C++ picks target the two most abundant CVE classes for those languages — unchecked-copy memory-safety bugs (`strcpy` / `sprintf`-family) and shell-injection command-execution (`system()`-family). Each picked CVE is a well-known, historically damaging bug: ImageTragick mass-exploited image-upload endpoints in 2016, sudo pwfeedback gave any local user root on default-configured Linux distros in 2019, libzmq CVE-2019-13132 was pre-auth RCE on curve-disabled sockets, protobuf CVE-2022-1941 exposed every gRPC or Envoy binary decoding untrusted bytes, and Solr CVE-2017-12629 was a flagship unauthenticated-RCE vector for the entire Lucene / Solr fleet. Fixtures are minimal reproducers of the unsafe sink pattern, with explicit disclaimers — they are not verbatim excerpts of upstream internals.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase 14 — Real-CVE corpus expansion (2026-04-23)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
Phase 13 seeded the real-CVE subtree with one CVE per stable-tier language (Python / JavaScript / TypeScript). Six fixtures is enough to demonstrate the mechanism but not enough to defend the Beta- and Preview-tier languages against regressions on real-world code. Phase 14 extends the subtree to cover Go, Java, Ruby, and PHP, plus a second Python CVE in a different vulnerability class (deserialization, not CMDI). The goal is the same as Phase 13: regression protection on demonstrably real disclosed bugs, not synthetic analogues.
|
|||
|
|
|
|||
|
|
### What changed
|
|||
|
|
|
|||
|
|
- **Six additional CVE pairs** added to `tests/benchmark/cve_corpus/` (12 fixture files, vulnerable + patched per CVE). Same header convention, same minimal-reproducer discipline, same `provenance: "real_cve"` marker.
|
|||
|
|
- **Ground truth**: 12 new cases; `corpus_size` bumped 273 → 285. Vulnerable fixtures assert on an `expected_rule_ids` entry (the pattern-rule that fires on the disclosed sink) plus `taint-unsanitised-flow` as an acceptable alternative. Patched fixtures assert on `forbidden_rule_ids` (the CVE's class-specific rule) so Nyx does not refire on the fix.
|
|||
|
|
- **No harness changes**: the `cve_corpus/` path resolution and `real_cve` provenance scaffolding landed in Phase 13; Phase 14 is pure fixture + ground-truth expansion.
|
|||
|
|
- **Regression thresholds unchanged**: floors stay at `P≥0.861 R≥0.944 F1≥0.901`.
|
|||
|
|
|
|||
|
|
### Real-CVE Corpus
|
|||
|
|
|
|||
|
|
| CVE | Language | Project | License | Vuln class | Vulnerable outcome | Patched outcome |
|
|||
|
|
|------------------|------------|------------------------------|--------------|------------------|--------------------|-----------------|
|
|||
|
|
| CVE-2023-48022 | Python | Ray | Apache-2.0 | CMDI | TP (rule + line) | TN |
|
|||
|
|
| CVE-2017-18342 | Python | PyYAML | MIT | Deserialization | TP (rule + line) | TN |
|
|||
|
|
| CVE-2019-14939 | JavaScript | mongo-express | MIT | code_exec | TP (rule + line) | TN |
|
|||
|
|
| CVE-2023-26159 | TypeScript | follow-redirects | MIT | SSRF | TP (rule + line) | TN |
|
|||
|
|
| CVE-2022-30323 | Go | hashicorp/go-getter | MPL-2.0 | CMDI | TP (rule + line) | TN |
|
|||
|
|
| CVE-2015-7501 | Java | Apache Commons Collections | Apache-2.0 | Deserialization | TP (rule + line) | TN |
|
|||
|
|
| CVE-2013-0156 | Ruby | Ruby on Rails | MIT | Deserialization | TP (rule) | TN |
|
|||
|
|
| CVE-2017-9841 | PHP | PHPUnit | BSD-3-Clause | code_exec | TP (rule + line) | TN |
|
|||
|
|
| CVE-2018-15133 | PHP | Laravel | MIT | Deserialization | TP (rule + line) | TN |
|
|||
|
|
|
|||
|
|
New-in-Phase-14 detail:
|
|||
|
|
|
|||
|
|
- **CVE-2017-18342** (PyYAML `yaml.load` default loader). Vulnerable fixture: `request.get_data → yaml.load` — Nyx fires `py.deser.yaml_load` and `taint-unsanitised-flow` at the documented sink line. Patched fixture: `yaml.safe_load` — zero findings.
|
|||
|
|
- **CVE-2022-30323** (hashicorp/go-getter URL → git argv injection). Vulnerable fixture: `r.URL.Query().Get("src") → exec.Command("git", "clone", url, ...)` — Nyx fires `go.cmdi.exec_command` and `taint-unsanitised-flow`. Patched fixture: scheme allowlist + in-process go-git `PlainClone` removes the `exec.Command` path entirely — zero findings.
|
|||
|
|
- **CVE-2015-7501** (Apache Commons Collections `InvokerTransformer` gadget chain). Vulnerable fixture: `req.getInputStream → new ObjectInputStream(...).readObject()` — Nyx fires `java.deser.readobject` and `taint-unsanitised-flow`. Patched fixture: Jackson JSON codec replaces native Java deserialization — zero findings.
|
|||
|
|
- **CVE-2013-0156** (Rails XML-params YAML tag RCE). Vulnerable fixture: `YAML.load(params[:prefs])` — Nyx fires `rb.deser.yaml_load` (no taint edge because Ruby `params[...]` is not currently labeled as a taint source; the AST pattern is what catches this class). Patched fixture: `JSON.parse` replaces `YAML.load` — zero findings.
|
|||
|
|
- **CVE-2017-9841** (PHPUnit `eval-stdin.php` webshell). Vulnerable fixture: `file_get_contents('php://input') → eval(...)` — Nyx fires `php.code_exec.eval` and `taint-unsanitised-flow`. Patched fixture: SAPI guard and the eval sink removed — zero findings.
|
|||
|
|
- **CVE-2018-15133** (Laravel cookie `unserialize` on leaked APP_KEY). Vulnerable fixture: `$_COOKIE['XSRF-TOKEN'] → base64_decode → unserialize` — Nyx fires `php.deser.unserialize` and `taint-unsanitised-flow`. Patched fixture: HMAC-verified JSON payload — zero findings.
|
|||
|
|
|
|||
|
|
Per-CVE precision/recall: each vulnerable case contributes 1 TP and its patched sibling 1 TN, so per-CVE precision and recall are both 1.000 at the rule level.
|
|||
|
|
|
|||
|
|
### Delta
|
|||
|
|
|
|||
|
|
Aggregate rule-level F1 on the 285-case corpus is **0.968** (P=**0.944**, R=**0.994**), a +0.001 delta vs the Phase 13 baseline (F1=0.967, P=0.942, R=0.994). File-level F1 **0.971** (P=0.944, R=1.000). The precision win is the twelve new cases contributing 6 TP + 6 TN with no spurious firings on the fixes, diluting the existing FP rate slightly.
|
|||
|
|
|
|||
|
|
### Notes on selection
|
|||
|
|
|
|||
|
|
Phase 14's picks followed the Phase 13 criteria: publicly disclosed CVE with a known patch, vulnerability class already covered by a Nyx pattern rule (so the vulnerable fixture produces a concrete `expected_rule_ids` hit, not just a generic `taint-unsanitised-flow`), extractable to ~30 LOC, permissive upstream license. Each added CVE is a well-known, historically damaging bug — mass-scanned webshells (PHPUnit 2017), pre-auth RCE on every Rails app (2013-0156), the original Java deserialization gadget chain (Commons Collections 2015), the go-getter fleet-wide Terraform/Packer/Nomad/Vault exposure (2022), and a textbook Laravel cookie-forgery chain (2018).
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase 13 — Real-CVE replay corpus (2026-04-23)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
The corpus up to Phase CF-7 was 267 synthetic micro-fixtures (8–20 LOC each). A 95% F1 on toy code does not imply a 95% F1 on real applications. Phase 13 adds a small number of *real* historical CVEs — vulnerable code extracted from the patched upstream project and held under a stable expected rule — so the benchmark floor is now defended by regression protection on demonstrably real bugs, not just synthetic analogues.
|
|||
|
|
|
|||
|
|
### What changed
|
|||
|
|
|
|||
|
|
- **New subtree**: `tests/benchmark/cve_corpus/<lang>/<CVE-ID>/` with a `vulnerable.*` and a `patched.*` file per CVE. Each file carries a header comment with the CVE ID, upstream project, upstream license, and advisory link.
|
|||
|
|
- **Harness**: `tests/benchmark_test.rs::scan_corpus_file` now resolves any `file` entry whose path starts with `cve_corpus/` from the `benchmark_dir` (one level above `corpus/`) instead of the synthetic-corpus root. The change is a single if-branch; all existing synthetic cases are unaffected.
|
|||
|
|
- **Ground truth**: six new cases added with `provenance: "real_cve"`. Vulnerable fixtures assert on `expected_rule_ids`; patched fixtures assert on `forbidden_rule_ids` so Nyx does not *refire* on the fix.
|
|||
|
|
- **Regression thresholds unchanged**: floors stay at `P≥0.861 R≥0.944 F1≥0.901`. The Phase 13 rule-level F1 delta is +0.001 against the CF-7 baseline — the repo's policy ("tighten on durable, measurable improvements") does not justify movement on a corpus-expansion phase.
|
|||
|
|
|
|||
|
|
### Real-CVE Corpus
|
|||
|
|
|
|||
|
|
| CVE | Language | Project | License | Vuln class | Vulnerable outcome | Patched outcome |
|
|||
|
|
|------------------|------------|-----------------|------------|------------|--------------------|-----------------|
|
|||
|
|
| CVE-2023-48022 | Python | Ray | Apache-2.0 | CMDI | TP (rule + line) | TN |
|
|||
|
|
| CVE-2019-14939 | JavaScript | mongo-express | MIT | code_exec | TP (rule + line) | TN |
|
|||
|
|
| CVE-2023-26159 | TypeScript | follow-redirects | MIT | SSRF | TP (rule + line) | TN |
|
|||
|
|
|
|||
|
|
- **CVE-2023-48022** (Ray job-submission RCE). Vulnerable fixture: `request.get_json → os.system` with shell concatenation — Nyx fires `py.cmdi.os_system` and the cross-cutting `taint-unsanitised-flow` at the documented sink line. Patched fixture: `shlex.split → subprocess.run(argv, shell=False)` — zero findings.
|
|||
|
|
- **CVE-2019-14939** (mongo-express `/checkValid` eval RCE). Vulnerable fixture: `req.body.document → eval("(" + document + ")")` — Nyx fires `js.code_exec.eval` and `taint-unsanitised-flow`. Patched fixture: `EJSON.parse(document)` inside a try/catch — zero findings.
|
|||
|
|
- **CVE-2023-26159** (follow-redirects credential-leak / SSRF surface). Vulnerable fixture: `req.query.url → axios.get(target)` — Nyx fires `taint-unsanitised-flow` (no TypeScript SSRF-specific rule ID is emitted on this sink, which matches the rest of the TS SSRF corpus). Patched fixture: allowlist check over the parsed host + fixed internal URL handed to axios — zero findings.
|
|||
|
|
|
|||
|
|
Per-CVE precision/recall: each vulnerable case contributes 1 TP (and its patched sibling 1 TN), so per-CVE precision and recall are both 1.000 at the rule level.
|
|||
|
|
|
|||
|
|
### Delta
|
|||
|
|
|
|||
|
|
Aggregate rule-level F1 on the new 273-case corpus is 0.967 (P=0.942, R=0.994) — a hair above the pre-Phase-13 baseline of 0.966, and materially above the rule-level precision floor (0.894). The win is concentrated in honest regression protection on real code; precision edges up because the six new cases contribute 3 TP + 3 TN and no spurious firings on the fixes.
|
|||
|
|
|
|||
|
|
### Notes on selection
|
|||
|
|
|
|||
|
|
The starter set is intentionally small (1 CVE per stable-tier language, vulnerable + patched pair per CVE). Criteria applied when choosing each CVE: publicly disclosed with a known patch, vulnerability class that Nyx's existing rules cover (CMDI / code_exec / SSRF), extractable to ~30 LOC of representative code, permissive upstream license (Apache-2.0 / MIT) so the attribution header is sufficient. Fixtures are minimal reproducers of the *unsafe sink pattern*, not verbatim excerpts of upstream internals — the goal is regression protection on the documented pattern, not re-running the original exploit end-to-end.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase CF-7 — Demand-driven backwards analysis (2026-04-22)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
The forward taint engine proceeds source-to-sink, spending budget on
|
|||
|
|
every function the source might touch. Its precision ceiling is fixed
|
|||
|
|
by what summaries + inline re-analysis can preserve on every edge of a
|
|||
|
|
flow — a single lossy edge drops the finding. This phase adds the
|
|||
|
|
opposite direction: start at each sink value and walk *reverse* SSA
|
|||
|
|
edges (and cross-file callee bodies via
|
|||
|
|
`GlobalSummaries.bodies_by_key`) until a source is reached, the
|
|||
|
|
accumulated predicate renders the flow infeasible, or a budget is
|
|||
|
|
exhausted. Off by default; benchmark is neutral.
|
|||
|
|
|
|||
|
|
### Changes
|
|||
|
|
|
|||
|
|
1. **`src/taint/backwards.rs`** — new module with the core types:
|
|||
|
|
`DemandState` (sink-side demand: caps + validated-predicate bits +
|
|||
|
|
cross-function depth), `BackwardFlow` (the reached verdict per
|
|||
|
|
walked value), `BackwardsCtx` (minimal driver-inputs view),
|
|||
|
|
`FindingVerdict` (Confirmed / Inconclusive / Infeasible /
|
|||
|
|
BudgetExhausted), and the `analyse_sink_backwards` driver. The
|
|||
|
|
backwards transfer handles every `SsaOp` variant — `Assign`/`Phi`
|
|||
|
|
fan out to operands, `Call` tries cross-file body expansion before
|
|||
|
|
falling back to arg-fanout, `Source`/`Const`/`Param`/`CatchParam`
|
|||
|
|
terminate. Source recognition also consults the defining CFG
|
|||
|
|
node's `DataLabel::Source(_)` so Python-style call-sites like
|
|||
|
|
`request.args.get` are treated as source terminals. Budgets:
|
|||
|
|
`DEFAULT_BACKWARDS_DEPTH = 2`, `BACKWARDS_VALUE_BUDGET = 1024`,
|
|||
|
|
`MAX_BACKWARDS_CALLEE_BLOCKS = 500`.
|
|||
|
|
2. **Finding annotation** (`src/taint/mod.rs`): after forward taint
|
|||
|
|
and symex complete, if `analysis.engine.backwards_analysis` is on,
|
|||
|
|
the pass walks each finding's sink and writes its verdict onto
|
|||
|
|
`Finding.symbolic.cutoff_notes` via `annotate_finding`. Placed
|
|||
|
|
after symex so its witness-style `symbolic` output survives;
|
|||
|
|
backwards layers `backwards-confirmed` / `backwards-infeasible` /
|
|||
|
|
`backwards-budget-exhausted` onto the notes vector.
|
|||
|
|
3. **Confidence integration** (`src/evidence.rs`):
|
|||
|
|
`compute_taint_confidence` treats `backwards-confirmed` as a
|
|||
|
|
`+1` signal and `backwards-infeasible` as a `-3` penalty (a
|
|||
|
|
smaller-magnitude signal than the symex verdict, which reasons
|
|||
|
|
about concrete payloads). `compute_confidence_limiters` surfaces
|
|||
|
|
infeasible/budget verdicts as user-readable strings.
|
|||
|
|
4. **Switch surfaces**: new `AnalysisOptions.backwards_analysis` field
|
|||
|
|
(default `false`), CLI pair
|
|||
|
|
`--backwards-analysis / --no-backwards-analysis`, and legacy
|
|||
|
|
env-var `NYX_BACKWARDS=1`. Same tri-state pattern as the other
|
|||
|
|
engine toggles.
|
|||
|
|
5. **Docs** (`docs/advanced-analysis.md`): new "Demand-driven
|
|||
|
|
analysis" section documents the pass, how to enable it, and the
|
|||
|
|
first-cut limitations (no reverse-call-graph expansion past
|
|||
|
|
`ReachedParam`; constraint pruning uses predicate-summary bits
|
|||
|
|
only, not the full SMT backend; depth-bounded at k=2).
|
|||
|
|
|
|||
|
|
### Test coverage
|
|||
|
|
|
|||
|
|
* **Unit tests** (`src/taint/backwards.rs` — 12 tests): demand-state
|
|||
|
|
seeding, backward transfer per op (`Source`, `Const`, `Param`,
|
|||
|
|
`Assign`, `Phi`), driver end-to-end on a trivial
|
|||
|
|
Source→Assign→sink body, phi fan-out producing per-predecessor
|
|||
|
|
flows, verdict aggregation (`Confirmed` beats `Infeasible`), and
|
|||
|
|
`annotate_finding` idempotence + inconclusive no-op.
|
|||
|
|
* **Integration** (`tests/backwards_analysis_tests.rs` + 4 fixtures):
|
|||
|
|
`demand_driven_reach_source` confirms a SQL-injection source is
|
|||
|
|
reached and picks up `backwards-confirmed` when the switch is on;
|
|||
|
|
`demand_driven_prove_infeasible` locks in first-cut structural
|
|||
|
|
behaviour (SMT-backed prune is a follow-up); `demand_driven_catch_new_fn`
|
|||
|
|
locks in the first-cut ReachedParam termination; `demand_driven_no_source`
|
|||
|
|
regression-guards against synthetic findings on source-free code. A
|
|||
|
|
fifth sub-case asserts backwards OFF is a strict no-op (no
|
|||
|
|
annotations appear).
|
|||
|
|
|
|||
|
|
### Benchmark delta
|
|||
|
|
|
|||
|
|
Off-by-default posture preserves the benchmark floor byte-for-byte
|
|||
|
|
(P=0.940, R=0.994, F1=0.966 rule-level; P=0.941, R=1.000, F1=0.970
|
|||
|
|
file-level). On-path precision improvements require two follow-ups:
|
|||
|
|
reverse-call-graph expansion for flows that escape a function's
|
|||
|
|
`ReachedParam` boundary, and full SMT integration for the infeasible
|
|||
|
|
path class. Both are tracked as CF-7 follow-up work; the
|
|||
|
|
off-by-default switch lets operators opt in without disturbing CI.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase CF-6 — Parameter-granularity points-to summaries (2026-04-22)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
Prior to CF-6, the cross-file summary channel had no way to express
|
|||
|
|
"callee mutates a shared heap object through one parameter so another
|
|||
|
|
parameter's alias sees the new taint." Container-op patterns (`push`,
|
|||
|
|
`set`, …) were already captured through `param_to_container_store`, but
|
|||
|
|
direct field writes — `obj.x = val` — fell outside
|
|||
|
|
`classify_container_op`'s recognised-method list, so a common class of
|
|||
|
|
flow (void helper that stores through a parameter) was invisible to
|
|||
|
|
cross-file taint. Whole-program points-to is out of scope for a
|
|||
|
|
security scanner; a minimal parameter-granularity summary closes the
|
|||
|
|
real flows at a negligible cost.
|
|||
|
|
|
|||
|
|
### Changes
|
|||
|
|
|
|||
|
|
1. **`PointsToSummary` data type** (`src/summary/points_to.rs`):
|
|||
|
|
bounded `SmallVec<[AliasEdge; 4]>` of directed `(source, target,
|
|||
|
|
kind)` edges where endpoints are `AliasPosition::Param(u32)` or
|
|||
|
|
`AliasPosition::Return` and `AliasKind` is `MayAlias` only for CF-6.
|
|||
|
|
Edge count is capped at `MAX_ALIAS_EDGES = 8`; overflow sets an
|
|||
|
|
`overflow` flag that callers honour as "any param aliases any other
|
|||
|
|
param and the return" — the conservative greatest-lower-bound over
|
|||
|
|
the alias lattice.
|
|||
|
|
2. **Intra-procedural analysis** (`src/ssa/param_points_to.rs`): a
|
|||
|
|
single bounded pass over the SSA body. For each `SsaOp::Assign`
|
|||
|
|
whose `var_name` is a dotted/indexed path, we resolve the root base
|
|||
|
|
to a formal-parameter index via `formal_param_names` (authoritative
|
|||
|
|
declaration-order map) and trace the RHS through Assign/Phi chains to
|
|||
|
|
another parameter, emitting `Param(src) → Param(dst)`. For each
|
|||
|
|
`Terminator::Return(Some(v))` whose value traces to a parameter we
|
|||
|
|
emit `Param(i) → Return`. Declaration-order indexing matters: SSA
|
|||
|
|
lowering skips formal params that are never read, so SSA-level
|
|||
|
|
indices and caller-side positional indices can diverge. Trusting
|
|||
|
|
formal-order is the only way to keep the summary's edges aligned with
|
|||
|
|
the caller's `args[i]` slots.
|
|||
|
|
3. **`SsaFuncSummary.points_to`** (`src/summary/ssa_summary.rs`): new
|
|||
|
|
`#[serde(default, skip_serializing_if = PointsToSummary::is_empty)]`
|
|||
|
|
field. Legacy on-disk rows deserialise cleanly with an empty
|
|||
|
|
summary, so no engine-version bump is required.
|
|||
|
|
4. **Summary application at cross-file call sites**
|
|||
|
|
(`src/taint/ssa_transfer.rs`): `resolved_points_to` is captured
|
|||
|
|
alongside the other cross-file fields before `callee_summary` is
|
|||
|
|
moved into the main taint branch. Each `Param(src) → Param(dst)`
|
|||
|
|
edge unions caller-`args[src]`'s taint into the heap of caller-
|
|||
|
|
`args[dst]`'s points-to set *and* directly taints the dst SSA
|
|||
|
|
value — the direct channel is necessary when the caller's heap
|
|||
|
|
analysis has no allocation site for the arg (common for plain
|
|||
|
|
constructors in Python / JS / Java). Each `Param(src) → Return`
|
|||
|
|
edge threads caller-`args[src]`'s points-to set through
|
|||
|
|
`dynamic_pts` onto the call's return value. Overflow synthesises
|
|||
|
|
the conservative all-pairs graph.
|
|||
|
|
5. **`ssa_summary_fits_arity`** (`src/summary/mod.rs`): arity filter
|
|||
|
|
extended to reject points-to entries referencing parameters past the
|
|||
|
|
key's declared arity (same guard that `param_to_return` /
|
|||
|
|
`param_to_sink` already use). Prevents synthetic-capture
|
|||
|
|
mis-attributions from leaking into cross-file resolution.
|
|||
|
|
6. **Observable-effects filter** (`src/taint/mod.rs`): summary
|
|||
|
|
filtering in `lower_all_functions` now treats a non-empty
|
|||
|
|
`PointsToSummary` as an observable effect so void helpers whose only
|
|||
|
|
signal is a parameter alias survive the "no effects, skip" filter.
|
|||
|
|
|
|||
|
|
### Test coverage
|
|||
|
|
|
|||
|
|
* **Unit tests** (`src/summary/points_to.rs`): data-structure
|
|||
|
|
invariants (dedup, overflow promotion, serde round-trip, legacy JSON
|
|||
|
|
decodes).
|
|||
|
|
* **Unit tests** (`src/ssa/param_points_to.rs`): 5 structural shapes
|
|||
|
|
(field-write emits edge, return-alias emits edge, self-alias is
|
|||
|
|
dropped, out-of-range param rejected, bounded graph terminates).
|
|||
|
|
* **Summary serde + arity** (`src/summary/tests.rs`): round-trip with
|
|||
|
|
points_to populated, legacy JSON deserialises with empty points_to,
|
|||
|
|
arity filter rejects out-of-range param indices.
|
|||
|
|
* **Cross-file integration** (`tests/cross_file_alias_tests.rs` + 3
|
|||
|
|
fixtures): `cross_file_alias_mutating_helper` (Python void helper →
|
|||
|
|
py.cmdi finding through param alias), `cross_file_alias_returned_alias`
|
|||
|
|
(JS passthrough → shell-exec finding through return alias),
|
|||
|
|
`cross_file_alias_bounded_graph` (Python 20-edge graph → scan
|
|||
|
|
terminates under the overflow fallback).
|
|||
|
|
|
|||
|
|
### Benchmark
|
|||
|
|
|
|||
|
|
Rule-level F1 unchanged at 0.966 (P=0.940, R=0.994); file-level F1
|
|||
|
|
unchanged at 0.970 (P=0.941, R=1.000). Neutral, as expected: the
|
|||
|
|
existing benchmark corpus does not exercise cross-file field-alias
|
|||
|
|
flows, so CF-6's precision win is latent and will surface as the corpus
|
|||
|
|
grows. All 2173 tests pass (1687 lib + 486 integration).
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase CF-5 — Cross-file SCC joint fixed-point (2026-04-22)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
The pass-2 orchestrator already iterates mutually-recursive SCCs to
|
|||
|
|
convergence on merged summaries (`MAX_SCC_FIXPOINT_ITERS`-bounded with a
|
|||
|
|
`SCC_FIXPOINT_SAFETY_CAP = 64` guard). Post-CF-1/CF-2, those iterations
|
|||
|
|
run cross-file inline re-analysis under the *current* merged summaries on
|
|||
|
|
each iteration, so the summary-equality convergence predicate implicitly
|
|||
|
|
covers inline convergence for monotone summaries. What was missing was
|
|||
|
|
an explicit signal distinguishing *cross-file* SCCs (where the recursion
|
|||
|
|
crosses file boundaries and the inline+summary interaction is what drives
|
|||
|
|
precision) from *intra-file* SCCs (where the iteration is purely about
|
|||
|
|
summary fixpoint). Without that signal, cap-hit diagnostics conflated
|
|||
|
|
the two root causes and the orchestrator could not target cross-file
|
|||
|
|
SCCs for specialised handling.
|
|||
|
|
|
|||
|
|
### Changes
|
|||
|
|
|
|||
|
|
1. **`scc_spans_files()` helper + `FileBatch.cross_file` flag**
|
|||
|
|
(`src/callgraph.rs`): an SCC is flagged cross-file when its nodes
|
|||
|
|
belong to more than one namespace. `scc_file_batches_with_metadata`
|
|||
|
|
unions the flag across all SCCs contributing to each topo batch.
|
|||
|
|
`cross_file ⊆ has_mutual_recursion` by construction (a non-recursive
|
|||
|
|
cross-file chain resolves topologically and is not batched).
|
|||
|
|
2. **Inline cache lifecycle hooks** (`src/taint/ssa_transfer.rs`): new
|
|||
|
|
`inline_cache_clear_epoch()` and `inline_cache_fingerprint()` helpers
|
|||
|
|
give the SCC orchestrator a concrete contract for per-iteration cache
|
|||
|
|
semantics. The per-file cache is already reconstructed fresh inside
|
|||
|
|
`analyse_file`, so today these are no-op plumbing — kept explicit so
|
|||
|
|
any future shared-cache refactor has a pre-agreed API.
|
|||
|
|
3. **Cross-file-specific cap-hit tag** (`src/commands/scan.rs`):
|
|||
|
|
`SCC_UNCONVERGED_CROSS_FILE_NOTE_PREFIX` is a strict superset of
|
|||
|
|
`SCC_UNCONVERGED_NOTE_PREFIX`; callers filtering on the base prefix
|
|||
|
|
still match, while consumers that want the narrower cross-file case
|
|||
|
|
can match on the longer constant. `tag_unconverged_findings()`
|
|||
|
|
takes a `cross_file: bool` switch and `run_topo_batches()` threads
|
|||
|
|
the batch flag through.
|
|||
|
|
4. **Observability**: cross-file SCCs emit a dedicated `debug!` log at
|
|||
|
|
iteration start; cap-hit warnings carry the `cross_file = {bool}`
|
|||
|
|
field so operators can root-cause imprecision quickly.
|
|||
|
|
|
|||
|
|
### Fixtures and tests
|
|||
|
|
|
|||
|
|
- `tests/fixtures/cross_file_scc_mutual_recursion/` (Python, 2-file
|
|||
|
|
mutual recursion with CMDI sink): transitive taint must reach the
|
|||
|
|
caller across the cycle.
|
|||
|
|
- `tests/fixtures/cross_file_scc_three_way_cycle/` (Python, 3-file
|
|||
|
|
cycle): pinned iteration envelope proves the SCC fix-point loop does
|
|||
|
|
the work, not topo order.
|
|||
|
|
- `tests/fixtures/cross_file_scc_recursive_with_sanitiser/` (Python,
|
|||
|
|
2-file sanitised cycle): joint convergence carries the `shlex.quote`
|
|||
|
|
sanitizer across the cycle and suppresses the caller's CMDI.
|
|||
|
|
- `tests/scc_cross_file_tests.rs`: wires the three fixtures into the
|
|||
|
|
integration harness.
|
|||
|
|
- Callgraph unit tests: `scc_file_batches_with_metadata_marks_cross_file`,
|
|||
|
|
`scc_file_batches_with_metadata_intra_file_scc_not_cross_file`,
|
|||
|
|
`scc_spans_files_single_node`.
|
|||
|
|
- Inline-cache lifecycle unit tests
|
|||
|
|
(`inline_cache_epoch_tests` in `src/taint/ssa_transfer.rs`):
|
|||
|
|
`clear_epoch_drops_all_entries`,
|
|||
|
|
`fingerprint_is_order_independent`,
|
|||
|
|
`fingerprint_changes_when_return_caps_change`,
|
|||
|
|
`fingerprint_tracks_missing_return_taint_as_zero`.
|
|||
|
|
- Tag-variant unit tests (`scc_tagging_tests` in `src/commands/scan.rs`):
|
|||
|
|
cross-file and non-cross-file variants emit the expected prefixes.
|
|||
|
|
|
|||
|
|
### Benchmark delta
|
|||
|
|
|
|||
|
|
Byte-for-byte neutral vs CF-3 (P/R/F1 unchanged at 0.940 / 0.994 /
|
|||
|
|
0.966). The corpus exercises cross-file SCCs that already converge
|
|||
|
|
cleanly under the existing summary-snapshot loop, so CF-5's value is
|
|||
|
|
diagnostic clarity (tighter cap-hit tag, `cross_file` metric) and an
|
|||
|
|
API surface the future joint-cache refactor can hook into — not a
|
|||
|
|
precision shift on today's fixtures.
|
|||
|
|
|
|||
|
|
### Known limitations
|
|||
|
|
|
|||
|
|
- `inline_cache_clear_epoch` is a semantic hook, not a shared-cache
|
|||
|
|
lifecycle: the per-file cache is already ambient-cleared at each
|
|||
|
|
iteration via `analyse_file` reconstruction. A true cross-file
|
|||
|
|
shared cache would be a more involved refactor (rayon-safe shared
|
|||
|
|
`RefCell<InlineCache>` across SCC files, epoch-tag invalidation on
|
|||
|
|
cache miss/hit).
|
|||
|
|
- Benchmark-visible precision win will require corpus fixtures that
|
|||
|
|
specifically exercise cross-file SCCs with precision-degrading
|
|||
|
|
summary approximation; the current corpus's cross-file cycles all
|
|||
|
|
converge in 0–5 iterations and land on the same answer at both the
|
|||
|
|
summary and inline path.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase CF-3 — Abstract-domain transfer channels in summaries (2026-04-22)
|
|||
|
|
|
|||
|
|
### Motivation
|
|||
|
|
|
|||
|
|
Phase 17 abstract interpretation tracks per-SSA-value intervals, string prefix/suffix facts, and known-bit masks during pass 2 and uses them to suppress findings via `is_abstract_safe_for_sink`. None of those facts crossed function boundaries through summaries: a caller that proved `port ∈ [1024, 65535]` lost the bound the moment the value entered a cross-file callee. CF-3 records, per parameter, a bounded symbolic description of how that parameter's abstract value maps to the return, so callers can synthesise the return abstract at summary-path call sites without re-running the callee.
|
|||
|
|
|
|||
|
|
### Changes
|
|||
|
|
|
|||
|
|
1. **`AbstractTransfer` domain** (`src/abstract_interp/mod.rs`) — product of bounded per-subdomain forms: `IntervalTransfer` (`Top` | `Identity` | `Affine { add, mul }` | `Clamped { lo, hi }`), `StringTransfer` (`Unknown` | `Identity` | `LiteralPrefix(String)` capped at `MAX_LITERAL_PREFIX_LEN = 64`). Bit subdomain is intentionally not carried cross-file.
|
|||
|
|
2. **Summary schema** (`src/summary/ssa_summary.rs`): new `SsaFuncSummary.abstract_transfer: Vec<(usize, AbstractTransfer)>`, serde-gated so old DBs deserialise unchanged and only propagating functions contribute bytes.
|
|||
|
|
3. **Pass-1 extraction** (`src/taint/ssa_transfer.rs::derive_abstract_transfer`): structural inference. *Identity* when every return-block return value traces (through single-use `Assign` and same-param `Phi` merges, depth ≤ 8) to the same `SsaOp::Param { index }`. *Clamped / LiteralPrefix* attached when the callee's baseline `return_abstract` has a bounded interval or known prefix.
|
|||
|
|
4. **Pass-2 application** (`SsaOp::Call` arm of `transfer_inst`): runs whenever the callee was resolved via SSA summary. Per-param transfers evaluate on the caller's current abstract value of the argument, joined then `meet`-ed with baseline `return_abstract` (falling back to the less restrictive side if the meet contradicts).
|
|||
|
|
|
|||
|
|
### Fixtures and tests
|
|||
|
|
|
|||
|
|
- `tests/abstract_transfer_tests.rs` (29 tests): serde round-trip, per-subdomain `apply` semantics, join widening, LCP join on shared literal prefixes, and an end-to-end pass-1 structural test.
|
|||
|
|
- `tests/fixtures/cross_file_abstract_port_range/`, `tests/fixtures/cross_file_abstract_bounded_index/`: cross-file summary-path regression guards.
|
|||
|
|
- `tests/fixtures/cross_file_abstract_url_prefix_lock/`: JS literal-prefix SSRF suppression (landed via follow-up below).
|
|||
|
|
|
|||
|
|
#### CF-3 follow-up — JS literal-prefix SSRF suppression fix (2026-04-22)
|
|||
|
|
|
|||
|
|
Two surgical changes downstream of CF-3:
|
|||
|
|
|
|||
|
|
- **`src/ssa/copy_prop.rs`** — copy-prop now skips single-use `Assign` instructions whose CFG node carries `string_prefix`. Without this, copy-prop + DCE eliminated `url = 'lit' + userInput` in pass 2's optimised SSA, rewriting `fetch(url)`'s arg to the bare param and erasing the prefix. Mirrors the existing `is_numeric_length_access` guard.
|
|||
|
|
- **`src/taint/ssa_transfer.rs::transfer_abstract`** — added a `Call` arm symmetric with the Assign-with-prefix arm: when a `Call` instruction's CFG node carries `string_prefix` (e.g. `url = wrapper('lit' + x)`), seed the call result's `StringFact` with the prefix. Lets `axios.get(url)` consume the prefix lock through cross-file identity-passthrough wrappers like CF-3's `asIs`.
|
|||
|
|
|
|||
|
|
Single-file and cross-file `'lit' + userInput → fetch/axios.get` both now produce zero findings.
|
|||
|
|
|
|||
|
|
### Benchmark delta
|
|||
|
|
|
|||
|
|
Byte-for-byte neutral vs pre-CF-3 (P/R/F1 unchanged at 0.940 / 0.994 / 0.966). Expected: the corpus does not yet exercise call chains where an identity-passthrough cross-file callee is the only thing between a caller-side abstract bound and a downstream suppression. The precision win will materialise when broader corpora exercise cross-file integer-bound propagation.
|
|||
|
|
|
|||
|
|
### Known limitations
|
|||
|
|
|
|||
|
|
- Per-return-path decomposition is CF-4's scope. A callee whose return traces to `param_0` on one branch and `param_1` on another yields `identity_consistent = false` and falls back to the baseline-invariant form (or Top).
|
|||
|
|
- Only single-use `Assign` and consistent-origin `Phi` merges are followed by the Identity tracer; richer alias reasoning is CF-6.
|
|||
|
|
- `Affine` is defined in the domain but the pass-1 structural inferrer never emits it yet.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## Phase CF-2 — Cross-file k=1 context-sensitive inline taint (2026-04-22)
|
|||
|
|
|
|||
|
|
Intra-file k=1 inline analysis (Phase 11) was extended to fire on cross-file call edges too. Before CF-2 every cross-file call collapsed into the callee's worst-case `SsaFuncSummary`; CF-2 exposes call-site-specific argument taint, call-site constants, and path-predicate structure to cross-file callees.
|
|||
|
|
|
|||
|
|
### Key changes
|
|||
|
|
|
|||
|
|
- **Cross-file body fallback in `inline_analyse_callee`** (`src/taint/ssa_transfer.rs`): intra-file lookup runs first; on miss, resolves the call via `GlobalSummaries.resolve_callee` and loads the body from `transfer.cross_file_bodies`. Body-size budget, k=1 depth cap, and the `context_sensitive` config switch shared with intra-file path via `InlineCache`.
|
|||
|
|
- **Origin source-span pre-fill in param seed**: populate `source_span` from the caller's CFG before origins cross into a callee body, so cross-file inline preserves caller attribution.
|
|||
|
|
- **Indexed-scan parity (CF-2 follow-up)**: `CrossFileNodeMeta` extended to carry full `NodeInfo` snapshot; `rebuild_body_graph` rehydrates a proxy `Cfg` at DB load time. `build_index` now persists `ssa_bodies` rows at index-build time (prior behaviour silently wrote zero bodies). Engine-version salt bumped to `+cf3-xfile-meta`.
|
|||
|
|
|
|||
|
|
### Fixtures
|
|||
|
|
|
|||
|
|
Four cross-file fixtures under `tests/fixtures/cross_file_context_*`: `two_call_sites` (Python, primary CF-2 win), `callback` (JS, callback-as-argument via summary path), `sanitizer` (JS, regression guard that CF-2 inline doesn't add findings where the summary path strips taint), `deep_chain` (Python three-file chain). Each has in-memory and indexed-scan test variants.
|
|||
|
|
|
|||
|
|
### Benchmark delta
|
|||
|
|
|
|||
|
|
Precision **+2.9pp** vs pre-CF-2 (0.911 → 0.940); recall unchanged (0.994); F1 **+1.5pp** (0.951 → 0.966). No per-language regression; Python/Rust/TypeScript at 1.000, others ≥ 0.889. Indexed-scan parity follow-up was neutral (correctness fix, not a precision delta).
|
|||
|
|
|
|||
|
|
### Known limitations
|
|||
|
|
|
|||
|
|
- k=1 is preserved: cross-file inline will not recursively inline the next cross-file hop. CF-5 (SCC joint fixed-point) revisits this for mutually recursive cross-file SCCs.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
## History
|
|||
|
|
|
|||
|
|
Earlier phases, most recent first. Metrics are rule-level unless noted.
|
|||
|
|
|
|||
|
|
| Date | Phase | Corpus | P | R | F1 | Notes |
|
|||
|
|
|------------|----------------------------------------|--------|--------|--------|--------|-------|
|
|||
|
|
| 2026-04-20 | Rust Weak Spot Fixes | 262 | 0.906 | 0.994 | 0.948 | Rust FN→0 across FILE_IO/SSRF/SQL/DESERIALIZE sink families; SHELL_ESCAPE added to Phase 10 type suppression; identity-method peeling for constructor typing; Rust rule-level P/R/F1 jumped +7.8/+21.1/+13.2pp. |
|
|||
|
|
| 2026-04-20 | TypeScript Weak Spot Fixes | 262 | 0.899 | 0.981 | 0.938 | Closed all three Phase 19 TS weak spots: encodeURIComponent→axios cap-overlap (StringFact prefix-locked SSRF suppression), Fastify framework detection from in-file imports, TSX/JSX grammar wiring. TS rule-level F1 → 1.000. |
|
|||
|
|
| 2026-04-20 | Rust Honesty Expansion | 262 | 0.891 | 0.961 | 0.925 | Rust corpus expanded 18→31 cases with honest FNs in classes lacking Rust rules (SQL, deserialize, reqwest builder chains). Correction, not a regression. |
|
|||
|
|
| 2026-04-20 | TypeScript Coverage Expansion | 246 | 0.904 | 0.986 | 0.944 | TS corpus 0→32 cases (12 vuln classes, adversarial type-system stressors, framework/cap-overlap/interproc cases). |
|
|||
|
|
| 2026-03-24 | Phase 19 — Benchmark Expansion | 214 | 0.827 | 0.950 | 0.885 | +73 cases (+52%); C, C++, Rust added as first-class languages; interprocedural + path-pruning cases; `buffer_overflow` and `fmt_string` classes for C/C++. Thresholds reset to baseline −5pp. |
|
|||
|
|
| 2026-03-22 | Phase 8.5 — Cross-file SSA validation | 141 | 0.840 | 0.975 | 0.903 | `param_to_sink_param` field on `SsaFuncSummary`; directory-based multi-file benchmark cases; 6 new cross-file cases across PY/JS/Go (propagation, source detection, wrong-cap sanitizer) — all TP. |
|
|||
|
|
| 2026-03-22 | Ruby Parity | 123 | 0.821 | 0.986 | 0.896 | Ruby corpus 1→21 cases across 8 vuln classes; no label rule changes. |
|
|||
|
|
| 2026-03-22 | Phase 5 — SSA Lowering X-lang hardening| 103 | 0.841 | 0.983 | 0.906 | PHP closures + throw; Python try/except + raise; new exception-edge fixtures. Precision +17.0pp vs Phase 30 via confidence scoring / allowlist / type-check guards. |
|
|||
|
|
| 2026-03-21 | Phase 30 — SSRF Semantic Completion | 103 | 0.671 | 0.966 | 0.792 | New SSRF sink matchers (axios, got, undici, httpx, http.NewRequestWithContext, Net::HTTP, HTTParty, requests.*); `flask_request.*` source; Ruby added to corpus. |
|
|||
|
|
| 2026-03-21 | Phase 22.5b — Constant-arg suppression | 95 | 0.654 | 0.964 | 0.779 | AST + CFG suppression of calls with all-literal args; removed buggy `!source_derived` guard in `guards.rs`. |
|
|||
|
|
| 2026-03-21 | Phase 22.5 | 95 | 0.624 | 0.964 | 0.757 | py-ssrf-001 rule-ID fix; bare `exec`/`execSync` as JS cmdi sinks; Python `Template` as XSS sink. |
|
|||
|
|
| 2026-03-21 | Phase 22 baseline | 95 | 0.620 | 0.891 | 0.731 | First benchmarked baseline post-Phase-22 symbolic strings. |
|
|||
|
|
|
|||
|
|
### Recurring known limitations
|
|||
|
|
|
|||
|
|
- **Variable-receiver method calls** (e.g. `client.send(...)` vs `HttpClient.send(...)`): suffix-matching misses without type-qualified resolution. Partly addressed by Phase 10 type-aware callee resolution; residual cases remain where the receiver has no inferred type.
|
|||
|
|
- **Import aliasing**: arbitrary import aliases (`from flask import request as r`) are not traced; only explicitly listed aliases resolve.
|
|||
|
|
- **No SSRF sanitizers as function calls**: URL-parsing doesn't sanitize; allowlist checks are condition patterns, modelled via `classify_condition()` validation markers rather than call-site credits.
|
|||
|
|
- **Rust structural `cfg-unguarded-sink`** still fires for SHELL_ESCAPE when a source is in scope but not flowing to the sink arg — intentional for high-risk sinks; requires plumbing `TypeFactResult` into `AnalysisContext` to suppress.
|
|||
|
|
- **Rust negative-validation `contains` dominators** and **match-arm guards** are not yet modelled by `classify_condition()`.
|
|||
|
|
- **DNS-rebinding / async callback flows**: out of scope for static analysis without runtime context.
|