nyx/tests/fixtures/real_world/java/taint/reflection.expect.json

{
  "description": "User-controlled class name flows into Class.forName \u2014 arbitrary class instantiation",
  "tags": [
    "taint",
    "reflection",
    "servlet"
  ],
  "modes": [
    "full"
  ],
  "expected": [
    {
      "rule_id": "java.reflection.class_forname",
      "severity": null,
      "must_match": true,
      "line_range": [
        6,
        10
      ],
      "evidence_contains": [],
      "notes": "AST pattern detects Class.forName() call"
    },
    {
      "rule_id": "taint-unsanitised-flow",
      "severity": null,
      "must_match": true,
      "line_range": [
        5,
        10
      ],
      "evidence_contains": [],
      "notes": "request.getParameter(\"class\") flows directly into Class.forName(className)"
    }
  ]
}
Phase 1 (#33) * chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs 2026-02-25 21:16:36 -05:00			`{`
			`"description": "User-controlled class name flows into Class.forName \u2014 arbitrary class instantiation",`
			`"tags": [`
			`"taint",`
			`"reflection",`
			`"servlet"`
			`],`
			`"modes": [`
			`"full"`
			`],`
			`"expected": [`
			`{`
			`"rule_id": "java.reflection.class_forname",`
			`"severity": null,`
			`"must_match": true,`
			`"line_range": [`
			`6,`
			`10`
			`],`
			`"evidence_contains": [],`
			`"notes": "AST pattern detects Class.forName() call"`
			`},`
			`{`
			`"rule_id": "taint-unsanitised-flow",`
			`"severity": null,`
			`"must_match": true,`
			`"line_range": [`
			`5,`
			`10`
			`],`
			`"evidence_contains": [],`
			`"notes": "request.getParameter(\"class\") flows directly into Class.forName(className)"`
			`}`
			`]`
			`}`