nyx/tests/fixtures/patterns/java/negative.java

import java.sql.*;
import java.security.SecureRandom;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.apache.commons.text.StringSubstitutor;

class Negative {
    // Safe: parameterized query
    void safeQuery(Connection conn, String user) throws Exception {
        PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, user);
        ResultSet rs = ps.executeQuery();
    }

    // Safe: SecureRandom instead of Random
    void safeRandom() {
        SecureRandom sr = new SecureRandom();
        int token = sr.nextInt();
    }

    // Safe: no concatenation in SQL
    void safeLiteralQuery(Statement stmt) throws Exception {
        stmt.executeQuery("SELECT COUNT(*) FROM users");
    }

    // Safe: SnakeYAML 2.0 / explicit SafeConstructor — CVE-2022-1471 fix shape.
    void safeSnakeyamlSafeConstructor(String body) {
        LoaderOptions opts = new LoaderOptions();
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        Object data = yaml.load(body);
    }

    // Safe: empty StringSubstitutor — no interpolator factory — CVE-2022-42889 fix shape.
    String safeStringSubstitutorPassthrough(String input) {
        StringSubstitutor s = new StringSubstitutor();
        return s.replace(input);
    }
}
Phase 1 (#33) * chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs 2026-02-25 21:16:36 -05:00			`import java.sql.*;`
			`import java.security.SecureRandom;`
Python fp and docs updtes (#58) * refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files 2026-04-29 19:53:34 -04:00			`import org.yaml.snakeyaml.Yaml;`
			`import org.yaml.snakeyaml.LoaderOptions;`
			`import org.yaml.snakeyaml.constructor.SafeConstructor;`
			`import org.apache.commons.text.StringSubstitutor;`
Phase 1 (#33) * chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs 2026-02-25 21:16:36 -05:00
			`class Negative {`
			`// Safe: parameterized query`
			`void safeQuery(Connection conn, String user) throws Exception {`
			`PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");`
			`ps.setString(1, user);`
			`ResultSet rs = ps.executeQuery();`
			`}`

			`// Safe: SecureRandom instead of Random`
			`void safeRandom() {`
			`SecureRandom sr = new SecureRandom();`
			`int token = sr.nextInt();`
			`}`

			`// Safe: no concatenation in SQL`
			`void safeLiteralQuery(Statement stmt) throws Exception {`
			`stmt.executeQuery("SELECT COUNT(*) FROM users");`
			`}`
Python fp and docs updtes (#58) * refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files 2026-04-29 19:53:34 -04:00
			`// Safe: SnakeYAML 2.0 / explicit SafeConstructor — CVE-2022-1471 fix shape.`
			`void safeSnakeyamlSafeConstructor(String body) {`
			`LoaderOptions opts = new LoaderOptions();`
			`Yaml yaml = new Yaml(new SafeConstructor(opts));`
			`Object data = yaml.load(body);`
			`}`

			`// Safe: empty StringSubstitutor — no interpolator factory — CVE-2022-42889 fix shape.`
			`String safeStringSubstitutorPassthrough(String input) {`
			`StringSubstitutor s = new StringSubstitutor();`
			`return s.replace(input);`
			`}`
Phase 1 (#33) * chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs 2026-02-25 21:16:36 -05:00			`}`