Feat/configurable sanitizers and js precision (#32)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: Add configurable analysis rules and CLI commands for custom sanitizers and terminators * feat: Enhance resource management and analysis efficiency - Implemented parallel summary merging in `scan_filesystem` using rayon for improved performance. - Introduced `GlobalSummaries::merge()` for efficient merging of summaries. - Optimized file reading and hashing to eliminate redundant I/O operations. - Added `should_scan_with_hash()` and `upsert_file_with_hash()` methods to streamline file processing. - Enhanced taint analysis with in-place mutations to reduce memory allocations. - Updated resource acquisition patterns to exclude false positives for `freopen` and wrapper functions. * feat: Implement severity downgrade for findings in non-production paths and add source kind inference * feat: Update versioning information in SECURITY.md for new stable line * feat: Update categories in Cargo.toml to include parser-implementations and text-processing * feat: Update dependencies in Cargo.lock for improved compatibility and performance * feat: Update dependencies in Cargo.lock and Cargo.toml for improved compatibility
2026-06-09 19:45:13 +02:00 · 2026-02-25 04:02:11 -05:00 · 2026-02-25 04:02:11 -05:00 · 19b578c5c4
commit 19b578c5c4
parent f96a89e7c1
37 changed files with 3775 additions and 432 deletions
--- a/src/cli.rs
+++ b/src/cli.rs
@ -9,6 +9,14 @@ pub struct Cli {
    pub(crate) command: Commands,
 }

+impl Commands {
+    /// Whether this command produces structured (machine-readable) output on
+    /// stdout, meaning human status messages must be suppressed entirely.
+    pub fn is_structured_output(&self) -> bool {
+        matches!(self, Commands::Scan { format, .. } if format == "json" || format == "sarif")
+    }
+}
+
 #[derive(Subcommand)]
 pub enum Commands {
    /// Scan project for vulnerabilities
@ -25,8 +33,8 @@ pub enum Commands {
        #[arg(long)]
        rebuild_index: bool,

-        /// Output format
-        #[arg(short, long, value_enum, default_value = "")]
+        /// Output format (console, json, sarif)
+        #[arg(short, long, default_value = "")]
        format: String,

        /// Show only high severity issues
@ -41,6 +49,11 @@ pub enum Commands {

        #[arg(long)]
        all_targets: bool,
+
+        /// Include findings from test/vendor/build paths at original severity
+        /// (by default these are downgraded)
+        #[arg(long)]
+        include_nonprod: bool,
    },

    /// Manage project indexes
@ -65,6 +78,51 @@ pub enum Commands {
        #[arg(long)]
        all: bool,
    },
+
+    /// Manage analysis configuration
+    Config {
+        #[command(subcommand)]
+        action: ConfigAction,
+    },
+}
+
+#[derive(Subcommand)]
+pub enum ConfigAction {
+    /// Print effective merged configuration as TOML
+    Show,
+
+    /// Print configuration directory path
+    Path,
+
+    /// Add a label rule to nyx.local
+    AddRule {
+        /// Language slug (e.g. javascript, rust, python)
+        #[arg(long)]
+        lang: String,
+
+        /// Function or property name to match
+        #[arg(long)]
+        matcher: String,
+
+        /// Rule kind: source, sanitizer, or sink
+        #[arg(long)]
+        kind: String,
+
+        /// Capability: env_var, html_escape, shell_escape, url_encode, json_parse, file_io, or all
+        #[arg(long)]
+        cap: String,
+    },
+
+    /// Add a terminator function to nyx.local
+    AddTerminator {
+        /// Language slug (e.g. javascript, rust, python)
+        #[arg(long)]
+        lang: String,
+
+        /// Function name that terminates execution (e.g. process.exit)
+        #[arg(long)]
+        name: String,
+    },
 }

 #[derive(Subcommand)]