Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-09 19:45:13 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/docs/rules/java.md
+++ b/docs/rules/java.md
@ -0,0 +1,135 @@
+# Java Rules
+
+Nyx detects Java vulnerabilities through AST patterns and taint analysis, covering deserialization, command execution, reflection, SQL injection, weak crypto, and XSS.
+
+## Taint Labels
+
+Java has moderate taint label coverage. Sources, sinks, and sanitizers are defined in `src/labels/java.rs`.
+
+### Sources
+
+| Matcher | Cap |
+|---------|-----|
+| `System.getenv` | all |
+| `getParameter`, `getInputStream`, `getHeader`, `getCookies`, `getReader`, `getQueryString`, `getPathInfo` | all |
+| `readObject`, `readLine` | all |
+
+### Sanitizers
+
+| Matcher | Cap |
+|---------|-----|
+| `HtmlUtils.htmlEscape`, `StringEscapeUtils.escapeHtml4` | HTML_ESCAPE |
+
+### Sinks
+
+| Matcher | Cap |
+|---------|-----|
+| `Runtime.exec`, `ProcessBuilder` | SHELL_ESCAPE |
+| `executeQuery`, `executeUpdate`, `prepareStatement` | SHELL_ESCAPE |
+| `Class.forName` | SHELL_ESCAPE |
+| `println`, `print`, `write` | HTML_ESCAPE |
+
+---
+
+## AST Pattern Rules
+
+### Deserialization
+
+| Rule ID | Severity | Tier | Description |
+|---------|----------|------|-------------|
+| `java.deser.readobject` | High | A | `ObjectInputStream.readObject()` — unsafe deserialization |
+
+### Command Execution
+
+| Rule ID | Severity | Tier | Description |
+|---------|----------|------|-------------|
+| `java.cmdi.runtime_exec` | High | A | `Runtime.getRuntime().exec()` — shell command execution |
+
+### Reflection
+
+| Rule ID | Severity | Tier | Description |
+|---------|----------|------|-------------|
+| `java.reflection.class_forname` | Medium | A | `Class.forName()` — dynamic class loading |
+| `java.reflection.method_invoke` | Medium | A | `Method.invoke()` — reflective method invocation |
+
+### SQL Injection
+
+| Rule ID | Severity | Tier | Description |
+|---------|----------|------|-------------|
+| `java.sqli.execute_concat` | Medium | B | SQL `execute*()` with concatenated string argument |
+
+### Weak Crypto
+
+| Rule ID | Severity | Tier | Description |
+|---------|----------|------|-------------|
+| `java.crypto.insecure_random` | Low | A | `new Random()` — `java.util.Random` is not cryptographically secure |
+| `java.crypto.weak_digest` | Low | A | `MessageDigest.getInstance("MD5"/"SHA1")` |
+
+### XSS
+
+| Rule ID | Severity | Tier | Description |
+|---------|----------|------|-------------|
+| `java.xss.getwriter_print` | Medium | A | `response.getWriter().print/println/write` — direct output |
+
+---
+
+## Examples
+
+### `java.deser.readobject` — Unsafe deserialization
+
+**Vulnerable:**
+```java
+ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
+Object obj = ois.readObject();  // Arbitrary object instantiation
+```
+
+**Safe alternative:**
+```java
+// Use a safe format like JSON
+ObjectMapper mapper = new ObjectMapper();
+MyType obj = mapper.readValue(request.getInputStream(), MyType.class);
+```
+
+### `java.sqli.execute_concat` — SQL concatenation
+
+**Vulnerable:**
+```java
+String query = "SELECT * FROM users WHERE id=" + userId;
+stmt.executeQuery(query);  // SQL injection
+```
+
+**Safe alternative:**
+```java
+PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id=?");
+ps.setString(1, userId);
+ResultSet rs = ps.executeQuery();
+```
+
+### `java.cmdi.runtime_exec` — Command execution
+
+**Vulnerable:**
+```java
+Runtime.getRuntime().exec("cmd /c " + userCommand);
+```
+
+**Safe alternative:**
+```java
+ProcessBuilder pb = new ProcessBuilder("cmd", "/c", "dir");
+// Use explicit argument list, never concatenate user input
+```
+
+### `java.reflection.class_forname` — Dynamic class loading
+
+**Flagged:**
+```java
+Class<?> cls = Class.forName(className);
+Object obj = cls.getDeclaredConstructor().newInstance();
+```
+
+**Safe alternative:**
+```java
+// Use an allowlist of permitted class names
+Map<String, Class<?>> allowed = Map.of("User", User.class, "Order", Order.class);
+Class<?> cls = allowed.get(className);
+if (cls != null) { /* ... */ }
+```