Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-21 20:18:06 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/src/lib.rs
+++ b/src/lib.rs
@ -1,19 +1,62 @@
-// Re-exports for benchmarks and integration tests.
-// The binary crate (main.rs) is the primary entry point; this lib target
-// exposes internals for criterion and other tooling.
+//! # Nyx Scanner
+//!
+//! A multi-language static vulnerability scanner. Nyx parses source files with
+//! [tree-sitter](https://tree-sitter.github.io/), builds intra-procedural
+//! control-flow graphs ([petgraph](https://docs.rs/petgraph)), and runs
+//! cross-file taint analysis with a capability-based sanitizer system.
+//!
+//! ## Architecture
+//!
+//! Nyx uses a **two-pass architecture**:
+//!
+//! 1. **Pass 1 — Summary extraction**: Parse each file, build a CFG per function,
+//!    and export a [`summary::FuncSummary`] capturing source/sanitizer/sink capabilities,
+//!    taint propagation behavior, and callee lists. Summaries are persisted to SQLite.
+//!
+//! 2. **Pass 2 — Analysis**: Load all summaries into a [`summary::GlobalSummaries`] map,
+//!    re-parse files, and run taint analysis with cross-file callee resolution. CFG
+//!    structural analysis checks for auth gaps, unguarded sinks, and resource leaks.
+//!
+//! ## Four Detector Families
+//!
+//! - **Taint** ([`taint`]) — Monotone forward dataflow tracking source-to-sink flows
+//! - **CFG Structural** ([`cfg_analysis`]) — Dominator-based guard and auth-gap detection
+//! - **State Model** ([`state`]) — Resource lifecycle and authentication state lattices
+//! - **AST Patterns** ([`patterns`]) — Tree-sitter structural queries per language
+//!
+//! ## Supported Languages
+//!
+//! Rust, C, C++, Java, Go, PHP, Python, Ruby, TypeScript, JavaScript.
+//!
+//! ## Entry Points
+//!
+//! - [`scan_no_index`] — Run a two-pass scan without indexing (for tests)
+//! - [`commands::scan::scan_filesystem`] — Filesystem scan with optional indexing
+//! - [`commands::scan::scan_with_index_parallel`] — Index-backed parallel scan
+//!
+//! ## Documentation
+//!
+//! See the [`docs/`](https://github.com/elicpeter/nyx/tree/master/docs) directory
+//! for user and contributor documentation.

 pub mod ast;
+pub mod callgraph;
 pub mod cfg;
 pub mod cfg_analysis;
 pub(crate) mod cli;
 pub mod commands;
 pub mod database;
 pub mod errors;
+pub mod evidence;
+pub mod fmt;
 pub mod interop;
 pub mod labels;
 pub mod output;
 pub mod patterns;
+pub mod rank;
+pub mod state;
 pub mod summary;
+pub mod suppress;
 pub mod symbol;
 pub mod taint;
 pub mod utils;