Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-15 20:05:13 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/src/patterns/cpp.rs
+++ b/src/patterns/cpp.rs
@ -1,40 +1,106 @@
-use crate::patterns::{Pattern, Severity};
+use crate::evidence::Confidence;
+use crate::patterns::{Pattern, PatternCategory, PatternTier, Severity};

+/// C++ AST patterns.
+///
+/// Inherits C banned-function concerns plus C++-specific patterns like
+/// `reinterpret_cast` and `const_cast`.  Taint rules overlap with C rules
+/// for `system`/`sprintf`/`strcpy`/`strcat`.
 pub const PATTERNS: &[Pattern] = &[
+    // ── Tier A: Banned C functions (inherited) ─────────────────────────
    Pattern {
-        id: "strcpy_call",
-        description: "strcpy() usage",
-        query: "(call_expression function: (identifier) @id (#eq? @id \"strcpy\")) @vuln",
+        id: "cpp.memory.gets",
+        description: "gets() — no bounds checking, always exploitable",
+        query: r#"(call_expression function: (identifier) @id (#eq? @id "gets")) @vuln"#,
        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::MemorySafety,
+        confidence: Confidence::High,
    },
    Pattern {
-        id: "strcat_call",
-        description: "strcat() usage",
-        query: "(call_expression function: (identifier) @id (#eq? @id \"strcat\")) @vuln",
+        id: "cpp.memory.strcpy",
+        description: "strcpy() — no bounds checking on destination buffer",
+        query: r#"(call_expression function: (identifier) @id (#eq? @id "strcpy")) @vuln"#,
        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::MemorySafety,
+        confidence: Confidence::High,
    },
    Pattern {
-        id: "sprintf_call",
-        description: "sprintf() (no length limit)",
-        query: "(call_expression function: (identifier) @id (#eq? @id \"sprintf\")) @vuln",
+        id: "cpp.memory.strcat",
+        description: "strcat() — no bounds checking on destination buffer",
+        query: r#"(call_expression function: (identifier) @id (#eq? @id "strcat")) @vuln"#,
        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::MemorySafety,
+        confidence: Confidence::High,
    },
    Pattern {
-        id: "gets_call",
-        description: "gets() usage",
-        query: "(call_expression function: (identifier) @id (#eq? @id \"gets\")) @vuln",
+        id: "cpp.memory.sprintf",
+        description: "sprintf() — no length limit on output buffer",
+        query: r#"(call_expression function: (identifier) @id (#eq? @id "sprintf")) @vuln"#,
        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::MemorySafety,
+        confidence: Confidence::High,
+    },
+    // ── Tier A: Command execution ──────────────────────────────────────
+    Pattern {
+        id: "cpp.cmdi.system",
+        description: "system() — shell command execution",
+        query: r#"(call_expression function: (identifier) @id (#eq? @id "system")) @vuln"#,
+        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::CommandExec,
+        confidence: Confidence::High,
    },
    Pattern {
-        id: "system_call",
-        description: "system() shell execution",
-        query: "(call_expression function: (identifier) @id (#eq? @id \"system\")) @vuln",
+        id: "cpp.cmdi.popen",
+        description: "popen() — shell command execution",
+        query: r#"(call_expression function: (identifier) @id (#eq? @id "popen")) @vuln"#,
+        severity: Severity::High,
+        tier: PatternTier::A,
+        category: PatternCategory::CommandExec,
+        confidence: Confidence::High,
+    },
+    // ── Tier A: Dangerous casts ────────────────────────────────────────
+    // C++ casts are parsed as call_expression with template_function
+    Pattern {
+        id: "cpp.memory.reinterpret_cast",
+        description: "reinterpret_cast — type-punning cast",
+        query: r#"(call_expression
+                     function: (template_function
+                       name: (identifier) @n (#eq? @n "reinterpret_cast")))
+                   @vuln"#,
        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::MemorySafety,
+        confidence: Confidence::High,
    },
    Pattern {
-        id: "reinterpret_cast",
-        description: "reinterpret_cast usage",
-        query: "(reinterpret_cast_expression) @vuln",
+        id: "cpp.memory.const_cast",
+        description: "const_cast — removes const/volatile qualifier",
+        query: r#"(call_expression
+                     function: (template_function
+                       name: (identifier) @n (#eq? @n "const_cast")))
+                   @vuln"#,
        severity: Severity::Medium,
+        tier: PatternTier::A,
+        category: PatternCategory::MemorySafety,
+        confidence: Confidence::High,
+    },
+    // ── Tier B: Format-string (variable first arg) ─────────────────────
+    Pattern {
+        id: "cpp.memory.printf_no_fmt",
+        description: "printf(var) — format-string vulnerability when first arg is not literal",
+        query: r#"(call_expression
+                     function: (identifier) @id (#eq? @id "printf")
+                     arguments: (argument_list
+                       . (identifier) @arg))
+                   @vuln"#,
+        severity: Severity::High,
+        tier: PatternTier::B,
+        category: PatternCategory::MemorySafety,
+        confidence: Confidence::Medium,
    },
 ];