Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-09 19:45:13 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/tests/fixtures/patterns/python/negative.py
+++ b/tests/fixtures/patterns/python/negative.py
@ -0,0 +1,23 @@
+# Negative fixture: none of these should trigger security patterns.
+
+import subprocess
+import hashlib
+
+def safe_subprocess():
+    # No shell=True
+    subprocess.run(["ls", "-la"])
+
+def safe_hash():
+    hashlib.sha256(b"data")
+
+def safe_literal_query(cursor):
+    cursor.execute("SELECT COUNT(*) FROM users")
+
+def safe_yaml_load(data):
+    import yaml
+    yaml.safe_load(data)
+
+def safe_string_ops():
+    x = "hello"
+    y = x.upper()
+    z = len(y)
--- a/tests/fixtures/patterns/python/positive.py
+++ b/tests/fixtures/patterns/python/positive.py
@ -0,0 +1,51 @@
+# Positive fixture: each snippet should trigger the named pattern.
+
+import os
+import subprocess
+import pickle
+import yaml
+import hashlib
+
+# py.code_exec.eval
+def trigger_eval(data):
+    result = eval(data)
+
+# py.code_exec.exec
+def trigger_exec(code):
+    exec(code)
+
+# py.code_exec.compile
+def trigger_compile(code):
+    co = compile(code, "<string>", "exec")
+
+# py.cmdi.os_system
+def trigger_os_system(cmd):
+    os.system(cmd)
+
+# py.cmdi.os_popen
+def trigger_os_popen(cmd):
+    os.popen(cmd)
+
+# py.cmdi.subprocess_shell
+def trigger_subprocess_shell(cmd):
+    subprocess.run(cmd, shell=True)
+
+# py.deser.pickle_loads
+def trigger_pickle(data):
+    obj = pickle.loads(data)
+
+# py.deser.yaml_load
+def trigger_yaml(data):
+    obj = yaml.load(data)
+
+# py.sqli.execute_format
+def trigger_sql_concat(cursor, user):
+    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
+
+# py.crypto.md5
+def trigger_md5(data):
+    hashlib.md5(data)
+
+# py.crypto.sha1
+def trigger_sha1(data):
+    hashlib.sha1(data)