apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-18 20:15:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

Phase 1 (#33)

Browse source 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
This commit is contained in:
Eli Peter 2026-02-25 21:16:36 -05:00 committed by GitHub
parent 19b578c5c4
commit 1bbe4b1cfb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
456 changed files with 25628 additions and 1228 deletions
Download patch file Download diff file Expand all files Collapse all files

23
tests/fixtures/real_world/java/cfg/catch_finally.expect.json vendored Normal file
View file

@ -0,0 +1,23 @@
{
"description": "Finally-based safe close pattern vs exception-path resource leak",
"tags": [
"cfg",
"resource-leak"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "cfg-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
20,
29
],
"evidence_contains": [],
"notes": "processLeaky throws on line 26 without closing fis \u2014 resource leaked on exception path"
}
]
}

30
tests/fixtures/real_world/java/cfg/catch_finally.java vendored Normal file
View file

@ -0,0 +1,30 @@
import java.io.*;
public class FileProcessor {
public void processWithFinally(String path) {
FileInputStream fis = null;
try {
fis = new FileInputStream(path);
byte[] data = new byte[1024];
fis.read(data);
} catch (IOException e) {
System.err.println("Error: " + e.getMessage());
} finally {
try {
if (fis != null) fis.close();
} catch (IOException e) {
// ignore
}
}
}
public void processLeaky(String path) throws IOException {
FileInputStream fis = new FileInputStream(path);
byte[] data = new byte[1024];
fis.read(data);
if (data[0] == 0) {
throw new IOException("bad data"); // fis leaked
}
fis.close();
}
}

37
tests/fixtures/real_world/java/cfg/lambda_streams.expect.json vendored Normal file
View file

@ -0,0 +1,37 @@
{
"description": "Stream operations with SQL concat in map and exec in forEach lambda",
"tags": [
"cfg",
"sqli",
"cmdi",
"lambda"
],
"modes": [
"full",
"ast"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [
10,
17
],
"evidence_contains": [],
"notes": "cmd parameter inside lambda flows to Runtime.exec \u2014 scanner may not track taint through lambda bodies"
},
{
"rule_id": "java.sqli.execute_concat",
"severity": null,
"must_match": false,
"line_range": [
6,
10
],
"evidence_contains": [],
"notes": "SQL string concatenation inside stream map lambda \u2014 AST pattern may not match inside lambda context"
}
]
}

21
tests/fixtures/real_world/java/cfg/lambda_streams.java vendored Normal file
View file

@ -0,0 +1,21 @@
import java.util.*;
import java.util.stream.*;
public class StreamProcessor {
public List<String> filterUnsafe(List<String> inputs) {
return inputs.stream()
.filter(s -> !s.isEmpty())
.map(s -> "SELECT * FROM users WHERE name = '" + s + "'")
.collect(Collectors.toList());
}
public void processCommands(List<String> commands) {
commands.forEach(cmd -> {
try {
Runtime.getRuntime().exec(cmd);
} catch (Exception e) {
e.printStackTrace();
}
});
}
}

34
tests/fixtures/real_world/java/cfg/switch_expressions.expect.json vendored Normal file
View file

@ -0,0 +1,34 @@
{
"description": "Switch dispatches to dangerous operations including exec and file write based on action string",
"tags": [
"cfg",
"cmdi"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [
2,
9
],
"evidence_contains": [],
"notes": "input parameter flows into Runtime.exec \u2014 depends on whether scanner models method params as taint sources"
},
{
"rule_id": "cfg-unguarded-sink",
"severity": null,
"must_match": false,
"line_range": [
4,
9
],
"evidence_contains": [],
"notes": "No validation of input before exec call in exec case"
}
]
}

19
tests/fixtures/real_world/java/cfg/switch_expressions.java vendored Normal file
View file

@ -0,0 +1,19 @@
import java.io.*;
public class ActionHandler {
public void handle(String action, String input) throws IOException {
switch (action) {
case "exec":
Runtime.getRuntime().exec(input);
break;
case "write":
FileWriter fw = new FileWriter(input);
fw.write("data");
fw.close();
break;
case "log":
System.out.println(input);
break;
}
}
}

23
tests/fixtures/real_world/java/cfg/try_with_resources.expect.json vendored Normal file
View file

@ -0,0 +1,23 @@
{
"description": "Try-with-resources safe pattern vs manual close with early return leak",
"tags": [
"cfg",
"resource-leak"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "cfg-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
9,
17
],
"evidence_contains": [],
"notes": "readUnsafe returns early on line 14 without closing reader \u2014 resource leak on that path"
}
]
}

19
tests/fixtures/real_world/java/cfg/try_with_resources.java vendored Normal file
View file

@ -0,0 +1,19 @@
import java.io.*;
public class ResourceHandler {
public String readSafe(String path) throws IOException {
try (BufferedReader reader = new BufferedReader(new FileReader(path))) {
return reader.readLine();
}
}
public String readUnsafe(String path) throws IOException {
BufferedReader reader = new BufferedReader(new FileReader(path));
String line = reader.readLine();
if (line == null) {
return "empty"; // reader leaked
}
reader.close();
return line;
}
}

37
tests/fixtures/real_world/java/mixed/deser_cmdi.expect.json vendored Normal file
View file

@ -0,0 +1,37 @@
{
"description": "Deserialized object from HTTP input stream used directly as command argument to Runtime.exec",
"tags": [
"taint",
"deser",
"cmdi",
"servlet",
"mixed"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "java.deser.readobject",
"severity": null,
"must_match": true,
"line_range": [
5,
9
],
"evidence_contains": [],
"notes": "AST pattern detects new ObjectInputStream() construction"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
11
],
"evidence_contains": [],
"notes": "Deserialized command string from request input flows into Runtime.exec"
}
]
}

13
tests/fixtures/real_world/java/mixed/deser_cmdi.java vendored Normal file
View file

@ -0,0 +1,13 @@
import java.io.*;
import javax.servlet.http.*;
public class DeserCmdi extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
String command = (String) ois.readObject();
Runtime.getRuntime().exec(command);
response.getWriter().println("Done");
}
}

61
tests/fixtures/real_world/java/mixed/servlet_full.expect.json vendored Normal file
View file

@ -0,0 +1,61 @@
{
"description": "Servlet with multiple vuln types: command injection, SQL injection via concat, and file resource leak",
"tags": [
"taint",
"state",
"cmdi",
"sqli",
"resource-leak",
"servlet",
"mixed"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
8,
16
],
"evidence_contains": [],
"notes": "request.getParameter(\"input\") flows into Runtime.getRuntime().exec(input)"
},
{
"rule_id": "java.sqli.execute_concat",
"severity": null,
"must_match": true,
"line_range": [
15,
19
],
"evidence_contains": [],
"notes": "AST pattern detects string concatenation inside executeQuery argument"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
8,
19
],
"evidence_contains": [],
"notes": "request.getParameter(\"input\") concatenated into SQL query passed to executeQuery"
},
{
"rule_id": "state-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
21,
29
],
"evidence_contains": [],
"notes": "FileInputStream opened on line 23 but never closed"
}
]
}

30
tests/fixtures/real_world/java/mixed/servlet_full.java vendored Normal file
View file

@ -0,0 +1,30 @@
import java.io.*;
import javax.servlet.http.*;
import java.sql.*;
public class FullServlet extends HttpServlet {
private Connection dbConn;
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, SQLException {
String action = request.getParameter("action");
String input = request.getParameter("input");
if ("exec".equals(action)) {
Runtime.getRuntime().exec(input);
} else if ("query".equals(action)) {
Statement stmt = dbConn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM data WHERE key = '" + input + "'");
PrintWriter out = response.getWriter();
while (rs.next()) {
out.println(rs.getString(1));
}
} else if ("read".equals(action)) {
FileInputStream fis = new FileInputStream(input);
byte[] data = new byte[4096];
fis.read(data);
response.getWriter().println(new String(data));
// fis leaked
}
}
}

23
tests/fixtures/real_world/java/state/branch_close.expect.json vendored Normal file
View file

@ -0,0 +1,23 @@
{
"description": "FileInputStream closed only in one branch of conditionalClose; both branches close in bothBranchesClose",
"tags": [
"state",
"resource-leak"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "state-resource-leak-possible",
"severity": null,
"must_match": false,
"line_range": [
3,
13
],
"evidence_contains": [],
"notes": "fis only closed inside if(flag) \u2014 leaked when flag is false"
}
]
}

24
tests/fixtures/real_world/java/state/branch_close.java vendored Normal file
View file

@ -0,0 +1,24 @@
import java.io.*;
public class BranchClose {
public void conditionalClose(String path, boolean flag) throws IOException {
FileInputStream fis = new FileInputStream(path);
if (flag) {
byte[] data = new byte[1024];
fis.read(data);
fis.close();
}
// fis leaked if !flag
}
public void bothBranchesClose(String path, boolean flag) throws IOException {
FileInputStream fis = new FileInputStream(path);
if (flag) {
byte[] data = new byte[1024];
fis.read(data);
fis.close();
} else {
fis.close();
}
}
}

24
tests/fixtures/real_world/java/state/connection_lifecycle.expect.json vendored Normal file
View file

@ -0,0 +1,24 @@
{
"description": "Database connection and statement opened but never closed in queryAndLeak; properly nested finally in queryAndClose",
"tags": [
"state",
"resource-leak",
"database"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "state-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
3,
10
],
"evidence_contains": [],
"notes": "Connection and Statement opened but never closed in queryAndLeak"
}
]
}

24
tests/fixtures/real_world/java/state/connection_lifecycle.java vendored Normal file
View file

@ -0,0 +1,24 @@
import java.sql.*;
public class DatabaseManager {
public void queryAndLeak(String url) throws SQLException {
Connection conn = DriverManager.getConnection(url);
Statement stmt = conn.createStatement();
stmt.executeQuery("SELECT 1");
// conn and stmt never closed
}
public void queryAndClose(String url) throws SQLException {
Connection conn = DriverManager.getConnection(url);
try {
Statement stmt = conn.createStatement();
try {
stmt.executeQuery("SELECT 1");
} finally {
stmt.close();
}
} finally {
conn.close();
}
}
}

35
tests/fixtures/real_world/java/state/double_close.expect.json vendored Normal file
View file

@ -0,0 +1,35 @@
{
"description": "Double close of FileInputStream and use-after-close read operation",
"tags": [
"state",
"double-close",
"use-after-close"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "state-double-close",
"severity": null,
"must_match": false,
"line_range": [
3,
9
],
"evidence_contains": [],
"notes": "fis.close() called twice on lines 6 and 7"
},
{
"rule_id": "state-use-after-close",
"severity": null,
"must_match": false,
"line_range": [
9,
16
],
"evidence_contains": [],
"notes": "fis.read(data) on line 14 after fis.close() on line 12"
}
]
}

16
tests/fixtures/real_world/java/state/double_close.java vendored Normal file
View file

@ -0,0 +1,16 @@
import java.io.*;
public class DoubleClose {
public void doubleCloseStream(String path) throws IOException {
FileInputStream fis = new FileInputStream(path);
fis.close();
fis.close();
}
public void useAfterClose(String path) throws IOException {
FileInputStream fis = new FileInputStream(path);
fis.close();
byte[] data = new byte[1024];
fis.read(data);
}
}

23
tests/fixtures/real_world/java/state/stream_lifecycle.expect.json vendored Normal file
View file

@ -0,0 +1,23 @@
{
"description": "FileInputStream opened and never closed in readAndLeak; properly closed via finally in readAndClose",
"tags": [
"state",
"resource-leak"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "state-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
3,
11
],
"evidence_contains": [],
"notes": "FileInputStream fis opened on line 5 and never closed before return on line 8"
}
]
}

22
tests/fixtures/real_world/java/state/stream_lifecycle.java vendored Normal file
View file

@ -0,0 +1,22 @@
import java.io.*;
public class StreamManager {
public String readAndLeak(String path) throws IOException {
FileInputStream fis = new FileInputStream(path);
byte[] data = new byte[1024];
fis.read(data);
return new String(data);
// fis never closed
}
public String readAndClose(String path) throws IOException {
FileInputStream fis = new FileInputStream(path);
try {
byte[] data = new byte[1024];
fis.read(data);
return new String(data);
} finally {
fis.close();
}
}
}

24
tests/fixtures/real_world/java/taint/cmdi_processbuilder.expect.json vendored Normal file
View file

@ -0,0 +1,24 @@
{
"description": "HttpServletRequest parameters flow into ProcessBuilder constructor \u2014 command injection via user-controlled program and arguments",
"tags": [
"taint",
"cmdi",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
13
],
"evidence_contains": [],
"notes": "request.getParameter(\"program\") and request.getParameter(\"arg\") flow into new ProcessBuilder(program, arg)"
}
]
}

21
tests/fixtures/real_world/java/taint/cmdi_processbuilder.java vendored Normal file
View file

@ -0,0 +1,21 @@
import java.io.*;
import javax.servlet.http.*;
public class ProcessHandler extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String program = request.getParameter("program");
String arg = request.getParameter("arg");
ProcessBuilder pb = new ProcessBuilder(program, arg);
Process process = pb.start();
BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()));
String line;
PrintWriter out = response.getWriter();
while ((line = reader.readLine()) != null) {
out.println(line);
}
}
}

35
tests/fixtures/real_world/java/taint/cmdi_runtime.expect.json vendored Normal file
View file

@ -0,0 +1,35 @@
{
"description": "HttpServletRequest.getParameter flows directly to Runtime.exec \u2014 classic command injection",
"tags": [
"taint",
"cmdi",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "request.getParameter(\"cmd\") flows directly into Runtime.getRuntime().exec(cmd)"
},
{
"rule_id": "cfg-unguarded-sink",
"severity": null,
"must_match": false,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "No validation or auth check before exec call"
}
]
}

13
tests/fixtures/real_world/java/taint/cmdi_runtime.java vendored Normal file
View file

@ -0,0 +1,13 @@
import java.io.*;
import javax.servlet.http.*;
public class CommandHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String cmd = request.getParameter("cmd");
Runtime.getRuntime().exec(cmd);
PrintWriter out = response.getWriter();
out.println("Command executed");
}
}

36
tests/fixtures/real_world/java/taint/deser_ois.expect.json vendored Normal file
View file

@ -0,0 +1,36 @@
{
"description": "Unsafe deserialization of untrusted ObjectInputStream from HTTP request body",
"tags": [
"taint",
"deser",
"servlet"
],
"modes": [
"full",
"ast"
],
"expected": [
{
"rule_id": "java.deser.readobject",
"severity": null,
"must_match": true,
"line_range": [
5,
9
],
"evidence_contains": [],
"notes": "AST pattern detects new ObjectInputStream() construction"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "request.getInputStream() flows into ObjectInputStream.readObject \u2014 taint may not track through constructor chain"
}
]
}

13
tests/fixtures/real_world/java/taint/deser_ois.java vendored Normal file
View file

@ -0,0 +1,13 @@
import java.io.*;
import javax.servlet.http.*;
public class DeserHandler extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
Object obj = ois.readObject();
PrintWriter out = response.getWriter();
out.println("Deserialized: " + obj.toString());
}
}

35
tests/fixtures/real_world/java/taint/reflection.expect.json vendored Normal file
View file

@ -0,0 +1,35 @@
{
"description": "User-controlled class name flows into Class.forName \u2014 arbitrary class instantiation",
"tags": [
"taint",
"reflection",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "java.reflection.class_forname",
"severity": null,
"must_match": true,
"line_range": [
6,
10
],
"evidence_contains": [],
"notes": "AST pattern detects Class.forName() call"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "request.getParameter(\"class\") flows directly into Class.forName(className)"
}
]
}

14
tests/fixtures/real_world/java/taint/reflection.java vendored Normal file
View file

@ -0,0 +1,14 @@
import java.io.*;
import javax.servlet.http.*;
public class ReflectionHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws Exception {
String className = request.getParameter("class");
Class<?> clazz = Class.forName(className);
Object instance = clazz.getDeclaredConstructor().newInstance();
PrintWriter out = response.getWriter();
out.println("Created: " + instance.getClass().getName());
}
}

35
tests/fixtures/real_world/java/taint/sqli_concat.expect.json vendored Normal file
View file

@ -0,0 +1,35 @@
{
"description": "SQL injection via string concatenation in doGet; safe PreparedStatement in doPost",
"tags": [
"taint",
"sqli",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "java.sqli.execute_concat",
"severity": null,
"must_match": true,
"line_range": [
10,
14
],
"evidence_contains": [],
"notes": "AST pattern detects string concatenation inside executeQuery argument"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
8,
14
],
"evidence_contains": [],
"notes": "request.getParameter(\"id\") concatenated into SQL query string passed to executeQuery"
}
]
}

32
tests/fixtures/real_world/java/taint/sqli_concat.java vendored Normal file
View file

@ -0,0 +1,32 @@
import java.sql.*;
import javax.servlet.http.*;
import java.io.*;
public class UserQuery extends HttpServlet {
private Connection conn;
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, SQLException {
String userId = request.getParameter("id");
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE id = " + userId);
PrintWriter out = response.getWriter();
while (rs.next()) {
out.println(rs.getString("name"));
}
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, SQLException {
String userId = request.getParameter("id");
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
stmt.setString(1, userId);
ResultSet rs = stmt.executeQuery();
PrintWriter out = response.getWriter();
while (rs.next()) {
out.println(rs.getString("name"));
}
}
}

24
tests/fixtures/real_world/java/taint/xss_response.expect.json vendored Normal file
View file

@ -0,0 +1,24 @@
{
"description": "XSS via reflected user input in doGet; doPost has manual HTML entity escaping",
"tags": [
"taint",
"xss",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
11
],
"evidence_contains": [],
"notes": "request.getParameter(\"name\") flows directly into out.println without escaping in doGet"
}
]
}

19
tests/fixtures/real_world/java/taint/xss_response.java vendored Normal file
View file

@ -0,0 +1,19 @@
import java.io.*;
import javax.servlet.http.*;
public class XssHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
PrintWriter out = response.getWriter();
out.println("<h1>Hello " + name + "</h1>");
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
String safe = name.replace("<", "&lt;").replace(">", "&gt;");
PrintWriter out = response.getWriter();
out.println("<h1>Hello " + safe + "</h1>");
}
}