Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-30 20:39:39 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/tests/fixtures/real_world/java/cfg/catch_finally.expect.json
+++ b/tests/fixtures/real_world/java/cfg/catch_finally.expect.json
@ -0,0 +1,23 @@
+{
+  "description": "Finally-based safe close pattern vs exception-path resource leak",
+  "tags": [
+    "cfg",
+    "resource-leak"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "cfg-resource-leak",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        20,
+        29
+      ],
+      "evidence_contains": [],
+      "notes": "processLeaky throws on line 26 without closing fis \u2014 resource leaked on exception path"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/cfg/catch_finally.java
+++ b/tests/fixtures/real_world/java/cfg/catch_finally.java
@ -0,0 +1,30 @@
+import java.io.*;
+
+public class FileProcessor {
+    public void processWithFinally(String path) {
+        FileInputStream fis = null;
+        try {
+            fis = new FileInputStream(path);
+            byte[] data = new byte[1024];
+            fis.read(data);
+        } catch (IOException e) {
+            System.err.println("Error: " + e.getMessage());
+        } finally {
+            try {
+                if (fis != null) fis.close();
+            } catch (IOException e) {
+                // ignore
+            }
+        }
+    }
+
+    public void processLeaky(String path) throws IOException {
+        FileInputStream fis = new FileInputStream(path);
+        byte[] data = new byte[1024];
+        fis.read(data);
+        if (data[0] == 0) {
+            throw new IOException("bad data");  // fis leaked
+        }
+        fis.close();
+    }
+}
--- a/tests/fixtures/real_world/java/cfg/lambda_streams.expect.json
+++ b/tests/fixtures/real_world/java/cfg/lambda_streams.expect.json
@ -0,0 +1,37 @@
+{
+  "description": "Stream operations with SQL concat in map and exec in forEach lambda",
+  "tags": [
+    "cfg",
+    "sqli",
+    "cmdi",
+    "lambda"
+  ],
+  "modes": [
+    "full",
+    "ast"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        10,
+        17
+      ],
+      "evidence_contains": [],
+      "notes": "cmd parameter inside lambda flows to Runtime.exec \u2014 scanner may not track taint through lambda bodies"
+    },
+    {
+      "rule_id": "java.sqli.execute_concat",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        6,
+        10
+      ],
+      "evidence_contains": [],
+      "notes": "SQL string concatenation inside stream map lambda \u2014 AST pattern may not match inside lambda context"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/cfg/lambda_streams.java
+++ b/tests/fixtures/real_world/java/cfg/lambda_streams.java
@ -0,0 +1,21 @@
+import java.util.*;
+import java.util.stream.*;
+
+public class StreamProcessor {
+    public List<String> filterUnsafe(List<String> inputs) {
+        return inputs.stream()
+            .filter(s -> !s.isEmpty())
+            .map(s -> "SELECT * FROM users WHERE name = '" + s + "'")
+            .collect(Collectors.toList());
+    }
+
+    public void processCommands(List<String> commands) {
+        commands.forEach(cmd -> {
+            try {
+                Runtime.getRuntime().exec(cmd);
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
+        });
+    }
+}
--- a/tests/fixtures/real_world/java/cfg/switch_expressions.expect.json
+++ b/tests/fixtures/real_world/java/cfg/switch_expressions.expect.json
@ -0,0 +1,34 @@
+{
+  "description": "Switch dispatches to dangerous operations including exec and file write based on action string",
+  "tags": [
+    "cfg",
+    "cmdi"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        2,
+        9
+      ],
+      "evidence_contains": [],
+      "notes": "input parameter flows into Runtime.exec \u2014 depends on whether scanner models method params as taint sources"
+    },
+    {
+      "rule_id": "cfg-unguarded-sink",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        4,
+        9
+      ],
+      "evidence_contains": [],
+      "notes": "No validation of input before exec call in exec case"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/cfg/switch_expressions.java
+++ b/tests/fixtures/real_world/java/cfg/switch_expressions.java
@ -0,0 +1,19 @@
+import java.io.*;
+
+public class ActionHandler {
+    public void handle(String action, String input) throws IOException {
+        switch (action) {
+            case "exec":
+                Runtime.getRuntime().exec(input);
+                break;
+            case "write":
+                FileWriter fw = new FileWriter(input);
+                fw.write("data");
+                fw.close();
+                break;
+            case "log":
+                System.out.println(input);
+                break;
+        }
+    }
+}
--- a/tests/fixtures/real_world/java/cfg/try_with_resources.expect.json
+++ b/tests/fixtures/real_world/java/cfg/try_with_resources.expect.json
@ -0,0 +1,23 @@
+{
+  "description": "Try-with-resources safe pattern vs manual close with early return leak",
+  "tags": [
+    "cfg",
+    "resource-leak"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "cfg-resource-leak",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        9,
+        17
+      ],
+      "evidence_contains": [],
+      "notes": "readUnsafe returns early on line 14 without closing reader \u2014 resource leak on that path"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/cfg/try_with_resources.java
+++ b/tests/fixtures/real_world/java/cfg/try_with_resources.java
@ -0,0 +1,19 @@
+import java.io.*;
+
+public class ResourceHandler {
+    public String readSafe(String path) throws IOException {
+        try (BufferedReader reader = new BufferedReader(new FileReader(path))) {
+            return reader.readLine();
+        }
+    }
+
+    public String readUnsafe(String path) throws IOException {
+        BufferedReader reader = new BufferedReader(new FileReader(path));
+        String line = reader.readLine();
+        if (line == null) {
+            return "empty";  // reader leaked
+        }
+        reader.close();
+        return line;
+    }
+}