Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-24 20:28:06 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/tests/fixtures/real_world/java/mixed/deser_cmdi.expect.json
+++ b/tests/fixtures/real_world/java/mixed/deser_cmdi.expect.json
@ -0,0 +1,37 @@
+{
+  "description": "Deserialized object from HTTP input stream used directly as command argument to Runtime.exec",
+  "tags": [
+    "taint",
+    "deser",
+    "cmdi",
+    "servlet",
+    "mixed"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "java.deser.readobject",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        5,
+        9
+      ],
+      "evidence_contains": [],
+      "notes": "AST pattern detects new ObjectInputStream() construction"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        5,
+        11
+      ],
+      "evidence_contains": [],
+      "notes": "Deserialized command string from request input flows into Runtime.exec"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/mixed/deser_cmdi.java
+++ b/tests/fixtures/real_world/java/mixed/deser_cmdi.java
@ -0,0 +1,13 @@
+import java.io.*;
+import javax.servlet.http.*;
+
+public class DeserCmdi extends HttpServlet {
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws IOException, ClassNotFoundException {
+        ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
+        String command = (String) ois.readObject();
+        Runtime.getRuntime().exec(command);
+
+        response.getWriter().println("Done");
+    }
+}
--- a/tests/fixtures/real_world/java/mixed/servlet_full.expect.json
+++ b/tests/fixtures/real_world/java/mixed/servlet_full.expect.json
@ -0,0 +1,61 @@
+{
+  "description": "Servlet with multiple vuln types: command injection, SQL injection via concat, and file resource leak",
+  "tags": [
+    "taint",
+    "state",
+    "cmdi",
+    "sqli",
+    "resource-leak",
+    "servlet",
+    "mixed"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        8,
+        16
+      ],
+      "evidence_contains": [],
+      "notes": "request.getParameter(\"input\") flows into Runtime.getRuntime().exec(input)"
+    },
+    {
+      "rule_id": "java.sqli.execute_concat",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        15,
+        19
+      ],
+      "evidence_contains": [],
+      "notes": "AST pattern detects string concatenation inside executeQuery argument"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        8,
+        19
+      ],
+      "evidence_contains": [],
+      "notes": "request.getParameter(\"input\") concatenated into SQL query passed to executeQuery"
+    },
+    {
+      "rule_id": "state-resource-leak",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        21,
+        29
+      ],
+      "evidence_contains": [],
+      "notes": "FileInputStream opened on line 23 but never closed"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/java/mixed/servlet_full.java
+++ b/tests/fixtures/real_world/java/mixed/servlet_full.java
@ -0,0 +1,30 @@
+import java.io.*;
+import javax.servlet.http.*;
+import java.sql.*;
+
+public class FullServlet extends HttpServlet {
+    private Connection dbConn;
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws IOException, SQLException {
+        String action = request.getParameter("action");
+        String input = request.getParameter("input");
+
+        if ("exec".equals(action)) {
+            Runtime.getRuntime().exec(input);
+        } else if ("query".equals(action)) {
+            Statement stmt = dbConn.createStatement();
+            ResultSet rs = stmt.executeQuery("SELECT * FROM data WHERE key = '" + input + "'");
+            PrintWriter out = response.getWriter();
+            while (rs.next()) {
+                out.println(rs.getString(1));
+            }
+        } else if ("read".equals(action)) {
+            FileInputStream fis = new FileInputStream(input);
+            byte[] data = new byte[4096];
+            fis.read(data);
+            response.getWriter().println(new String(data));
+            // fis leaked
+        }
+    }
+}