Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-24 20:28:06 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/tests/fixtures/real_world/javascript/state/db_connection.expect.json
+++ b/tests/fixtures/real_world/javascript/state/db_connection.expect.json
@ -0,0 +1,25 @@
+{
+  "description": "Database connection leak: queryUnsafe creates a mysql connection without calling conn.end(). querySafe properly closes.",
+  "tags": [
+    "state",
+    "resource-leak",
+    "database",
+    "mysql"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "state-resource-leak",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        2,
+        11
+      ],
+      "evidence_contains": [],
+      "notes": "mysql.createConnection without conn.end(); scanner may not track mysql connection lifecycle"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/javascript/state/db_connection.js
+++ b/tests/fixtures/real_world/javascript/state/db_connection.js
@ -0,0 +1,19 @@
+var mysql = require('mysql');
+
+function queryUnsafe() {
+    var conn = mysql.createConnection({ host: 'localhost' });
+    conn.connect();
+    conn.query('SELECT 1', function(err, results) {
+        console.log(results);
+    });
+    // Missing conn.end()
+}
+
+function querySafe() {
+    var conn = mysql.createConnection({ host: 'localhost' });
+    conn.connect();
+    conn.query('SELECT 1', function(err, results) {
+        console.log(results);
+        conn.end();
+    });
+}
--- a/tests/fixtures/real_world/javascript/state/event_listener_leak.expect.json
+++ b/tests/fixtures/real_world/javascript/state/event_listener_leak.expect.json
@ -0,0 +1,25 @@
+{
+  "description": "Event listener leak: socket connections accumulate without cleanup handlers. Safe version registers close and error handlers.",
+  "tags": [
+    "state",
+    "resource-leak",
+    "event-listener",
+    "net"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "state-resource-leak",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        3,
+        14
+      ],
+      "evidence_contains": [],
+      "notes": "Socket connections accumulate in array without close/error handlers; scanner likely cannot track event listener patterns"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/javascript/state/event_listener_leak.js
+++ b/tests/fixtures/real_world/javascript/state/event_listener_leak.js
@ -0,0 +1,39 @@
+var net = require('net');
+
+function startServer() {
+    var connections = [];
+    var server = net.createServer(function(socket) {
+        connections.push(socket);
+        socket.on('data', function(data) {
+            handleData(socket, data);
+        });
+        // Missing: socket.on('close', ...) cleanup
+        // Missing: socket.on('error', ...) cleanup
+    });
+    server.listen(3000);
+}
+
+function startServerSafe() {
+    var connections = [];
+    var server = net.createServer(function(socket) {
+        connections.push(socket);
+        socket.on('data', function(data) {
+            handleData(socket, data);
+        });
+        socket.on('close', function() {
+            var idx = connections.indexOf(socket);
+            if (idx !== -1) {
+                connections.splice(idx, 1);
+            }
+        });
+        socket.on('error', function(err) {
+            console.error('Socket error:', err);
+            socket.destroy();
+        });
+    });
+    server.listen(3000);
+}
+
+function handleData(socket, data) {
+    socket.write('echo: ' + data.toString());
+}
--- a/tests/fixtures/real_world/javascript/state/fd_leak.expect.json
+++ b/tests/fixtures/real_world/javascript/state/fd_leak.expect.json
@ -0,0 +1,25 @@
+{
+  "description": "File descriptor leak in readAndProcess (missing closeSync). readAndClose properly closes the fd.",
+  "tags": [
+    "state",
+    "resource-leak",
+    "fd",
+    "fs"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "state-resource-leak",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        2,
+        10
+      ],
+      "evidence_contains": [],
+      "notes": "fd from fs.openSync is never closed in readAndProcess; scanner may not track JS fd lifecycle"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/javascript/state/fd_leak.js
+++ b/tests/fixtures/real_world/javascript/state/fd_leak.js
@ -0,0 +1,17 @@
+var fs = require('fs');
+
+function readAndProcess(path) {
+    var fd = fs.openSync(path, 'r');
+    var buf = Buffer.alloc(1024);
+    fs.readSync(fd, buf);
+    // Missing: fs.closeSync(fd)
+    return buf.toString();
+}
+
+function readAndClose(path) {
+    var fd = fs.openSync(path, 'r');
+    var buf = Buffer.alloc(1024);
+    fs.readSync(fd, buf);
+    fs.closeSync(fd);
+    return buf.toString();
+}
--- a/tests/fixtures/real_world/javascript/state/handle_reuse.expect.json
+++ b/tests/fixtures/real_world/javascript/state/handle_reuse.expect.json
@ -0,0 +1,37 @@
+{
+  "description": "Double-close and use-after-close patterns with file descriptors. Both are temporal safety violations.",
+  "tags": [
+    "state",
+    "double-close",
+    "use-after-close",
+    "fd",
+    "fs"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "state-double-close",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        2,
+        8
+      ],
+      "evidence_contains": [],
+      "notes": "fd closed twice in doubleClose; scanner may not track JS fd state transitions"
+    },
+    {
+      "rule_id": "state-use-after-close",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        8,
+        15
+      ],
+      "evidence_contains": [],
+      "notes": "fd used in readSync after closeSync in useAfterClose; scanner may not track JS fd state transitions"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/javascript/state/handle_reuse.js
+++ b/tests/fixtures/real_world/javascript/state/handle_reuse.js
@ -0,0 +1,14 @@
+var fs = require('fs');
+
+function doubleClose(path) {
+    var fd = fs.openSync(path, 'r');
+    fs.closeSync(fd);
+    fs.closeSync(fd); // double close!
+}
+
+function useAfterClose(path) {
+    var fd = fs.openSync(path, 'r');
+    fs.closeSync(fd);
+    var buf = Buffer.alloc(1024);
+    fs.readSync(fd, buf); // use after close!
+}