apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-24 20:28:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

Phase 1 (#33)

Browse source 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
This commit is contained in:
Eli Peter 2026-02-25 21:16:36 -05:00 committed by GitHub
parent 19b578c5c4
commit 1bbe4b1cfb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
456 changed files with 25628 additions and 1228 deletions
Download patch file Download diff file Expand all files Collapse all files

25
tests/fixtures/real_world/python/cfg/context_manager.expect.json vendored Normal file
View file

@ -0,0 +1,25 @@
{
"description": "File handle resource management comparing manual open vs context manager",
"tags": [
"cfg",
"resource-leak",
"context-manager",
"file-io"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "cfg-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
1,
7
],
"evidence_contains": [],
"notes": "read_file_unsafe opens file handle but never closes it"
}
]
}

15
tests/fixtures/real_world/python/cfg/context_manager.py vendored Normal file
View file

@ -0,0 +1,15 @@
def read_file_unsafe(path):
f = open(path, 'r')
data = f.read()
return data
# f never closed
def read_file_safe(path):
with open(path, 'r') as f:
data = f.read()
return data
def nested_context(path1, path2):
with open(path1, 'r') as f1:
with open(path2, 'w') as f2:
f2.write(f1.read())

36
tests/fixtures/real_world/python/cfg/early_return.expect.json vendored Normal file
View file

@ -0,0 +1,36 @@
{
"description": "Early return leaks file handle when header check fails",
"tags": [
"cfg",
"resource-leak",
"early-return",
"file-io"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "cfg-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
1,
12
],
"evidence_contains": [],
"notes": "process_file leaks file handle on early return when header does not start with #"
},
{
"rule_id": "state-resource-leak-possible",
"severity": null,
"must_match": false,
"line_range": [
2,
9
],
"evidence_contains": [],
"notes": "File handle leaked on one branch of the conditional"
}
]
}

19
tests/fixtures/real_world/python/cfg/early_return.py vendored Normal file
View file

@ -0,0 +1,19 @@
import os
def process_file(path):
f = open(path, 'r')
header = f.readline()
if not header.startswith('#'):
return None # leak: f not closed
data = f.read()
f.close()
return data
def process_with_guard(path):
if not os.path.exists(path):
return None
f = open(path, 'r')
try:
return f.read()
finally:
f.close()

37
tests/fixtures/real_world/python/cfg/raise_terminator.expect.json vendored Normal file
View file

@ -0,0 +1,37 @@
{
"description": "Validator raises exception on invalid input, acting as a guard before subprocess",
"tags": [
"cfg",
"validation",
"raise",
"flask",
"subprocess"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [
14,
21
],
"evidence_contains": [],
"notes": "Validator raise acts as guard - ideally no taint finding since invalid input is rejected"
},
{
"rule_id": "cfg-unguarded-sink",
"severity": null,
"must_match": false,
"line_range": [
15,
20
],
"evidence_contains": [],
"notes": "Subprocess call is guarded by validate_cmd raise - should not trigger"
}
]
}

19
tests/fixtures/real_world/python/cfg/raise_terminator.py vendored Normal file
View file

@ -0,0 +1,19 @@
from flask import Flask, request
import subprocess
app = Flask(__name__)
class ValidationError(Exception):
pass
def validate_cmd(cmd):
if not cmd.isalnum():
raise ValidationError("Invalid command")
return cmd
@app.route('/exec')
def exec_cmd():
cmd = request.args.get('cmd')
validated = validate_cmd(cmd)
result = subprocess.run([validated], capture_output=True)
return result.stdout.decode()

25
tests/fixtures/real_world/python/cfg/try_except_resource.expect.json vendored Normal file
View file

@ -0,0 +1,25 @@
{
"description": "Database connection resource management with try/except/finally vs missing close",
"tags": [
"cfg",
"resource-leak",
"sqlite",
"try-finally"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "cfg-resource-leak",
"severity": null,
"must_match": false,
"line_range": [
14,
23
],
"evidence_contains": [],
"notes": "query_db_leak opens sqlite3 connection but never closes it"
}
]
}

21
tests/fixtures/real_world/python/cfg/try_except_resource.py vendored Normal file
View file

@ -0,0 +1,21 @@
import sqlite3
def query_db(path, sql):
conn = sqlite3.connect(path)
try:
cursor = conn.cursor()
cursor.execute(sql)
results = cursor.fetchall()
return results
except Exception as e:
print(f"Error: {e}")
finally:
conn.close()
def query_db_leak(path, sql):
conn = sqlite3.connect(path)
cursor = conn.cursor()
cursor.execute(sql)
results = cursor.fetchall()
return results
# conn never closed