Phase 1 (#33)

* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-06-21 20:18:06 +02:00 · 2026-02-25 21:16:36 -05:00 · 2026-02-25 21:16:36 -05:00 · 1bbe4b1cfb
commit 1bbe4b1cfb
parent 19b578c5c4
456 changed files with 25628 additions and 1228 deletions
--- a/tests/fixtures/real_world/python/mixed/flask_full_stack.expect.json
+++ b/tests/fixtures/real_world/python/mixed/flask_full_stack.expect.json
@ -0,0 +1,72 @@
+{
+  "description": "Flask app with multiple vulnerability types: cmdi, path traversal, eval, resource leak",
+  "tags": [
+    "taint",
+    "state",
+    "cmdi",
+    "path-traversal",
+    "eval",
+    "flask",
+    "mixed"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        7,
+        13
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('cmd') flows into subprocess.run with shell=True"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        13,
+        20
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('path') flows into open() - path traversal"
+    },
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        21,
+        26
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('expr') flows into eval()"
+    },
+    {
+      "rule_id": "py.code_exec.eval",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        22,
+        26
+      ],
+      "evidence_contains": [],
+      "notes": "eval() is a dangerous function - AST pattern match"
+    },
+    {
+      "rule_id": "state-resource-leak",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        12,
+        21
+      ],
+      "evidence_contains": [],
+      "notes": "File handle opened in read_file but never closed"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/mixed/flask_full_stack.py
+++ b/tests/fixtures/real_world/python/mixed/flask_full_stack.py
@ -0,0 +1,24 @@
+from flask import Flask, request
+import subprocess
+import os
+
+app = Flask(__name__)
+
+@app.route('/api/exec')
+def execute():
+    cmd = request.args.get('cmd')
+    result = subprocess.run(cmd, shell=True, capture_output=True)
+    return result.stdout.decode()
+
+@app.route('/api/read')
+def read_file():
+    path = request.args.get('path')
+    f = open(path, 'r')
+    data = f.read()
+    return data
+    # f leaked + path traversal taint
+
+@app.route('/api/eval')
+def eval_expr():
+    expr = request.args.get('expr')
+    return str(eval(expr))
--- a/tests/fixtures/real_world/python/mixed/taint_through_file.expect.json
+++ b/tests/fixtures/real_world/python/mixed/taint_through_file.expect.json
@ -0,0 +1,38 @@
+{
+  "description": "User-controlled filename in open() with resource leak on early return",
+  "tags": [
+    "taint",
+    "state",
+    "path-traversal",
+    "resource-leak",
+    "flask",
+    "mixed"
+  ],
+  "modes": [
+    "full"
+  ],
+  "expected": [
+    {
+      "rule_id": "taint-unsanitised-flow",
+      "severity": null,
+      "must_match": true,
+      "line_range": [
+        6,
+        13
+      ],
+      "evidence_contains": [],
+      "notes": "request.args.get('name') flows through os.path.join into open()"
+    },
+    {
+      "rule_id": "state-resource-leak-possible",
+      "severity": null,
+      "must_match": false,
+      "line_range": [
+        9,
+        18
+      ],
+      "evidence_contains": [],
+      "notes": "File handle leaked when early return triggered by data length check"
+    }
+  ]
+}
--- a/tests/fixtures/real_world/python/mixed/taint_through_file.py
+++ b/tests/fixtures/real_world/python/mixed/taint_through_file.py
@ -0,0 +1,17 @@
+from flask import Flask, request
+import os
+
+app = Flask(__name__)
+
+@app.route('/save')
+def save_data():
+    filename = request.args.get('name')
+    data = request.args.get('data')
+    filepath = os.path.join('/tmp', filename)
+    f = open(filepath, 'w')
+    f.write(data)
+    if len(data) > 10000:
+        return 'Too large', 413
+        # f leaks on early return
+    f.close()
+    return 'OK'