Added experimental control flow analysis and syntax classification for rust lang (#22)

* Introduce control flow graph (CFG) support:

- Added `cfg.rs` with CFG generation and analysis utilities.
- Integrated `petgraph` library for graph-based computations.
- Updated `ast.rs` to utilize CFG for function analysis.
- Modified `Cargo.toml` and `Cargo.lock` to include new dependencies.
- Improved static analysis with taint tracking through CFG paths.

* feat: enhance control flow analysis with taint tracking and node labeling

* feat: improve control flow graph with enhanced node handling and new tests

* Remove unnecessary reference marker in `byte_offset_to_point` comment.

* Remove unnecessary reference marker in `byte_offset_to_point` comment.

* Refactor `ast.rs` for performance and clarity; enhance `cfg.rs` with recursive CFG generation and improved classification logic for AST analysis.

* Refactor CFG and taint tracking logic:

- Enhanced `cfg.rs` with inline helper function `text_of` for cleaner UTF-8 handling in AST nodes.
- Expanded `labels.rs` rules with detailed `Sources`, `Sanitizers`, and `Sinks` for improved classification.
- Refined `push_node` to handle method call expressions with object-function pairing.
- Simplified code handling in trivia skipping and debug-only logic.

* Enhance `cfg.rs` with `first_call_ident` helper and improve identifier extraction logic in `push_node`.

* Add targeted CFG taint-tracking tests to enhance analysis coverage.

* Enhance CFG generation with loop expression handling and improve taint tracking logic. Add new sanitization example in `examples/sanitize/example.rs`.

* Update README with installation instructions for Cargo and GitHub releases.

* Expand taint-tracking with precise `def-use` computation and enhance `labels.rs` for detailed classification. Extend `examples/sanitize` with realistic scenarios demonstrating new rules.

* Refactor `labels.rs`:

- Removed redundant `LabelRule` entries for cleaner rule definitions.
- Adjusted matching logic to prioritize suffix and prefix matches effectively.

* Refactor `labels.rs`:

- Removed redundant `LabelRule` entries for cleaner rule definitions.
- Adjusted matching logic to prioritize suffix and prefix matches effectively.

* Add test for taint tracking with multiple sources in `cfg.rs`.

* Add `function_summaries` table and implement summary upsert/load methods. Refactor to handle summary storage and retrieval efficiently, with placeholder clean/drop logic.

* refactor: split `labels.rs` into modular structure with language-specific files

* refactor: split `labels.rs` into modular structure with language-specific files

* refactor: clean up SQL table definitions in `database.rs` for better readability

* refactor: simplify CFG structure by removing lifetime parameters and enhancing taint metadata handling

* refactor: update TODO comments in `cfg.rs` to clarify future enhancements for cap labels and function details

* refactor: remove redundant header from README.md for improved clarity

* feat: add PHF-based syntax classifiers and Kind enum for efficient syntax mapping across languages

* feat: introduce analysis modes for enhanced scanner configuration and diagnostics

* feat: define Kind enum for syntax classification in control flow analysis

* feat: bump version to 0.2.0-alpha and update CHANGELOG for new features and fixes

* refactor: clean up imports and formatting in AST and CFG modules for improved readability

* refactor: simplify function signatures and improve code readability in CFG and module files

* fix: correct rayon_thread_stack_size comment to reflect actual value of 8 MiB

* refactor: update string formatting in clean and project modules for consistency

* refactor: fix indentation in clean.rs for improved readability

---------

Co-authored-by: elipeter <eli.peter@es.fcm.travel>
This commit is contained in:
Eli Peter 2025-06-28 17:36:14 +02:00 committed by GitHub
parent fd65360818
commit 3c21efba75
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 1585 additions and 79 deletions

View file

@ -1,13 +1,11 @@
<div align="center">
<img src="assets/logo.png" alt="nyx logo" width="300"/>
# Nyx
**Fast, cross-language cli vulnerability scanner.**
[![crates.io](https://img.shields.io/crates/v/nyx-scanner.svg)](https://crates.io/crates/nyx-scanner)
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
[![Rust](https://img.shields.io/badge/rust-1.70+-orange.svg)](https://www.rust-lang.org)
[![Rust 1.85+](https://img.shields.io/badge/rust-1.85%2B-orange)](https://www.rust-lang.org)
[![CI](https://img.shields.io/github/actions/workflow/status/ecpeter23/nyx/ci.yml?branch=master)](https://github.com/ecpeter23/nyx/actions)
</div>
@ -18,7 +16,7 @@
**Nyx** is a lightweight lightning-fast Rustnative commandline tool that detects potentially dangerous code patterns across several programming languages. It combines the accuracy of [`treesitter`](https://tree-sitter.github.io/) parsing with a curated rule set and an optional SQLitebacked index to deliver fast, repeatable scans on projects of any size.
> **Project status Alpha**
> Nyx is under active development. The public interface, rule set, and output formats may change without notice while we stabilize the core. Please pin exact versions in production environments.
> Nyx is under active development. The public interface, rule set, and output formats may change without notice while we stabilise the core. The new CFG + taint engine is experimental and Rust-only for now please report any crashes or false-positives. Pin exact versions in production environments
---
@ -50,17 +48,49 @@
## Installation
### Install crate
```bash
$ cargo install nyx-scanner
```
### Install Github release
1. Navigate to the [Releases](https://github.com/ecpeter23/nyx/releases) page of the repository.
2. Download the appropriate binary for your system:
```nyx-x86_64-unknown-linux-gnu.zip``` for Linux
```nyx-x86_64-pc-windows-msvc.zip``` for Windows
```nyx-x86_64-apple-darwin.zip``` or ```nyx-aarch64-apple-darwin.zip``` for macOS (Intel or Apple Silicon)
3. Unzip the file and move the executable to a directory in your system PATH:
```bash
# Example for Unix systems
unzip nyx-x86_64-unknown-linux-gnu.zip
chmod +x nyx
sudo mv nyx /usr/local/bin/
```
```bash
# Example for Windows in PowerShell
Expand-Archive -Path nyx-x86_64-pc-windows-msvc.zip -DestinationPath .
Move-Item -Path .\nyx.exe -Destination "C:\Program Files\Nyx\" # Add to PATH manually if needed
```
4. Verify the installation:
```bash
nyx --version
```
### Build from source
```bash
$ git clone https://github.com/<yourorg>/nyx.git
$ git clone https://github.com/ecpeter23/nyx.git
$ cd nyx
$ cargo build --release
# optional copy the binary into PATH
$ cargo install --path .
```
Nyx targets **stable Rust 1.78 or later**.
Nyx targets **stable Rust 1.85 or later**.
---
@ -142,18 +172,29 @@ A fully documented `nyx.conf` is generated automatically on first run.
## Roadmap
| Area | Planned Improvements |
|-----------------------|---------------------------------------------------------------------------|
| More language support | Plans to create rule sets for over 100 languages for maximum coverage |
| Controlflow analysis | Generation of CFGs for deeper reasoning about execution paths |
| Taint tracking | Intra / interprocedural tracing of untrusted data from sources to sinks |
| Output formats | Full SARIF 2.1.0, JUnit XML, HTML report generator |
| Rule updates | Remote rule feed with signature verification |
| Area | Planned Improvements |
|-----------------------|-------------------------------------------------------------------------------------------------------|
| More language support | Plans to create rule sets for over 100 languages for maximum coverage |
| Controlflow analysis | Interprocedural function summaries. Cap label propagation & bitflag checks. Loop/branch sensitivity |
| Taint tracking | Intra / interprocedural tracing of untrusted data from sources to sinks |
| Output formats | Full SARIF 2.1.0, JUnit XML, HTML report generator |
| Rule updates | Remote rule feed with signature verification |
| Performance & UX | Incremental CFG cache, progressbar UX, smart filewatch rescan |
Community feedback will help shape priorities; please open an issue to discuss proposed changes.
---
## Experimental Features & Feedback
The new Rust intraprocedural CFG + taint engine is not enabled.
Expect rough edges: slightly slower scans, occasional false positives, limited language coverage.
Please open an issue for every crash, panic, or suspicious result attach the minimal code snippet and mention the Nyx version.
---
## Contributing
Pull requests are welcome. To contribute: