Authorization analysis logic improvements (#61)

2026-06-15 20:05:13 +02:00 · 2026-05-02 16:44:49 -04:00 · 2026-05-02 16:44:49 -04:00 · 40995e45e7
commit 40995e45e7
parent 3c89bddbf2
55 changed files with 4193 additions and 134 deletions
--- a/src/cfg_analysis/resources.rs
+++ b/src/cfg_analysis/resources.rs
@ -3,6 +3,7 @@ use super::rules;
 use super::{AnalysisContext, CfgAnalysis, CfgFinding, Confidence};
 use crate::cfg::{EdgeKind, StmtKind};
 use crate::patterns::Severity;
+use crate::symbol::Lang;
 use petgraph::graph::NodeIndex;
 use petgraph::visit::EdgeRef;
 use std::collections::HashSet;
@ -423,6 +424,23 @@ impl CfgAnalysis for ResourceMisuse {
                if ctx.cfg[acquire].managed_resource {
                    continue;
                }
+                // SAFE-FOR-FIELD-LHS (Go only): skip member-expression
+                // LHS acquires.  `b.cpuprof = os.Create(...)` transfers
+                // ownership to the containing struct; closure
+                // responsibility belongs to a paired Stop()/Release()
+                // method on the struct's lifecycle.  Mirrors the gate
+                // in src/state/transfer.rs::apply_call.  Production
+                // trigger: prometheus
+                // cmd/promtool/tsdb.go::startProfiling cluster.
+                // Restricted to Go because TS/JS class-field acquires
+                // (`this.fd = fs.openSync(...)`) are still expected to
+                // be tracked — the leak fixtures rely on it.
+                if ctx.lang == Lang::Go
+                    && let Some(acquired_var) = ctx.cfg[acquire].taint.defines.as_deref()
+                    && acquired_var.contains('.')
+                {
+                    continue;
+                }
                // Suppress resources with a deferred release (Go `defer f.Close()`).
                // Defer guarantees cleanup on all exit paths including early returns.
                if let Some(acquired_var) = ctx.cfg[acquire].taint.defines.as_deref() {