apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-24 20:28:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

46
src/commands/config.rs
View file

@ -1,5 +1,5 @@
use crate::errors::NyxResult;
use crate::utils::config::{AnalysisRulesConfig, Config, ConfigLabelRule};
use crate::utils::config::{AnalysisRulesConfig, CapName, Config, ConfigLabelRule, RuleKind};
use console::style;
use std::fs;
use std::path::Path;
@ -26,20 +26,12 @@ pub fn add_rule(
kind: &str,
cap: &str,
) -> NyxResult<()> {
// Validate kind
if !["source", "sanitizer", "sink"].contains(&kind) {
return Err(
format!("Invalid kind '{kind}'. Must be one of: source, sanitizer, sink").into(),
);
}
// Validate cap
if crate::labels::parse_cap(cap).is_none() {
return Err(format!(
"Invalid cap '{cap}'. Must be one of: env_var, html_escape, shell_escape, url_encode, json_parse, file_io, all"
)
.into());
}
let rule_kind: RuleKind = kind
.parse()
.map_err(|e: String| crate::errors::NyxError::Msg(e))?;
let cap_name: CapName = cap
.parse()
.map_err(|e: String| crate::errors::NyxError::Msg(e))?;
let local_path = config_dir.join("nyx.local");
let mut config: Config = if local_path.exists() {
@ -57,8 +49,9 @@ pub fn add_rule(
let new_rule = ConfigLabelRule {
matchers: vec![matcher.to_string()],
kind: kind.to_string(),
cap: cap.to_string(),
kind: rule_kind,
cap: cap_name,
case_sensitive: false,
};
// Dedup
@ -66,7 +59,7 @@ pub fn add_rule(
lang_cfg.rules.push(new_rule);
}
write_local_config(&local_path, &config)?;
save_local_config(&local_path, &config)?;
println!(
"{}: Added {} rule for `{}` ({}) in {}",
@ -99,7 +92,7 @@ pub fn add_terminator(config_dir: &Path, lang: &str, name: &str) -> NyxResult<()
lang_cfg.terminators.push(name.to_string());
}
write_local_config(&local_path, &config)?;
save_local_config(&local_path, &config)?;
println!(
"{}: Added terminator `{}` for {}",
@ -111,11 +104,12 @@ pub fn add_terminator(config_dir: &Path, lang: &str, name: &str) -> NyxResult<()
}
/// Write only the non-default portions to nyx.local.
fn write_local_config(path: &Path, config: &Config) -> NyxResult<()> {
// Only write the analysis section to nyx.local to keep it minimal.
// Other settings keep their defaults unless previously customized.
pub(crate) fn save_local_config(path: &Path, config: &Config) -> NyxResult<()> {
// Write analysis + profiles + server settings to nyx.local.
let mut local = Config {
analysis: config.analysis.clone(),
profiles: config.profiles.clone(),
server: config.server.clone(),
..Config::default()
};
@ -124,8 +118,8 @@ fn write_local_config(path: &Path, config: &Config) -> NyxResult<()> {
!v.rules.is_empty() || !v.terminators.is_empty() || !v.event_handlers.is_empty()
});
// If no analysis rules, only write the analysis section
if local.analysis.languages.is_empty() {
// If no analysis rules and no disabled rules, clear the analysis section
if local.analysis.languages.is_empty() && local.analysis.disabled_rules.is_empty() {
local.analysis = AnalysisRulesConfig::default();
}
@ -156,8 +150,8 @@ mod tests {
let js = config.analysis.languages.get("javascript").unwrap();
assert_eq!(js.rules.len(), 1);
assert_eq!(js.rules[0].matchers, vec!["escapeHtml"]);
assert_eq!(js.rules[0].kind, "sanitizer");
assert_eq!(js.rules[0].cap, "html_escape");
assert_eq!(js.rules[0].kind, RuleKind::Sanitizer);
assert_eq!(js.rules[0].cap, CapName::HtmlEscape);
}
#[test]

205
src/commands/index.rs
View file

@ -2,6 +2,8 @@ use crate::cli::IndexAction;
use crate::database::index::{Indexer, IssueRow};
use crate::errors::NyxResult;
use crate::patterns::Severity;
use crate::server::progress::{ScanMetrics, ScanProgress, ScanStage};
use crate::server::scan_log::ScanLogCollector;
use crate::utils::Config;
use crate::utils::project::get_project_info;
use crate::walk::spawn_file_walker;
@ -13,6 +15,8 @@ use rayon::prelude::*;
use std::fs;
use std::path::PathBuf;
use std::process::exit;
use std::sync::Arc;
use std::sync::atomic::Ordering::Relaxed;
pub fn handle(
action: IndexAction,
@ -92,9 +96,39 @@ pub fn build_index(
config: &Config,
show_progress: bool,
) -> NyxResult<()> {
tracing::debug!("Building index for: {}", project_name);
fs::File::create(db_path)?;
build_index_with_observer(
project_name,
project_path,
db_path,
config,
show_progress,
None,
None,
None,
)
}
#[allow(clippy::too_many_arguments)]
pub fn build_index_with_observer(
project_name: &str,
project_path: &std::path::Path,
db_path: &std::path::Path,
config: &Config,
show_progress: bool,
progress: Option<&Arc<ScanProgress>>,
metrics: Option<&Arc<ScanMetrics>>,
logs: Option<&Arc<ScanLogCollector>>,
) -> NyxResult<()> {
// Pass 1 of the indexed scan reads persisted summaries produced here, so
// framework context must be populated at index-build time — otherwise
// framework-conditional label rules never contribute to the summaries
// and indexed scans diverge from non-indexed ones. Matches the
// auto-fill in scan_filesystem_with_observer /
// scan_with_index_parallel_observer.
let owned_cfg = crate::commands::scan::ensure_framework_ctx(project_path, config);
let config = owned_cfg.as_ref().unwrap_or(config);
tracing::debug!("Building index for: {}", project_name);
let pool = Indexer::init(db_path)?;
{
let idx = Indexer::from_pool(project_name, &pool)?;
@ -103,12 +137,45 @@ pub fn build_index(
tracing::debug!("Cleaned index for: {}", project_name);
if let Some(p) = progress {
p.set_stage(ScanStage::Discovering);
}
if let Some(l) = logs {
l.info(
format!("Rebuilding index for {}", project_path.display()),
None,
);
}
let walk_start = std::time::Instant::now();
let (rx, handle) = spawn_file_walker(project_path, config);
// Drain the channel BEFORE joining — the bounded channel will deadlock
// if we join first and the walker blocks on send.
let paths: Vec<PathBuf> = rx.into_iter().flatten().collect();
if let Err(err) = handle.join() {
tracing::error!("walker thread panicked: {:#?}", err);
if let Some(l) = logs {
l.error(
"Walker thread panicked during index rebuild",
None,
Some(format!("{err:#?}")),
);
}
}
if let Some(p) = progress {
p.record_walk_ms(walk_start.elapsed().as_millis() as u64);
p.set_files_discovered(paths.len() as u64);
p.set_stage(ScanStage::Indexing);
}
if let Some(l) = logs {
l.info(
format!(
"Index rebuild discovered {} files in {}ms",
paths.len(),
walk_start.elapsed().as_millis()
),
None,
);
}
let pb = if show_progress {
@ -126,6 +193,10 @@ pub fn build_index(
ProgressBar::hidden()
};
let progress = progress.cloned();
let metrics = metrics.cloned();
let logs = logs.cloned();
let pass1_start = std::time::Instant::now();
paths
.into_par_iter()
.try_for_each(|path| -> NyxResult<()> {
@ -137,12 +208,29 @@ pub fn build_index(
let bytes = std::fs::read(&path)?;
let hash = Indexer::digest_bytes(&bytes);
// Run AST-only rules (no taint yet — summaries come later in scan)
let issues =
crate::commands::scan::run_rules_on_bytes(&bytes, &path, config, None, None)?;
// Parse once and persist every artifact we can reuse later:
// findings, coarse summaries, and precise SSA summaries.
let fused = crate::commands::scan::analyse_file_fused(
&bytes,
&path,
config,
None,
Some(project_path),
)?;
if let Some(ref p) = progress {
p.inc_parsed(1);
p.set_current_file(&path.to_string_lossy());
if let Some(lang) = fused.summaries.first().map(|s| s.lang.as_str()) {
p.record_language(lang);
}
}
if let Some(ref m) = metrics {
m.cfg_nodes.fetch_add(fused.cfg_nodes as u64, Relaxed);
}
let file_id = idx.upsert_file_with_hash(&path, &hash)?;
let rows: Vec<IssueRow> = issues
let rows: Vec<IssueRow> = fused
.diags
.iter()
.map(|d| IssueRow {
rule_id: d.id.as_ref(),
@ -158,17 +246,72 @@ pub fn build_index(
idx.replace_issues(file_id, rows)?;
// Extract and persist function summaries for cross-file taint
let sums = crate::commands::scan::extract_summaries_from_bytes(&bytes, &path, config)
.unwrap_or_default();
if !sums.is_empty() {
idx.replace_summaries_for_file(&path, &hash, &sums)?;
if !fused.summaries.is_empty() {
idx.replace_summaries_for_file(&path, &hash, &fused.summaries)?;
}
if !fused.ssa_summaries.is_empty() {
let ssa_rows: Vec<_> = fused
.ssa_summaries
.into_iter()
.map(|(key, sum)| {
(
key.name,
key.arity.unwrap_or(0),
key.lang.as_str().to_string(),
key.namespace,
key.container,
key.disambig,
key.kind,
sum,
)
})
.collect();
idx.replace_ssa_summaries_for_file(&path, &hash, &ssa_rows)?;
}
// Persist SSA callee bodies at index-build time so CLI-initiated
// rebuilds (`--index rebuild`) populate the same
// `ssa_function_bodies` rows that `scan_with_index_parallel`
// would have written via its pass-1 branch. Without this,
// indexed scans load zero cross-file bodies and cross-file
// inline silently falls back to summary resolution.
if !fused.ssa_bodies.is_empty() {
let body_rows: Vec<_> = fused
.ssa_bodies
.into_iter()
.map(|(key, body)| {
(
key.name,
key.arity.unwrap_or(0),
key.lang.as_str().to_string(),
key.namespace,
key.container,
key.disambig,
key.kind,
body,
)
})
.collect();
idx.replace_ssa_bodies_for_file(&path, &hash, &body_rows)?;
}
pb.inc(1);
Ok(())
})?;
pb.finish_and_clear();
if let Some(p) = &progress {
p.record_pass1_ms(pass1_start.elapsed().as_millis() as u64);
}
if let Some(l) = &logs {
l.info(
format!(
"Index rebuild complete in {}ms",
pass1_start.elapsed().as_millis()
),
None,
);
}
{
let idx = Indexer::from_pool(project_name, &pool)?;
@ -204,3 +347,43 @@ fn build_index_creates_db_and_registers_files() {
assert_eq!(files.len(), 1, "exactly one file indexed");
assert_eq!(files[0], f_txt);
}
#[test]
fn build_index_persists_ssa_summaries() {
let mut cfg = Config::default();
cfg.performance.worker_threads = Some(1);
cfg.performance.channel_multiplier = 1;
cfg.performance.batch_size = 2;
let td = tempfile::tempdir().unwrap();
let project_dir = td.path().join("proj");
fs::create_dir(&project_dir).unwrap();
fs::write(
project_dir.join("app.js"),
r#"var express = require('express');
var app = express();
function cleanHtml(input) {
return DOMPurify.sanitize(input);
}
app.get('/safe', function(req, res) {
var name = req.query.name;
var safe = cleanHtml(name);
res.send(safe);
});
"#,
)
.unwrap();
let db_path = td.path().join("proj.sqlite");
build_index("proj", &project_dir, &db_path, &cfg, false).expect("index build should succeed");
let pool = Indexer::init(&db_path).unwrap();
let idx = Indexer::from_pool("proj", &pool).unwrap();
let ssa = idx.load_all_ssa_summaries().unwrap();
assert!(
!ssa.is_empty(),
"index build should persist SSA summaries for functions with non-trivial SSA effects"
);
}

279
src/commands/mod.rs
View file

@ -3,8 +3,10 @@ pub mod config;
pub mod index;
pub mod list;
pub mod scan;
#[cfg(feature = "serve")]
pub mod serve;
use crate::cli::{Commands, IndexMode, ScanMode};
use crate::cli::{Commands, EngineProfile, IndexMode, ScanMode};
use crate::errors::NyxResult;
use crate::patterns::{Severity, SeverityFilter};
use crate::utils::config::{AnalysisMode, Config};
@ -16,6 +18,22 @@ pub fn handle_command(
config_dir: &Path,
config: &mut Config,
) -> NyxResult<()> {
// Resolve engine options once for the whole process. Scan overlays CLI
// flags below; other subcommands use the config values verbatim. The
// install is a no-op after the first call, so Scan's overlay must happen
// before we reach this point for its own call path — we delay the install
// to the Scan arm and gate non-scan commands behind a fallback install of
// the bare config values.
let install_from_config = |config: &Config| {
if config.analysis.engine.parse_timeout_ms == 0 {
tracing::warn!(
"parse_timeout_ms = 0 disables tree-sitter parse timeout entirely; \
this is unsafe for untrusted input."
);
}
let _ = crate::utils::analysis_options::install(config.analysis.engine);
};
match command {
Commands::Scan {
path,
@ -23,10 +41,14 @@ pub fn handle_command(
format,
severity,
mode,
profile,
engine_profile,
explain_engine,
all_targets,
keep_nonprod_severity,
quiet,
fail_on,
no_state,
no_rank,
show_suppressed,
show_all,
@ -38,6 +60,27 @@ pub fn handle_command(
show_instances,
min_score,
min_confidence,
require_converged,
// Analysis engine toggles
constraint_solving,
no_constraint_solving,
abstract_interp,
no_abstract_interp,
context_sensitive,
no_context_sensitive,
symex,
no_symex,
cross_file_symex,
no_cross_file_symex,
symex_interproc,
no_symex_interproc,
smt,
no_smt,
backwards_analysis,
no_backwards_analysis,
parse_timeout_ms,
max_origins,
max_pointsto,
// Deprecated aliases
no_index,
rebuild_index,
@ -45,6 +88,11 @@ pub fn handle_command(
ast_only,
cfg_only,
} => {
// ── Apply profile first (CLI flags override after) ──────────
if let Some(ref name) = profile {
config.apply_profile(name)?;
}
// ── Resolve deprecated aliases ──────────────────────────────
// Index mode: explicit --index wins, then deprecated flags
@ -92,7 +140,8 @@ pub fn handle_command(
match effective_mode {
ScanMode::Full => config.scanner.mode = AnalysisMode::Full,
ScanMode::Ast => config.scanner.mode = AnalysisMode::Ast,
ScanMode::Cfg | ScanMode::Taint => config.scanner.mode = AnalysisMode::Taint,
ScanMode::Cfg => config.scanner.mode = AnalysisMode::Cfg,
ScanMode::Taint => config.scanner.mode = AnalysisMode::Taint,
}
if keep_nonprod_severity {
@ -103,6 +152,10 @@ pub fn handle_command(
config.output.quiet = true;
}
if no_state {
config.scanner.enable_state_analysis = false;
}
if no_rank {
config.output.attack_surface_ranking = false;
}
@ -120,6 +173,10 @@ pub fn handle_command(
})?);
}
if require_converged {
config.output.require_converged = true;
}
if show_all {
config.output.show_all = true;
}
@ -132,10 +189,100 @@ pub fn handle_command(
config.output.max_low_per_rule = max_low_per_rule;
config.output.rollup_examples = rollup_examples;
// ── Analysis engine toggles: resolve CLI → config ───────────
// Each pair is a tri-state (flag set ⇒ true, no-flag set ⇒ false,
// neither ⇒ inherit config default).
//
// Application order: profile first (wholesale reset), then
// individual flags layered on top so users can mix a profile
// with a targeted override (e.g. `--engine-profile fast
// --backwards-analysis`).
let mut engine = config.analysis.engine;
if let Some(ref prof) = engine_profile {
engine = prof.apply(engine);
}
if constraint_solving {
engine.constraint_solving = true;
}
if no_constraint_solving {
engine.constraint_solving = false;
}
if abstract_interp {
engine.abstract_interpretation = true;
}
if no_abstract_interp {
engine.abstract_interpretation = false;
}
if context_sensitive {
engine.context_sensitive = true;
}
if no_context_sensitive {
engine.context_sensitive = false;
}
if symex {
engine.symex.enabled = true;
}
if no_symex {
engine.symex.enabled = false;
}
if cross_file_symex {
engine.symex.cross_file = true;
}
if no_cross_file_symex {
engine.symex.cross_file = false;
}
if symex_interproc {
engine.symex.interprocedural = true;
}
if no_symex_interproc {
engine.symex.interprocedural = false;
}
if smt {
engine.symex.smt = true;
}
if no_smt {
engine.symex.smt = false;
}
if backwards_analysis {
engine.backwards_analysis = true;
}
if no_backwards_analysis {
engine.backwards_analysis = false;
}
if let Some(ms) = parse_timeout_ms {
engine.parse_timeout_ms = ms;
}
if let Some(n) = max_origins {
engine.max_origins = n.max(crate::utils::analysis_options::MIN_MAX_ORIGINS);
}
if let Some(n) = max_pointsto {
engine.max_pointsto = n.max(crate::utils::analysis_options::MIN_MAX_POINTSTO);
}
config.analysis.engine = engine;
if engine.parse_timeout_ms == 0 {
tracing::warn!(
"parse_timeout_ms = 0 disables tree-sitter parse timeout entirely; \
this is unsafe for untrusted input."
);
}
if !crate::utils::analysis_options::install(engine) {
tracing::warn!(
"analysis-engine runtime already installed; CLI engine flags ignored"
);
}
// ── --explain-engine: print resolved config and exit ────────
if explain_engine {
print_engine_explanation(config, engine_profile);
return Ok(());
}
let effective_format = format.unwrap_or(config.output.default_format);
scan::handle(
&path,
effective_index,
format,
effective_format,
severity_filter,
fail_on_sev,
show_suppressed,
@ -145,6 +292,7 @@ pub fn handle_command(
)?;
}
Commands::Index { action } => {
install_from_config(config);
index::handle(action, database_dir, config)?;
}
Commands::List { verbose } => {
@ -169,6 +317,131 @@ pub fn handle_command(
}
}
}
Commands::Serve {
path,
port,
host,
no_browser,
} => {
install_from_config(config);
#[cfg(feature = "serve")]
{
serve::handle(
&path,
port,
host.as_deref(),
no_browser,
config_dir,
database_dir,
config,
)?;
}
#[cfg(not(feature = "serve"))]
{
let _ = (path, port, host, no_browser);
return Err(crate::errors::NyxError::Msg(
"The `serve` feature is not enabled. Rebuild with `cargo build --features serve`.".into(),
));
}
}
}
Ok(())
}
/// Pretty-print the effective analysis-engine configuration for
/// `nyx scan --explain-engine`. Writes to stdout so it composes with
/// standard shell redirection and process substitution.
fn print_engine_explanation(config: &Config, engine_profile: Option<EngineProfile>) {
fn onoff(b: bool) -> &'static str {
if b { "on" } else { "off" }
}
let engine = config.analysis.engine;
let scanner = &config.scanner;
let profile_label = engine_profile
.map(|p| p.to_string())
.unwrap_or_else(|| "(none — using config defaults)".to_string());
let smt_compiled = cfg!(feature = "smt");
println!("Effective engine configuration:");
println!(" Engine profile: {profile_label}");
println!(" AST patterns: on");
println!(
" CFG construction: {}",
onoff(matches!(
config.scanner.mode,
AnalysisMode::Full | AnalysisMode::Cfg | AnalysisMode::Taint
))
);
println!(
" CFG analysis: {}",
onoff(matches!(
config.scanner.mode,
AnalysisMode::Full | AnalysisMode::Cfg | AnalysisMode::Taint
))
);
println!(
" Taint (SSA): {}",
onoff(matches!(
config.scanner.mode,
AnalysisMode::Full | AnalysisMode::Cfg | AnalysisMode::Taint
))
);
println!(
" Abstract interpretation: {} (--abstract-interp / NYX_ABSTRACT_INTERP)",
onoff(engine.abstract_interpretation)
);
println!(
" Context sensitivity: {} (--context-sensitive / NYX_CONTEXT_SENSITIVE, k=1)",
onoff(engine.context_sensitive)
);
println!(
" Constraint solving: {} (--constraint-solving / NYX_CONSTRAINT)",
onoff(engine.constraint_solving)
);
println!(
" Symbolic execution: {} (--symex / NYX_SYMEX)",
onoff(engine.symex.enabled)
);
println!(
" Cross-file symex: {} (--cross-file-symex / NYX_CROSS_FILE_SYMEX)",
onoff(engine.symex.cross_file)
);
println!(
" Interproc symex: {} (--symex-interproc / NYX_SYMEX_INTERPROC)",
onoff(engine.symex.interprocedural)
);
println!(
" Backwards taint: {} (--backwards-analysis / NYX_BACKWARDS)",
onoff(engine.backwards_analysis)
);
println!(
" SMT (Z3): {} (--smt{}; requires --features smt)",
onoff(engine.symex.smt && smt_compiled),
if smt_compiled {
""
} else {
", binary built WITHOUT smt feature"
}
);
println!(
" State analysis: {} (scanner.enable_state_analysis)",
onoff(scanner.enable_state_analysis)
);
println!(
" Auth analysis: {} (scanner.enable_auth_analysis)",
onoff(scanner.enable_auth_analysis)
);
println!(
" Parse timeout: {} ms (--parse-timeout-ms / NYX_PARSE_TIMEOUT_MS; 0 disables)",
engine.parse_timeout_ms
);
println!(
" Max taint origins: {} (--max-origins / NYX_MAX_ORIGINS; per-lattice-value cap)",
engine.max_origins
);
println!(
" Max points-to set: {} (--max-pointsto / NYX_MAX_POINTSTO; per-variable heap-object cap)",
engine.max_pointsto
);
}

2765
src/commands/scan.rs
View file

File diff suppressed because it is too large Load diff

159
src/commands/serve.rs Normal file
View file

@ -0,0 +1,159 @@
use crate::database::index::Indexer;
use crate::errors::NyxResult;
use crate::server::app::{AppState, build_router};
use crate::server::jobs::JobManager;
use crate::server::security::LocalServerSecurity;
use crate::utils::config::Config;
use crate::utils::project::get_project_info;
use console::style;
use parking_lot::RwLock;
use std::path::Path;
use std::sync::Arc;
pub fn handle(
path: &str,
port: Option<u16>,
host: Option<&str>,
no_browser: bool,
config_dir: &Path,
database_dir: &Path,
config: &Config,
) -> NyxResult<()> {
let scan_root = Path::new(path).canonicalize()?;
let requested_host = host
.map(String::from)
.unwrap_or_else(|| config.server.host.clone());
let host = normalize_loopback_host(&requested_host)?;
let port = port.unwrap_or(config.server.port);
let open_browser = !no_browser && config.server.open_browser;
let max_jobs = config.server.max_saved_runs as usize;
let rayon_stack_size = config.performance.rayon_thread_stack_size;
let (event_tx, _) = tokio::sync::broadcast::channel(64);
// Initialize DB pool for scan persistence
let db_pool = {
let (_, db_path) = get_project_info(&scan_root, database_dir)?;
match Indexer::init(&db_path) {
Ok(pool) => Some(pool),
Err(e) => {
tracing::warn!("Failed to initialize scan DB: {e}");
None
}
}
};
let addr = socket_addr(&host, port);
eprintln!(
"\n {} Nyx web UI at {}\n",
style("Serving").green().bold(),
style(format!("http://{addr}")).cyan().underlined(),
);
eprintln!(
" Scan root: {}\n Press {} to stop\n",
style(scan_root.display()).dim(),
style("Ctrl+C").bold(),
);
let rt = tokio::runtime::Builder::new_multi_thread()
.worker_threads(4)
.enable_all()
.build()
.map_err(|e| crate::errors::NyxError::Msg(format!("Failed to build tokio runtime: {e}")))?;
rt.block_on(async {
let listener = tokio::net::TcpListener::bind(&addr)
.await
.map_err(|e| crate::errors::NyxError::Msg(format!("Failed to bind {addr}: {e}")))?;
let local_addr = listener
.local_addr()
.map_err(|e| crate::errors::NyxError::Msg(format!("Failed to read local addr: {e}")))?;
let display_host = display_host(&host);
let url = format!("http://{}:{}", display_host, local_addr.port());
let security = LocalServerSecurity::new(local_addr.port());
let state = AppState {
scan_root: scan_root.clone(),
config_dir: config_dir.to_path_buf(),
database_dir: database_dir.to_path_buf(),
security,
config: Arc::new(RwLock::new(config.clone())),
job_manager: Arc::new(JobManager::new(max_jobs, rayon_stack_size)),
event_tx,
db_pool,
};
let router = build_router(state);
if open_browser {
open_browser_url(&url);
}
axum::serve(listener, router)
.with_graceful_shutdown(shutdown_signal())
.await
.map_err(|e| crate::errors::NyxError::Msg(format!("Server error: {e}")))?;
eprintln!("\n {} Server stopped.", style("Done.").green().bold());
Ok(())
})
}
fn normalize_loopback_host(host: &str) -> NyxResult<String> {
let normalized = host.trim().trim_matches(['[', ']']).to_ascii_lowercase();
match normalized.as_str() {
"localhost" | "127.0.0.1" | "::1" => Ok(normalized),
_ => Err(crate::errors::NyxError::Msg(format!(
"Nyx serve only binds to loopback addresses; refused host '{host}'"
))),
}
}
fn socket_addr(host: &str, port: u16) -> String {
if host.contains(':') {
format!("[{host}]:{port}")
} else {
format!("{host}:{port}")
}
}
fn display_host(host: &str) -> String {
if host.contains(':') {
format!("[{host}]")
} else {
host.to_string()
}
}
async fn shutdown_signal() {
tokio::signal::ctrl_c()
.await
.expect("failed to listen for Ctrl+C");
eprintln!("\n Shutting down...");
// SSE connections block graceful shutdown indefinitely.
// Use a raw OS thread to force exit — tokio tasks may not
// run reliably during shutdown.
std::thread::spawn(|| {
std::thread::sleep(std::time::Duration::from_millis(250));
std::process::exit(0);
});
}
fn open_browser_url(url: &str) {
#[cfg(target_os = "macos")]
{
let _ = std::process::Command::new("open").arg(url).spawn();
}
#[cfg(target_os = "linux")]
{
let _ = std::process::Command::new("xdg-open").arg(url).spawn();
}
#[cfg(target_os = "windows")]
{
let _ = std::process::Command::new("cmd")
.args(["/C", "start", url])
.spawn();
}
}