apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

324
src/server/app.rs Normal file
View file

@ -0,0 +1,324 @@
use crate::server::jobs::JobManager;
use crate::server::progress::TimingBreakdown;
use crate::server::routes;
use crate::server::security::LocalServerSecurity;
use crate::utils::config::Config;
use axum::Router;
use parking_lot::RwLock;
use r2d2::Pool;
use r2d2_sqlite::SqliteConnectionManager;
use std::path::PathBuf;
use std::sync::Arc;
use tokio::sync::broadcast;
/// Events broadcast over SSE to connected clients.
#[derive(Debug, Clone, serde::Serialize)]
#[serde(tag = "type", content = "data")]
pub enum ServerEvent {
ScanStarted {
job_id: String,
},
ScanCompleted {
job_id: String,
},
ScanFailed {
job_id: String,
error: String,
},
ScanProgress {
job_id: String,
stage: String,
files_discovered: u64,
files_parsed: u64,
files_analyzed: u64,
files_skipped: u64,
batches_total: u64,
batches_completed: u64,
current_file: String,
elapsed_ms: u64,
timing: TimingBreakdown,
},
ConfigChanged,
}
/// Shared application state accessible to all route handlers.
#[derive(Clone)]
pub struct AppState {
pub scan_root: PathBuf,
pub config_dir: PathBuf,
pub database_dir: PathBuf,
pub security: Arc<LocalServerSecurity>,
pub config: Arc<RwLock<Config>>,
pub job_manager: Arc<JobManager>,
pub event_tx: broadcast::Sender<ServerEvent>,
pub db_pool: Option<Arc<Pool<SqliteConnectionManager>>>,
}
/// 50 MiB cap on request bodies — generous for config uploads, tight
/// enough to prevent OOM from a rogue client.
const MAX_BODY_BYTES: usize = 50 * 1024 * 1024;
/// CSP allowing self-hosted scripts only; `'unsafe-inline'` on styles is
/// required by the Vite-built React bundle's inlined CSS.
const CSP: &str = "default-src 'self'; \
script-src 'self'; \
style-src 'self' 'unsafe-inline'; \
img-src 'self' data:; \
connect-src 'self'";
/// Build the main axum router with all API routes and static asset fallback.
pub fn build_router(state: AppState) -> Router {
use axum::extract::DefaultBodyLimit;
use axum::http::{HeaderName, HeaderValue, header};
use axum::middleware;
use tower_http::compression::CompressionLayer;
use tower_http::set_header::SetResponseHeaderLayer;
let security = Arc::clone(&state.security);
Router::new()
.nest("/api", routes::api_routes())
.fallback(crate::server::assets::static_handler)
.layer(middleware::from_fn_with_state(
security,
crate::server::security::guard_requests,
))
.layer(CompressionLayer::new())
.layer(SetResponseHeaderLayer::overriding(
HeaderName::from_static("x-frame-options"),
HeaderValue::from_static("DENY"),
))
.layer(SetResponseHeaderLayer::overriding(
header::X_CONTENT_TYPE_OPTIONS,
HeaderValue::from_static("nosniff"),
))
.layer(SetResponseHeaderLayer::overriding(
header::REFERRER_POLICY,
HeaderValue::from_static("no-referrer"),
))
.layer(SetResponseHeaderLayer::overriding(
header::CONTENT_SECURITY_POLICY,
HeaderValue::from_static(CSP),
))
.layer(DefaultBodyLimit::max(MAX_BODY_BYTES))
.with_state(state)
}
#[cfg(test)]
mod tests {
use super::*;
use axum::body::{Body, to_bytes};
use axum::http::{Request, StatusCode};
#[cfg(unix)]
use std::os::unix::fs::symlink;
use tower::util::ServiceExt;
fn test_state(scan_root: PathBuf, port: u16) -> AppState {
let (event_tx, _) = broadcast::channel(8);
AppState {
scan_root: scan_root.clone(),
config_dir: scan_root.clone(),
database_dir: scan_root.clone(),
security: LocalServerSecurity::new(port),
config: Arc::new(RwLock::new(Config::default())),
job_manager: Arc::new(JobManager::new(4, 8 * 1024 * 1024)),
event_tx,
db_pool: None,
}
}
async fn session_token(state: &AppState) -> String {
let response = build_router(state.clone())
.oneshot(
Request::builder()
.uri("/api/session")
.header("host", "localhost:9700")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(response.status(), StatusCode::OK);
let body = to_bytes(response.into_body(), 64 * 1024).await.unwrap();
let payload: serde_json::Value = serde_json::from_slice(&body).unwrap();
payload["csrf_token"].as_str().unwrap().to_string()
}
#[tokio::test]
async fn rejects_bad_host_headers() {
let dir = tempfile::tempdir().unwrap();
let app = build_router(test_state(dir.path().to_path_buf(), 9700));
let response = app
.oneshot(
Request::builder()
.uri("/api/health")
.header("host", "evil.example:9700")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(response.status(), StatusCode::BAD_REQUEST);
}
#[tokio::test]
async fn blocks_mutations_without_csrf_token() {
let dir = tempfile::tempdir().unwrap();
let app = build_router(test_state(dir.path().to_path_buf(), 9700));
let response = app
.oneshot(
Request::builder()
.method("POST")
.uri("/api/scans")
.header("host", "localhost:9700")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(response.status(), StatusCode::FORBIDDEN);
}
#[tokio::test]
async fn blocks_cross_origin_mutations_even_with_csrf_token() {
let dir = tempfile::tempdir().unwrap();
let state = test_state(dir.path().to_path_buf(), 9700);
let token = session_token(&state).await;
let app = build_router(state);
let response = app
.oneshot(
Request::builder()
.method("POST")
.uri("/api/scans")
.header("host", "localhost:9700")
.header("origin", "http://evil.example:9700")
.header("x-nyx-csrf", token)
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(response.status(), StatusCode::FORBIDDEN);
}
#[tokio::test]
async fn rejects_traversal_in_file_route() {
let dir = tempfile::tempdir().unwrap();
let app = build_router(test_state(dir.path().to_path_buf(), 9700));
let response = app
.oneshot(
Request::builder()
.uri("/api/files?path=..%2Fsecret.txt")
.header("host", "localhost:9700")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(response.status(), StatusCode::FORBIDDEN);
}
#[tokio::test]
async fn security_headers_present_on_response() {
let dir = tempfile::tempdir().unwrap();
let app = build_router(test_state(dir.path().to_path_buf(), 9700));
let response = app
.oneshot(
Request::builder()
.uri("/api/health")
.header("host", "localhost:9700")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
let headers = response.headers();
assert_eq!(
headers.get("x-frame-options").and_then(|v| v.to_str().ok()),
Some("DENY"),
);
assert_eq!(
headers
.get("x-content-type-options")
.and_then(|v| v.to_str().ok()),
Some("nosniff"),
);
assert_eq!(
headers.get("referrer-policy").and_then(|v| v.to_str().ok()),
Some("no-referrer"),
);
let csp = headers
.get("content-security-policy")
.and_then(|v| v.to_str().ok())
.unwrap_or("");
assert!(csp.contains("default-src 'self'"), "CSP was: {csp}");
assert!(csp.contains("script-src 'self'"), "CSP was: {csp}");
}
/// Panic inside a thread that holds a write guard on the shared config lock.
/// With `parking_lot::RwLock`, the lock must remain usable afterwards —
/// this is the poison-recovery contract we rely on in every route handler.
#[tokio::test]
async fn config_lock_survives_panic_in_write_guard() {
let dir = tempfile::tempdir().unwrap();
let state = test_state(dir.path().to_path_buf(), 9700);
let lock = Arc::clone(&state.config);
let join = std::thread::spawn(move || {
let _guard = lock.write();
panic!("simulated handler panic while holding write lock");
});
assert!(join.join().is_err(), "worker thread was expected to panic");
// A follow-up request that reads the config must still succeed.
let app = build_router(state);
let response = app
.oneshot(
Request::builder()
.uri("/api/config")
.header("host", "localhost:9700")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(response.status(), StatusCode::OK);
}
#[cfg(unix)]
#[tokio::test]
async fn explorer_tree_skips_symlink_escapes() {
let dir = tempfile::tempdir().unwrap();
let outside = tempfile::tempdir().unwrap();
let outside_file = outside.path().join("secret.rs");
std::fs::write(&outside_file, "fn leaked() {}").unwrap();
symlink(&outside_file, dir.path().join("escape.rs")).unwrap();
let response = build_router(test_state(dir.path().to_path_buf(), 9700))
.oneshot(
Request::builder()
.uri("/api/explorer/tree")
.header("host", "localhost:9700")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(response.status(), StatusCode::OK);
let body = to_bytes(response.into_body(), 64 * 1024).await.unwrap();
let payload: serde_json::Value = serde_json::from_slice(&body).unwrap();
let entries = payload.as_array().unwrap();
assert!(entries.iter().all(|entry| entry["name"] != "escape.rs"));
}
}

39
src/server/assets.rs Normal file
View file

@ -0,0 +1,39 @@
use axum::extract::Request;
use axum::http::{StatusCode, header};
use axum::response::{Html, IntoResponse, Response};
static INDEX_HTML: &str = include_str!("assets/dist/index.html");
static STYLE_CSS: &str = include_str!("assets/dist/style.css");
static APP_JS: &str = include_str!("assets/dist/app.js");
static FAVICON_SVG: &str = include_str!("assets/favicon.svg");
/// Serve embedded static files or fall back to the SPA shell.
pub async fn static_handler(req: Request) -> Response {
let path = req.uri().path();
match path {
"/style.css" => (
StatusCode::OK,
[(header::CONTENT_TYPE, "text/css; charset=utf-8")],
STYLE_CSS,
)
.into_response(),
"/app.js" => (
StatusCode::OK,
[(
header::CONTENT_TYPE,
"application/javascript; charset=utf-8",
)],
APP_JS,
)
.into_response(),
"/favicon.svg" => (
StatusCode::OK,
[(header::CONTENT_TYPE, "image/svg+xml")],
FAVICON_SVG,
)
.into_response(),
// SPA fallback: any non-API path serves index.html.
_ => Html(INDEX_HTML).into_response(),
}
}

4
src/server/assets/favicon.svg Normal file
View file

@ -0,0 +1,4 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">
<rect width="32" height="32" rx="6" fill="#1a1a2e"/>
<text x="16" y="23" font-family="system-ui" font-size="20" font-weight="bold" fill="#e94560" text-anchor="middle">N</text>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 248 B

1376
src/server/debug.rs Normal file
View file

File diff suppressed because it is too large Load diff

642
src/server/jobs.rs Normal file
View file

@ -0,0 +1,642 @@
use crate::commands::scan::{self, Diag};
use crate::database::index::{Indexer, ScanRecord};
use crate::server::app::ServerEvent;
use crate::server::progress::{ScanMetrics, ScanProgress, TimingBreakdown};
use crate::server::scan_log::ScanLogCollector;
use crate::utils::config::Config;
use crate::utils::project::get_project_info;
use r2d2::Pool;
use r2d2_sqlite::SqliteConnectionManager;
use std::collections::HashMap;
use std::path::PathBuf;
use std::sync::{Arc, Mutex};
use std::time::Instant;
use tokio::sync::broadcast;
use uuid::Uuid;
/// Build a dedicated rayon thread pool for server-initiated scans.
/// Reserves at least 2 cores for the tokio HTTP server so the UI stays
/// responsive while a scan is running.
fn build_scan_pool(stack_size: usize) -> rayon::ThreadPool {
let total = num_cpus::get();
let scan_threads = total.saturating_sub(2).max(1);
rayon::ThreadPoolBuilder::new()
.num_threads(scan_threads)
.stack_size(stack_size)
.thread_name(|i| format!("nyx-scan-{i}"))
.build()
.expect("failed to build scan thread pool")
}
/// Status of a scan job.
#[derive(Debug, Clone, PartialEq, Eq, serde::Serialize)]
#[serde(rename_all = "lowercase")]
pub enum JobStatus {
Queued,
Running,
Completed,
Failed,
}
/// A single scan job with its state and results.
#[derive(Debug, Clone)]
pub struct ScanJob {
pub id: String,
pub status: JobStatus,
pub scan_root: PathBuf,
pub started_at: Option<chrono::DateTime<chrono::Utc>>,
pub finished_at: Option<chrono::DateTime<chrono::Utc>>,
pub duration_secs: Option<f64>,
pub findings: Option<Arc<Vec<Diag>>>,
pub error: Option<String>,
pub progress: Option<Arc<ScanProgress>>,
pub metrics: Option<Arc<ScanMetrics>>,
pub log_collector: Option<Arc<ScanLogCollector>>,
pub engine_version: Option<String>,
pub languages: Option<Vec<String>>,
pub files_scanned: Option<u64>,
pub timing: Option<TimingBreakdown>,
}
/// Manages scan jobs with single-scan policy.
pub struct JobManager {
jobs: Mutex<HashMap<String, ScanJob>>,
/// Insertion-order tracking for listing.
job_order: Mutex<Vec<String>>,
active_job_id: Mutex<Option<String>>,
max_jobs: usize,
/// Dedicated rayon pool for scans — keeps the global pool (and tokio
/// worker threads) free so the web UI stays responsive during a scan.
scan_pool: rayon::ThreadPool,
}
impl std::fmt::Debug for JobManager {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.debug_struct("JobManager")
.field("max_jobs", &self.max_jobs)
.finish()
}
}
impl JobManager {
pub fn new(max_jobs: usize, rayon_stack_size: usize) -> Self {
Self {
jobs: Mutex::new(HashMap::new()),
job_order: Mutex::new(Vec::new()),
active_job_id: Mutex::new(None),
max_jobs,
scan_pool: build_scan_pool(rayon_stack_size),
}
}
/// Start a new scan. Returns Err if a scan is already running.
pub fn start_scan(
self: &Arc<Self>,
scan_root: PathBuf,
mut config: Config,
event_tx: broadcast::Sender<ServerEvent>,
db_pool: Option<Arc<Pool<SqliteConnectionManager>>>,
database_dir: PathBuf,
) -> Result<String, &'static str> {
let mut active = self.active_job_id.lock().unwrap();
if active.is_some() {
return Err("A scan is already running");
}
let job_id = Uuid::new_v4().to_string();
let progress = Arc::new(ScanProgress::new());
let metrics = Arc::new(ScanMetrics::new());
let log_collector = Arc::new(ScanLogCollector::default());
let engine_version = env!("CARGO_PKG_VERSION").to_string();
let job = ScanJob {
id: job_id.clone(),
status: JobStatus::Running,
scan_root: scan_root.clone(),
started_at: Some(chrono::Utc::now()),
finished_at: None,
duration_secs: None,
findings: None,
error: None,
progress: Some(Arc::clone(&progress)),
metrics: Some(Arc::clone(&metrics)),
log_collector: Some(Arc::clone(&log_collector)),
engine_version: Some(engine_version.clone()),
languages: None,
files_scanned: None,
timing: None,
};
{
let mut jobs = self.jobs.lock().unwrap();
let mut order = self.job_order.lock().unwrap();
// Evict oldest if at capacity.
while order.len() >= self.max_jobs {
if let Some(oldest_id) = order.first().cloned() {
// Don't evict the active job.
if Some(&oldest_id) == active.as_ref() {
break;
}
jobs.remove(&oldest_id);
order.remove(0);
}
}
jobs.insert(job_id.clone(), job);
order.push(job_id.clone());
}
*active = Some(job_id.clone());
if config.framework_ctx.is_none() {
config.framework_ctx = Some(crate::utils::detect_frameworks(&scan_root));
}
let _ = event_tx.send(ServerEvent::ScanStarted {
job_id: job_id.clone(),
});
// Persist initial scan record to DB
if let Some(ref pool) = db_pool
&& let Ok(idx) = Indexer::from_pool("_scans", pool)
{
let _ = idx.insert_scan(&ScanRecord {
id: job_id.clone(),
status: "running".to_string(),
scan_root: scan_root.display().to_string(),
started_at: Some(chrono::Utc::now().to_rfc3339()),
finished_at: None,
duration_secs: None,
engine_version: Some(engine_version.clone()),
languages: None,
files_scanned: None,
files_skipped: None,
finding_count: None,
findings_json: None,
timing_json: None,
error: None,
});
}
// Spawn SSE progress emitter thread (polls every 500ms)
let progress_for_sse = Arc::clone(&progress);
let event_tx_sse = event_tx.clone();
let jid_sse = job_id.clone();
std::thread::spawn(move || {
loop {
std::thread::sleep(std::time::Duration::from_millis(500));
let snap = progress_for_sse.snapshot();
let is_complete = snap.stage == "complete";
let _ = event_tx_sse.send(ServerEvent::ScanProgress {
job_id: jid_sse.clone(),
stage: snap.stage,
files_discovered: snap.files_discovered,
files_parsed: snap.files_parsed,
files_analyzed: snap.files_analyzed,
files_skipped: snap.files_skipped,
batches_total: snap.batches_total,
batches_completed: snap.batches_completed,
current_file: snap.current_file,
elapsed_ms: snap.elapsed_ms,
timing: snap.timing,
});
if is_complete {
break;
}
}
});
// Spawn the main scan thread. All rayon parallelism inside the
// scan is routed through `scan_pool.install()` so it uses our
// dedicated (CPU-limited) pool, keeping tokio worker threads free.
let manager = Arc::clone(self);
let jid = job_id.clone();
std::thread::spawn(move || {
// Apply per-scan engine options (e.g. `engine_profile` from the
// start-scan request) to the process-wide runtime so every
// rayon worker that calls `analysis_options::current()` sees
// the resolved values. The JobManager's `active_job_id` mutex
// guarantees no other scan is concurrently reading these, so
// `reinstall` is race-free here.
crate::utils::analysis_options::reinstall(config.analysis.engine);
let start = Instant::now();
log_collector.info("Indexed scan started (rebuild enabled)", None);
let result = manager
.scan_pool
.install(|| -> crate::errors::NyxResult<Vec<Diag>> {
let (project_name, db_path) = get_project_info(&scan_root, &database_dir)?;
crate::commands::index::build_index_with_observer(
&project_name,
&scan_root,
&db_path,
&config,
false,
Some(&progress),
Some(&metrics),
Some(&log_collector),
)?;
let pool = Indexer::init(&db_path)?;
scan::scan_with_index_parallel_observer(
&project_name,
pool,
&config,
false,
&scan_root,
Some(&progress),
Some(&metrics),
Some(&log_collector),
None,
)
});
let elapsed = start.elapsed().as_secs_f64();
// Collect snapshots and do expensive work (post-processing,
// JSON serialization) BEFORE acquiring the jobs mutex.
let progress_snap = progress.snapshot();
let metrics_snap = metrics.snapshot();
let logs = log_collector.drain();
let languages: Vec<String> = progress_snap.languages.keys().cloned().collect();
let files_scanned = progress_snap.files_discovered;
let files_skipped = progress_snap.files_skipped;
let timing = progress_snap.timing.clone();
let finished_at = chrono::Utc::now();
// Prepare the final state outside the lock.
let (status, diags, error_str) = match result {
Ok(diags) => {
log_collector.info(format!("Scan completed: {} findings", diags.len()), None);
(JobStatus::Completed, Some(Arc::new(diags)), None)
}
Err(e) => {
let err_str = e.to_string();
log_collector.error(&err_str, None, None);
(JobStatus::Failed, None, Some(err_str))
}
};
let finding_count = diags.as_ref().map(|d| d.len());
// Pre-serialize findings JSON outside the lock (can be large).
let findings_json = diags
.as_ref()
.and_then(|f| serde_json::to_string(f.as_slice()).ok());
let timing_json = serde_json::to_string(&timing).ok();
let langs_json = serde_json::to_string(&languages).ok();
// Brief lock: just update in-memory job state.
{
let mut jobs = manager.jobs.lock().unwrap();
if let Some(job) = jobs.get_mut(&jid) {
job.finished_at = Some(finished_at);
job.duration_secs = Some(elapsed);
job.languages = Some(languages.clone());
job.files_scanned = Some(files_scanned);
job.timing = Some(timing.clone());
job.status = status.clone();
job.findings = diags;
job.error = error_str.clone();
}
}
// Clear active flag.
{
let mut active = manager.active_job_id.lock().unwrap();
if active.as_deref() == Some(&jid) {
*active = None;
}
}
// Broadcast event (no lock held).
match status {
JobStatus::Completed => {
let _ = event_tx.send(ServerEvent::ScanCompleted {
job_id: jid.clone(),
});
}
JobStatus::Failed => {
let _ = event_tx.send(ServerEvent::ScanFailed {
job_id: jid.clone(),
error: error_str.clone().unwrap_or_default(),
});
}
_ => {}
}
// Persist to DB (no lock held, can take time).
if let Some(ref pool) = db_pool
&& let Ok(idx) = Indexer::from_pool("_scans", pool)
{
let finished_str = finished_at.to_rfc3339();
let _ = idx.update_scan(
&jid,
if finding_count.is_some() {
"completed"
} else {
"failed"
},
Some(&finished_str),
Some(elapsed),
finding_count.map(|c| c as i64),
findings_json.as_deref(),
timing_json.as_deref(),
error_str.as_deref(),
Some(files_scanned as i64),
Some(files_skipped as i64),
langs_json.as_deref(),
);
let _ = idx.insert_scan_metrics(&jid, &metrics_snap);
let final_logs = log_collector.drain();
let all_logs: Vec<_> = logs.into_iter().chain(final_logs).collect();
if !all_logs.is_empty() {
let _ = idx.insert_scan_logs(&jid, &all_logs);
}
}
});
Ok(job_id)
}
/// Get a specific job.
pub fn get_job(&self, id: &str) -> Option<ScanJob> {
self.jobs.lock().unwrap().get(id).cloned()
}
/// List all jobs, most recent first.
pub fn list_jobs(&self) -> Vec<ScanJob> {
let jobs = self.jobs.lock().unwrap();
let order = self.job_order.lock().unwrap();
order
.iter()
.rev()
.filter_map(|id| jobs.get(id).cloned())
.collect()
}
/// Get the currently active (running) job.
pub fn active_job(&self) -> Option<ScanJob> {
let active = self.active_job_id.lock().unwrap();
active
.as_ref()
.and_then(|id| self.jobs.lock().unwrap().get(id).cloned())
}
/// Get the latest completed job.
pub fn get_latest_completed(&self) -> Option<ScanJob> {
let jobs = self.jobs.lock().unwrap();
let order = self.job_order.lock().unwrap();
order
.iter()
.rev()
.filter_map(|id| jobs.get(id))
.find(|j| j.status == JobStatus::Completed)
.cloned()
}
/// Remove a job from in-memory state. Rejects if the scan is currently running.
pub fn remove_job(&self, id: &str) -> Result<(), &'static str> {
let active = self.active_job_id.lock().unwrap();
if active.as_deref() == Some(id) {
return Err("Cannot delete a running scan");
}
drop(active);
let mut jobs = self.jobs.lock().unwrap();
if jobs.remove(id).is_none() {
return Err("Scan not found");
}
let mut order = self.job_order.lock().unwrap();
order.retain(|x| x != id);
Ok(())
}
/// Return findings from the latest completed scan, or empty if none.
pub fn latest_findings(&self) -> Vec<Diag> {
self.get_latest_completed()
.and_then(|j| j.findings)
.map(|arc| arc.as_ref().clone())
.unwrap_or_default()
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::fs;
fn test_config() -> Config {
Config::default()
}
fn wait_for_job(manager: &Arc<JobManager>, job_id: &str) -> ScanJob {
for _ in 0..200 {
std::thread::sleep(std::time::Duration::from_millis(50));
if let Some(job) = manager.get_job(job_id)
&& job.status != JobStatus::Running
{
return job;
}
}
panic!("job {job_id} did not finish in time");
}
fn wait_for_scan_metrics(
idx: &Indexer,
job_id: &str,
) -> crate::server::progress::ScanMetricsSnapshot {
for _ in 0..100 {
if let Some(metrics) = idx.get_scan_metrics(job_id).unwrap() {
return metrics;
}
std::thread::sleep(std::time::Duration::from_millis(25));
}
panic!("scan metrics for {job_id} were not persisted in time");
}
fn wait_for_scan_record(idx: &Indexer, job_id: &str) -> ScanRecord {
for _ in 0..100 {
if let Some(record) = idx.get_scan(job_id).unwrap() {
return record;
}
std::thread::sleep(std::time::Duration::from_millis(25));
}
panic!("scan record for {job_id} was not persisted in time");
}
#[test]
fn single_scan_policy() {
let manager = Arc::new(JobManager::new(10, 8 * 1024 * 1024));
let (tx, _rx) = broadcast::channel(16);
let dir = tempfile::tempdir().unwrap();
let id = manager
.start_scan(
dir.path().to_path_buf(),
test_config(),
tx.clone(),
None,
dir.path().to_path_buf(),
)
.unwrap();
assert!(!id.is_empty());
// Second scan should fail while first is running.
let result = manager.start_scan(
dir.path().to_path_buf(),
test_config(),
tx,
None,
dir.path().to_path_buf(),
);
assert!(result.is_err());
}
#[test]
fn bounded_history() {
let manager = Arc::new(JobManager::new(2, 8 * 1024 * 1024));
let (tx, _rx) = broadcast::channel(16);
let dir = tempfile::tempdir().unwrap();
// Start scan and wait for it to finish.
let id1 = manager
.start_scan(
dir.path().to_path_buf(),
test_config(),
tx.clone(),
None,
dir.path().to_path_buf(),
)
.unwrap();
// Wait for scan to complete (it's scanning an empty dir so should be fast).
for _ in 0..100 {
std::thread::sleep(std::time::Duration::from_millis(50));
if let Some(j) = manager.get_job(&id1)
&& j.status != JobStatus::Running
{
break;
}
}
let id2 = manager
.start_scan(
dir.path().to_path_buf(),
test_config(),
tx.clone(),
None,
dir.path().to_path_buf(),
)
.unwrap();
for _ in 0..100 {
std::thread::sleep(std::time::Duration::from_millis(50));
if let Some(j) = manager.get_job(&id2)
&& j.status != JobStatus::Running
{
break;
}
}
// Third scan should evict the oldest.
let _id3 = manager
.start_scan(
dir.path().to_path_buf(),
test_config(),
tx,
None,
dir.path().to_path_buf(),
)
.unwrap();
for _ in 0..100 {
std::thread::sleep(std::time::Duration::from_millis(50));
if manager.active_job().is_none() {
break;
}
}
// First job should be evicted.
assert!(manager.get_job(&id1).is_none());
}
#[test]
fn start_scan_uses_indexed_rebuild_and_persists_scan_artifacts() {
let manager = Arc::new(JobManager::new(4, 8 * 1024 * 1024));
let (tx, _rx) = broadcast::channel(16);
let dir = tempfile::tempdir().unwrap();
let project_dir = dir.path().join("proj");
fs::create_dir(&project_dir).unwrap();
fs::write(
project_dir.join("app.js"),
r#"function cleanHtml(input) {
return DOMPurify.sanitize(input);
}
function handleRequest(req, res) {
const safe = cleanHtml(req.query.name);
res.send(safe);
}
handleRequest({ query: { name: '<b>x</b>' } }, { send() {} });
"#,
)
.unwrap();
let (_, db_path) =
crate::utils::project::get_project_info(&project_dir, dir.path()).unwrap();
let pool = Indexer::init(&db_path).unwrap();
let id = manager
.start_scan(
project_dir.clone(),
test_config(),
tx,
Some(Arc::clone(&pool)),
dir.path().to_path_buf(),
)
.unwrap();
let job = wait_for_job(&manager, &id);
assert_eq!(job.status, JobStatus::Completed);
let idx = Indexer::from_pool("proj", &pool).unwrap();
assert!(
!idx.load_all_summaries().unwrap().is_empty(),
"server scan should persist coarse summaries"
);
assert!(
!idx.load_all_ssa_summaries().unwrap().is_empty(),
"server scan should persist SSA summaries"
);
let scans_idx = Indexer::from_pool("_scans", &pool).unwrap();
let metrics = wait_for_scan_metrics(&scans_idx, &id);
assert!(
metrics.summaries_reused >= 1,
"rebuild-index server scan should reuse persisted summaries in indexed pass 1"
);
let mut logs = Vec::new();
for _ in 0..100 {
logs = scans_idx.get_scan_logs(&id, None).unwrap();
if !logs.is_empty() {
break;
}
std::thread::sleep(std::time::Duration::from_millis(25));
}
assert!(
logs.iter()
.any(|entry| entry.message.contains("Indexed scan started")),
"server scan should persist indexed-path logs"
);
let record = wait_for_scan_record(&scans_idx, &id);
assert_eq!(record.files_scanned, Some(1));
assert!(
record.files_skipped.unwrap_or_default() >= 1,
"scan record should capture indexed summary reuse"
);
}
}

12
src/server/mod.rs Normal file
View file

@ -0,0 +1,12 @@
pub mod app;
pub mod assets;
pub mod debug;
pub mod jobs;
pub mod models;
pub mod progress;
pub mod routes;
pub mod scan_log;
pub mod security;
pub mod triage_sync;
pub use app::{AppState, build_router};

727
src/server/models.rs Normal file
View file

@ -0,0 +1,727 @@
use crate::commands::scan::Diag;
use crate::evidence::{Confidence, Evidence};
use crate::patterns::{FindingCategory, Severity};
use crate::utils::path::{DEFAULT_UI_MAX_FILE_BYTES, open_repo_text_file};
use serde::Serialize;
use std::collections::{BTreeSet, HashMap};
use std::path::Path;
/// Compact related-finding reference for the detail panel.
#[derive(Debug, Clone, Serialize)]
pub struct RelatedFindingView {
pub index: usize,
pub rule_id: String,
pub path: String,
pub line: usize,
pub severity: Severity,
}
/// Valid triage states for findings.
pub const VALID_TRIAGE_STATES: &[&str] = &[
"open",
"investigating",
"false_positive",
"accepted_risk",
"suppressed",
"fixed",
];
/// Check if a string is a valid triage state.
pub fn is_valid_triage_state(s: &str) -> bool {
VALID_TRIAGE_STATES.contains(&s)
}
/// Serializable API representation of a Diag finding.
#[derive(Debug, Clone, Serialize)]
pub struct FindingView {
pub index: usize,
pub fingerprint: String,
#[serde(skip_serializing_if = "String::is_empty")]
pub portable_fingerprint: String,
pub path: String,
pub line: usize,
pub col: usize,
pub severity: Severity,
pub rule_id: String,
pub category: FindingCategory,
pub confidence: Option<Confidence>,
pub rank_score: Option<f64>,
pub message: Option<String>,
pub labels: Vec<(String, String)>,
pub path_validated: bool,
pub suppressed: bool,
pub language: Option<String>,
pub status: String,
pub triage_state: String,
#[serde(skip_serializing_if = "String::is_empty")]
pub triage_note: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub code_context: Option<CodeContextView>,
#[serde(skip_serializing_if = "Option::is_none")]
pub evidence: Option<Evidence>,
#[serde(skip_serializing_if = "Option::is_none")]
pub guard_kind: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub rank_reason: Option<Vec<(String, String)>>,
#[serde(skip_serializing_if = "Option::is_none")]
pub sanitizer_status: Option<String>,
#[serde(skip_serializing_if = "Vec::is_empty")]
pub related_findings: Vec<RelatedFindingView>,
}
/// Lines of source code around a finding for display.
#[derive(Debug, Clone, Serialize)]
pub struct CodeContextView {
pub start_line: usize,
pub lines: Vec<String>,
pub highlight_line: usize,
}
/// Aggregate statistics for a set of findings.
#[derive(Debug, Clone, Serialize, Default)]
pub struct FindingSummary {
pub total: usize,
pub by_severity: HashMap<String, usize>,
pub by_category: HashMap<String, usize>,
pub by_rule: HashMap<String, usize>,
pub by_file: HashMap<String, usize>,
}
/// A scan job as seen by the API.
#[derive(Debug, Clone, Serialize)]
pub struct ScanView {
pub id: String,
pub status: String,
pub scan_root: String,
pub started_at: Option<String>,
pub finished_at: Option<String>,
pub duration_secs: Option<f64>,
pub finding_count: Option<usize>,
pub error: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub engine_version: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub languages: Option<Vec<String>>,
#[serde(skip_serializing_if = "Option::is_none")]
pub files_scanned: Option<u64>,
#[serde(skip_serializing_if = "Option::is_none")]
pub timing: Option<crate::server::progress::TimingBreakdown>,
#[serde(skip_serializing_if = "Option::is_none")]
pub metrics: Option<crate::server::progress::ScanMetricsSnapshot>,
}
/// Custom rule view for the config API.
#[derive(Debug, Clone, Serialize, serde::Deserialize)]
pub struct RuleView {
pub lang: String,
pub matchers: Vec<String>,
pub kind: String,
pub cap: String,
}
/// Terminator view for the config API.
#[derive(Debug, Clone, Serialize, serde::Deserialize)]
pub struct TerminatorView {
pub lang: String,
pub name: String,
}
/// Rule list item for GET /api/rules (built-in + custom, with metadata).
#[derive(Debug, Clone, Serialize)]
pub struct RuleListItem {
pub id: String,
pub title: String,
pub language: String,
pub kind: String,
pub cap: String,
pub matchers: Vec<String>,
pub enabled: bool,
pub is_custom: bool,
pub is_gated: bool,
pub case_sensitive: bool,
pub finding_count: usize,
pub suppression_rate: f64,
}
/// Full rule detail for GET /api/rules/:id
#[derive(Debug, Clone, Serialize)]
pub struct RuleDetailView {
pub id: String,
pub title: String,
pub language: String,
pub kind: String,
pub cap: String,
pub matchers: Vec<String>,
pub case_sensitive: bool,
pub enabled: bool,
pub is_custom: bool,
pub is_gated: bool,
pub finding_count: usize,
pub suppression_rate: f64,
pub example_findings: Vec<RelatedFindingView>,
}
/// Label entry for sources/sinks/sanitizers listing.
///
/// `case_sensitive` and `is_builtin` default to `false` on deserialize so POST
/// bodies from the UI (which only supply `lang`, `matchers`, `cap`) succeed.
#[derive(Debug, Clone, Serialize, serde::Deserialize)]
pub struct LabelEntryView {
pub lang: String,
pub matchers: Vec<String>,
pub cap: String,
#[serde(default)]
pub case_sensitive: bool,
#[serde(default)]
pub is_builtin: bool,
}
/// Profile view for profile listing.
#[derive(Debug, Clone, Serialize)]
pub struct ProfileView {
pub name: String,
pub is_builtin: bool,
pub settings: serde_json::Value,
}
/// Distinct filter values available in a set of findings.
#[derive(Debug, Clone, Serialize, Default)]
pub struct FilterValues {
pub severities: Vec<String>,
pub categories: Vec<String>,
pub confidences: Vec<String>,
pub languages: Vec<String>,
pub rules: Vec<String>,
pub statuses: Vec<String>,
}
/// Collect distinct filter values from a slice of diagnostics.
pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
let mut severities = BTreeSet::new();
let mut categories = BTreeSet::new();
let mut confidences = BTreeSet::new();
let mut languages = BTreeSet::new();
let mut rules = BTreeSet::new();
let mut statuses = BTreeSet::new();
for d in findings {
severities.insert(d.severity.as_db_str().to_string());
categories.insert(d.category.to_string());
if let Some(c) = d.confidence {
confidences.insert(format!("{c:?}"));
}
if let Some(lang) = lang_for_finding_path(&d.path) {
languages.insert(lang);
}
rules.insert(d.id.clone());
statuses.insert(status_for_diag(d).to_string());
}
// Always include all valid triage states so the filter dropdown is complete
for s in VALID_TRIAGE_STATES {
statuses.insert(s.to_string());
}
FilterValues {
severities: severities.into_iter().collect(),
categories: categories.into_iter().collect(),
confidences: confidences.into_iter().collect(),
languages: languages.into_iter().collect(),
rules: rules.into_iter().collect(),
statuses: statuses.into_iter().collect(),
}
}
/// Map a finding file path extension to a human-readable language name.
pub fn lang_for_finding_path(path: &str) -> Option<String> {
let ext = path.rsplit('.').next()?;
match ext.to_ascii_lowercase().as_str() {
"rs" => Some("Rust".into()),
"c" => Some("C".into()),
"cpp" => Some("C++".into()),
"java" => Some("Java".into()),
"go" => Some("Go".into()),
"php" => Some("PHP".into()),
"py" => Some("Python".into()),
"ts" => Some("TypeScript".into()),
"js" => Some("JavaScript".into()),
"rb" => Some("Ruby".into()),
_ => None,
}
}
/// Compute the status string for a diagnostic.
fn status_for_diag(d: &Diag) -> &'static str {
if d.suppressed {
"suppressed"
} else if d.path_validated {
"validated"
} else {
"open"
}
}
/// Convert a Diag to a FindingView at a given index.
pub fn finding_from_diag(index: usize, d: &Diag) -> FindingView {
FindingView {
index,
fingerprint: compute_fingerprint(d),
portable_fingerprint: String::new(), // set by caller with scan_root
path: d.path.clone(),
line: d.line,
col: d.col,
severity: d.severity,
rule_id: d.id.clone(),
category: d.category,
confidence: d.confidence,
rank_score: d.rank_score,
message: d.message.clone(),
labels: d.labels.clone(),
path_validated: d.path_validated,
suppressed: d.suppressed,
language: lang_for_finding_path(&d.path),
status: status_for_diag(d).to_string(),
triage_state: "open".to_string(),
triage_note: String::new(),
code_context: None,
evidence: None,
guard_kind: None,
rank_reason: None,
sanitizer_status: None,
related_findings: vec![],
}
}
/// Convert a Diag to a FindingView with code context loaded from disk.
pub fn finding_from_diag_with_context(index: usize, d: &Diag, scan_root: &Path) -> FindingView {
let mut view = finding_from_diag(index, d);
view.code_context = load_code_context(&d.path, d.line, scan_root);
view
}
/// Convert a Diag to a FindingView with full detail (evidence, related findings).
pub fn finding_from_diag_with_detail(
index: usize,
d: &Diag,
scan_root: &Path,
all_findings: &[Diag],
) -> FindingView {
let mut view = finding_from_diag_with_context(index, d, scan_root);
// Evidence (pass through the core type directly)
view.evidence = d.evidence.clone();
view.guard_kind = d.guard_kind.clone();
view.rank_reason = d.rank_reason.clone();
// Sanitizer status
view.sanitizer_status = Some(compute_sanitizer_status(d));
// Related findings: same rule_id OR same file, excluding self, capped at 10
let mut related = Vec::new();
for (i, other) in all_findings.iter().enumerate() {
if i == index {
continue;
}
if other.id == d.id || other.path == d.path {
related.push(RelatedFindingView {
index: i,
rule_id: other.id.clone(),
path: other.path.clone(),
line: other.line,
severity: other.severity,
});
if related.len() >= 10 {
break;
}
}
}
view.related_findings = related;
view
}
/// Compute the sanitizer status for a diagnostic based on its evidence.
fn compute_sanitizer_status(d: &Diag) -> String {
match &d.evidence {
Some(ev) if !ev.sanitizers.is_empty() => {
if d.suppressed {
"applied".into()
} else {
"bypassed".into()
}
}
_ => "none".into(),
}
}
/// Load surrounding lines of code for a finding.
fn load_code_context(path: &str, line: usize, scan_root: &Path) -> Option<CodeContextView> {
let opened = open_repo_text_file(scan_root, path, DEFAULT_UI_MAX_FILE_BYTES).ok()?;
let content = opened.content;
let all_lines: Vec<&str> = content.lines().collect();
if line == 0 || line > all_lines.len() {
return None;
}
let context_radius = 5;
let start = line.saturating_sub(context_radius).max(1);
let end = (line + context_radius).min(all_lines.len());
let lines: Vec<String> = all_lines[start - 1..end]
.iter()
.map(|l| (*l).to_string())
.collect();
Some(CodeContextView {
start_line: start,
lines,
highlight_line: line,
})
}
// ── Scan Comparison Types ────────────────────────────────────────────────────
/// Full response from the scan comparison endpoint.
#[derive(Debug, Clone, Serialize)]
pub struct CompareResponse {
pub left_scan: CompareScanInfo,
pub right_scan: CompareScanInfo,
pub summary: CompareSummary,
pub new_findings: Vec<ComparedFinding>,
pub fixed_findings: Vec<ComparedFinding>,
pub changed_findings: Vec<ChangedFinding>,
pub unchanged_findings: Vec<ComparedFinding>,
}
/// Minimal scan metadata for comparison headers.
#[derive(Debug, Clone, Serialize)]
pub struct CompareScanInfo {
pub id: String,
pub started_at: Option<String>,
pub finding_count: usize,
}
/// Aggregate counts and severity deltas for a comparison.
#[derive(Debug, Clone, Serialize)]
pub struct CompareSummary {
pub new_count: usize,
pub fixed_count: usize,
pub changed_count: usize,
pub unchanged_count: usize,
pub severity_delta: HashMap<String, i64>,
}
/// A finding annotated with its fingerprint for comparison views.
#[derive(Debug, Clone, Serialize)]
pub struct ComparedFinding {
pub fingerprint: String,
#[serde(flatten)]
pub finding: FindingView,
}
/// A finding that exists in both scans but with changed properties.
#[derive(Debug, Clone, Serialize)]
pub struct ChangedFinding {
pub fingerprint: String,
#[serde(flatten)]
pub finding: FindingView,
pub changes: Vec<FieldChange>,
}
/// A single field that differs between two scans for the same fingerprint.
#[derive(Debug, Clone, Serialize)]
pub struct FieldChange {
pub field: String,
pub old_value: String,
pub new_value: String,
}
/// Compute a stable fingerprint for a finding based on identity fields.
///
/// The fingerprint is a blake3 hash of (rule_id, file_path, sink_snippet,
/// source_snippet, function_context). Line/col are intentionally excluded
/// so that fingerprints survive code movement.
pub fn compute_fingerprint(d: &Diag) -> String {
let sink_snippet = d
.evidence
.as_ref()
.and_then(|e| e.sink.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let source_snippet = d
.evidence
.as_ref()
.and_then(|e| e.source.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let func_ctx = d
.evidence
.as_ref()
.and_then(|e| e.flow_steps.iter().find_map(|s| s.function.as_deref()))
.unwrap_or("");
let input = format!(
"{}\0{}\0{}\0{}\0{}",
d.id, d.path, sink_snippet, source_snippet, func_ctx
);
blake3::hash(input.as_bytes()).to_hex().to_string()
}
/// Overlay triage states from the database onto a slice of FindingViews.
///
/// For each finding, first checks for an explicit triage state by fingerprint.
/// If none, checks suppression rules in order: fingerprint → rule → rule_in_file → file.
pub fn overlay_triage_states(
views: &mut [FindingView],
triage_map: &std::collections::HashMap<String, (String, String, String)>,
suppression_rules: &[crate::database::index::SuppressionRule],
) {
for view in views.iter_mut() {
if let Some((state, note, _)) = triage_map.get(&view.fingerprint) {
view.triage_state = state.clone();
view.triage_note = note.clone();
view.status = state.clone();
} else {
for rule in suppression_rules {
let matches = match rule.suppress_by.as_str() {
"fingerprint" => view.fingerprint == rule.match_value,
"rule" => view.rule_id == rule.match_value,
"rule_in_file" => {
let key = format!("{}:{}", view.rule_id, view.path);
key == rule.match_value
}
"file" => view.path == rule.match_value,
_ => false,
};
if matches {
view.triage_state = rule.state.clone();
view.triage_note = rule.note.clone();
view.status = rule.state.clone();
break;
}
}
}
}
}
/// Compute a portable fingerprint using a path relative to scan_root.
///
/// This fingerprint is stable across machines because it strips the absolute
/// path prefix. Used for `.nyx/triage.json` sync files that get committed to git.
pub fn compute_portable_fingerprint(d: &Diag, scan_root: &Path) -> String {
let rel_path = d
.path
.strip_prefix(scan_root.to_string_lossy().as_ref())
.unwrap_or(&d.path)
.trim_start_matches('/');
let sink_snippet = d
.evidence
.as_ref()
.and_then(|e| e.sink.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let source_snippet = d
.evidence
.as_ref()
.and_then(|e| e.source.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let func_ctx = d
.evidence
.as_ref()
.and_then(|e| e.flow_steps.iter().find_map(|s| s.function.as_deref()))
.unwrap_or("");
let input = format!(
"{}\0{}\0{}\0{}\0{}",
d.id, rel_path, sink_snippet, source_snippet, func_ctx
);
blake3::hash(input.as_bytes()).to_hex().to_string()
}
/// Build a summary from a slice of findings.
pub fn summarize_findings(findings: &[Diag]) -> FindingSummary {
let mut summary = FindingSummary {
total: findings.len(),
..Default::default()
};
for d in findings {
let sev_key = d.severity.as_db_str().to_string();
*summary.by_severity.entry(sev_key).or_insert(0) += 1;
*summary
.by_category
.entry(d.category.to_string())
.or_insert(0) += 1;
*summary.by_rule.entry(d.id.clone()).or_insert(0) += 1;
*summary.by_file.entry(d.path.clone()).or_insert(0) += 1;
}
summary
}
// ── Overview Types ───────────────────────────────────────────────────────────
/// Full response for GET /api/overview.
#[derive(Debug, Clone, Serialize)]
pub struct OverviewResponse {
pub state: String,
pub total_findings: usize,
pub new_since_last: usize,
pub fixed_since_last: usize,
pub high_confidence_rate: f64,
pub triage_coverage: f64,
pub latest_scan_duration_secs: Option<f64>,
pub latest_scan_id: Option<String>,
pub latest_scan_at: Option<String>,
pub by_severity: HashMap<String, usize>,
pub by_category: HashMap<String, usize>,
pub by_language: HashMap<String, usize>,
pub top_files: Vec<OverviewCount>,
pub top_directories: Vec<OverviewCount>,
pub top_rules: Vec<OverviewCount>,
pub noisy_rules: Vec<NoisyRule>,
pub recent_scans: Vec<ScanSummary>,
pub insights: Vec<Insight>,
}
/// A name + count pair for overview top-N lists.
#[derive(Debug, Clone, Serialize)]
pub struct OverviewCount {
pub name: String,
pub count: usize,
}
/// A rule that has high finding count + high suppression rate.
#[derive(Debug, Clone, Serialize)]
pub struct NoisyRule {
pub rule_id: String,
pub finding_count: usize,
pub suppression_rate: f64,
}
/// Compact scan info for the overview recent-scans list.
#[derive(Debug, Clone, Serialize)]
pub struct ScanSummary {
pub id: String,
pub status: String,
pub started_at: Option<String>,
pub duration_secs: Option<f64>,
pub finding_count: Option<i64>,
}
/// An actionable insight for the overview page.
#[derive(Debug, Clone, Serialize)]
pub struct Insight {
pub kind: String,
pub message: String,
pub severity: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub action_url: Option<String>,
}
/// A single trend data point for GET /api/overview/trends.
#[derive(Debug, Clone, Serialize)]
pub struct TrendPoint {
pub scan_id: String,
pub timestamp: String,
pub total: usize,
pub by_severity: HashMap<String, usize>,
}
/// Count findings grouped by language.
pub fn by_language_from_findings(findings: &[Diag]) -> HashMap<String, usize> {
let mut map = HashMap::new();
for d in findings {
if let Some(lang) = lang_for_finding_path(&d.path) {
*map.entry(lang).or_insert(0) += 1;
}
}
map
}
/// Extract top N directories by finding count.
pub fn top_directories_from_findings(findings: &[Diag], limit: usize) -> Vec<OverviewCount> {
let mut dir_counts: HashMap<String, usize> = HashMap::new();
for d in findings {
let dir = match d.path.rfind('/') {
Some(i) => &d.path[..i],
None => ".",
};
*dir_counts.entry(dir.to_string()).or_insert(0) += 1;
}
let mut sorted: Vec<_> = dir_counts.into_iter().collect();
sorted.sort_by_key(|b| std::cmp::Reverse(b.1));
sorted.truncate(limit);
sorted
.into_iter()
.map(|(name, count)| OverviewCount { name, count })
.collect()
}
/// Sort a HashMap by value descending, take top N, return as OverviewCount.
pub fn top_n_from_map(map: &HashMap<String, usize>, limit: usize) -> Vec<OverviewCount> {
let mut sorted: Vec<_> = map.iter().collect();
sorted.sort_by(|a, b| b.1.cmp(a.1));
sorted
.into_iter()
.take(limit)
.map(|(name, &count)| OverviewCount {
name: name.clone(),
count,
})
.collect()
}
#[cfg(test)]
mod tests {
use super::*;
fn diag_for_path(path: String) -> Diag {
Diag {
path,
line: 1,
col: 1,
severity: Severity::Low,
id: "test.rule".to_string(),
category: FindingCategory::Security,
path_validated: false,
guard_kind: None,
message: None,
labels: Vec::new(),
confidence: None,
evidence: None,
rank_score: None,
rank_reason: None,
suppressed: false,
suppression: None,
rollup: None,
finding_id: String::new(),
alternative_finding_ids: Vec::new(),
}
}
#[test]
fn code_context_does_not_read_outside_repo_for_absolute_paths() {
let root = tempfile::tempdir().unwrap();
let outside = tempfile::NamedTempFile::new().unwrap();
std::fs::write(outside.path(), "secret").unwrap();
let diag = diag_for_path(outside.path().to_string_lossy().to_string());
let view = finding_from_diag_with_context(0, &diag, root.path());
assert!(view.code_context.is_none());
}
#[test]
fn code_context_reads_repo_files() {
let root = tempfile::tempdir().unwrap();
let file = root.path().join("src.rs");
std::fs::write(&file, "line1\nline2\n").unwrap();
let diag = diag_for_path(file.to_string_lossy().to_string());
let view = finding_from_diag_with_context(0, &diag, root.path());
assert!(view.code_context.is_some());
assert_eq!(view.code_context.unwrap().highlight_line, 1);
}
}

272
src/server/progress.rs Normal file
View file

@ -0,0 +1,272 @@
use serde::Serialize;
use std::collections::HashMap;
use std::sync::Mutex;
use std::sync::atomic::{AtomicU8, AtomicU64, Ordering::Relaxed};
use std::time::Instant;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(u8)]
pub enum ScanStage {
Queued = 0,
Discovering = 1,
Indexing = 2,
LoadingSummaries = 3,
BuildingCallGraph = 4,
Analyzing = 5,
PostProcessing = 6,
Complete = 7,
}
impl ScanStage {
fn as_str(self) -> &'static str {
match self {
Self::Queued => "queued",
Self::Discovering => "discovering",
Self::Indexing => "indexing",
Self::LoadingSummaries => "loading_summaries",
Self::BuildingCallGraph => "building_call_graph",
Self::Analyzing => "analyzing",
Self::PostProcessing => "post_processing",
Self::Complete => "complete",
}
}
}
/// Lock-free progress reporting from rayon workers during a scan.
#[derive(Debug)]
pub struct ScanProgress {
/// See [`ScanStage`].
stage: AtomicU8,
files_discovered: AtomicU64,
files_parsed: AtomicU64,
files_analyzed: AtomicU64,
files_skipped: AtomicU64,
batches_total: AtomicU64,
batches_completed: AtomicU64,
current_file: Mutex<String>,
started_at: Instant,
walk_ms: AtomicU64,
pass1_ms: AtomicU64,
call_graph_ms: AtomicU64,
pass2_ms: AtomicU64,
post_process_ms: AtomicU64,
languages: Mutex<HashMap<String, u64>>,
}
impl Default for ScanProgress {
fn default() -> Self {
Self::new()
}
}
impl ScanProgress {
pub fn new() -> Self {
Self {
stage: AtomicU8::new(ScanStage::Queued as u8),
files_discovered: AtomicU64::new(0),
files_parsed: AtomicU64::new(0),
files_analyzed: AtomicU64::new(0),
files_skipped: AtomicU64::new(0),
batches_total: AtomicU64::new(0),
batches_completed: AtomicU64::new(0),
current_file: Mutex::new(String::new()),
started_at: Instant::now(),
walk_ms: AtomicU64::new(0),
pass1_ms: AtomicU64::new(0),
call_graph_ms: AtomicU64::new(0),
pass2_ms: AtomicU64::new(0),
post_process_ms: AtomicU64::new(0),
languages: Mutex::new(HashMap::new()),
}
}
pub fn set_stage(&self, stage: ScanStage) {
self.stage.store(stage as u8, Relaxed);
}
pub fn set_files_discovered(&self, count: u64) {
self.files_discovered.store(count, Relaxed);
}
pub fn inc_parsed(&self, n: u64) {
self.files_parsed.fetch_add(n, Relaxed);
}
pub fn inc_analyzed(&self, n: u64) {
self.files_analyzed.fetch_add(n, Relaxed);
}
pub fn set_files_skipped(&self, count: u64) {
self.files_skipped.store(count, Relaxed);
}
pub fn inc_skipped(&self, n: u64) {
self.files_skipped.fetch_add(n, Relaxed);
}
pub fn set_batches_total(&self, count: u64) {
self.batches_total.store(count, Relaxed);
}
pub fn inc_batches_completed(&self, n: u64) {
self.batches_completed.fetch_add(n, Relaxed);
}
pub fn set_current_file(&self, path: &str) {
if let Ok(mut f) = self.current_file.try_lock() {
f.clear();
f.push_str(path);
}
}
pub fn elapsed_ms(&self) -> u64 {
self.started_at.elapsed().as_millis() as u64
}
pub fn record_walk_ms(&self, ms: u64) {
self.walk_ms.fetch_add(ms, Relaxed);
}
pub fn record_pass1_ms(&self, ms: u64) {
self.pass1_ms.fetch_add(ms, Relaxed);
}
pub fn record_call_graph_ms(&self, ms: u64) {
self.call_graph_ms.fetch_add(ms, Relaxed);
}
pub fn record_pass2_ms(&self, ms: u64) {
self.pass2_ms.fetch_add(ms, Relaxed);
}
pub fn record_post_process_ms(&self, ms: u64) {
self.post_process_ms.fetch_add(ms, Relaxed);
}
pub fn record_language(&self, lang: &str) {
if let Ok(mut langs) = self.languages.try_lock() {
*langs.entry(lang.to_string()).or_insert(0) += 1;
}
}
pub fn snapshot(&self) -> ScanProgressSnapshot {
let stage = match self.stage.load(Relaxed) {
x if x == ScanStage::Queued as u8 => ScanStage::Queued.as_str(),
x if x == ScanStage::Discovering as u8 => ScanStage::Discovering.as_str(),
x if x == ScanStage::Indexing as u8 => ScanStage::Indexing.as_str(),
x if x == ScanStage::LoadingSummaries as u8 => ScanStage::LoadingSummaries.as_str(),
x if x == ScanStage::BuildingCallGraph as u8 => ScanStage::BuildingCallGraph.as_str(),
x if x == ScanStage::Analyzing as u8 => ScanStage::Analyzing.as_str(),
x if x == ScanStage::PostProcessing as u8 => ScanStage::PostProcessing.as_str(),
x if x == ScanStage::Complete as u8 => ScanStage::Complete.as_str(),
_ => "unknown",
}
.to_string();
let current_file = self
.current_file
.try_lock()
.map(|f| f.clone())
.unwrap_or_default();
let languages = self
.languages
.try_lock()
.map(|l| l.clone())
.unwrap_or_default();
ScanProgressSnapshot {
stage,
files_discovered: self.files_discovered.load(Relaxed),
files_parsed: self.files_parsed.load(Relaxed),
files_analyzed: self.files_analyzed.load(Relaxed),
files_skipped: self.files_skipped.load(Relaxed),
batches_total: self.batches_total.load(Relaxed),
batches_completed: self.batches_completed.load(Relaxed),
current_file,
elapsed_ms: self.elapsed_ms(),
timing: TimingBreakdown {
walk_ms: self.walk_ms.load(Relaxed),
pass1_ms: self.pass1_ms.load(Relaxed),
call_graph_ms: self.call_graph_ms.load(Relaxed),
pass2_ms: self.pass2_ms.load(Relaxed),
post_process_ms: self.post_process_ms.load(Relaxed),
},
languages,
}
}
}
/// Serializable snapshot of scan progress.
#[derive(Debug, Clone, Serialize)]
pub struct ScanProgressSnapshot {
pub stage: String,
pub files_discovered: u64,
pub files_parsed: u64,
pub files_analyzed: u64,
pub files_skipped: u64,
pub batches_total: u64,
pub batches_completed: u64,
pub current_file: String,
pub elapsed_ms: u64,
pub timing: TimingBreakdown,
pub languages: HashMap<String, u64>,
}
/// Timing breakdown for each scan phase.
#[derive(Debug, Clone, Serialize, serde::Deserialize, Default)]
pub struct TimingBreakdown {
pub walk_ms: u64,
pub pass1_ms: u64,
pub call_graph_ms: u64,
pub pass2_ms: u64,
pub post_process_ms: u64,
}
/// Engine-level metrics collected during a scan.
#[derive(Debug)]
pub struct ScanMetrics {
pub cfg_nodes: AtomicU64,
pub call_edges: AtomicU64,
pub functions_analyzed: AtomicU64,
pub summaries_reused: AtomicU64,
pub unresolved_calls: AtomicU64,
}
impl Default for ScanMetrics {
fn default() -> Self {
Self::new()
}
}
impl ScanMetrics {
pub fn new() -> Self {
Self {
cfg_nodes: AtomicU64::new(0),
call_edges: AtomicU64::new(0),
functions_analyzed: AtomicU64::new(0),
summaries_reused: AtomicU64::new(0),
unresolved_calls: AtomicU64::new(0),
}
}
pub fn snapshot(&self) -> ScanMetricsSnapshot {
ScanMetricsSnapshot {
cfg_nodes: self.cfg_nodes.load(Relaxed),
call_edges: self.call_edges.load(Relaxed),
functions_analyzed: self.functions_analyzed.load(Relaxed),
summaries_reused: self.summaries_reused.load(Relaxed),
unresolved_calls: self.unresolved_calls.load(Relaxed),
}
}
}
/// Serializable snapshot of engine metrics.
#[derive(Debug, Clone, Serialize, Default)]
pub struct ScanMetricsSnapshot {
pub cfg_nodes: u64,
pub call_edges: u64,
pub functions_analyzed: u64,
pub summaries_reused: u64,
pub unresolved_calls: u64,
}

547
src/server/routes/config.rs Normal file
View file

@ -0,0 +1,547 @@
use crate::commands::config as config_cmd;
use crate::labels;
use crate::server::app::{AppState, ServerEvent};
use crate::server::models::{LabelEntryView, ProfileView, RuleView, TerminatorView};
use crate::utils::config::{CapName, RuleKind, ScanProfile};
use axum::extract::{Path, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/config", get(get_config))
.route(
"/config/rules",
get(list_rules).post(add_rule).delete(remove_rule),
)
.route(
"/config/terminators",
get(list_terminators)
.post(add_terminator)
.delete(remove_terminator),
)
// Sources/sinks/sanitizers split by kind
.route(
"/config/sources",
get(list_sources).post(add_source).delete(remove_source),
)
.route(
"/config/sinks",
get(list_sinks).post(add_sink).delete(remove_sink),
)
.route(
"/config/sanitizers",
get(list_sanitizers)
.post(add_sanitizer)
.delete(remove_sanitizer),
)
// Triage sync toggle
.route("/config/triage-sync", axum::routing::post(set_triage_sync))
// Profiles
.route("/config/profiles", get(list_profiles).post(save_profile))
.route(
"/config/profiles/{name}",
axum::routing::delete(delete_profile),
)
.route(
"/config/profiles/{name}/activate",
axum::routing::post(activate_profile),
)
}
async fn get_config(State(state): State<AppState>) -> Json<serde_json::Value> {
let config = state.config.read();
Json(serde_json::to_value(&*config).unwrap_or_default())
}
// ── Custom rules (existing endpoints) ────────────────────────────────────────
async fn list_rules(State(state): State<AppState>) -> Json<Vec<RuleView>> {
let config = state.config.read();
let mut rules = Vec::new();
for (lang, lang_cfg) in &config.analysis.languages {
for rule in &lang_cfg.rules {
rules.push(RuleView {
lang: lang.clone(),
matchers: rule.matchers.clone(),
kind: rule.kind.to_string(),
cap: format!("{:?}", rule.cap).to_ascii_lowercase(),
});
}
}
Json(rules)
}
async fn add_rule(
State(state): State<AppState>,
Json(rule): Json<RuleView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let rule_kind: RuleKind = rule.kind.parse().map_err(|e: String| bad_request(&e))?;
let cap_name: CapName = rule.cap.parse().map_err(|e: String| bad_request(&e))?;
if let Err(e) = config_cmd::add_rule(
&state.config_dir,
&rule.lang,
&rule.matchers.join(","),
&rule.kind,
&rule.cap,
) {
return Err(bad_request(&e.to_string()));
}
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(rule.lang.clone())
.or_default();
let new_rule = crate::utils::config::ConfigLabelRule {
matchers: rule.matchers.clone(),
kind: rule_kind,
cap: cap_name,
case_sensitive: false,
};
if !lang_cfg.rules.contains(&new_rule) {
lang_cfg.rules.push(new_rule);
}
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_rule(
State(state): State<AppState>,
Json(rule): Json<RuleView>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let rule_kind: RuleKind = rule.kind.parse().map_err(|e: String| bad_request(&e))?;
let cap_name: CapName = rule.cap.parse().map_err(|e: String| bad_request(&e))?;
let removed = {
let mut config = state.config.write();
if let Some(lang_cfg) = config.analysis.languages.get_mut(&rule.lang) {
let before = lang_cfg.rules.len();
lang_cfg.rules.retain(|r| {
!(r.matchers == rule.matchers && r.kind == rule_kind && r.cap == cap_name)
});
lang_cfg.rules.len() < before
} else {
false
}
};
if removed {
let config = state.config.read();
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
Ok(Json(serde_json::json!({ "removed": removed })))
}
// ── Terminators ──────────────────────────────────────────────────────────────
async fn list_terminators(State(state): State<AppState>) -> Json<Vec<TerminatorView>> {
let config = state.config.read();
let mut terminators = Vec::new();
for (lang, lang_cfg) in &config.analysis.languages {
for name in &lang_cfg.terminators {
terminators.push(TerminatorView {
lang: lang.clone(),
name: name.clone(),
});
}
}
Json(terminators)
}
async fn add_terminator(
State(state): State<AppState>,
Json(term): Json<TerminatorView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
if let Err(e) = config_cmd::add_terminator(&state.config_dir, &term.lang, &term.name) {
return Err(bad_request(&e.to_string()));
}
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(term.lang.clone())
.or_default();
if !lang_cfg.terminators.contains(&term.name) {
lang_cfg.terminators.push(term.name.clone());
}
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_terminator(
State(state): State<AppState>,
Json(term): Json<TerminatorView>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let removed = {
let mut config = state.config.write();
if let Some(lang_cfg) = config.analysis.languages.get_mut(&term.lang) {
let before = lang_cfg.terminators.len();
lang_cfg.terminators.retain(|n| n != &term.name);
lang_cfg.terminators.len() < before
} else {
false
}
};
if removed {
let config = state.config.read();
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
Ok(Json(serde_json::json!({ "removed": removed })))
}
// ── Sources / Sinks / Sanitizers (by kind) ───────────────────────────────────
fn list_by_kind(state: &AppState, target_kind: &str) -> Vec<LabelEntryView> {
let builtins = labels::enumerate_builtin_rules();
let config = state.config.read();
let mut out: Vec<LabelEntryView> = builtins
.iter()
.filter(|r| r.kind == target_kind && !r.is_gated)
.map(|r| LabelEntryView {
lang: r.language.clone(),
matchers: r.matchers.clone(),
cap: r.cap.clone(),
case_sensitive: r.case_sensitive,
is_builtin: true,
})
.collect();
// Add custom rules of the target kind
let target_rule_kind = match target_kind {
"source" => RuleKind::Source,
"sanitizer" => RuleKind::Sanitizer,
"sink" => RuleKind::Sink,
_ => return out,
};
for (lang, lang_cfg) in &config.analysis.languages {
for cr in &lang_cfg.rules {
if cr.kind == target_rule_kind {
out.push(LabelEntryView {
lang: lang.clone(),
matchers: cr.matchers.clone(),
cap: cr.cap.to_string(),
case_sensitive: cr.case_sensitive,
is_builtin: false,
});
}
}
}
out
}
fn add_by_kind(
state: &AppState,
entry: LabelEntryView,
target_kind: RuleKind,
) -> Result<(), String> {
let cap_name: CapName = entry.cap.parse().map_err(|e: String| e)?;
if let Err(e) = config_cmd::add_rule(
&state.config_dir,
&entry.lang,
&entry.matchers.join(","),
&target_kind.to_string(),
&entry.cap,
) {
return Err(e.to_string());
}
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(entry.lang.clone())
.or_default();
let new_rule = crate::utils::config::ConfigLabelRule {
matchers: entry.matchers,
kind: target_kind,
cap: cap_name,
case_sensitive: entry.case_sensitive,
};
if !lang_cfg.rules.contains(&new_rule) {
lang_cfg.rules.push(new_rule);
}
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(())
}
fn remove_by_kind(state: &AppState, entry: LabelEntryView, target_kind: RuleKind) -> bool {
if entry.is_builtin {
return false; // cannot remove built-in rules
}
let cap_name: CapName = match entry.cap.parse() {
Ok(c) => c,
Err(_) => return false,
};
let removed = {
let mut config = state.config.write();
if let Some(lang_cfg) = config.analysis.languages.get_mut(&entry.lang) {
let before = lang_cfg.rules.len();
lang_cfg.rules.retain(|r| {
!(r.matchers == entry.matchers && r.kind == target_kind && r.cap == cap_name)
});
lang_cfg.rules.len() < before
} else {
false
}
};
if removed {
let config = state.config.read();
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
removed
}
async fn list_sources(State(state): State<AppState>) -> Json<Vec<LabelEntryView>> {
Json(list_by_kind(&state, "source"))
}
async fn add_source(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
add_by_kind(&state, entry, RuleKind::Source).map_err(|e| bad_request(&e))?;
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_source(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Json<serde_json::Value> {
let removed = remove_by_kind(&state, entry, RuleKind::Source);
Json(serde_json::json!({ "removed": removed }))
}
async fn list_sinks(State(state): State<AppState>) -> Json<Vec<LabelEntryView>> {
Json(list_by_kind(&state, "sink"))
}
async fn add_sink(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
add_by_kind(&state, entry, RuleKind::Sink).map_err(|e| bad_request(&e))?;
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_sink(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Json<serde_json::Value> {
let removed = remove_by_kind(&state, entry, RuleKind::Sink);
Json(serde_json::json!({ "removed": removed }))
}
async fn list_sanitizers(State(state): State<AppState>) -> Json<Vec<LabelEntryView>> {
Json(list_by_kind(&state, "sanitizer"))
}
async fn add_sanitizer(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
add_by_kind(&state, entry, RuleKind::Sanitizer).map_err(|e| bad_request(&e))?;
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_sanitizer(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Json<serde_json::Value> {
let removed = remove_by_kind(&state, entry, RuleKind::Sanitizer);
Json(serde_json::json!({ "removed": removed }))
}
// ── Profiles ─────────────────────────────────────────────────────────────────
const BUILTIN_PROFILE_NAMES: &[&str] = &[
"quick",
"full",
"ci",
"taint_only",
"conservative_large_repo",
];
async fn list_profiles(State(state): State<AppState>) -> Json<Vec<ProfileView>> {
let config = state.config.read();
let mut profiles: Vec<ProfileView> = Vec::new();
// Built-in profiles
for &name in BUILTIN_PROFILE_NAMES {
if let Some(p) = config.resolve_profile(name) {
let is_user_override = config.profiles.contains_key(name);
profiles.push(ProfileView {
name: name.to_string(),
is_builtin: !is_user_override,
settings: serde_json::to_value(&p).unwrap_or_default(),
});
}
}
// User profiles not matching a built-in name
for (name, p) in &config.profiles {
if !BUILTIN_PROFILE_NAMES.contains(&name.as_str()) {
profiles.push(ProfileView {
name: name.clone(),
is_builtin: false,
settings: serde_json::to_value(p).unwrap_or_default(),
});
}
}
Json(profiles)
}
async fn save_profile(
State(state): State<AppState>,
Json(body): Json<serde_json::Value>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let name = body["name"]
.as_str()
.ok_or_else(|| bad_request("missing name"))?
.to_string();
let settings: ScanProfile =
serde_json::from_value(body.get("settings").cloned().unwrap_or_default())
.map_err(|e| bad_request(&e.to_string()))?;
{
let mut config = state.config.write();
config.profiles.insert(name.clone(), settings);
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok", "name": name })),
))
}
async fn delete_profile(
State(state): State<AppState>,
Path(name): Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
if BUILTIN_PROFILE_NAMES.contains(&name.as_str()) {
let config = state.config.read();
if !config.profiles.contains_key(&name) {
return Err(bad_request("cannot delete built-in profile"));
}
}
let removed = {
let mut config = state.config.write();
let existed = config.profiles.remove(&name).is_some();
if existed {
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
}
existed
};
if removed {
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
Ok(Json(serde_json::json!({ "removed": removed })))
}
async fn activate_profile(
State(state): State<AppState>,
Path(name): Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
{
let mut config = state.config.write();
config
.apply_profile(&name)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(Json(serde_json::json!({ "status": "ok", "profile": name })))
}
// ── Triage Sync ──────────────────────────────────────────────────────────────
async fn set_triage_sync(
State(state): State<AppState>,
Json(body): Json<serde_json::Value>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let enabled = body["enabled"]
.as_bool()
.ok_or_else(|| bad_request("missing enabled field"))?;
{
let mut config = state.config.write();
config.server.triage_sync = enabled;
// Note: triage_sync is in the server section, which save_local_config
// doesn't currently persist. We write the full config here.
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(Json(
serde_json::json!({ "status": "ok", "triage_sync": enabled }),
))
}
fn bad_request(msg: &str) -> (StatusCode, Json<serde_json::Value>) {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": msg })),
)
}

625
src/server/routes/debug.rs Normal file
View file

@ -0,0 +1,625 @@
//! Debug API route handlers.
//!
//! Provides endpoints for inspecting engine internals: CFG, SSA IR, taint
//! propagation, summaries, call graphs, abstract interpretation, and symbolic
//! execution.
use crate::server::app::AppState;
use crate::server::debug::{self, *};
use crate::utils::path::{DEFAULT_UI_MAX_FILE_BYTES, RepoPathError, resolve_repo_path};
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use r2d2::Pool;
use r2d2_sqlite::SqliteConnectionManager;
use serde::Deserialize;
use std::path::Path;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/debug/functions", get(list_functions))
.route("/debug/cfg", get(get_cfg))
.route("/debug/ssa", get(get_ssa))
.route("/debug/taint", get(get_taint))
.route("/debug/summaries", get(get_summaries))
.route("/debug/call-graph", get(get_call_graph))
.route("/debug/abstract-interp", get(get_abstract_interp))
.route("/debug/symex", get(get_symex))
}
// ── Query params ─────────────────────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct FileQuery {
file: String,
}
#[derive(Debug, Deserialize)]
struct FileFunctionQuery {
file: String,
function: String,
}
#[derive(Debug, Deserialize)]
struct CallGraphQuery {
scope: Option<String>,
file: Option<String>,
}
#[derive(Debug, Deserialize)]
struct SummaryQuery {
function: Option<String>,
file: Option<String>,
}
// ── Path validation ──────────────────────────────────────────────────────────
fn validate_and_resolve(scan_root: &Path, file: &str) -> Result<std::path::PathBuf, StatusCode> {
let resolved = resolve_repo_path(scan_root, file).map_err(map_path_error)?;
let metadata = std::fs::metadata(&resolved.canonical).map_err(|_| StatusCode::NOT_FOUND)?;
if !metadata.file_type().is_file() {
return Err(StatusCode::BAD_REQUEST);
}
if metadata.len() > DEFAULT_UI_MAX_FILE_BYTES {
return Err(StatusCode::BAD_REQUEST);
}
Ok(resolved.canonical)
}
// ── Handlers ─────────────────────────────────────────────────────────────────
/// GET /api/debug/functions?file=<path>
/// List functions available for debug inspection in a file.
async fn list_functions(
State(state): State<AppState>,
Query(q): Query<FileQuery>,
) -> Result<Json<Vec<FunctionInfo>>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
Ok(Json(debug::function_list(&analysis)))
}
fn map_path_error(err: RepoPathError) -> StatusCode {
match err {
RepoPathError::InvalidPath | RepoPathError::OutsideRoot => StatusCode::FORBIDDEN,
RepoPathError::NotFound => StatusCode::NOT_FOUND,
RepoPathError::NotFile
| RepoPathError::NotDirectory
| RepoPathError::TooLarge
| RepoPathError::InvalidText => StatusCode::BAD_REQUEST,
RepoPathError::Io => StatusCode::INTERNAL_SERVER_ERROR,
}
}
/// GET /api/debug/cfg?file=<path>&function=<name>
/// Return the CFG for a specific function as a graph JSON.
async fn get_cfg(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<CfgGraphView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let view = CfgGraphView::from_cfg_function(&analysis.file_cfg, &q.function, &analysis.bytes)
.ok_or(StatusCode::NOT_FOUND)?;
Ok(Json(view))
}
/// GET /api/debug/ssa?file=<path>&function=<name>
/// Return the SSA IR for a specific function.
async fn get_ssa(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<SsaBodyView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, _opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
Ok(Json(SsaBodyView::from_ssa(&ssa, &analysis.bytes)))
}
/// GET /api/debug/taint?file=<path>&function=<name>
/// Return taint analysis results for a specific function.
async fn get_taint(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<TaintAnalysisView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
// Try to load global summaries from DB for cross-file context
let global = load_global_summaries(&state);
let cross_file_context = global.as_ref().is_some_and(|g| !g.is_empty());
let ssa_summaries_available = global
.as_ref()
.is_some_and(|g| !g.snapshot_ssa().is_empty());
let (events, _entry_states, exit_states) = debug::analyse_function_taint(
&ssa,
analysis.cfg(),
analysis.lang,
analysis.summaries(),
global.as_ref(),
&opt,
);
// Show post-block state so single-block source→sink flows are visible in
// the debug UI instead of appearing empty at block entry.
Ok(Json(TaintAnalysisView::from_results(
&events,
&exit_states,
&ssa,
cross_file_context,
ssa_summaries_available,
)))
}
/// GET /api/debug/abstract-interp?file=<path>&function=<name>
/// Return abstract interpretation state for a specific function.
async fn get_abstract_interp(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<AbstractInterpView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
let global = load_global_summaries(&state);
let (_events, block_states, _exit_states) = debug::analyse_function_taint(
&ssa,
analysis.cfg(),
analysis.lang,
analysis.summaries(),
global.as_ref(),
&opt,
);
Ok(Json(AbstractInterpView::from_taint_states(
&block_states,
&ssa,
&opt,
)))
}
/// GET /api/debug/summaries?file=<path>&function=<name>
/// Return interprocedural summaries.
async fn get_summaries(
State(state): State<AppState>,
Query(q): Query<SummaryQuery>,
) -> Result<Json<Vec<FuncSummaryView>>, StatusCode> {
// Try DB first; fall back to on-demand single-file analysis
let global = match load_global_summaries(&state) {
Some(g) if !g.is_empty() => g,
_ => {
if let Some(ref file) = q.file {
let path = validate_and_resolve(&state.scan_root, file)?;
let config = state.config.read();
debug::analyse_file_summaries(&path, &config)?
} else {
return Ok(Json(vec![]));
}
}
};
let views: Vec<FuncSummaryView> = global
.iter()
.filter(|(key, summary)| {
let name_matches = q.function.as_ref().map(|f| key.name == *f).unwrap_or(true);
let file_matches = q
.file
.as_ref()
.map(|f| summary.file_path.contains(f.as_str()))
.unwrap_or(true);
name_matches && file_matches
})
.map(|(key, summary)| {
let ssa_summary = global.get_ssa(key);
FuncSummaryView::from_global(key, summary, ssa_summary)
})
.collect();
Ok(Json(views))
}
/// GET /api/debug/call-graph?scope=file|project&file=<path>
/// Return the call graph.
async fn get_call_graph(
State(state): State<AppState>,
Query(q): Query<CallGraphQuery>,
) -> Result<Json<CallGraphView>, StatusCode> {
let scope = q.scope.as_deref().unwrap_or("project");
let global = if scope == "file" {
// On-demand: parse the specified file and extract summaries
let file = q.file.as_deref().ok_or(StatusCode::BAD_REQUEST)?;
let path = validate_and_resolve(&state.scan_root, file)?;
let config = state.config.read();
debug::analyse_file_summaries(&path, &config)?
} else {
// Project scope: try DB, fall back to empty graph
load_global_summaries(&state).unwrap_or_default()
};
let cg = crate::callgraph::build_call_graph(&global, &[]);
let analysis = crate::callgraph::analyse(&cg);
Ok(Json(CallGraphView::from_call_graph(&cg, &analysis)))
}
/// GET /api/debug/symex?file=<path>&function=<name>
/// Return symbolic execution state for a function.
async fn get_symex(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<SymexView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
let global = load_global_summaries(&state);
let sym_state =
debug::analyse_function_symex(&ssa, analysis.cfg(), analysis.lang, &opt, global.as_ref());
Ok(Json(SymexView::from_symbolic_state(&sym_state, &ssa)))
}
// ── Helpers ──────────────────────────────────────────────────────────────────
/// Load global summaries from DB if available.
fn load_global_summaries(state: &AppState) -> Option<crate::summary::GlobalSummaries> {
let pool = state.db_pool.as_ref()?;
load_global_summaries_from_pool(&state.scan_root, pool)
}
fn load_global_summaries_from_pool(
scan_root: &Path,
pool: &Pool<SqliteConnectionManager>,
) -> Option<crate::summary::GlobalSummaries> {
let project = scan_root.file_name()?.to_str()?;
let root_str = scan_root.to_string_lossy();
let indexer = crate::database::index::Indexer::from_pool(project, pool).ok()?;
let func_summaries = indexer.load_all_summaries().ok()?;
let ssa_rows = indexer.load_all_ssa_summaries().ok()?;
let mut global = crate::summary::merge_summaries(func_summaries, Some(&root_str));
for (_file_path, name, lang_str, arity, namespace, container, disambig, kind, summary) in
ssa_rows
{
let lang = crate::symbol::Lang::from_slug(&lang_str).unwrap_or(crate::symbol::Lang::Rust);
let key = crate::symbol::FuncKey {
lang,
namespace: if namespace.is_empty() {
crate::symbol::normalize_namespace(&_file_path, Some(&root_str))
} else {
namespace
},
container,
name,
arity: if arity >= 0 {
Some(arity as usize)
} else {
None
},
disambig,
kind,
};
global.insert_ssa(key, summary);
}
Some(global)
}
#[cfg(test)]
mod tests {
use super::*;
use crate::database::index::Indexer;
use crate::labels::Cap;
use crate::summary::FuncSummary;
use crate::summary::ssa_summary::SsaFuncSummary;
use crate::symbol::{FuncKey, Lang};
/// Helper: create a DB pool with persisted summaries for a JS helper function.
fn setup_db_with_summaries(
dir: &std::path::Path,
scan_root: &std::path::Path,
) -> std::sync::Arc<r2d2::Pool<r2d2_sqlite::SqliteConnectionManager>> {
std::fs::create_dir_all(scan_root.join("src")).unwrap();
let file_path = scan_root.join("src/helper.js");
std::fs::write(
&file_path,
"function getInput() { return process.env.USER_INPUT; }\nmodule.exports = { getInput };",
)
.unwrap();
let db_path = dir.join("test.sqlite");
let pool = Indexer::init(&db_path).unwrap();
let mut indexer =
Indexer::from_pool(scan_root.file_name().unwrap().to_str().unwrap(), &pool).unwrap();
indexer
.replace_summaries_for_file(
&file_path,
b"hash",
&[FuncSummary {
name: "getInput".into(),
file_path: file_path.to_string_lossy().into_owned(),
lang: "javascript".into(),
param_count: 0,
param_names: vec![],
source_caps: Cap::all().bits(),
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
}],
)
.unwrap();
indexer
.replace_ssa_summaries_for_file(
&file_path,
b"hash",
&[(
"getInput".into(),
0,
"javascript".into(),
"src/helper.js".into(),
String::new(),
None,
crate::symbol::FuncKind::Function,
SsaFuncSummary {
param_to_return: vec![],
param_to_sink: vec![],
source_caps: Cap::all(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
},
)],
)
.unwrap();
pool
}
#[test]
fn taint_route_reports_cross_file_context_when_summaries_present() {
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("myproject");
let pool = setup_db_with_summaries(dir.path(), &scan_root);
let global =
load_global_summaries_from_pool(&scan_root, &pool).expect("should load summaries");
let cross_file_context = !global.is_empty();
let ssa_summaries_available = !global.snapshot_ssa().is_empty();
assert!(
cross_file_context,
"cross_file_context should be true when DB has persisted summaries"
);
assert!(
ssa_summaries_available,
"ssa_summaries_available should be true when DB has SSA summaries"
);
}
#[test]
fn taint_route_reports_no_cross_file_context_when_db_empty() {
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("emptyproject");
std::fs::create_dir_all(&scan_root).unwrap();
let db_path = dir.path().join("empty.sqlite");
let pool = Indexer::init(&db_path).unwrap();
let _indexer = Indexer::from_pool("emptyproject", &pool).unwrap();
let global = load_global_summaries_from_pool(&scan_root, &pool);
let cross_file_context = global.as_ref().is_some_and(|g| !g.is_empty());
let ssa_summaries_available = global
.as_ref()
.is_some_and(|g| !g.snapshot_ssa().is_empty());
assert!(
!cross_file_context,
"cross_file_context should be false when DB has no summaries"
);
assert!(
!ssa_summaries_available,
"ssa_summaries_available should be false when DB has no SSA summaries"
);
}
#[test]
fn taint_view_includes_context_flags_with_no_summaries() {
// Simulate the debug view construction with no cross-file context
let view = TaintAnalysisView::from_results(
&[],
&[],
&crate::ssa::ir::SsaBody {
blocks: vec![],
entry: crate::ssa::ir::BlockId(0),
value_defs: vec![],
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
},
false,
false,
);
assert!(!view.cross_file_context);
assert!(!view.ssa_summaries_available);
}
#[test]
fn taint_view_includes_context_flags_with_summaries() {
let view = TaintAnalysisView::from_results(
&[],
&[],
&crate::ssa::ir::SsaBody {
blocks: vec![],
entry: crate::ssa::ir::BlockId(0),
value_defs: vec![],
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
},
true,
true,
);
assert!(view.cross_file_context);
assert!(view.ssa_summaries_available);
}
#[test]
fn taint_view_serializes_context_fields() {
let view = TaintAnalysisView::from_results(
&[],
&[],
&crate::ssa::ir::SsaBody {
blocks: vec![],
entry: crate::ssa::ir::BlockId(0),
value_defs: vec![],
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
},
true,
false,
);
let json = serde_json::to_value(&view).unwrap();
assert_eq!(json["cross_file_context"], true);
assert_eq!(json["ssa_summaries_available"], false);
}
#[test]
fn load_global_summaries_graceful_on_malformed_db() {
// A DB with no tables at all should not crash, just return None
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("badproject");
std::fs::create_dir_all(&scan_root).unwrap();
let db_path = dir.path().join("bad.sqlite");
// Create a raw SQLite file without our schema
let manager = r2d2_sqlite::SqliteConnectionManager::file(&db_path);
let pool = r2d2::Pool::builder().max_size(1).build(manager).unwrap();
let result = load_global_summaries_from_pool(&scan_root, &pool);
// Should return None gracefully, not panic
assert!(
result.is_none(),
"malformed DB should return None, not crash"
);
}
#[test]
fn load_global_summaries_uses_scan_root_project_and_normalized_namespace() {
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("Example Project");
std::fs::create_dir_all(scan_root.join("src")).unwrap();
let file_path = scan_root.join("src/lib.rs");
std::fs::write(&file_path, "fn helper() {}").unwrap();
let db_path = dir.path().join("example_project.sqlite");
let pool = Indexer::init(&db_path).unwrap();
let mut indexer = Indexer::from_pool("Example Project", &pool).unwrap();
indexer
.replace_summaries_for_file(
&file_path,
b"hash",
&[FuncSummary {
name: "helper".into(),
file_path: file_path.to_string_lossy().into_owned(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 0,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
}],
)
.unwrap();
indexer
.replace_ssa_summaries_for_file(
&file_path,
b"hash",
&[(
"helper".into(),
0,
"rust".into(),
"src/lib.rs".into(),
String::new(),
None,
crate::symbol::FuncKind::Function,
SsaFuncSummary {
param_to_return: vec![],
param_to_sink: vec![],
source_caps: Cap::ENV_VAR,
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
},
)],
)
.unwrap();
let global = load_global_summaries_from_pool(&scan_root, &pool)
.expect("debug loader should recover project summaries");
let key = FuncKey {
lang: Lang::Rust,
namespace: "src/lib.rs".into(),
name: "helper".into(),
arity: Some(0),
..Default::default()
};
assert!(global.get(&key).is_some());
assert!(
global.get_ssa(&key).is_some(),
"SSA summaries should line up with the normalized function keys"
);
}
}

37
src/server/routes/events.rs Normal file
View file

@ -0,0 +1,37 @@
use crate::server::app::{AppState, ServerEvent};
use axum::Router;
use axum::extract::State;
use axum::response::sse::{Event, KeepAlive, Sse};
use axum::routing::get;
use tokio_stream::StreamExt;
use tokio_stream::wrappers::BroadcastStream;
pub fn routes() -> Router<AppState> {
Router::new().route("/events", get(event_stream))
}
async fn event_stream(
State(state): State<AppState>,
) -> Sse<impl tokio_stream::Stream<Item = Result<Event, std::convert::Infallible>>> {
let rx = state.event_tx.subscribe();
let stream = BroadcastStream::new(rx).filter_map(|result: Result<ServerEvent, _>| {
let event = result.ok()?;
let data = match serde_json::to_string(&event) {
Ok(s) => s,
Err(err) => {
tracing::warn!(error = %err, "failed to serialize server event; dropping");
return None;
}
};
let event_type = match &event {
ServerEvent::ScanStarted { .. } => "scan_started",
ServerEvent::ScanCompleted { .. } => "scan_completed",
ServerEvent::ScanFailed { .. } => "scan_failed",
ServerEvent::ScanProgress { .. } => "scan_progress",
ServerEvent::ConfigChanged => "config_changed",
};
Some(Ok(Event::default().event(event_type).data(data)))
});
Sse::new(stream).keep_alive(KeepAlive::default())
}

355
src/server/routes/explorer.rs Normal file
View file

@ -0,0 +1,355 @@
#![allow(clippy::collapsible_if)]
use crate::database::index::Indexer;
use crate::server::app::AppState;
use crate::server::models::lang_for_finding_path;
use crate::server::routes::findings::load_latest_findings;
use crate::utils::path::{RepoPathError, resolve_repo_dir, resolve_repo_path};
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::fs;
use crate::patterns::Severity;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/explorer/tree", get(get_tree))
.route("/explorer/symbols", get(get_symbols))
.route("/explorer/findings", get(get_findings))
}
// ── Query params ─────────────────────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct TreeQuery {
path: Option<String>,
}
#[derive(Debug, Deserialize)]
struct SymbolsQuery {
path: String,
}
#[derive(Debug, Deserialize)]
struct ExplorerFindingsQuery {
path: String,
}
// ── Response types ───────────────────────────────────────────────────────────
#[derive(Debug, Serialize)]
struct TreeEntry {
name: String,
entry_type: String,
path: String,
language: Option<String>,
finding_count: usize,
severity_max: Option<String>,
}
#[derive(Debug, Serialize)]
struct SymbolEntry {
name: String,
kind: String,
line: Option<usize>,
finding_count: usize,
namespace: Option<String>,
arity: Option<usize>,
}
#[derive(Debug, Serialize)]
struct ExplorerFinding {
index: usize,
line: usize,
col: usize,
severity: String,
rule_id: String,
category: String,
message: Option<String>,
confidence: Option<String>,
}
// ── Helpers ──────────────────────────────────────────────────────────────────
fn severity_rank(s: Severity) -> u8 {
match s {
Severity::High => 3,
Severity::Medium => 2,
Severity::Low => 1,
}
}
fn max_severity(a: Option<Severity>, b: Severity) -> Severity {
match a {
Some(existing) => {
if severity_rank(b) > severity_rank(existing) {
b
} else {
existing
}
}
None => b,
}
}
/// Normalize a Diag path to be relative to scan_root.
///
/// Diag.path is typically absolute (from the file walker). The explorer UI
/// works with relative paths, so we strip the scan_root prefix. If the path
/// is already relative (e.g. in tests), return it as-is.
fn relativize_path<'a>(diag_path: &'a str, scan_root_str: &str) -> &'a str {
diag_path
.strip_prefix(scan_root_str)
.unwrap_or(diag_path)
.trim_start_matches('/')
}
// ── GET /api/explorer/tree ───────────────────────────────────────────────────
async fn get_tree(
State(state): State<AppState>,
Query(query): Query<TreeQuery>,
) -> Result<Json<Vec<TreeEntry>>, StatusCode> {
let resolved =
resolve_repo_dir(&state.scan_root, query.path.as_deref()).map_err(map_path_error)?;
let canonical = resolved.canonical;
// Load findings and pre-compute per-file and per-directory aggregates
let findings = load_latest_findings(&state);
let canonical_root = resolved.root;
let root_str = canonical_root.to_string_lossy();
let mut file_counts: HashMap<String, (usize, Severity)> = HashMap::new();
let mut dir_counts: HashMap<String, (usize, Severity)> = HashMap::new();
for d in findings.iter() {
// Normalize Diag absolute path to relative
let rel = relativize_path(&d.path, &root_str);
if rel.is_empty() {
continue;
}
let entry = file_counts
.entry(rel.to_string())
.or_insert((0, Severity::Low));
entry.0 += 1;
entry.1 = max_severity(Some(entry.1), d.severity);
// Aggregate into all ancestor directories
let mut path = rel;
while let Some(i) = path.rfind('/') {
path = &path[..i];
let entry = dir_counts
.entry(path.to_string())
.or_insert((0, Severity::Low));
entry.0 += 1;
entry.1 = max_severity(Some(entry.1), d.severity);
}
}
let mut entries = Vec::new();
let read_dir = fs::read_dir(&canonical).map_err(|_| StatusCode::NOT_FOUND)?;
for entry in read_dir {
let entry = match entry {
Ok(e) => e,
Err(_) => continue,
};
let name = entry.file_name().to_string_lossy().to_string();
// Skip hidden files/directories
if name.starts_with('.') {
continue;
}
let entry_path = entry.path();
let is_dir = entry_path.is_dir();
// Compute relative path from scan_root
let canonical_entry = match fs::canonicalize(&entry_path) {
Ok(c) => c,
Err(_) => continue,
};
if !canonical_entry.starts_with(&canonical_root) {
continue;
}
let rel_path = canonical_entry
.strip_prefix(&canonical_root)
.unwrap_or(&canonical_entry)
.to_string_lossy()
.to_string();
let (finding_count, severity_max) = if is_dir {
match dir_counts.get(&rel_path) {
Some(&(count, sev)) => (count, Some(sev.as_db_str().to_string())),
None => (0, None),
}
} else {
match file_counts.get(&rel_path) {
Some(&(count, sev)) => (count, Some(sev.as_db_str().to_string())),
None => (0, None),
}
};
let language = if is_dir {
None
} else {
lang_for_finding_path(&rel_path)
};
entries.push(TreeEntry {
name,
entry_type: if is_dir {
"dir".to_string()
} else {
"file".to_string()
},
path: rel_path,
language,
finding_count,
severity_max,
});
}
// Sort: dirs first (alpha), then files (alpha)
entries.sort_by(|a, b| {
let a_is_dir = a.entry_type == "dir";
let b_is_dir = b.entry_type == "dir";
b_is_dir
.cmp(&a_is_dir)
.then_with(|| a.name.to_lowercase().cmp(&b.name.to_lowercase()))
});
Ok(Json(entries))
}
// ── GET /api/explorer/symbols ────────────────────────────────────────────────
async fn get_symbols(
State(state): State<AppState>,
Query(query): Query<SymbolsQuery>,
) -> Result<Json<Vec<SymbolEntry>>, StatusCode> {
let resolved = resolve_repo_path(&state.scan_root, &query.path).map_err(map_path_error)?;
let pool = match &state.db_pool {
Some(p) => p,
None => return Ok(Json(vec![])),
};
let idx = Indexer::from_pool("_scans", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
// Build absolute path for DB lookup (DB stores absolute paths)
let canonical_root = resolved.root;
let abs_path = resolved.canonical;
let abs_path_str = abs_path.to_string_lossy();
let root_str = canonical_root.to_string_lossy();
// Load findings for function-level finding count
let findings = load_latest_findings(&state);
let mut func_finding_counts: HashMap<String, usize> = HashMap::new();
for d in findings.iter() {
let rel = relativize_path(&d.path, &root_str);
if rel != resolved.relative {
continue;
}
// Try to get function name from evidence flow steps
if let Some(ref ev) = d.evidence {
for step in &ev.flow_steps {
if let Some(ref func) = step.function {
*func_finding_counts.entry(func.clone()).or_insert(0) += 1;
}
}
}
}
// Try absolute path first (production), then relative (tests)
let mut symbols = idx
.load_ssa_summaries_for_file(&abs_path_str)
.unwrap_or_default();
if symbols.is_empty() {
symbols = idx
.load_ssa_summaries_for_file(&query.path)
.unwrap_or_default();
}
let entries: Vec<SymbolEntry> = symbols
.into_iter()
.map(|(name, arity, _lang, namespace)| {
let kind = if !namespace.is_empty() && namespace != name {
"method".to_string()
} else {
"function".to_string()
};
let finding_count = func_finding_counts.get(&name).copied().unwrap_or(0);
SymbolEntry {
name,
kind,
line: None,
finding_count,
namespace: if namespace.is_empty() {
None
} else {
Some(namespace)
},
arity: if arity < 0 {
None
} else {
Some(arity as usize)
},
}
})
.collect();
Ok(Json(entries))
}
// ── GET /api/explorer/findings ───────────────────────────────────────────────
async fn get_findings(
State(state): State<AppState>,
Query(query): Query<ExplorerFindingsQuery>,
) -> Result<Json<Vec<ExplorerFinding>>, StatusCode> {
let resolved = resolve_repo_path(&state.scan_root, &query.path).map_err(map_path_error)?;
let findings = load_latest_findings(&state);
let root_str = resolved.root.to_string_lossy();
let mut results: Vec<ExplorerFinding> = findings
.iter()
.enumerate()
.filter(|(_, d)| {
let rel = relativize_path(&d.path, &root_str);
rel == resolved.relative
})
.map(|(i, d)| ExplorerFinding {
index: i,
line: d.line,
col: d.col,
severity: d.severity.as_db_str().to_string(),
rule_id: d.id.clone(),
category: d.category.to_string(),
message: d.message.clone(),
confidence: d.confidence.map(|c| c.to_string()),
})
.collect();
results.sort_by_key(|f| f.line);
Ok(Json(results))
}
fn map_path_error(err: RepoPathError) -> StatusCode {
match err {
RepoPathError::InvalidPath | RepoPathError::OutsideRoot => StatusCode::FORBIDDEN,
RepoPathError::NotFound => StatusCode::NOT_FOUND,
RepoPathError::NotDirectory => StatusCode::BAD_REQUEST,
RepoPathError::NotFile | RepoPathError::TooLarge | RepoPathError::InvalidText => {
StatusCode::BAD_REQUEST
}
RepoPathError::Io => StatusCode::INTERNAL_SERVER_ERROR,
}
}

77
src/server/routes/files.rs Normal file
View file

@ -0,0 +1,77 @@
use crate::server::app::AppState;
use crate::utils::path::{DEFAULT_UI_MAX_FILE_BYTES, RepoPathError, open_repo_text_file};
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use serde::{Deserialize, Serialize};
pub fn routes() -> Router<AppState> {
Router::new().route("/files", get(get_file))
}
#[derive(Debug, Deserialize)]
struct FileQuery {
path: String,
start_line: Option<usize>,
end_line: Option<usize>,
}
#[derive(Debug, Serialize)]
struct FileLine {
number: usize,
content: String,
}
#[derive(Debug, Serialize)]
struct FileResponse {
path: String,
lines: Vec<FileLine>,
total_lines: usize,
}
async fn get_file(
State(state): State<AppState>,
Query(query): Query<FileQuery>,
) -> Result<Json<FileResponse>, StatusCode> {
let opened = open_repo_text_file(&state.scan_root, &query.path, DEFAULT_UI_MAX_FILE_BYTES)
.map_err(map_path_error)?;
let content = opened.content;
let all_lines: Vec<&str> = content.lines().collect();
let total_lines = all_lines.len();
// Apply line range (1-indexed)
let start = query.start_line.unwrap_or(1).max(1);
let end = query.end_line.unwrap_or(total_lines).min(total_lines);
let lines: Vec<FileLine> = if start <= end && start <= total_lines {
all_lines[start - 1..end]
.iter()
.enumerate()
.map(|(i, l)| FileLine {
number: start + i,
content: (*l).to_string(),
})
.collect()
} else {
vec![]
};
Ok(Json(FileResponse {
path: opened.resolved.relative,
lines,
total_lines,
}))
}
fn map_path_error(err: RepoPathError) -> StatusCode {
match err {
RepoPathError::InvalidPath | RepoPathError::OutsideRoot => StatusCode::FORBIDDEN,
RepoPathError::NotFound => StatusCode::NOT_FOUND,
RepoPathError::TooLarge
| RepoPathError::InvalidText
| RepoPathError::NotFile
| RepoPathError::NotDirectory => StatusCode::BAD_REQUEST,
RepoPathError::Io => StatusCode::INTERNAL_SERVER_ERROR,
}
}

206
src/server/routes/findings.rs Normal file
View file

@ -0,0 +1,206 @@
#![allow(clippy::collapsible_if)]
use crate::commands::scan::Diag;
use crate::database::index::Indexer;
use crate::server::app::AppState;
use crate::server::models::{
FilterValues, FindingSummary, FindingView, collect_filter_values, finding_from_diag,
finding_from_diag_with_detail, overlay_triage_states, summarize_findings,
};
use axum::extract::{Path, Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use serde::Deserialize;
use std::sync::Arc;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/findings", get(list_findings))
.route("/findings/summary", get(findings_summary))
.route("/findings/filters", get(findings_filters))
.route("/findings/{index}", get(get_finding))
}
/// Load findings for the latest completed scan, falling back to DB if no
/// in-memory completed scan exists (e.g. after a server restart).
pub fn load_latest_findings(state: &AppState) -> Arc<Vec<Diag>> {
// In-memory first
if let Some(job) = state.job_manager.get_latest_completed() {
if let Some(ref findings) = job.findings {
return Arc::clone(findings);
}
}
// DB fallback — find the most recent completed scan with findings
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(scans) = idx.list_scans(20) {
for scan in scans {
if scan.status == "completed" {
if let Some(json) = scan.findings_json.as_deref() {
if let Ok(diags) = serde_json::from_str::<Vec<Diag>>(json) {
return Arc::new(diags);
}
}
}
}
}
}
}
Arc::new(Vec::new())
}
/// Load triage states and suppression rules from DB, apply to views.
fn apply_triage_overlay(state: &AppState, views: &mut [FindingView]) {
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_triage", pool) {
let triage_map = idx.get_all_triage_states().unwrap_or_default();
let rules = idx.get_suppression_rules().unwrap_or_default();
overlay_triage_states(views, &triage_map, &rules);
}
}
}
#[derive(Debug, Deserialize, Default)]
struct FindingsQuery {
severity: Option<String>,
category: Option<String>,
rule_id: Option<String>,
path: Option<String>,
search: Option<String>,
language: Option<String>,
confidence: Option<String>,
status: Option<String>,
sort_by: Option<String>,
sort_dir: Option<String>,
page: Option<usize>,
per_page: Option<usize>,
}
async fn list_findings(
State(state): State<AppState>,
Query(query): Query<FindingsQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let findings = load_latest_findings(&state);
let mut views: Vec<FindingView> = findings
.iter()
.enumerate()
.map(|(i, d)| finding_from_diag(i, d))
.collect();
// Overlay triage states from DB before filtering
apply_triage_overlay(&state, &mut views);
// Apply filters.
if let Some(ref sev) = query.severity {
let sev_upper = sev.to_ascii_uppercase();
views.retain(|f| f.severity.as_db_str() == sev_upper);
}
if let Some(ref cat) = query.category {
let cat_lower = cat.to_ascii_lowercase();
views.retain(|f| f.category.to_string().to_ascii_lowercase() == cat_lower);
}
if let Some(ref rule) = query.rule_id {
views.retain(|f| f.rule_id == *rule);
}
if let Some(ref path_prefix) = query.path {
views.retain(|f| f.path.starts_with(path_prefix.as_str()));
}
if let Some(ref lang) = query.language {
let lang_lower = lang.to_ascii_lowercase();
views.retain(|f| {
f.language
.as_ref()
.is_some_and(|l| l.to_ascii_lowercase() == lang_lower)
});
}
if let Some(ref conf) = query.confidence {
let conf_lower = conf.to_ascii_lowercase();
views.retain(|f| {
f.confidence
.as_ref()
.is_some_and(|c| format!("{c:?}").to_ascii_lowercase() == conf_lower)
});
}
if let Some(ref status) = query.status {
let status_lower = status.to_ascii_lowercase();
views.retain(|f| f.status.to_ascii_lowercase() == status_lower);
}
if let Some(ref search) = query.search {
let needle = search.to_ascii_lowercase();
views.retain(|f| {
f.path.to_ascii_lowercase().contains(&needle)
|| f.rule_id.to_ascii_lowercase().contains(&needle)
|| f.message
.as_ref()
.is_some_and(|m| m.to_ascii_lowercase().contains(&needle))
});
}
// Sort.
match query.sort_by.as_deref() {
Some("severity") => views.sort_by_key(|a| a.severity),
Some("path") | Some("file") => views.sort_by(|a, b| a.path.cmp(&b.path)),
Some("rule_id") => views.sort_by(|a, b| a.rule_id.cmp(&b.rule_id)),
Some("score") => views.sort_by(|a, b| {
b.rank_score
.unwrap_or(0.0)
.partial_cmp(&a.rank_score.unwrap_or(0.0))
.unwrap_or(std::cmp::Ordering::Equal)
}),
Some("confidence") => views.sort_by(|a, b| {
let ca = a.confidence.map(|c| c as u8).unwrap_or(0);
let cb = b.confidence.map(|c| c as u8).unwrap_or(0);
ca.cmp(&cb)
}),
Some("line") => views.sort_by_key(|a| a.line),
Some("language") => views.sort_by(|a, b| {
a.language
.as_deref()
.unwrap_or("")
.cmp(b.language.as_deref().unwrap_or(""))
}),
Some("status") => views.sort_by(|a, b| a.status.cmp(&b.status)),
Some("category") => views.sort_by_key(|a| a.category.to_string()),
_ => {} // default order (by index)
}
if query.sort_dir.as_deref() == Some("desc") {
views.reverse();
}
// Paginate.
let total = views.len();
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).clamp(1, 10000);
let start = (page - 1) * per_page;
let page_views: Vec<_> = views.into_iter().skip(start).take(per_page).collect();
Ok(Json(serde_json::json!({
"findings": page_views,
"total": total,
"page": page,
"per_page": per_page,
})))
}
async fn findings_summary(State(state): State<AppState>) -> Json<FindingSummary> {
let findings = load_latest_findings(&state);
Json(summarize_findings(&findings))
}
async fn findings_filters(State(state): State<AppState>) -> Json<FilterValues> {
let findings = load_latest_findings(&state);
Json(collect_filter_values(&findings))
}
async fn get_finding(
State(state): State<AppState>,
Path(index): Path<usize>,
) -> Result<Json<FindingView>, StatusCode> {
let findings = load_latest_findings(&state);
let diag = findings.get(index).ok_or(StatusCode::NOT_FOUND)?;
let mut view = finding_from_diag_with_detail(index, diag, &state.scan_root, &findings);
apply_triage_overlay(&state, std::slice::from_mut(&mut view));
Ok(Json(view))
}

24
src/server/routes/health.rs Normal file
View file

@ -0,0 +1,24 @@
use crate::server::app::AppState;
use axum::extract::State;
use axum::routing::get;
use axum::{Json, Router};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/health", get(health_check))
.route("/session", get(session_info))
}
async fn health_check(State(state): State<AppState>) -> Json<serde_json::Value> {
Json(serde_json::json!({
"status": "ok",
"version": env!("CARGO_PKG_VERSION"),
"scan_root": state.scan_root.display().to_string(),
}))
}
async fn session_info(State(state): State<AppState>) -> Json<serde_json::Value> {
Json(serde_json::json!({
"csrf_token": state.security.csrf_token(),
}))
}

30
src/server/routes/mod.rs Normal file
View file

@ -0,0 +1,30 @@
pub mod config;
pub mod debug;
pub mod events;
pub mod explorer;
pub mod files;
pub mod findings;
pub mod health;
pub mod overview;
pub mod rules;
pub mod scans;
pub mod triage;
use crate::server::app::AppState;
use axum::Router;
/// Build all API routes under /api.
pub fn api_routes() -> Router<AppState> {
Router::new()
.merge(health::routes())
.merge(findings::routes())
.merge(files::routes())
.merge(scans::routes())
.merge(config::routes())
.merge(rules::routes())
.merge(events::routes())
.merge(triage::routes())
.merge(overview::routes())
.merge(explorer::routes())
.merge(debug::routes())
}

437
src/server/routes/overview.rs Normal file
View file

@ -0,0 +1,437 @@
#![allow(clippy::collapsible_if)]
use crate::commands::scan::Diag;
use crate::database::index::{Indexer, ScanRecord};
use crate::evidence::Confidence;
use crate::server::app::AppState;
use crate::server::models::{
Insight, NoisyRule, OverviewResponse, ScanSummary, TrendPoint, by_language_from_findings,
compute_fingerprint, summarize_findings, top_directories_from_findings, top_n_from_map,
};
use axum::extract::State;
use axum::routing::get;
use axum::{Json, Router};
use std::collections::{HashMap, HashSet};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/overview", get(overview))
.route("/overview/trends", get(overview_trends))
}
/// GET /api/overview — aggregated dashboard data.
async fn overview(State(state): State<AppState>) -> Json<OverviewResponse> {
// 1. Load latest findings (in-memory → DB fallback)
let findings = crate::server::routes::findings::load_latest_findings(&state);
// 2. Collect recent scans (in-memory + DB, deduped)
let recent_scans = collect_recent_scans(&state, 10);
// 3. Basic summary
let summary = summarize_findings(&findings);
let by_language = by_language_from_findings(&findings);
// 4. Find latest completed scan info
let latest_completed = recent_scans.iter().find(|s| s.status == "completed");
let latest_scan_id = latest_completed.map(|s| s.id.clone());
let latest_scan_at = latest_completed.and_then(|s| s.started_at.clone());
let latest_scan_duration = latest_completed.and_then(|s| s.duration_secs);
// 5. New/fixed since last scan
let (new_since_last, fixed_since_last) = compute_delta(&state, &findings);
// 6. High confidence rate
let high_confidence_rate = if findings.is_empty() {
0.0
} else {
let high_count = findings
.iter()
.filter(|d| d.confidence == Some(Confidence::High))
.count();
high_count as f64 / findings.len() as f64
};
// 7. Triage coverage
let triage_coverage = compute_triage_coverage(&state, &findings);
// 8. Top files, dirs, rules
let top_files = top_n_from_map(&summary.by_file, 10);
let top_directories = top_directories_from_findings(&findings, 10);
let top_rules = top_n_from_map(&summary.by_rule, 10);
// 9. Noisy rules
let noisy_rules = compute_noisy_rules(&state, &findings, &summary.by_rule);
// 10. Insights
let insights = generate_insights(
&summary,
new_since_last,
fixed_since_last,
triage_coverage,
&noisy_rules,
);
// 11. State
let state_str = if recent_scans.iter().all(|s| s.status != "completed") {
"empty".to_string()
} else if is_fresh_scan(latest_completed) {
"fresh".to_string()
} else {
"normal".to_string()
};
Json(OverviewResponse {
state: state_str,
total_findings: summary.total,
new_since_last,
fixed_since_last,
high_confidence_rate,
triage_coverage,
latest_scan_duration_secs: latest_scan_duration,
latest_scan_id,
latest_scan_at,
by_severity: summary.by_severity,
by_category: summary.by_category,
by_language,
top_files,
top_directories,
top_rules,
noisy_rules,
recent_scans: recent_scans.into_iter().take(10).collect(),
insights,
})
}
/// GET /api/overview/trends — scan-over-scan finding counts.
async fn overview_trends(State(state): State<AppState>) -> Json<Vec<TrendPoint>> {
let mut points = Vec::new();
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(scans) = idx.list_scans(20) {
let completed: Vec<&ScanRecord> =
scans.iter().filter(|s| s.status == "completed").collect();
// Cap at 10 for performance
for scan in completed.iter().rev().take(10) {
let total = scan.finding_count.unwrap_or(0) as usize;
let by_severity = scan
.findings_json
.as_deref()
.and_then(|json| serde_json::from_str::<Vec<Diag>>(json).ok())
.map(|diags| {
let mut sev: HashMap<String, usize> = HashMap::new();
for d in &diags {
*sev.entry(d.severity.as_db_str().to_string()).or_insert(0) += 1;
}
sev
})
.unwrap_or_default();
points.push(TrendPoint {
scan_id: scan.id.clone(),
timestamp: scan.started_at.clone().unwrap_or_default(),
total,
by_severity,
});
}
}
}
}
Json(points)
}
// ── Helpers ──────────────────────────────────────────────────────────────────
/// Collect recent scans from in-memory jobs + DB, deduped by ID.
fn collect_recent_scans(state: &AppState, limit: usize) -> Vec<ScanSummary> {
let mut seen = HashSet::new();
let mut scans = Vec::new();
// In-memory first
for job in state.job_manager.list_jobs() {
if seen.insert(job.id.clone()) {
scans.push(ScanSummary {
id: job.id.clone(),
status: format!("{:?}", job.status).to_ascii_lowercase(),
started_at: job.started_at.map(|t| t.to_rfc3339()),
duration_secs: job.duration_secs,
finding_count: job.findings.as_ref().map(|f| f.len() as i64),
});
}
}
// DB fallback
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(records) = idx.list_scans(limit as i64) {
for r in records {
if seen.insert(r.id.clone()) {
scans.push(ScanSummary {
id: r.id,
status: r.status,
started_at: r.started_at,
duration_secs: r.duration_secs,
finding_count: r.finding_count,
});
}
}
}
}
}
// Sort by started_at descending
scans.sort_by(|a, b| b.started_at.cmp(&a.started_at));
scans.truncate(limit);
scans
}
/// Compute new/fixed finding counts by comparing the two most recent completed scans.
fn compute_delta(state: &AppState, current_findings: &[Diag]) -> (usize, usize) {
if current_findings.is_empty() {
return (0, 0);
}
let current_fps: HashSet<String> = current_findings.iter().map(compute_fingerprint).collect();
// Find previous completed scan's findings
let previous_fps = load_previous_scan_fingerprints(state);
if previous_fps.is_empty() {
return (0, 0);
}
let new_count = current_fps.difference(&previous_fps).count();
let fixed_count = previous_fps.difference(&current_fps).count();
(new_count, fixed_count)
}
/// Load fingerprints from the second-most-recent completed scan.
fn load_previous_scan_fingerprints(state: &AppState) -> HashSet<String> {
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(scans) = idx.list_scans(10) {
let completed: Vec<&ScanRecord> = scans
.iter()
.filter(|s| s.status == "completed" && s.findings_json.is_some())
.collect();
// Skip the first (latest) completed scan — we want the previous one
if let Some(prev) = completed.get(1) {
if let Some(json) = prev.findings_json.as_deref() {
if let Ok(diags) = serde_json::from_str::<Vec<Diag>>(json) {
return diags.iter().map(compute_fingerprint).collect();
}
}
}
}
}
}
HashSet::new()
}
/// Compute triage coverage: fraction of findings with non-"open" triage state.
fn compute_triage_coverage(state: &AppState, findings: &[Diag]) -> f64 {
if findings.is_empty() {
return 0.0;
}
let Some(ref pool) = state.db_pool else {
return 0.0;
};
let Ok(idx) = Indexer::from_pool("_scans", pool) else {
return 0.0;
};
let triage_map = idx.get_all_triage_states().unwrap_or_default();
let suppression_rules = idx.get_suppression_rules().unwrap_or_default();
let mut non_open = 0usize;
for d in findings {
let fp = compute_fingerprint(d);
// Check explicit triage state
if let Some((triage_state, _, _)) = triage_map.get(&fp) {
if triage_state != "open" {
non_open += 1;
continue;
}
}
// Check suppression rules
let path = &d.path;
let rule_id = &d.id;
for rule in &suppression_rules {
let matches = match rule.suppress_by.as_str() {
"fingerprint" => fp == rule.match_value,
"rule" => *rule_id == rule.match_value,
"rule_in_file" => {
let key = format!("{rule_id}:{path}");
key == rule.match_value
}
"file" => *path == rule.match_value,
_ => false,
};
if matches {
non_open += 1;
break;
}
}
}
non_open as f64 / findings.len() as f64
}
/// Compute noisy rules: high finding count + high suppression rate.
fn compute_noisy_rules(
state: &AppState,
findings: &[Diag],
by_rule: &HashMap<String, usize>,
) -> Vec<NoisyRule> {
let Some(ref pool) = state.db_pool else {
return vec![];
};
let Ok(idx) = Indexer::from_pool("_scans", pool) else {
return vec![];
};
let triage_map = idx.get_all_triage_states().unwrap_or_default();
let suppression_rules = idx.get_suppression_rules().unwrap_or_default();
// Count suppressed findings per rule
let mut suppressed_per_rule: HashMap<String, usize> = HashMap::new();
for d in findings {
let fp = compute_fingerprint(d);
let is_suppressed = triage_map
.get(&fp)
.map(|(s, _, _)| s == "suppressed" || s == "false_positive")
.unwrap_or(false)
|| suppression_rules
.iter()
.any(|rule| match rule.suppress_by.as_str() {
"fingerprint" => fp == rule.match_value,
"rule" => d.id == rule.match_value,
"rule_in_file" => format!("{}:{}", d.id, d.path) == rule.match_value,
"file" => d.path == rule.match_value,
_ => false,
});
if is_suppressed {
*suppressed_per_rule.entry(d.id.clone()).or_insert(0) += 1;
}
}
let mut noisy: Vec<NoisyRule> = by_rule
.iter()
.filter_map(|(rule_id, &count)| {
if count < 3 {
return None;
}
let suppressed = suppressed_per_rule.get(rule_id).copied().unwrap_or(0);
let rate = suppressed as f64 / count as f64;
if rate >= 0.5 {
Some(NoisyRule {
rule_id: rule_id.clone(),
finding_count: count,
suppression_rate: rate,
})
} else {
None
}
})
.collect();
noisy.sort_by_key(|b| std::cmp::Reverse(b.finding_count));
noisy
}
/// Generate actionable insights from overview data.
fn generate_insights(
summary: &crate::server::models::FindingSummary,
new_since_last: usize,
fixed_since_last: usize,
triage_coverage: f64,
noisy_rules: &[NoisyRule],
) -> Vec<Insight> {
let mut insights = Vec::new();
// Untriaged high findings
let high_count = summary.by_severity.get("HIGH").copied().unwrap_or(0);
if high_count > 0 {
insights.push(Insight {
kind: "untriaged_high".into(),
message: format!(
"{high_count} High severity finding{} to review",
if high_count == 1 { "" } else { "s" }
),
severity: "warning".into(),
action_url: Some("/findings?severity=HIGH&status=open".into()),
});
}
// New findings since last scan
if new_since_last > 0 {
insights.push(Insight {
kind: "new_findings".into(),
message: format!(
"{new_since_last} new finding{} since last scan",
if new_since_last == 1 { "" } else { "s" }
),
severity: "warning".into(),
action_url: Some("/findings".into()),
});
}
// Fixed findings since last scan
if fixed_since_last > 0 {
insights.push(Insight {
kind: "fixed_findings".into(),
message: format!(
"{fixed_since_last} finding{} fixed since last scan",
if fixed_since_last == 1 { "" } else { "s" }
),
severity: "success".into(),
action_url: None,
});
}
// Noisy rules
for rule in noisy_rules.iter().take(3) {
insights.push(Insight {
kind: "noisy_rule".into(),
message: format!(
"Rule {} has {:.0}% suppression rate ({} findings)",
rule.rule_id,
rule.suppression_rate * 100.0,
rule.finding_count
),
severity: "info".into(),
action_url: Some("/rules".into()),
});
}
// Low triage coverage
if triage_coverage < 0.1 && summary.total > 20 {
insights.push(Insight {
kind: "low_triage".into(),
message: format!(
"Only {:.0}% of findings have been triaged",
triage_coverage * 100.0
),
severity: "info".into(),
action_url: Some("/triage".into()),
});
}
insights
}
/// Check if the latest scan completed within the last 5 minutes.
fn is_fresh_scan(scan: Option<&ScanSummary>) -> bool {
let Some(scan) = scan else { return false };
let Some(ref started_at) = scan.started_at else {
return false;
};
if let Ok(ts) = chrono::DateTime::parse_from_rfc3339(started_at) {
let elapsed = chrono::Utc::now() - ts.with_timezone(&chrono::Utc);
return elapsed.num_seconds() < 300;
}
false
}

316
src/server/routes/rules.rs Normal file
View file

@ -0,0 +1,316 @@
use crate::commands::config as config_cmd;
use crate::labels::{self, RuleInfo};
use crate::server::app::{AppState, ServerEvent};
use crate::server::models::{RelatedFindingView, RuleDetailView, RuleListItem};
use crate::utils::config::RuleKind;
use axum::extract::{Path, State};
use axum::http::StatusCode;
use axum::routing::{get, post};
use axum::{Json, Router};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/rules", get(list_rules))
.route("/rules/{id}", get(get_rule))
.route("/rules/{id}/toggle", post(toggle_rule))
.route("/rules/clone", post(clone_rule))
}
/// Build the full list of rules: built-in + custom, with disabled state applied.
fn build_rule_list(state: &AppState) -> Vec<RuleInfo> {
let config = state.config.read();
let mut rules = labels::enumerate_builtin_rules();
// Mark disabled rules
for rule in &mut rules {
if config.analysis.disabled_rules.contains(&rule.id) {
rule.enabled = false;
}
}
// Add custom rules from config
for (lang, lang_cfg) in &config.analysis.languages {
let canonical = labels::canonical_lang(lang);
for cr in &lang_cfg.rules {
let kind_str = match cr.kind {
RuleKind::Source => "source",
RuleKind::Sanitizer => "sanitizer",
RuleKind::Sink => "sink",
};
let id = labels::custom_rule_id(canonical, kind_str, &cr.matchers);
let first = cr.matchers.first().map(|s| s.as_str()).unwrap_or("?");
let title = format!("{} (custom {})", first, kind_str);
let cap = cr.cap.to_cap();
let enabled = !config.analysis.disabled_rules.contains(&id);
rules.push(RuleInfo {
id,
title,
language: canonical.to_string(),
kind: kind_str.to_string(),
cap: labels::cap_to_name(cap).to_string(),
cap_bits: cap.bits(),
matchers: cr.matchers.clone(),
case_sensitive: cr.case_sensitive,
is_custom: true,
is_gated: false,
enabled,
});
}
}
rules
}
/// GET /api/rules — list all rules with finding counts.
async fn list_rules(State(state): State<AppState>) -> Json<Vec<RuleListItem>> {
let rules = build_rule_list(&state);
// Best-effort finding count: read latest findings from job manager
let findings = state.job_manager.latest_findings();
let finding_counts = compute_finding_counts(&rules, &findings);
let items: Vec<RuleListItem> = rules
.into_iter()
.enumerate()
.map(|(i, r)| {
let (count, suppressed) = finding_counts.get(i).copied().unwrap_or((0, 0));
let rate = if count > 0 {
suppressed as f64 / count as f64
} else {
0.0
};
RuleListItem {
id: r.id,
title: r.title,
language: r.language,
kind: r.kind,
cap: r.cap,
matchers: r.matchers,
enabled: r.enabled,
is_custom: r.is_custom,
is_gated: r.is_gated,
case_sensitive: r.case_sensitive,
finding_count: count,
suppression_rate: rate,
}
})
.collect();
Json(items)
}
/// GET /api/rules/:id — full detail for one rule.
async fn get_rule(
State(state): State<AppState>,
Path(id): Path<String>,
) -> Result<Json<RuleDetailView>, StatusCode> {
let rules = build_rule_list(&state);
let rule = rules
.iter()
.find(|r| r.id == id)
.ok_or(StatusCode::NOT_FOUND)?;
let findings = state.job_manager.latest_findings();
let examples = match_findings_for_rule(rule, &findings, 5);
let total = match_findings_for_rule(rule, &findings, usize::MAX).len();
let suppressed = examples
.iter()
.filter(|f| f.severity == crate::patterns::Severity::Low)
.count();
let rate = if total > 0 {
suppressed as f64 / total as f64
} else {
0.0
};
Ok(Json(RuleDetailView {
id: rule.id.clone(),
title: rule.title.clone(),
language: rule.language.clone(),
kind: rule.kind.clone(),
cap: rule.cap.clone(),
matchers: rule.matchers.clone(),
case_sensitive: rule.case_sensitive,
enabled: rule.enabled,
is_custom: rule.is_custom,
is_gated: rule.is_gated,
finding_count: total,
suppression_rate: rate,
example_findings: examples,
}))
}
/// POST /api/rules/:id/toggle — enable/disable a rule.
async fn toggle_rule(
State(state): State<AppState>,
Path(id): Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
{
let mut config = state.config.write();
if let Some(pos) = config.analysis.disabled_rules.iter().position(|r| r == &id) {
config.analysis.disabled_rules.remove(pos);
} else {
config.analysis.disabled_rules.push(id.clone());
}
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(Json(serde_json::json!({ "status": "ok", "rule_id": id })))
}
/// POST /api/rules/clone — clone a built-in rule to custom.
async fn clone_rule(
State(state): State<AppState>,
Json(body): Json<serde_json::Value>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let rule_id_str = body["rule_id"]
.as_str()
.ok_or_else(|| bad_request("missing rule_id"))?;
// Find the built-in rule
let builtins = labels::enumerate_builtin_rules();
let source = builtins
.iter()
.find(|r| r.id == rule_id_str)
.ok_or_else(|| bad_request("rule not found or not built-in"))?;
// Convert to ConfigLabelRule and add to config
let kind: RuleKind = match source.kind.as_str() {
"source" => RuleKind::Source,
"sanitizer" => RuleKind::Sanitizer,
"sink" => RuleKind::Sink,
_ => return Err(bad_request("invalid kind")),
};
let cap_name: crate::utils::config::CapName =
source.cap.parse().map_err(|e: String| bad_request(&e))?;
let new_rule = crate::utils::config::ConfigLabelRule {
matchers: source.matchers.clone(),
kind,
cap: cap_name,
case_sensitive: source.case_sensitive,
};
let new_id;
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(source.language.clone())
.or_default();
if !lang_cfg.rules.contains(&new_rule) {
lang_cfg.rules.push(new_rule);
}
new_id = labels::custom_rule_id(&source.language, &source.kind, &source.matchers);
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok", "new_id": new_id })),
))
}
/// Compute (finding_count, suppressed_count) for each rule by matching
/// finding evidence against rule matchers.
fn compute_finding_counts(
rules: &[RuleInfo],
findings: &[crate::commands::scan::Diag],
) -> Vec<(usize, usize)> {
let mut counts: Vec<(usize, usize)> = vec![(0, 0); rules.len()];
for d in findings {
// Try to match each finding against rules by checking if the finding's
// evidence sink/source snippet contains any of the rule's matchers
let sink_snippet = d
.evidence
.as_ref()
.and_then(|e| e.sink.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let source_snippet = d
.evidence
.as_ref()
.and_then(|e| e.source.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
for (i, rule) in rules.iter().enumerate() {
let matched = rule
.matchers
.iter()
.any(|m| sink_snippet.contains(m.as_str()) || source_snippet.contains(m.as_str()));
if matched {
counts[i].0 += 1;
if d.suppressed {
counts[i].1 += 1;
}
}
}
}
counts
}
/// Find findings matching a rule's matchers, returning up to `limit` examples.
fn match_findings_for_rule(
rule: &RuleInfo,
findings: &[crate::commands::scan::Diag],
limit: usize,
) -> Vec<RelatedFindingView> {
let mut out = Vec::new();
for (i, d) in findings.iter().enumerate() {
if out.len() >= limit {
break;
}
let sink_snippet = d
.evidence
.as_ref()
.and_then(|e| e.sink.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let source_snippet = d
.evidence
.as_ref()
.and_then(|e| e.source.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let matched = rule
.matchers
.iter()
.any(|m| sink_snippet.contains(m.as_str()) || source_snippet.contains(m.as_str()));
if matched {
out.push(RelatedFindingView {
index: i,
rule_id: d.id.clone(),
path: d.path.clone(),
line: d.line,
severity: d.severity,
});
}
}
out
}
fn bad_request(msg: &str) -> (StatusCode, Json<serde_json::Value>) {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": msg })),
)
}

658
src/server/routes/scans.rs Normal file
View file

@ -0,0 +1,658 @@
#![allow(clippy::collapsible_if, clippy::redundant_closure)]
use crate::commands::scan::Diag;
use crate::database::index::{Indexer, ScanRecord};
use crate::server::app::AppState;
use crate::server::models::{
self, ChangedFinding, CompareResponse, CompareScanInfo, CompareSummary, ComparedFinding,
FieldChange, FindingView, ScanView,
};
use crate::server::progress::ScanMetricsSnapshot;
use crate::server::scan_log::ScanLogEntry;
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::{get, post};
use axum::{Json, Router};
use std::collections::{HashMap, HashSet};
use std::path::{Path, PathBuf};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/scans", post(start_scan).get(list_scans))
.route("/scans/active", get(active_scan))
.route("/scans/compare", get(compare_scans))
.route("/scans/{id}", get(get_scan).delete(delete_scan))
.route("/scans/{id}/findings", get(get_scan_findings))
.route("/scans/{id}/logs", get(get_scan_logs))
.route("/scans/{id}/metrics", get(get_scan_metrics))
}
#[derive(serde::Deserialize, Default)]
struct StartScanRequest {
scan_root: Option<String>,
/// Analysis mode: "full" | "ast" | "cfg" | "taint".
mode: Option<String>,
/// Engine-depth profile: "fast" | "balanced" | "deep".
engine_profile: Option<String>,
#[allow(dead_code)]
languages: Option<Vec<String>>,
#[allow(dead_code)]
include_paths: Option<Vec<String>>,
#[allow(dead_code)]
exclude_paths: Option<Vec<String>>,
}
fn apply_mode(
config: &mut crate::utils::config::Config,
mode: &str,
) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
use crate::utils::config::AnalysisMode;
config.scanner.mode = match mode.to_ascii_lowercase().as_str() {
"full" => AnalysisMode::Full,
"ast" => AnalysisMode::Ast,
"cfg" => AnalysisMode::Cfg,
"taint" => AnalysisMode::Taint,
_ => {
return Err(bad_request("mode must be one of: full, ast, cfg, taint"));
}
};
Ok(())
}
fn apply_engine_profile(
config: &mut crate::utils::config::Config,
profile: &str,
) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
use crate::cli::EngineProfile;
let prof = match profile.to_ascii_lowercase().as_str() {
"fast" => EngineProfile::Fast,
"balanced" => EngineProfile::Balanced,
"deep" => EngineProfile::Deep,
_ => {
return Err(bad_request(
"engine_profile must be one of: fast, balanced, deep",
));
}
};
config.analysis.engine = prof.apply(config.analysis.engine);
Ok(())
}
async fn start_scan(
State(state): State<AppState>,
body: Option<Json<StartScanRequest>>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let req = body.map(|b| b.0).unwrap_or_default();
let scan_root = resolve_requested_scan_root(req.scan_root.as_deref(), &state.scan_root)?;
let mut config = state.config.read().clone();
if let Some(ref mode) = req.mode {
apply_mode(&mut config, mode)?;
}
if let Some(ref profile) = req.engine_profile {
apply_engine_profile(&mut config, profile)?;
}
let event_tx = state.event_tx.clone();
let db_pool = state.db_pool.clone();
let database_dir = state.database_dir.clone();
match state
.job_manager
.start_scan(scan_root, config, event_tx, db_pool, database_dir)
{
Ok(job_id) => Ok((
StatusCode::ACCEPTED,
Json(serde_json::json!({ "job_id": job_id })),
)),
Err(msg) => Err((
StatusCode::CONFLICT,
Json(serde_json::json!({ "error": msg })),
)),
}
}
fn resolve_requested_scan_root(
requested_root: Option<&str>,
configured_root: &Path,
) -> Result<PathBuf, (StatusCode, Json<serde_json::Value>)> {
if let Some(root) = requested_root {
let requested = Path::new(root)
.canonicalize()
.map_err(|_| bad_request("invalid scan_root"))?;
if requested != configured_root {
return Err(bad_request(
"scan_root must match the repository passed to nyx serve",
));
}
}
// The request value is validation-only; scans always run against the
// canonical root configured when the server started.
Ok(configured_root.to_path_buf())
}
fn bad_request(message: &str) -> (StatusCode, Json<serde_json::Value>) {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": message })),
)
}
async fn list_scans(State(state): State<AppState>) -> Json<Vec<ScanView>> {
let mut views: Vec<ScanView> = state
.job_manager
.list_jobs()
.iter()
.map(|j| job_to_view(j))
.collect();
// Merge historical scans from DB (deduplicate by ID)
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(records) = idx.list_scans(100) {
let in_memory_ids: HashSet<String> = views.iter().map(|v| v.id.clone()).collect();
for record in records {
if !in_memory_ids.contains(&record.id) {
views.push(scan_record_to_view(&record));
}
}
}
}
}
// Sort by started_at descending
views.sort_by(|a, b| b.started_at.cmp(&a.started_at));
Json(views)
}
async fn active_scan(State(state): State<AppState>) -> Result<Json<ScanView>, StatusCode> {
let job = state
.job_manager
.active_job()
.ok_or(StatusCode::NOT_FOUND)?;
Ok(Json(job_to_view(&job)))
}
async fn get_scan(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
) -> Result<Json<ScanView>, StatusCode> {
// Check in-memory first
if let Some(job) = state.job_manager.get_job(&id) {
return Ok(Json(job_to_view(&job)));
}
// Fall back to DB
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(record)) = idx.get_scan(&id) {
let mut view = scan_record_to_view(&record);
// Load metrics from DB
if let Ok(Some(metrics)) = idx.get_scan_metrics(&id) {
view.metrics = Some(metrics);
}
return Ok(Json(view));
}
}
}
Err(StatusCode::NOT_FOUND)
}
async fn delete_scan(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
// Remove from in-memory jobs (rejects if running)
if let Err(msg) = state.job_manager.remove_job(&id) {
if msg.contains("running") {
return Err((
StatusCode::CONFLICT,
Json(serde_json::json!({ "error": msg })),
));
}
// "Scan not found" in memory is fine — may be DB-only
}
// Delete from DB (CASCADE handles metrics + logs)
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
let _ = idx.delete_scan(&id);
}
}
Ok(Json(serde_json::json!({ "status": "deleted", "id": id })))
}
#[derive(serde::Deserialize, Default)]
struct FindingsQuery {
page: Option<usize>,
per_page: Option<usize>,
severity: Option<String>,
category: Option<String>,
search: Option<String>,
}
/// Load findings for a scan by ID (in-memory first, then DB fallback).
fn load_scan_findings(state: &AppState, id: &str) -> Result<Vec<Diag>, StatusCode> {
if let Some(job) = state.job_manager.get_job(id) {
return Ok(job.findings.map(|f| (*f).clone()).unwrap_or_default());
}
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(record)) = idx.get_scan(id) {
return Ok(record
.findings_json
.as_deref()
.and_then(|j| serde_json::from_str::<Vec<Diag>>(j).ok())
.unwrap_or_default());
}
}
}
Err(StatusCode::NOT_FOUND)
}
/// Load minimal scan info for comparison headers.
fn load_scan_info(state: &AppState, id: &str) -> Result<CompareScanInfo, StatusCode> {
if let Some(job) = state.job_manager.get_job(id) {
return Ok(CompareScanInfo {
id: job.id.clone(),
started_at: job.started_at.map(|t| t.to_rfc3339()),
finding_count: job.findings.as_ref().map(|f| f.len()).unwrap_or(0),
});
}
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(record)) = idx.get_scan(id) {
return Ok(CompareScanInfo {
id: record.id.clone(),
started_at: record.started_at.clone(),
finding_count: record.finding_count.map(|c| c as usize).unwrap_or(0),
});
}
}
}
Err(StatusCode::NOT_FOUND)
}
async fn get_scan_findings(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
Query(query): Query<FindingsQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let findings = load_scan_findings(&state, &id)?;
// Apply filters
let mut filtered: Vec<&Diag> = findings.iter().collect();
if let Some(ref sev) = query.severity {
filtered.retain(|d| d.severity.as_db_str().eq_ignore_ascii_case(sev));
}
if let Some(ref cat) = query.category {
filtered.retain(|d| d.category.to_string().eq_ignore_ascii_case(cat));
}
if let Some(ref search) = query.search {
let s = search.to_ascii_lowercase();
filtered.retain(|d| {
d.path.to_ascii_lowercase().contains(&s)
|| d.id.to_ascii_lowercase().contains(&s)
|| d.message
.as_deref()
.map(|m| m.to_ascii_lowercase().contains(&s))
.unwrap_or(false)
});
}
let total = filtered.len();
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).min(200);
let start = (page - 1) * per_page;
let scan_root = state.scan_root.clone();
let page_findings: Vec<FindingView> = filtered
.into_iter()
.enumerate()
.skip(start)
.take(per_page)
.map(|(i, d)| models::finding_from_diag_with_context(i, d, &scan_root))
.collect();
Ok(Json(serde_json::json!({
"findings": page_findings,
"total": total,
"page": page,
"per_page": per_page,
})))
}
// ── Scan Comparison ─────────────────────────────────────────────────────────
#[derive(serde::Deserialize)]
struct CompareQuery {
left: String,
right: String,
}
async fn compare_scans(
State(state): State<AppState>,
Query(query): Query<CompareQuery>,
) -> Result<Json<CompareResponse>, StatusCode> {
let left_info = load_scan_info(&state, &query.left)?;
let right_info = load_scan_info(&state, &query.right)?;
let left_findings = load_scan_findings(&state, &query.left)?;
let right_findings = load_scan_findings(&state, &query.right)?;
// Build fingerprint → Vec<(index, diag)> multi-maps so duplicate
// fingerprints are preserved instead of silently dropped.
let mut left_map: HashMap<String, Vec<(usize, &Diag)>> = HashMap::new();
for (i, d) in left_findings.iter().enumerate() {
left_map
.entry(models::compute_fingerprint(d))
.or_default()
.push((i, d));
}
let mut right_map: HashMap<String, Vec<(usize, &Diag)>> = HashMap::new();
for (i, d) in right_findings.iter().enumerate() {
right_map
.entry(models::compute_fingerprint(d))
.or_default()
.push((i, d));
}
let scan_root = state.scan_root.clone();
let mut new_findings = Vec::new();
let mut fixed_findings = Vec::new();
let mut changed_findings = Vec::new();
let mut unchanged_findings = Vec::new();
// For each fingerprint that appears on the right side, match 1:1 with
// left-side findings sharing the same fingerprint. Excess right entries
// are "new"; excess left entries are "fixed".
for (fp, right_group) in &right_map {
if let Some(left_group) = left_map.get(fp) {
let matched = right_group.len().min(left_group.len());
// Matched pairs → unchanged or changed
for i in 0..matched {
let (idx, diag) = right_group[i];
let (_, left_diag) = left_group[i];
let view = models::finding_from_diag_with_context(idx, diag, &scan_root);
let changes = compute_field_changes(left_diag, diag);
if changes.is_empty() {
unchanged_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: view,
});
} else {
changed_findings.push(ChangedFinding {
fingerprint: fp.clone(),
finding: view,
changes,
});
}
}
// Excess right entries → new
for &(idx, diag) in &right_group[matched..] {
new_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: models::finding_from_diag_with_context(idx, diag, &scan_root),
});
}
} else {
// Entire group is new (fingerprint not in left)
for &(idx, diag) in right_group {
new_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: models::finding_from_diag_with_context(idx, diag, &scan_root),
});
}
}
}
// Fixed findings: left-side entries whose fingerprint is missing from
// right, or excess left entries beyond the matched count.
for (fp, left_group) in &left_map {
let right_count = right_map.get(fp).map(|g| g.len()).unwrap_or(0);
let start = left_group.len().min(right_count);
for &(idx, diag) in &left_group[start..] {
fixed_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: models::finding_from_diag_with_context(idx, diag, &scan_root),
});
}
}
// Compute severity delta: right counts - left counts
let mut severity_delta: HashMap<String, i64> = HashMap::new();
for d in &right_findings {
*severity_delta
.entry(d.severity.as_db_str().to_string())
.or_insert(0) += 1;
}
for d in &left_findings {
*severity_delta
.entry(d.severity.as_db_str().to_string())
.or_insert(0) -= 1;
}
let summary = CompareSummary {
new_count: new_findings.len(),
fixed_count: fixed_findings.len(),
changed_count: changed_findings.len(),
unchanged_count: unchanged_findings.len(),
severity_delta,
};
Ok(Json(CompareResponse {
left_scan: left_info,
right_scan: right_info,
summary,
new_findings,
fixed_findings,
changed_findings,
unchanged_findings,
}))
}
/// Compare two Diags with the same fingerprint and return field-level changes.
fn compute_field_changes(left: &Diag, right: &Diag) -> Vec<FieldChange> {
let mut changes = Vec::new();
if left.line != right.line {
changes.push(FieldChange {
field: "line".into(),
old_value: left.line.to_string(),
new_value: right.line.to_string(),
});
}
if left.col != right.col {
changes.push(FieldChange {
field: "col".into(),
old_value: left.col.to_string(),
new_value: right.col.to_string(),
});
}
if left.severity != right.severity {
changes.push(FieldChange {
field: "severity".into(),
old_value: left.severity.as_db_str().to_string(),
new_value: right.severity.as_db_str().to_string(),
});
}
if left.confidence != right.confidence {
changes.push(FieldChange {
field: "confidence".into(),
old_value: left
.confidence
.map(|c| format!("{c:?}"))
.unwrap_or_else(|| "-".into()),
new_value: right
.confidence
.map(|c| format!("{c:?}"))
.unwrap_or_else(|| "-".into()),
});
}
changes
}
#[derive(serde::Deserialize, Default)]
struct LogsQuery {
level: Option<String>,
}
async fn get_scan_logs(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
Query(query): Query<LogsQuery>,
) -> Result<Json<Vec<ScanLogEntry>>, StatusCode> {
// Check in-memory (running scan)
if let Some(job) = state.job_manager.get_job(&id) {
if let Some(ref collector) = job.log_collector {
let mut logs = collector.snapshot();
if let Some(ref level) = query.level {
logs.retain(|l| l.level.to_string().eq_ignore_ascii_case(level));
}
return Ok(Json(logs));
}
}
// Fall back to DB
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(logs) = idx.get_scan_logs(&id, query.level.as_deref()) {
return Ok(Json(logs));
}
}
}
Ok(Json(vec![]))
}
async fn get_scan_metrics(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
) -> Result<Json<ScanMetricsSnapshot>, StatusCode> {
// Check in-memory (running scan)
if let Some(job) = state.job_manager.get_job(&id) {
if let Some(ref metrics) = job.metrics {
return Ok(Json(metrics.snapshot()));
}
}
// Fall back to DB
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(metrics)) = idx.get_scan_metrics(&id) {
return Ok(Json(metrics));
}
}
}
Err(StatusCode::NOT_FOUND)
}
fn job_to_view(job: &crate::server::jobs::ScanJob) -> ScanView {
let (timing, metrics_snap) = if let Some(ref progress) = job.progress {
let snap = progress.snapshot();
(
Some(snap.timing),
job.metrics.as_ref().map(|m| m.snapshot()),
)
} else {
(job.timing.clone(), None)
};
ScanView {
id: job.id.clone(),
status: format!("{:?}", job.status).to_ascii_lowercase(),
scan_root: job.scan_root.display().to_string(),
started_at: job.started_at.map(|t| t.to_rfc3339()),
finished_at: job.finished_at.map(|t| t.to_rfc3339()),
duration_secs: job.duration_secs,
finding_count: job.findings.as_ref().map(|f| f.len()),
error: job.error.clone(),
engine_version: job.engine_version.clone(),
languages: job.languages.clone(),
files_scanned: job.files_scanned,
timing,
metrics: metrics_snap,
}
}
fn scan_record_to_view(record: &ScanRecord) -> ScanView {
let timing: Option<crate::server::progress::TimingBreakdown> = record
.timing_json
.as_deref()
.and_then(|j| serde_json::from_str(j).ok());
let languages: Option<Vec<String>> = record
.languages
.as_deref()
.and_then(|j| serde_json::from_str(j).ok());
ScanView {
id: record.id.clone(),
status: record.status.clone(),
scan_root: record.scan_root.clone(),
started_at: record.started_at.clone(),
finished_at: record.finished_at.clone(),
duration_secs: record.duration_secs,
finding_count: record.finding_count.map(|c| c as usize),
error: record.error.clone(),
engine_version: record.engine_version.clone(),
languages,
files_scanned: record.files_scanned.map(|c| c as u64),
timing,
metrics: None,
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn resolve_requested_scan_root_defaults_to_configured_root() {
let dir = tempfile::tempdir().unwrap();
let configured = dir.path().canonicalize().unwrap();
let resolved = resolve_requested_scan_root(None, &configured).unwrap();
assert_eq!(resolved, configured);
}
#[test]
fn resolve_requested_scan_root_accepts_matching_root_but_uses_configured_path() {
let dir = tempfile::tempdir().unwrap();
let configured = dir.path().canonicalize().unwrap();
let requested = dir.path().join(".");
let resolved =
resolve_requested_scan_root(Some(requested.to_string_lossy().as_ref()), &configured)
.unwrap();
assert_eq!(resolved, configured);
}
#[test]
fn resolve_requested_scan_root_rejects_different_root() {
let configured_dir = tempfile::tempdir().unwrap();
let other_dir = tempfile::tempdir().unwrap();
let configured = configured_dir.path().canonicalize().unwrap();
let err = resolve_requested_scan_root(
Some(other_dir.path().to_string_lossy().as_ref()),
&configured,
)
.unwrap_err();
assert_eq!(err.0, StatusCode::BAD_REQUEST);
assert_eq!(
err.1.0["error"],
"scan_root must match the repository passed to nyx serve"
);
}
}

424
src/server/routes/triage.rs Normal file
View file

@ -0,0 +1,424 @@
use crate::database::index::Indexer;
use crate::server::app::AppState;
use crate::server::models::{compute_fingerprint, finding_from_diag, is_valid_triage_state};
use crate::server::routes::findings::load_latest_findings;
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::{get, post};
use axum::{Json, Router};
use serde::Deserialize;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/triage", get(list_triage).post(set_triage))
.route("/triage/audit", get(get_audit_log))
.route(
"/triage/suppress",
get(list_suppressions)
.post(add_suppression)
.delete(remove_suppression),
)
.route("/triage/export", post(export_triage_file))
.route("/triage/import", post(import_triage_file))
.route("/triage/sync-status", get(get_sync_status))
}
// ── POST /api/triage ────────────────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct SetTriageRequest {
fingerprints: Vec<String>,
state: String,
#[serde(default)]
note: String,
}
async fn set_triage(
State(state): State<AppState>,
Json(body): Json<SetTriageRequest>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
if !is_valid_triage_state(&body.state) {
return Err((
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": format!("invalid state: {}", body.state) })),
));
}
if body.fingerprints.is_empty() {
return Err((
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": "fingerprints must not be empty" })),
));
}
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let idx = Indexer::from_pool("_triage", pool).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
let action = if body.fingerprints.len() > 1 {
"bulk_set_state"
} else {
"set_state"
};
let results = idx
.set_triage_states_bulk(&body.fingerprints, &body.state, &body.note, action)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
// Auto-sync to .nyx/triage.json
auto_sync_to_file(&state);
Ok(Json(serde_json::json!({
"updated": results.len(),
"state": body.state,
})))
}
// ── GET /api/triage ─────────────────────────────────────────────────────────
#[derive(Debug, Deserialize, Default)]
struct ListTriageQuery {
state: Option<String>,
page: Option<usize>,
per_page: Option<usize>,
}
async fn list_triage(
State(state): State<AppState>,
Query(query): Query<ListTriageQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).clamp(1, 500);
let offset = ((page - 1) * per_page) as i64;
let (rows, total) = idx
.list_triage_states(query.state.as_deref(), per_page as i64, offset)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
// Enrich with finding data if available
let findings = load_latest_findings(&state);
let mut enriched_views = Vec::new();
// Build fingerprint → diag index for lookup
let fp_map: std::collections::HashMap<String, usize> = findings
.iter()
.enumerate()
.map(|(i, d)| (compute_fingerprint(d), i))
.collect();
for (fp, ts_state, note, updated_at) in &rows {
let finding_info = fp_map.get(fp).map(|&i| {
let d = &findings[i];
serde_json::json!({
"index": i,
"rule_id": d.id,
"path": d.path,
"line": d.line,
"severity": d.severity.as_db_str(),
"category": d.category.to_string(),
})
});
enriched_views.push(serde_json::json!({
"fingerprint": fp,
"state": ts_state,
"note": note,
"updated_at": updated_at,
"finding": finding_info,
}));
}
Ok(Json(serde_json::json!({
"entries": enriched_views,
"total": total,
"page": page,
"per_page": per_page,
})))
}
// ── GET /api/triage/audit ───────────────────────────────────────────────────
#[derive(Debug, Deserialize, Default)]
struct AuditQuery {
fingerprint: Option<String>,
page: Option<usize>,
per_page: Option<usize>,
}
async fn get_audit_log(
State(state): State<AppState>,
Query(query): Query<AuditQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).clamp(1, 500);
let offset = ((page - 1) * per_page) as i64;
let (entries, total) = idx
.get_audit_log(query.fingerprint.as_deref(), per_page as i64, offset)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
Ok(Json(serde_json::json!({
"entries": entries,
"total": total,
"page": page,
"per_page": per_page,
})))
}
// ── POST /api/triage/suppress ───────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct AddSuppressionRequest {
by: String,
value: String,
#[serde(default)]
note: String,
}
async fn add_suppression(
State(state): State<AppState>,
Json(body): Json<AddSuppressionRequest>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let valid_by = ["fingerprint", "rule", "rule_in_file", "file"];
if !valid_by.contains(&body.by.as_str()) {
return Err((
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": format!("invalid 'by' value: {}", body.by) })),
));
}
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let idx = Indexer::from_pool("_triage", pool).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
let rule_id = idx
.add_suppression_rule(&body.by, &body.value, "suppressed", &body.note)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
// Apply to current findings
let findings = load_latest_findings(&state);
let views: Vec<_> = findings
.iter()
.enumerate()
.map(|(i, d)| finding_from_diag(i, d))
.collect();
// Find matching fingerprints
let matching_fps: Vec<String> = views
.iter()
.filter(|v| match body.by.as_str() {
"fingerprint" => v.fingerprint == body.value,
"rule" => v.rule_id == body.value,
"rule_in_file" => {
let key = format!("{}:{}", v.rule_id, v.path);
key == body.value
}
"file" => v.path == body.value,
_ => false,
})
.map(|v| v.fingerprint.clone())
.collect();
let affected = matching_fps.len();
if !matching_fps.is_empty() {
let _ =
idx.set_triage_states_bulk(&matching_fps, "suppressed", &body.note, "suppress_pattern");
}
drop(views);
// Auto-sync to .nyx/triage.json
auto_sync_to_file(&state);
Ok(Json(serde_json::json!({
"rule_id": rule_id,
"findings_affected": affected,
})))
}
// ── GET /api/triage/suppress ────────────────────────────────────────────────
async fn list_suppressions(
State(state): State<AppState>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let rules = idx
.get_suppression_rules()
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
Ok(Json(serde_json::json!({ "rules": rules })))
}
// ── DELETE /api/triage/suppress ─────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct DeleteSuppressionQuery {
id: i64,
}
async fn remove_suppression(
State(state): State<AppState>,
Query(query): Query<DeleteSuppressionQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let deleted = idx
.delete_suppression_rule(query.id)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
// Auto-sync to .nyx/triage.json
auto_sync_to_file(&state);
Ok(Json(serde_json::json!({ "deleted": deleted })))
}
// ── Auto-sync helper ────────────────────────────────────────────────────────
fn auto_sync_to_file(state: &AppState) {
let sync_enabled = state.config.read().server.triage_sync;
if !sync_enabled {
return;
}
if let Some(ref pool) = state.db_pool {
let findings = load_latest_findings(state);
let _ = crate::server::triage_sync::sync_to_file(pool, &findings, &state.scan_root);
}
}
// ── POST /api/triage/export ─────────────────────────────────────────────────
async fn export_triage_file(
State(state): State<AppState>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let findings = load_latest_findings(&state);
let file = crate::server::triage_sync::export_triage(pool, &findings, &state.scan_root)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
crate::server::triage_sync::save_triage_file(&state.scan_root, &file).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
let path = crate::server::triage_sync::triage_file_path(&state.scan_root).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
Ok(Json(serde_json::json!({
"exported": file.decisions.len(),
"suppression_rules": file.suppression_rules.len(),
"path": path.to_string_lossy(),
})))
}
// ── POST /api/triage/import ─────────────────────────────────────────────────
async fn import_triage_file(
State(state): State<AppState>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let file = crate::server::triage_sync::load_triage_file_checked(&state.scan_root)
.map_err(|e| {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": e })),
)
})?
.ok_or((
StatusCode::NOT_FOUND,
Json(serde_json::json!({ "error": ".nyx/triage.json not found" })),
))?;
let findings = load_latest_findings(&state);
let applied =
crate::server::triage_sync::import_triage(pool, &findings, &state.scan_root, &file)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
Ok(Json(serde_json::json!({
"imported": applied,
"total_in_file": file.decisions.len(),
"suppression_rules": file.suppression_rules.len(),
})))
}
// ── GET /api/triage/sync-status ─────────────────────────────────────────────
async fn get_sync_status(State(state): State<AppState>) -> Json<serde_json::Value> {
let path = crate::server::triage_sync::triage_file_path(&state.scan_root).ok();
let file = crate::server::triage_sync::load_triage_file(&state.scan_root);
let sync_enabled = state.config.read().server.triage_sync;
Json(serde_json::json!({
"file_path": path.as_ref().map(|p| p.to_string_lossy().to_string()),
"file_exists": path.as_ref().map(|p| p.exists()).unwrap_or(false),
"sync_enabled": sync_enabled,
"decisions": file.as_ref().map(|f| f.decisions.len()).unwrap_or(0),
"suppression_rules": file.as_ref().map(|f| f.suppression_rules.len()).unwrap_or(0),
}))
}

131
src/server/scan_log.rs Normal file
View file

@ -0,0 +1,131 @@
use chrono::{DateTime, Utc};
use serde::Serialize;
use std::str::FromStr;
use std::sync::Mutex;
/// Severity level for a scan log entry.
#[derive(Debug, Clone, Serialize, PartialEq, Eq)]
#[serde(rename_all = "lowercase")]
pub enum LogLevel {
Info,
Warn,
Error,
}
impl std::fmt::Display for LogLevel {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
LogLevel::Info => write!(f, "info"),
LogLevel::Warn => write!(f, "warn"),
LogLevel::Error => write!(f, "error"),
}
}
}
impl FromStr for LogLevel {
type Err = ();
fn from_str(s: &str) -> Result<Self, Self::Err> {
match s.to_ascii_lowercase().as_str() {
"info" => Ok(Self::Info),
"warn" => Ok(Self::Warn),
"error" => Ok(Self::Error),
_ => Err(()),
}
}
}
/// A single structured log entry from a scan.
#[derive(Debug, Clone, Serialize)]
pub struct ScanLogEntry {
pub timestamp: DateTime<Utc>,
pub level: LogLevel,
pub message: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub file_path: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub detail: Option<String>,
}
/// Thread-safe collector of structured log entries during a scan.
#[derive(Debug)]
pub struct ScanLogCollector {
entries: Mutex<Vec<ScanLogEntry>>,
max_entries: usize,
}
impl Default for ScanLogCollector {
fn default() -> Self {
Self::new(10_000)
}
}
impl ScanLogCollector {
pub fn new(max_entries: usize) -> Self {
Self {
entries: Mutex::new(Vec::new()),
max_entries,
}
}
fn push(&self, entry: ScanLogEntry) {
if let Ok(mut entries) = self.entries.lock()
&& entries.len() < self.max_entries
{
entries.push(entry);
}
}
pub fn info(&self, message: impl Into<String>, file_path: Option<String>) {
self.push(ScanLogEntry {
timestamp: Utc::now(),
level: LogLevel::Info,
message: message.into(),
file_path,
detail: None,
});
}
pub fn warn(
&self,
message: impl Into<String>,
file_path: Option<String>,
detail: Option<String>,
) {
self.push(ScanLogEntry {
timestamp: Utc::now(),
level: LogLevel::Warn,
message: message.into(),
file_path,
detail,
});
}
pub fn error(
&self,
message: impl Into<String>,
file_path: Option<String>,
detail: Option<String>,
) {
self.push(ScanLogEntry {
timestamp: Utc::now(),
level: LogLevel::Error,
message: message.into(),
file_path,
detail,
});
}
/// Clone all entries without clearing.
pub fn snapshot(&self) -> Vec<ScanLogEntry> {
self.entries.lock().map(|e| e.clone()).unwrap_or_default()
}
/// Take all entries, leaving the collector empty.
pub fn drain(&self) -> Vec<ScanLogEntry> {
self.entries
.lock()
.map(|mut e| std::mem::take(&mut *e))
.unwrap_or_default()
}
}

145
src/server/security.rs Normal file
View file

@ -0,0 +1,145 @@
use axum::extract::{Request, State};
use axum::http::header::{HOST, ORIGIN};
use axum::http::{Method, StatusCode};
use axum::middleware::Next;
use axum::response::{IntoResponse, Response};
use std::sync::Arc;
use uuid::Uuid;
const CSRF_HEADER: &str = "x-nyx-csrf";
#[derive(Debug)]
pub struct LocalServerSecurity {
port: u16,
csrf_token: String,
}
impl LocalServerSecurity {
pub fn new(port: u16) -> Arc<Self> {
Arc::new(Self {
port,
csrf_token: Uuid::new_v4().as_simple().to_string(),
})
}
pub fn csrf_token(&self) -> &str {
&self.csrf_token
}
fn host_allowed(&self, authority: &str) -> bool {
let Some((host, port)) = parse_host_like(authority) else {
return false;
};
matches!(host.as_str(), "localhost" | "127.0.0.1" | "::1")
&& port.is_none_or(|value| value == self.port)
}
fn origin_allowed(&self, origin: &str) -> bool {
let Some(rest) = origin.strip_prefix("http://") else {
return false;
};
let authority = rest.split('/').next().unwrap_or(rest);
self.host_allowed(authority)
}
}
pub async fn guard_requests(
State(security): State<Arc<LocalServerSecurity>>,
request: Request,
next: Next,
) -> Response {
let Some(host) = request
.headers()
.get(HOST)
.and_then(|value| value.to_str().ok())
else {
return (StatusCode::BAD_REQUEST, "missing Host header").into_response();
};
if !security.host_allowed(host) {
return (StatusCode::BAD_REQUEST, "invalid Host header").into_response();
}
if is_mutating_method(request.method()) {
if let Some(origin) = request
.headers()
.get(ORIGIN)
.and_then(|value| value.to_str().ok())
&& !security.origin_allowed(origin)
{
return (StatusCode::FORBIDDEN, "cross-origin mutation blocked").into_response();
}
let Some(token) = request
.headers()
.get(CSRF_HEADER)
.and_then(|value| value.to_str().ok())
else {
return (StatusCode::FORBIDDEN, "missing CSRF token").into_response();
};
if token != security.csrf_token() {
return (StatusCode::FORBIDDEN, "invalid CSRF token").into_response();
}
}
next.run(request).await
}
fn is_mutating_method(method: &Method) -> bool {
matches!(
*method,
Method::POST | Method::PUT | Method::PATCH | Method::DELETE
)
}
fn parse_host_like(value: &str) -> Option<(String, Option<u16>)> {
if value.is_empty() {
return None;
}
if let Some(rest) = value.strip_prefix('[') {
let end = rest.find(']')?;
let host = &rest[..end];
let port = rest[end + 1..]
.strip_prefix(':')
.and_then(|p| p.parse().ok());
return Some((host.to_ascii_lowercase(), port));
}
if value.matches(':').count() == 1 {
let (host, port) = value.rsplit_once(':')?;
return Some((host.to_ascii_lowercase(), port.parse().ok()));
}
Some((value.to_ascii_lowercase(), None))
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn host_check_accepts_loopback_names() {
let security = LocalServerSecurity::new(9700);
assert!(security.host_allowed("localhost:9700"));
assert!(security.host_allowed("127.0.0.1:9700"));
assert!(security.host_allowed("[::1]:9700"));
}
#[test]
fn host_check_rejects_non_loopback_names() {
let security = LocalServerSecurity::new(9700);
assert!(!security.host_allowed("evil.example:9700"));
assert!(!security.host_allowed("192.168.1.10:9700"));
}
#[test]
fn origin_check_requires_loopback_http_origin() {
let security = LocalServerSecurity::new(9700);
assert!(security.origin_allowed("http://localhost:9700"));
assert!(!security.origin_allowed("https://localhost:9700"));
assert!(!security.origin_allowed("http://evil.example:9700"));
}
}

388
src/server/triage_sync.rs Normal file
View file

@ -0,0 +1,388 @@
//! Triage sync: read/write `.nyx/triage.json` in the project root.
//!
//! This file is designed to be committed to version control so that triage
//! decisions travel with the code and are shared across team members.
//!
//! The file uses **portable fingerprints** — computed with paths relative to the
//! project root — so they match across machines regardless of where the repo is
//! checked out.
use crate::commands::scan::Diag;
use crate::database::index::Indexer;
use crate::server::models::compute_portable_fingerprint;
use r2d2::Pool;
use r2d2_sqlite::SqliteConnectionManager;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::io::Read;
use std::path::{Path, PathBuf};
const MAX_TRIAGE_FILE_BYTES: u64 = 1024 * 1024;
/// On-disk format for `.nyx/triage.json`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TriageFile {
/// Schema version for forward compatibility.
#[serde(default = "default_version")]
pub version: u32,
/// Per-finding triage decisions keyed by portable fingerprint.
#[serde(default)]
pub decisions: Vec<TriageDecision>,
/// Pattern-based suppression rules.
#[serde(default)]
pub suppression_rules: Vec<TriageSuppressionRule>,
}
fn default_version() -> u32 {
1
}
/// A single triage decision.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TriageDecision {
/// Portable fingerprint (blake3 of rule_id + relative_path + snippets).
pub fingerprint: String,
/// Triage state: open, investigating, false_positive, accepted_risk, suppressed, fixed.
pub state: String,
/// Optional note explaining the decision.
#[serde(default, skip_serializing_if = "String::is_empty")]
pub note: String,
/// Rule ID for human readability (not used for matching).
#[serde(default, skip_serializing_if = "String::is_empty")]
pub rule_id: String,
/// Relative file path for human readability (not used for matching).
#[serde(default, skip_serializing_if = "String::is_empty")]
pub path: String,
}
/// A pattern suppression rule in the sync file.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TriageSuppressionRule {
/// "rule", "file", or "rule_in_file".
pub by: String,
/// The pattern value.
pub value: String,
/// Target state (usually "suppressed").
#[serde(default = "default_suppressed")]
pub state: String,
#[serde(default, skip_serializing_if = "String::is_empty")]
pub note: String,
}
fn default_suppressed() -> String {
"suppressed".to_string()
}
/// Path to the triage sync file for a given scan root.
pub fn triage_file_path(scan_root: &Path) -> Result<PathBuf, String> {
let root = canonical_scan_root(scan_root)?;
Ok(triage_file_path_for_root(&root))
}
fn canonical_scan_root(scan_root: &Path) -> Result<PathBuf, String> {
let canonical_root = scan_root
.canonicalize()
.map_err(|e| format!("failed to canonicalize scan root: {e}"))?;
let metadata =
std::fs::metadata(&canonical_root).map_err(|e| format!("failed to stat scan root: {e}"))?;
if !metadata.is_dir() {
return Err("scan root is not a directory".to_string());
}
Ok(canonical_root)
}
fn triage_file_path_for_root(root: &Path) -> PathBuf {
root.join(".nyx").join("triage.json")
}
fn validate_existing_path_within_root(path: &Path, root: &Path) -> Result<(), String> {
let canonical = path
.canonicalize()
.map_err(|e| format!("failed to canonicalize triage file path: {e}"))?;
if !canonical.starts_with(root) {
return Err("triage file path escapes scan root".to_string());
}
let metadata =
std::fs::metadata(&canonical).map_err(|e| format!("failed to stat triage file: {e}"))?;
if !metadata.is_file() {
return Err("triage file path is not a regular file".to_string());
}
Ok(())
}
/// Compute and validate the triage file path for a given scan root.
fn validated_triage_file_path(scan_root: &Path) -> Result<PathBuf, String> {
let root = canonical_scan_root(scan_root)?;
let path = triage_file_path_for_root(&root);
if let Some(parent) = path.parent()
&& parent.exists()
{
let canonical_parent = parent
.canonicalize()
.map_err(|e| format!("failed to canonicalize triage directory: {e}"))?;
if !canonical_parent.starts_with(&root) {
return Err("triage directory escapes scan root".to_string());
}
let metadata = std::fs::metadata(&canonical_parent)
.map_err(|e| format!("failed to stat triage directory: {e}"))?;
if !metadata.is_dir() {
return Err("triage directory is not a directory".to_string());
}
}
if path.exists() {
validate_existing_path_within_root(&path, &root)?;
}
Ok(path)
}
/// Load triage decisions from `.nyx/triage.json`.
pub fn load_triage_file(scan_root: &Path) -> Option<TriageFile> {
load_triage_file_checked(scan_root).ok().flatten()
}
pub fn load_triage_file_checked(scan_root: &Path) -> Result<Option<TriageFile>, String> {
let path = validated_triage_file_path(scan_root)?;
if !path.exists() {
return Ok(None);
}
let content = read_bounded_text_file(&path, MAX_TRIAGE_FILE_BYTES)?;
let parsed =
serde_json::from_str(&content).map_err(|e| format!("failed to parse triage file: {e}"))?;
Ok(Some(parsed))
}
/// Save triage decisions to `.nyx/triage.json`.
/// Creates the `.nyx` directory if it doesn't exist.
pub fn save_triage_file(scan_root: &Path, file: &TriageFile) -> Result<(), String> {
let path = validated_triage_file_path(scan_root)?;
if let Some(parent) = path.parent() {
std::fs::create_dir_all(parent)
.map_err(|e| format!("failed to create .nyx directory: {e}"))?;
}
let json = serde_json::to_string_pretty(file)
.map_err(|e| format!("failed to serialize triage file: {e}"))?;
std::fs::write(&path, json).map_err(|e| format!("failed to write triage file: {e}"))?;
Ok(())
}
fn read_bounded_text_file(path: &Path, max_bytes: u64) -> Result<String, String> {
let file = std::fs::File::open(path).map_err(|e| format!("failed to open file: {e}"))?;
let metadata = file
.metadata()
.map_err(|e| format!("failed to stat file: {e}"))?;
if metadata.len() > max_bytes {
return Err(format!(
"triage file exceeds {max_bytes} bytes and was rejected"
));
}
let mut reader = std::io::BufReader::new(file).take(max_bytes);
let mut content = String::new();
reader
.read_to_string(&mut content)
.map_err(|e| format!("failed to read triage file: {e}"))?;
Ok(content)
}
/// Export current DB triage state to a `TriageFile`.
///
/// Builds portable fingerprints from the latest scan findings, then maps
/// DB triage states (keyed by local fingerprint) onto portable fingerprints.
pub fn export_triage(
pool: &Pool<SqliteConnectionManager>,
findings: &[Diag],
scan_root: &Path,
) -> Result<TriageFile, String> {
let idx = Indexer::from_pool("_triage", pool).map_err(|e| e.to_string())?;
let triage_map = idx.get_all_triage_states().map_err(|e| e.to_string())?;
let suppression_rules = idx.get_suppression_rules().map_err(|e| e.to_string())?;
// Build local_fingerprint → portable_fingerprint + metadata
let mut decisions = Vec::new();
for d in findings {
let local_fp = crate::server::models::compute_fingerprint(d);
if let Some((state, note, _)) = triage_map.get(&local_fp) {
if state == "open" {
continue; // Don't export default state
}
let portable_fp = compute_portable_fingerprint(d, scan_root);
let rel_path = d
.path
.strip_prefix(scan_root.to_string_lossy().as_ref())
.unwrap_or(&d.path)
.trim_start_matches('/')
.to_string();
decisions.push(TriageDecision {
fingerprint: portable_fp,
state: state.clone(),
note: note.clone(),
rule_id: d.id.clone(),
path: rel_path,
});
}
}
// Export suppression rules (skip fingerprint-based ones since those are local)
let rules = suppression_rules
.iter()
.filter(|r| r.suppress_by != "fingerprint")
.map(|r| TriageSuppressionRule {
by: r.suppress_by.clone(),
value: r.match_value.clone(),
state: r.state.clone(),
note: r.note.clone(),
})
.collect();
Ok(TriageFile {
version: 1,
decisions,
suppression_rules: rules,
})
}
/// Import triage decisions from a `TriageFile` into the DB.
///
/// Matches portable fingerprints against current findings, then upserts
/// triage states for matches. Returns count of decisions applied.
pub fn import_triage(
pool: &Pool<SqliteConnectionManager>,
findings: &[Diag],
scan_root: &Path,
file: &TriageFile,
) -> Result<usize, String> {
let idx = Indexer::from_pool("_triage", pool).map_err(|e| e.to_string())?;
// Build portable_fingerprint → local_fingerprint map
let mut portable_to_local: HashMap<String, String> = HashMap::new();
for d in findings {
let portable_fp = compute_portable_fingerprint(d, scan_root);
let local_fp = crate::server::models::compute_fingerprint(d);
portable_to_local.insert(portable_fp, local_fp);
}
let mut applied = 0;
// Import decisions
for decision in &file.decisions {
if let Some(local_fp) = portable_to_local.get(&decision.fingerprint) {
let _ = idx.set_triage_state(local_fp, &decision.state, &decision.note, "import");
applied += 1;
}
}
// Import suppression rules
for rule in &file.suppression_rules {
let _ = idx.add_suppression_rule(&rule.by, &rule.value, &rule.state, &rule.note);
}
Ok(applied)
}
/// Sync: load `.nyx/triage.json` if it exists and import into DB.
/// Called on server startup and after scan completion.
#[allow(dead_code)]
pub fn sync_from_file(
pool: &Pool<SqliteConnectionManager>,
findings: &[Diag],
scan_root: &Path,
) -> Option<usize> {
let file = load_triage_file(scan_root)?;
import_triage(pool, findings, scan_root, &file).ok()
}
/// Sync: export current DB state to `.nyx/triage.json`.
/// Called after triage state changes.
pub fn sync_to_file(
pool: &Pool<SqliteConnectionManager>,
findings: &[Diag],
scan_root: &Path,
) -> Result<(), String> {
let file = export_triage(pool, findings, scan_root)?;
save_triage_file(scan_root, &file)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn oversized_triage_files_are_rejected() {
let root = tempfile::tempdir().unwrap();
let path = triage_file_path(root.path()).unwrap();
std::fs::create_dir_all(path.parent().unwrap()).unwrap();
std::fs::write(&path, vec![b'a'; (MAX_TRIAGE_FILE_BYTES as usize) + 1]).unwrap();
let err = load_triage_file_checked(root.path()).unwrap_err();
assert!(err.contains("exceeds"));
}
#[test]
fn triage_file_path_uses_canonical_root() {
let root = tempfile::tempdir().unwrap();
let requested = root.path().join(".");
let path = triage_file_path(&requested).unwrap();
assert_eq!(
path,
root.path()
.canonicalize()
.unwrap()
.join(".nyx")
.join("triage.json")
);
}
#[cfg(unix)]
#[test]
fn load_triage_file_rejects_symlink_escape() {
use std::os::unix::fs::symlink;
let root = tempfile::tempdir().unwrap();
let outside = tempfile::tempdir().unwrap();
let escaped = outside.path().join("triage.json");
std::fs::write(
&escaped,
serde_json::to_string(&TriageFile {
version: 1,
decisions: vec![],
suppression_rules: vec![],
})
.unwrap(),
)
.unwrap();
symlink(outside.path(), root.path().join(".nyx")).unwrap();
let err = load_triage_file_checked(root.path()).unwrap_err();
assert!(err.contains("escapes scan root"));
}
#[cfg(unix)]
#[test]
fn save_triage_file_rejects_symlink_escape() {
use std::os::unix::fs::symlink;
let root = tempfile::tempdir().unwrap();
let outside = tempfile::tempdir().unwrap();
symlink(outside.path(), root.path().join(".nyx")).unwrap();
let err = save_triage_file(
root.path(),
&TriageFile {
version: 1,
decisions: vec![],
suppression_rules: vec![],
},
)
.unwrap_err();
assert!(err.contains("escapes scan root"));
}
}