apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-24 20:28:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

547
src/server/routes/config.rs Normal file
View file

@ -0,0 +1,547 @@
use crate::commands::config as config_cmd;
use crate::labels;
use crate::server::app::{AppState, ServerEvent};
use crate::server::models::{LabelEntryView, ProfileView, RuleView, TerminatorView};
use crate::utils::config::{CapName, RuleKind, ScanProfile};
use axum::extract::{Path, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/config", get(get_config))
.route(
"/config/rules",
get(list_rules).post(add_rule).delete(remove_rule),
)
.route(
"/config/terminators",
get(list_terminators)
.post(add_terminator)
.delete(remove_terminator),
)
// Sources/sinks/sanitizers split by kind
.route(
"/config/sources",
get(list_sources).post(add_source).delete(remove_source),
)
.route(
"/config/sinks",
get(list_sinks).post(add_sink).delete(remove_sink),
)
.route(
"/config/sanitizers",
get(list_sanitizers)
.post(add_sanitizer)
.delete(remove_sanitizer),
)
// Triage sync toggle
.route("/config/triage-sync", axum::routing::post(set_triage_sync))
// Profiles
.route("/config/profiles", get(list_profiles).post(save_profile))
.route(
"/config/profiles/{name}",
axum::routing::delete(delete_profile),
)
.route(
"/config/profiles/{name}/activate",
axum::routing::post(activate_profile),
)
}
async fn get_config(State(state): State<AppState>) -> Json<serde_json::Value> {
let config = state.config.read();
Json(serde_json::to_value(&*config).unwrap_or_default())
}
// ── Custom rules (existing endpoints) ────────────────────────────────────────
async fn list_rules(State(state): State<AppState>) -> Json<Vec<RuleView>> {
let config = state.config.read();
let mut rules = Vec::new();
for (lang, lang_cfg) in &config.analysis.languages {
for rule in &lang_cfg.rules {
rules.push(RuleView {
lang: lang.clone(),
matchers: rule.matchers.clone(),
kind: rule.kind.to_string(),
cap: format!("{:?}", rule.cap).to_ascii_lowercase(),
});
}
}
Json(rules)
}
async fn add_rule(
State(state): State<AppState>,
Json(rule): Json<RuleView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let rule_kind: RuleKind = rule.kind.parse().map_err(|e: String| bad_request(&e))?;
let cap_name: CapName = rule.cap.parse().map_err(|e: String| bad_request(&e))?;
if let Err(e) = config_cmd::add_rule(
&state.config_dir,
&rule.lang,
&rule.matchers.join(","),
&rule.kind,
&rule.cap,
) {
return Err(bad_request(&e.to_string()));
}
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(rule.lang.clone())
.or_default();
let new_rule = crate::utils::config::ConfigLabelRule {
matchers: rule.matchers.clone(),
kind: rule_kind,
cap: cap_name,
case_sensitive: false,
};
if !lang_cfg.rules.contains(&new_rule) {
lang_cfg.rules.push(new_rule);
}
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_rule(
State(state): State<AppState>,
Json(rule): Json<RuleView>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let rule_kind: RuleKind = rule.kind.parse().map_err(|e: String| bad_request(&e))?;
let cap_name: CapName = rule.cap.parse().map_err(|e: String| bad_request(&e))?;
let removed = {
let mut config = state.config.write();
if let Some(lang_cfg) = config.analysis.languages.get_mut(&rule.lang) {
let before = lang_cfg.rules.len();
lang_cfg.rules.retain(|r| {
!(r.matchers == rule.matchers && r.kind == rule_kind && r.cap == cap_name)
});
lang_cfg.rules.len() < before
} else {
false
}
};
if removed {
let config = state.config.read();
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
Ok(Json(serde_json::json!({ "removed": removed })))
}
// ── Terminators ──────────────────────────────────────────────────────────────
async fn list_terminators(State(state): State<AppState>) -> Json<Vec<TerminatorView>> {
let config = state.config.read();
let mut terminators = Vec::new();
for (lang, lang_cfg) in &config.analysis.languages {
for name in &lang_cfg.terminators {
terminators.push(TerminatorView {
lang: lang.clone(),
name: name.clone(),
});
}
}
Json(terminators)
}
async fn add_terminator(
State(state): State<AppState>,
Json(term): Json<TerminatorView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
if let Err(e) = config_cmd::add_terminator(&state.config_dir, &term.lang, &term.name) {
return Err(bad_request(&e.to_string()));
}
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(term.lang.clone())
.or_default();
if !lang_cfg.terminators.contains(&term.name) {
lang_cfg.terminators.push(term.name.clone());
}
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_terminator(
State(state): State<AppState>,
Json(term): Json<TerminatorView>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let removed = {
let mut config = state.config.write();
if let Some(lang_cfg) = config.analysis.languages.get_mut(&term.lang) {
let before = lang_cfg.terminators.len();
lang_cfg.terminators.retain(|n| n != &term.name);
lang_cfg.terminators.len() < before
} else {
false
}
};
if removed {
let config = state.config.read();
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
Ok(Json(serde_json::json!({ "removed": removed })))
}
// ── Sources / Sinks / Sanitizers (by kind) ───────────────────────────────────
fn list_by_kind(state: &AppState, target_kind: &str) -> Vec<LabelEntryView> {
let builtins = labels::enumerate_builtin_rules();
let config = state.config.read();
let mut out: Vec<LabelEntryView> = builtins
.iter()
.filter(|r| r.kind == target_kind && !r.is_gated)
.map(|r| LabelEntryView {
lang: r.language.clone(),
matchers: r.matchers.clone(),
cap: r.cap.clone(),
case_sensitive: r.case_sensitive,
is_builtin: true,
})
.collect();
// Add custom rules of the target kind
let target_rule_kind = match target_kind {
"source" => RuleKind::Source,
"sanitizer" => RuleKind::Sanitizer,
"sink" => RuleKind::Sink,
_ => return out,
};
for (lang, lang_cfg) in &config.analysis.languages {
for cr in &lang_cfg.rules {
if cr.kind == target_rule_kind {
out.push(LabelEntryView {
lang: lang.clone(),
matchers: cr.matchers.clone(),
cap: cr.cap.to_string(),
case_sensitive: cr.case_sensitive,
is_builtin: false,
});
}
}
}
out
}
fn add_by_kind(
state: &AppState,
entry: LabelEntryView,
target_kind: RuleKind,
) -> Result<(), String> {
let cap_name: CapName = entry.cap.parse().map_err(|e: String| e)?;
if let Err(e) = config_cmd::add_rule(
&state.config_dir,
&entry.lang,
&entry.matchers.join(","),
&target_kind.to_string(),
&entry.cap,
) {
return Err(e.to_string());
}
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(entry.lang.clone())
.or_default();
let new_rule = crate::utils::config::ConfigLabelRule {
matchers: entry.matchers,
kind: target_kind,
cap: cap_name,
case_sensitive: entry.case_sensitive,
};
if !lang_cfg.rules.contains(&new_rule) {
lang_cfg.rules.push(new_rule);
}
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(())
}
fn remove_by_kind(state: &AppState, entry: LabelEntryView, target_kind: RuleKind) -> bool {
if entry.is_builtin {
return false; // cannot remove built-in rules
}
let cap_name: CapName = match entry.cap.parse() {
Ok(c) => c,
Err(_) => return false,
};
let removed = {
let mut config = state.config.write();
if let Some(lang_cfg) = config.analysis.languages.get_mut(&entry.lang) {
let before = lang_cfg.rules.len();
lang_cfg.rules.retain(|r| {
!(r.matchers == entry.matchers && r.kind == target_kind && r.cap == cap_name)
});
lang_cfg.rules.len() < before
} else {
false
}
};
if removed {
let config = state.config.read();
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
removed
}
async fn list_sources(State(state): State<AppState>) -> Json<Vec<LabelEntryView>> {
Json(list_by_kind(&state, "source"))
}
async fn add_source(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
add_by_kind(&state, entry, RuleKind::Source).map_err(|e| bad_request(&e))?;
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_source(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Json<serde_json::Value> {
let removed = remove_by_kind(&state, entry, RuleKind::Source);
Json(serde_json::json!({ "removed": removed }))
}
async fn list_sinks(State(state): State<AppState>) -> Json<Vec<LabelEntryView>> {
Json(list_by_kind(&state, "sink"))
}
async fn add_sink(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
add_by_kind(&state, entry, RuleKind::Sink).map_err(|e| bad_request(&e))?;
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_sink(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Json<serde_json::Value> {
let removed = remove_by_kind(&state, entry, RuleKind::Sink);
Json(serde_json::json!({ "removed": removed }))
}
async fn list_sanitizers(State(state): State<AppState>) -> Json<Vec<LabelEntryView>> {
Json(list_by_kind(&state, "sanitizer"))
}
async fn add_sanitizer(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
add_by_kind(&state, entry, RuleKind::Sanitizer).map_err(|e| bad_request(&e))?;
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok" })),
))
}
async fn remove_sanitizer(
State(state): State<AppState>,
Json(entry): Json<LabelEntryView>,
) -> Json<serde_json::Value> {
let removed = remove_by_kind(&state, entry, RuleKind::Sanitizer);
Json(serde_json::json!({ "removed": removed }))
}
// ── Profiles ─────────────────────────────────────────────────────────────────
const BUILTIN_PROFILE_NAMES: &[&str] = &[
"quick",
"full",
"ci",
"taint_only",
"conservative_large_repo",
];
async fn list_profiles(State(state): State<AppState>) -> Json<Vec<ProfileView>> {
let config = state.config.read();
let mut profiles: Vec<ProfileView> = Vec::new();
// Built-in profiles
for &name in BUILTIN_PROFILE_NAMES {
if let Some(p) = config.resolve_profile(name) {
let is_user_override = config.profiles.contains_key(name);
profiles.push(ProfileView {
name: name.to_string(),
is_builtin: !is_user_override,
settings: serde_json::to_value(&p).unwrap_or_default(),
});
}
}
// User profiles not matching a built-in name
for (name, p) in &config.profiles {
if !BUILTIN_PROFILE_NAMES.contains(&name.as_str()) {
profiles.push(ProfileView {
name: name.clone(),
is_builtin: false,
settings: serde_json::to_value(p).unwrap_or_default(),
});
}
}
Json(profiles)
}
async fn save_profile(
State(state): State<AppState>,
Json(body): Json<serde_json::Value>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let name = body["name"]
.as_str()
.ok_or_else(|| bad_request("missing name"))?
.to_string();
let settings: ScanProfile =
serde_json::from_value(body.get("settings").cloned().unwrap_or_default())
.map_err(|e| bad_request(&e.to_string()))?;
{
let mut config = state.config.write();
config.profiles.insert(name.clone(), settings);
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok", "name": name })),
))
}
async fn delete_profile(
State(state): State<AppState>,
Path(name): Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
if BUILTIN_PROFILE_NAMES.contains(&name.as_str()) {
let config = state.config.read();
if !config.profiles.contains_key(&name) {
return Err(bad_request("cannot delete built-in profile"));
}
}
let removed = {
let mut config = state.config.write();
let existed = config.profiles.remove(&name).is_some();
if existed {
let local_path = state.config_dir.join("nyx.local");
let _ = config_cmd::save_local_config(&local_path, &config);
}
existed
};
if removed {
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
}
Ok(Json(serde_json::json!({ "removed": removed })))
}
async fn activate_profile(
State(state): State<AppState>,
Path(name): Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
{
let mut config = state.config.write();
config
.apply_profile(&name)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(Json(serde_json::json!({ "status": "ok", "profile": name })))
}
// ── Triage Sync ──────────────────────────────────────────────────────────────
async fn set_triage_sync(
State(state): State<AppState>,
Json(body): Json<serde_json::Value>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let enabled = body["enabled"]
.as_bool()
.ok_or_else(|| bad_request("missing enabled field"))?;
{
let mut config = state.config.write();
config.server.triage_sync = enabled;
// Note: triage_sync is in the server section, which save_local_config
// doesn't currently persist. We write the full config here.
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(Json(
serde_json::json!({ "status": "ok", "triage_sync": enabled }),
))
}
fn bad_request(msg: &str) -> (StatusCode, Json<serde_json::Value>) {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": msg })),
)
}

625
src/server/routes/debug.rs Normal file
View file

@ -0,0 +1,625 @@
//! Debug API route handlers.
//!
//! Provides endpoints for inspecting engine internals: CFG, SSA IR, taint
//! propagation, summaries, call graphs, abstract interpretation, and symbolic
//! execution.
use crate::server::app::AppState;
use crate::server::debug::{self, *};
use crate::utils::path::{DEFAULT_UI_MAX_FILE_BYTES, RepoPathError, resolve_repo_path};
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use r2d2::Pool;
use r2d2_sqlite::SqliteConnectionManager;
use serde::Deserialize;
use std::path::Path;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/debug/functions", get(list_functions))
.route("/debug/cfg", get(get_cfg))
.route("/debug/ssa", get(get_ssa))
.route("/debug/taint", get(get_taint))
.route("/debug/summaries", get(get_summaries))
.route("/debug/call-graph", get(get_call_graph))
.route("/debug/abstract-interp", get(get_abstract_interp))
.route("/debug/symex", get(get_symex))
}
// ── Query params ─────────────────────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct FileQuery {
file: String,
}
#[derive(Debug, Deserialize)]
struct FileFunctionQuery {
file: String,
function: String,
}
#[derive(Debug, Deserialize)]
struct CallGraphQuery {
scope: Option<String>,
file: Option<String>,
}
#[derive(Debug, Deserialize)]
struct SummaryQuery {
function: Option<String>,
file: Option<String>,
}
// ── Path validation ──────────────────────────────────────────────────────────
fn validate_and_resolve(scan_root: &Path, file: &str) -> Result<std::path::PathBuf, StatusCode> {
let resolved = resolve_repo_path(scan_root, file).map_err(map_path_error)?;
let metadata = std::fs::metadata(&resolved.canonical).map_err(|_| StatusCode::NOT_FOUND)?;
if !metadata.file_type().is_file() {
return Err(StatusCode::BAD_REQUEST);
}
if metadata.len() > DEFAULT_UI_MAX_FILE_BYTES {
return Err(StatusCode::BAD_REQUEST);
}
Ok(resolved.canonical)
}
// ── Handlers ─────────────────────────────────────────────────────────────────
/// GET /api/debug/functions?file=<path>
/// List functions available for debug inspection in a file.
async fn list_functions(
State(state): State<AppState>,
Query(q): Query<FileQuery>,
) -> Result<Json<Vec<FunctionInfo>>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
Ok(Json(debug::function_list(&analysis)))
}
fn map_path_error(err: RepoPathError) -> StatusCode {
match err {
RepoPathError::InvalidPath | RepoPathError::OutsideRoot => StatusCode::FORBIDDEN,
RepoPathError::NotFound => StatusCode::NOT_FOUND,
RepoPathError::NotFile
| RepoPathError::NotDirectory
| RepoPathError::TooLarge
| RepoPathError::InvalidText => StatusCode::BAD_REQUEST,
RepoPathError::Io => StatusCode::INTERNAL_SERVER_ERROR,
}
}
/// GET /api/debug/cfg?file=<path>&function=<name>
/// Return the CFG for a specific function as a graph JSON.
async fn get_cfg(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<CfgGraphView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let view = CfgGraphView::from_cfg_function(&analysis.file_cfg, &q.function, &analysis.bytes)
.ok_or(StatusCode::NOT_FOUND)?;
Ok(Json(view))
}
/// GET /api/debug/ssa?file=<path>&function=<name>
/// Return the SSA IR for a specific function.
async fn get_ssa(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<SsaBodyView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, _opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
Ok(Json(SsaBodyView::from_ssa(&ssa, &analysis.bytes)))
}
/// GET /api/debug/taint?file=<path>&function=<name>
/// Return taint analysis results for a specific function.
async fn get_taint(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<TaintAnalysisView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
// Try to load global summaries from DB for cross-file context
let global = load_global_summaries(&state);
let cross_file_context = global.as_ref().is_some_and(|g| !g.is_empty());
let ssa_summaries_available = global
.as_ref()
.is_some_and(|g| !g.snapshot_ssa().is_empty());
let (events, _entry_states, exit_states) = debug::analyse_function_taint(
&ssa,
analysis.cfg(),
analysis.lang,
analysis.summaries(),
global.as_ref(),
&opt,
);
// Show post-block state so single-block source→sink flows are visible in
// the debug UI instead of appearing empty at block entry.
Ok(Json(TaintAnalysisView::from_results(
&events,
&exit_states,
&ssa,
cross_file_context,
ssa_summaries_available,
)))
}
/// GET /api/debug/abstract-interp?file=<path>&function=<name>
/// Return abstract interpretation state for a specific function.
async fn get_abstract_interp(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<AbstractInterpView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
let global = load_global_summaries(&state);
let (_events, block_states, _exit_states) = debug::analyse_function_taint(
&ssa,
analysis.cfg(),
analysis.lang,
analysis.summaries(),
global.as_ref(),
&opt,
);
Ok(Json(AbstractInterpView::from_taint_states(
&block_states,
&ssa,
&opt,
)))
}
/// GET /api/debug/summaries?file=<path>&function=<name>
/// Return interprocedural summaries.
async fn get_summaries(
State(state): State<AppState>,
Query(q): Query<SummaryQuery>,
) -> Result<Json<Vec<FuncSummaryView>>, StatusCode> {
// Try DB first; fall back to on-demand single-file analysis
let global = match load_global_summaries(&state) {
Some(g) if !g.is_empty() => g,
_ => {
if let Some(ref file) = q.file {
let path = validate_and_resolve(&state.scan_root, file)?;
let config = state.config.read();
debug::analyse_file_summaries(&path, &config)?
} else {
return Ok(Json(vec![]));
}
}
};
let views: Vec<FuncSummaryView> = global
.iter()
.filter(|(key, summary)| {
let name_matches = q.function.as_ref().map(|f| key.name == *f).unwrap_or(true);
let file_matches = q
.file
.as_ref()
.map(|f| summary.file_path.contains(f.as_str()))
.unwrap_or(true);
name_matches && file_matches
})
.map(|(key, summary)| {
let ssa_summary = global.get_ssa(key);
FuncSummaryView::from_global(key, summary, ssa_summary)
})
.collect();
Ok(Json(views))
}
/// GET /api/debug/call-graph?scope=file|project&file=<path>
/// Return the call graph.
async fn get_call_graph(
State(state): State<AppState>,
Query(q): Query<CallGraphQuery>,
) -> Result<Json<CallGraphView>, StatusCode> {
let scope = q.scope.as_deref().unwrap_or("project");
let global = if scope == "file" {
// On-demand: parse the specified file and extract summaries
let file = q.file.as_deref().ok_or(StatusCode::BAD_REQUEST)?;
let path = validate_and_resolve(&state.scan_root, file)?;
let config = state.config.read();
debug::analyse_file_summaries(&path, &config)?
} else {
// Project scope: try DB, fall back to empty graph
load_global_summaries(&state).unwrap_or_default()
};
let cg = crate::callgraph::build_call_graph(&global, &[]);
let analysis = crate::callgraph::analyse(&cg);
Ok(Json(CallGraphView::from_call_graph(&cg, &analysis)))
}
/// GET /api/debug/symex?file=<path>&function=<name>
/// Return symbolic execution state for a function.
async fn get_symex(
State(state): State<AppState>,
Query(q): Query<FileFunctionQuery>,
) -> Result<Json<SymexView>, StatusCode> {
let path = validate_and_resolve(&state.scan_root, &q.file)?;
let config = state.config.read();
let analysis = debug::analyse_file(&path, &config)?;
let (ssa, opt) = debug::analyse_function_ssa(&analysis, &q.function)?;
let global = load_global_summaries(&state);
let sym_state =
debug::analyse_function_symex(&ssa, analysis.cfg(), analysis.lang, &opt, global.as_ref());
Ok(Json(SymexView::from_symbolic_state(&sym_state, &ssa)))
}
// ── Helpers ──────────────────────────────────────────────────────────────────
/// Load global summaries from DB if available.
fn load_global_summaries(state: &AppState) -> Option<crate::summary::GlobalSummaries> {
let pool = state.db_pool.as_ref()?;
load_global_summaries_from_pool(&state.scan_root, pool)
}
fn load_global_summaries_from_pool(
scan_root: &Path,
pool: &Pool<SqliteConnectionManager>,
) -> Option<crate::summary::GlobalSummaries> {
let project = scan_root.file_name()?.to_str()?;
let root_str = scan_root.to_string_lossy();
let indexer = crate::database::index::Indexer::from_pool(project, pool).ok()?;
let func_summaries = indexer.load_all_summaries().ok()?;
let ssa_rows = indexer.load_all_ssa_summaries().ok()?;
let mut global = crate::summary::merge_summaries(func_summaries, Some(&root_str));
for (_file_path, name, lang_str, arity, namespace, container, disambig, kind, summary) in
ssa_rows
{
let lang = crate::symbol::Lang::from_slug(&lang_str).unwrap_or(crate::symbol::Lang::Rust);
let key = crate::symbol::FuncKey {
lang,
namespace: if namespace.is_empty() {
crate::symbol::normalize_namespace(&_file_path, Some(&root_str))
} else {
namespace
},
container,
name,
arity: if arity >= 0 {
Some(arity as usize)
} else {
None
},
disambig,
kind,
};
global.insert_ssa(key, summary);
}
Some(global)
}
#[cfg(test)]
mod tests {
use super::*;
use crate::database::index::Indexer;
use crate::labels::Cap;
use crate::summary::FuncSummary;
use crate::summary::ssa_summary::SsaFuncSummary;
use crate::symbol::{FuncKey, Lang};
/// Helper: create a DB pool with persisted summaries for a JS helper function.
fn setup_db_with_summaries(
dir: &std::path::Path,
scan_root: &std::path::Path,
) -> std::sync::Arc<r2d2::Pool<r2d2_sqlite::SqliteConnectionManager>> {
std::fs::create_dir_all(scan_root.join("src")).unwrap();
let file_path = scan_root.join("src/helper.js");
std::fs::write(
&file_path,
"function getInput() { return process.env.USER_INPUT; }\nmodule.exports = { getInput };",
)
.unwrap();
let db_path = dir.join("test.sqlite");
let pool = Indexer::init(&db_path).unwrap();
let mut indexer =
Indexer::from_pool(scan_root.file_name().unwrap().to_str().unwrap(), &pool).unwrap();
indexer
.replace_summaries_for_file(
&file_path,
b"hash",
&[FuncSummary {
name: "getInput".into(),
file_path: file_path.to_string_lossy().into_owned(),
lang: "javascript".into(),
param_count: 0,
param_names: vec![],
source_caps: Cap::all().bits(),
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
}],
)
.unwrap();
indexer
.replace_ssa_summaries_for_file(
&file_path,
b"hash",
&[(
"getInput".into(),
0,
"javascript".into(),
"src/helper.js".into(),
String::new(),
None,
crate::symbol::FuncKind::Function,
SsaFuncSummary {
param_to_return: vec![],
param_to_sink: vec![],
source_caps: Cap::all(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
},
)],
)
.unwrap();
pool
}
#[test]
fn taint_route_reports_cross_file_context_when_summaries_present() {
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("myproject");
let pool = setup_db_with_summaries(dir.path(), &scan_root);
let global =
load_global_summaries_from_pool(&scan_root, &pool).expect("should load summaries");
let cross_file_context = !global.is_empty();
let ssa_summaries_available = !global.snapshot_ssa().is_empty();
assert!(
cross_file_context,
"cross_file_context should be true when DB has persisted summaries"
);
assert!(
ssa_summaries_available,
"ssa_summaries_available should be true when DB has SSA summaries"
);
}
#[test]
fn taint_route_reports_no_cross_file_context_when_db_empty() {
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("emptyproject");
std::fs::create_dir_all(&scan_root).unwrap();
let db_path = dir.path().join("empty.sqlite");
let pool = Indexer::init(&db_path).unwrap();
let _indexer = Indexer::from_pool("emptyproject", &pool).unwrap();
let global = load_global_summaries_from_pool(&scan_root, &pool);
let cross_file_context = global.as_ref().is_some_and(|g| !g.is_empty());
let ssa_summaries_available = global
.as_ref()
.is_some_and(|g| !g.snapshot_ssa().is_empty());
assert!(
!cross_file_context,
"cross_file_context should be false when DB has no summaries"
);
assert!(
!ssa_summaries_available,
"ssa_summaries_available should be false when DB has no SSA summaries"
);
}
#[test]
fn taint_view_includes_context_flags_with_no_summaries() {
// Simulate the debug view construction with no cross-file context
let view = TaintAnalysisView::from_results(
&[],
&[],
&crate::ssa::ir::SsaBody {
blocks: vec![],
entry: crate::ssa::ir::BlockId(0),
value_defs: vec![],
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
},
false,
false,
);
assert!(!view.cross_file_context);
assert!(!view.ssa_summaries_available);
}
#[test]
fn taint_view_includes_context_flags_with_summaries() {
let view = TaintAnalysisView::from_results(
&[],
&[],
&crate::ssa::ir::SsaBody {
blocks: vec![],
entry: crate::ssa::ir::BlockId(0),
value_defs: vec![],
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
},
true,
true,
);
assert!(view.cross_file_context);
assert!(view.ssa_summaries_available);
}
#[test]
fn taint_view_serializes_context_fields() {
let view = TaintAnalysisView::from_results(
&[],
&[],
&crate::ssa::ir::SsaBody {
blocks: vec![],
entry: crate::ssa::ir::BlockId(0),
value_defs: vec![],
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
},
true,
false,
);
let json = serde_json::to_value(&view).unwrap();
assert_eq!(json["cross_file_context"], true);
assert_eq!(json["ssa_summaries_available"], false);
}
#[test]
fn load_global_summaries_graceful_on_malformed_db() {
// A DB with no tables at all should not crash, just return None
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("badproject");
std::fs::create_dir_all(&scan_root).unwrap();
let db_path = dir.path().join("bad.sqlite");
// Create a raw SQLite file without our schema
let manager = r2d2_sqlite::SqliteConnectionManager::file(&db_path);
let pool = r2d2::Pool::builder().max_size(1).build(manager).unwrap();
let result = load_global_summaries_from_pool(&scan_root, &pool);
// Should return None gracefully, not panic
assert!(
result.is_none(),
"malformed DB should return None, not crash"
);
}
#[test]
fn load_global_summaries_uses_scan_root_project_and_normalized_namespace() {
let dir = tempfile::tempdir().unwrap();
let scan_root = dir.path().join("Example Project");
std::fs::create_dir_all(scan_root.join("src")).unwrap();
let file_path = scan_root.join("src/lib.rs");
std::fs::write(&file_path, "fn helper() {}").unwrap();
let db_path = dir.path().join("example_project.sqlite");
let pool = Indexer::init(&db_path).unwrap();
let mut indexer = Indexer::from_pool("Example Project", &pool).unwrap();
indexer
.replace_summaries_for_file(
&file_path,
b"hash",
&[FuncSummary {
name: "helper".into(),
file_path: file_path.to_string_lossy().into_owned(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 0,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
}],
)
.unwrap();
indexer
.replace_ssa_summaries_for_file(
&file_path,
b"hash",
&[(
"helper".into(),
0,
"rust".into(),
"src/lib.rs".into(),
String::new(),
None,
crate::symbol::FuncKind::Function,
SsaFuncSummary {
param_to_return: vec![],
param_to_sink: vec![],
source_caps: Cap::ENV_VAR,
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
},
)],
)
.unwrap();
let global = load_global_summaries_from_pool(&scan_root, &pool)
.expect("debug loader should recover project summaries");
let key = FuncKey {
lang: Lang::Rust,
namespace: "src/lib.rs".into(),
name: "helper".into(),
arity: Some(0),
..Default::default()
};
assert!(global.get(&key).is_some());
assert!(
global.get_ssa(&key).is_some(),
"SSA summaries should line up with the normalized function keys"
);
}
}

37
src/server/routes/events.rs Normal file
View file

@ -0,0 +1,37 @@
use crate::server::app::{AppState, ServerEvent};
use axum::Router;
use axum::extract::State;
use axum::response::sse::{Event, KeepAlive, Sse};
use axum::routing::get;
use tokio_stream::StreamExt;
use tokio_stream::wrappers::BroadcastStream;
pub fn routes() -> Router<AppState> {
Router::new().route("/events", get(event_stream))
}
async fn event_stream(
State(state): State<AppState>,
) -> Sse<impl tokio_stream::Stream<Item = Result<Event, std::convert::Infallible>>> {
let rx = state.event_tx.subscribe();
let stream = BroadcastStream::new(rx).filter_map(|result: Result<ServerEvent, _>| {
let event = result.ok()?;
let data = match serde_json::to_string(&event) {
Ok(s) => s,
Err(err) => {
tracing::warn!(error = %err, "failed to serialize server event; dropping");
return None;
}
};
let event_type = match &event {
ServerEvent::ScanStarted { .. } => "scan_started",
ServerEvent::ScanCompleted { .. } => "scan_completed",
ServerEvent::ScanFailed { .. } => "scan_failed",
ServerEvent::ScanProgress { .. } => "scan_progress",
ServerEvent::ConfigChanged => "config_changed",
};
Some(Ok(Event::default().event(event_type).data(data)))
});
Sse::new(stream).keep_alive(KeepAlive::default())
}

355
src/server/routes/explorer.rs Normal file
View file

@ -0,0 +1,355 @@
#![allow(clippy::collapsible_if)]
use crate::database::index::Indexer;
use crate::server::app::AppState;
use crate::server::models::lang_for_finding_path;
use crate::server::routes::findings::load_latest_findings;
use crate::utils::path::{RepoPathError, resolve_repo_dir, resolve_repo_path};
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::fs;
use crate::patterns::Severity;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/explorer/tree", get(get_tree))
.route("/explorer/symbols", get(get_symbols))
.route("/explorer/findings", get(get_findings))
}
// ── Query params ─────────────────────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct TreeQuery {
path: Option<String>,
}
#[derive(Debug, Deserialize)]
struct SymbolsQuery {
path: String,
}
#[derive(Debug, Deserialize)]
struct ExplorerFindingsQuery {
path: String,
}
// ── Response types ───────────────────────────────────────────────────────────
#[derive(Debug, Serialize)]
struct TreeEntry {
name: String,
entry_type: String,
path: String,
language: Option<String>,
finding_count: usize,
severity_max: Option<String>,
}
#[derive(Debug, Serialize)]
struct SymbolEntry {
name: String,
kind: String,
line: Option<usize>,
finding_count: usize,
namespace: Option<String>,
arity: Option<usize>,
}
#[derive(Debug, Serialize)]
struct ExplorerFinding {
index: usize,
line: usize,
col: usize,
severity: String,
rule_id: String,
category: String,
message: Option<String>,
confidence: Option<String>,
}
// ── Helpers ──────────────────────────────────────────────────────────────────
fn severity_rank(s: Severity) -> u8 {
match s {
Severity::High => 3,
Severity::Medium => 2,
Severity::Low => 1,
}
}
fn max_severity(a: Option<Severity>, b: Severity) -> Severity {
match a {
Some(existing) => {
if severity_rank(b) > severity_rank(existing) {
b
} else {
existing
}
}
None => b,
}
}
/// Normalize a Diag path to be relative to scan_root.
///
/// Diag.path is typically absolute (from the file walker). The explorer UI
/// works with relative paths, so we strip the scan_root prefix. If the path
/// is already relative (e.g. in tests), return it as-is.
fn relativize_path<'a>(diag_path: &'a str, scan_root_str: &str) -> &'a str {
diag_path
.strip_prefix(scan_root_str)
.unwrap_or(diag_path)
.trim_start_matches('/')
}
// ── GET /api/explorer/tree ───────────────────────────────────────────────────
async fn get_tree(
State(state): State<AppState>,
Query(query): Query<TreeQuery>,
) -> Result<Json<Vec<TreeEntry>>, StatusCode> {
let resolved =
resolve_repo_dir(&state.scan_root, query.path.as_deref()).map_err(map_path_error)?;
let canonical = resolved.canonical;
// Load findings and pre-compute per-file and per-directory aggregates
let findings = load_latest_findings(&state);
let canonical_root = resolved.root;
let root_str = canonical_root.to_string_lossy();
let mut file_counts: HashMap<String, (usize, Severity)> = HashMap::new();
let mut dir_counts: HashMap<String, (usize, Severity)> = HashMap::new();
for d in findings.iter() {
// Normalize Diag absolute path to relative
let rel = relativize_path(&d.path, &root_str);
if rel.is_empty() {
continue;
}
let entry = file_counts
.entry(rel.to_string())
.or_insert((0, Severity::Low));
entry.0 += 1;
entry.1 = max_severity(Some(entry.1), d.severity);
// Aggregate into all ancestor directories
let mut path = rel;
while let Some(i) = path.rfind('/') {
path = &path[..i];
let entry = dir_counts
.entry(path.to_string())
.or_insert((0, Severity::Low));
entry.0 += 1;
entry.1 = max_severity(Some(entry.1), d.severity);
}
}
let mut entries = Vec::new();
let read_dir = fs::read_dir(&canonical).map_err(|_| StatusCode::NOT_FOUND)?;
for entry in read_dir {
let entry = match entry {
Ok(e) => e,
Err(_) => continue,
};
let name = entry.file_name().to_string_lossy().to_string();
// Skip hidden files/directories
if name.starts_with('.') {
continue;
}
let entry_path = entry.path();
let is_dir = entry_path.is_dir();
// Compute relative path from scan_root
let canonical_entry = match fs::canonicalize(&entry_path) {
Ok(c) => c,
Err(_) => continue,
};
if !canonical_entry.starts_with(&canonical_root) {
continue;
}
let rel_path = canonical_entry
.strip_prefix(&canonical_root)
.unwrap_or(&canonical_entry)
.to_string_lossy()
.to_string();
let (finding_count, severity_max) = if is_dir {
match dir_counts.get(&rel_path) {
Some(&(count, sev)) => (count, Some(sev.as_db_str().to_string())),
None => (0, None),
}
} else {
match file_counts.get(&rel_path) {
Some(&(count, sev)) => (count, Some(sev.as_db_str().to_string())),
None => (0, None),
}
};
let language = if is_dir {
None
} else {
lang_for_finding_path(&rel_path)
};
entries.push(TreeEntry {
name,
entry_type: if is_dir {
"dir".to_string()
} else {
"file".to_string()
},
path: rel_path,
language,
finding_count,
severity_max,
});
}
// Sort: dirs first (alpha), then files (alpha)
entries.sort_by(|a, b| {
let a_is_dir = a.entry_type == "dir";
let b_is_dir = b.entry_type == "dir";
b_is_dir
.cmp(&a_is_dir)
.then_with(|| a.name.to_lowercase().cmp(&b.name.to_lowercase()))
});
Ok(Json(entries))
}
// ── GET /api/explorer/symbols ────────────────────────────────────────────────
async fn get_symbols(
State(state): State<AppState>,
Query(query): Query<SymbolsQuery>,
) -> Result<Json<Vec<SymbolEntry>>, StatusCode> {
let resolved = resolve_repo_path(&state.scan_root, &query.path).map_err(map_path_error)?;
let pool = match &state.db_pool {
Some(p) => p,
None => return Ok(Json(vec![])),
};
let idx = Indexer::from_pool("_scans", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
// Build absolute path for DB lookup (DB stores absolute paths)
let canonical_root = resolved.root;
let abs_path = resolved.canonical;
let abs_path_str = abs_path.to_string_lossy();
let root_str = canonical_root.to_string_lossy();
// Load findings for function-level finding count
let findings = load_latest_findings(&state);
let mut func_finding_counts: HashMap<String, usize> = HashMap::new();
for d in findings.iter() {
let rel = relativize_path(&d.path, &root_str);
if rel != resolved.relative {
continue;
}
// Try to get function name from evidence flow steps
if let Some(ref ev) = d.evidence {
for step in &ev.flow_steps {
if let Some(ref func) = step.function {
*func_finding_counts.entry(func.clone()).or_insert(0) += 1;
}
}
}
}
// Try absolute path first (production), then relative (tests)
let mut symbols = idx
.load_ssa_summaries_for_file(&abs_path_str)
.unwrap_or_default();
if symbols.is_empty() {
symbols = idx
.load_ssa_summaries_for_file(&query.path)
.unwrap_or_default();
}
let entries: Vec<SymbolEntry> = symbols
.into_iter()
.map(|(name, arity, _lang, namespace)| {
let kind = if !namespace.is_empty() && namespace != name {
"method".to_string()
} else {
"function".to_string()
};
let finding_count = func_finding_counts.get(&name).copied().unwrap_or(0);
SymbolEntry {
name,
kind,
line: None,
finding_count,
namespace: if namespace.is_empty() {
None
} else {
Some(namespace)
},
arity: if arity < 0 {
None
} else {
Some(arity as usize)
},
}
})
.collect();
Ok(Json(entries))
}
// ── GET /api/explorer/findings ───────────────────────────────────────────────
async fn get_findings(
State(state): State<AppState>,
Query(query): Query<ExplorerFindingsQuery>,
) -> Result<Json<Vec<ExplorerFinding>>, StatusCode> {
let resolved = resolve_repo_path(&state.scan_root, &query.path).map_err(map_path_error)?;
let findings = load_latest_findings(&state);
let root_str = resolved.root.to_string_lossy();
let mut results: Vec<ExplorerFinding> = findings
.iter()
.enumerate()
.filter(|(_, d)| {
let rel = relativize_path(&d.path, &root_str);
rel == resolved.relative
})
.map(|(i, d)| ExplorerFinding {
index: i,
line: d.line,
col: d.col,
severity: d.severity.as_db_str().to_string(),
rule_id: d.id.clone(),
category: d.category.to_string(),
message: d.message.clone(),
confidence: d.confidence.map(|c| c.to_string()),
})
.collect();
results.sort_by_key(|f| f.line);
Ok(Json(results))
}
fn map_path_error(err: RepoPathError) -> StatusCode {
match err {
RepoPathError::InvalidPath | RepoPathError::OutsideRoot => StatusCode::FORBIDDEN,
RepoPathError::NotFound => StatusCode::NOT_FOUND,
RepoPathError::NotDirectory => StatusCode::BAD_REQUEST,
RepoPathError::NotFile | RepoPathError::TooLarge | RepoPathError::InvalidText => {
StatusCode::BAD_REQUEST
}
RepoPathError::Io => StatusCode::INTERNAL_SERVER_ERROR,
}
}

77
src/server/routes/files.rs Normal file
View file

@ -0,0 +1,77 @@
use crate::server::app::AppState;
use crate::utils::path::{DEFAULT_UI_MAX_FILE_BYTES, RepoPathError, open_repo_text_file};
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use serde::{Deserialize, Serialize};
pub fn routes() -> Router<AppState> {
Router::new().route("/files", get(get_file))
}
#[derive(Debug, Deserialize)]
struct FileQuery {
path: String,
start_line: Option<usize>,
end_line: Option<usize>,
}
#[derive(Debug, Serialize)]
struct FileLine {
number: usize,
content: String,
}
#[derive(Debug, Serialize)]
struct FileResponse {
path: String,
lines: Vec<FileLine>,
total_lines: usize,
}
async fn get_file(
State(state): State<AppState>,
Query(query): Query<FileQuery>,
) -> Result<Json<FileResponse>, StatusCode> {
let opened = open_repo_text_file(&state.scan_root, &query.path, DEFAULT_UI_MAX_FILE_BYTES)
.map_err(map_path_error)?;
let content = opened.content;
let all_lines: Vec<&str> = content.lines().collect();
let total_lines = all_lines.len();
// Apply line range (1-indexed)
let start = query.start_line.unwrap_or(1).max(1);
let end = query.end_line.unwrap_or(total_lines).min(total_lines);
let lines: Vec<FileLine> = if start <= end && start <= total_lines {
all_lines[start - 1..end]
.iter()
.enumerate()
.map(|(i, l)| FileLine {
number: start + i,
content: (*l).to_string(),
})
.collect()
} else {
vec![]
};
Ok(Json(FileResponse {
path: opened.resolved.relative,
lines,
total_lines,
}))
}
fn map_path_error(err: RepoPathError) -> StatusCode {
match err {
RepoPathError::InvalidPath | RepoPathError::OutsideRoot => StatusCode::FORBIDDEN,
RepoPathError::NotFound => StatusCode::NOT_FOUND,
RepoPathError::TooLarge
| RepoPathError::InvalidText
| RepoPathError::NotFile
| RepoPathError::NotDirectory => StatusCode::BAD_REQUEST,
RepoPathError::Io => StatusCode::INTERNAL_SERVER_ERROR,
}
}

206
src/server/routes/findings.rs Normal file
View file

@ -0,0 +1,206 @@
#![allow(clippy::collapsible_if)]
use crate::commands::scan::Diag;
use crate::database::index::Indexer;
use crate::server::app::AppState;
use crate::server::models::{
FilterValues, FindingSummary, FindingView, collect_filter_values, finding_from_diag,
finding_from_diag_with_detail, overlay_triage_states, summarize_findings,
};
use axum::extract::{Path, Query, State};
use axum::http::StatusCode;
use axum::routing::get;
use axum::{Json, Router};
use serde::Deserialize;
use std::sync::Arc;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/findings", get(list_findings))
.route("/findings/summary", get(findings_summary))
.route("/findings/filters", get(findings_filters))
.route("/findings/{index}", get(get_finding))
}
/// Load findings for the latest completed scan, falling back to DB if no
/// in-memory completed scan exists (e.g. after a server restart).
pub fn load_latest_findings(state: &AppState) -> Arc<Vec<Diag>> {
// In-memory first
if let Some(job) = state.job_manager.get_latest_completed() {
if let Some(ref findings) = job.findings {
return Arc::clone(findings);
}
}
// DB fallback — find the most recent completed scan with findings
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(scans) = idx.list_scans(20) {
for scan in scans {
if scan.status == "completed" {
if let Some(json) = scan.findings_json.as_deref() {
if let Ok(diags) = serde_json::from_str::<Vec<Diag>>(json) {
return Arc::new(diags);
}
}
}
}
}
}
}
Arc::new(Vec::new())
}
/// Load triage states and suppression rules from DB, apply to views.
fn apply_triage_overlay(state: &AppState, views: &mut [FindingView]) {
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_triage", pool) {
let triage_map = idx.get_all_triage_states().unwrap_or_default();
let rules = idx.get_suppression_rules().unwrap_or_default();
overlay_triage_states(views, &triage_map, &rules);
}
}
}
#[derive(Debug, Deserialize, Default)]
struct FindingsQuery {
severity: Option<String>,
category: Option<String>,
rule_id: Option<String>,
path: Option<String>,
search: Option<String>,
language: Option<String>,
confidence: Option<String>,
status: Option<String>,
sort_by: Option<String>,
sort_dir: Option<String>,
page: Option<usize>,
per_page: Option<usize>,
}
async fn list_findings(
State(state): State<AppState>,
Query(query): Query<FindingsQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let findings = load_latest_findings(&state);
let mut views: Vec<FindingView> = findings
.iter()
.enumerate()
.map(|(i, d)| finding_from_diag(i, d))
.collect();
// Overlay triage states from DB before filtering
apply_triage_overlay(&state, &mut views);
// Apply filters.
if let Some(ref sev) = query.severity {
let sev_upper = sev.to_ascii_uppercase();
views.retain(|f| f.severity.as_db_str() == sev_upper);
}
if let Some(ref cat) = query.category {
let cat_lower = cat.to_ascii_lowercase();
views.retain(|f| f.category.to_string().to_ascii_lowercase() == cat_lower);
}
if let Some(ref rule) = query.rule_id {
views.retain(|f| f.rule_id == *rule);
}
if let Some(ref path_prefix) = query.path {
views.retain(|f| f.path.starts_with(path_prefix.as_str()));
}
if let Some(ref lang) = query.language {
let lang_lower = lang.to_ascii_lowercase();
views.retain(|f| {
f.language
.as_ref()
.is_some_and(|l| l.to_ascii_lowercase() == lang_lower)
});
}
if let Some(ref conf) = query.confidence {
let conf_lower = conf.to_ascii_lowercase();
views.retain(|f| {
f.confidence
.as_ref()
.is_some_and(|c| format!("{c:?}").to_ascii_lowercase() == conf_lower)
});
}
if let Some(ref status) = query.status {
let status_lower = status.to_ascii_lowercase();
views.retain(|f| f.status.to_ascii_lowercase() == status_lower);
}
if let Some(ref search) = query.search {
let needle = search.to_ascii_lowercase();
views.retain(|f| {
f.path.to_ascii_lowercase().contains(&needle)
|| f.rule_id.to_ascii_lowercase().contains(&needle)
|| f.message
.as_ref()
.is_some_and(|m| m.to_ascii_lowercase().contains(&needle))
});
}
// Sort.
match query.sort_by.as_deref() {
Some("severity") => views.sort_by_key(|a| a.severity),
Some("path") | Some("file") => views.sort_by(|a, b| a.path.cmp(&b.path)),
Some("rule_id") => views.sort_by(|a, b| a.rule_id.cmp(&b.rule_id)),
Some("score") => views.sort_by(|a, b| {
b.rank_score
.unwrap_or(0.0)
.partial_cmp(&a.rank_score.unwrap_or(0.0))
.unwrap_or(std::cmp::Ordering::Equal)
}),
Some("confidence") => views.sort_by(|a, b| {
let ca = a.confidence.map(|c| c as u8).unwrap_or(0);
let cb = b.confidence.map(|c| c as u8).unwrap_or(0);
ca.cmp(&cb)
}),
Some("line") => views.sort_by_key(|a| a.line),
Some("language") => views.sort_by(|a, b| {
a.language
.as_deref()
.unwrap_or("")
.cmp(b.language.as_deref().unwrap_or(""))
}),
Some("status") => views.sort_by(|a, b| a.status.cmp(&b.status)),
Some("category") => views.sort_by_key(|a| a.category.to_string()),
_ => {} // default order (by index)
}
if query.sort_dir.as_deref() == Some("desc") {
views.reverse();
}
// Paginate.
let total = views.len();
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).clamp(1, 10000);
let start = (page - 1) * per_page;
let page_views: Vec<_> = views.into_iter().skip(start).take(per_page).collect();
Ok(Json(serde_json::json!({
"findings": page_views,
"total": total,
"page": page,
"per_page": per_page,
})))
}
async fn findings_summary(State(state): State<AppState>) -> Json<FindingSummary> {
let findings = load_latest_findings(&state);
Json(summarize_findings(&findings))
}
async fn findings_filters(State(state): State<AppState>) -> Json<FilterValues> {
let findings = load_latest_findings(&state);
Json(collect_filter_values(&findings))
}
async fn get_finding(
State(state): State<AppState>,
Path(index): Path<usize>,
) -> Result<Json<FindingView>, StatusCode> {
let findings = load_latest_findings(&state);
let diag = findings.get(index).ok_or(StatusCode::NOT_FOUND)?;
let mut view = finding_from_diag_with_detail(index, diag, &state.scan_root, &findings);
apply_triage_overlay(&state, std::slice::from_mut(&mut view));
Ok(Json(view))
}

24
src/server/routes/health.rs Normal file
View file

@ -0,0 +1,24 @@
use crate::server::app::AppState;
use axum::extract::State;
use axum::routing::get;
use axum::{Json, Router};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/health", get(health_check))
.route("/session", get(session_info))
}
async fn health_check(State(state): State<AppState>) -> Json<serde_json::Value> {
Json(serde_json::json!({
"status": "ok",
"version": env!("CARGO_PKG_VERSION"),
"scan_root": state.scan_root.display().to_string(),
}))
}
async fn session_info(State(state): State<AppState>) -> Json<serde_json::Value> {
Json(serde_json::json!({
"csrf_token": state.security.csrf_token(),
}))
}

30
src/server/routes/mod.rs Normal file
View file

@ -0,0 +1,30 @@
pub mod config;
pub mod debug;
pub mod events;
pub mod explorer;
pub mod files;
pub mod findings;
pub mod health;
pub mod overview;
pub mod rules;
pub mod scans;
pub mod triage;
use crate::server::app::AppState;
use axum::Router;
/// Build all API routes under /api.
pub fn api_routes() -> Router<AppState> {
Router::new()
.merge(health::routes())
.merge(findings::routes())
.merge(files::routes())
.merge(scans::routes())
.merge(config::routes())
.merge(rules::routes())
.merge(events::routes())
.merge(triage::routes())
.merge(overview::routes())
.merge(explorer::routes())
.merge(debug::routes())
}

437
src/server/routes/overview.rs Normal file
View file

@ -0,0 +1,437 @@
#![allow(clippy::collapsible_if)]
use crate::commands::scan::Diag;
use crate::database::index::{Indexer, ScanRecord};
use crate::evidence::Confidence;
use crate::server::app::AppState;
use crate::server::models::{
Insight, NoisyRule, OverviewResponse, ScanSummary, TrendPoint, by_language_from_findings,
compute_fingerprint, summarize_findings, top_directories_from_findings, top_n_from_map,
};
use axum::extract::State;
use axum::routing::get;
use axum::{Json, Router};
use std::collections::{HashMap, HashSet};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/overview", get(overview))
.route("/overview/trends", get(overview_trends))
}
/// GET /api/overview — aggregated dashboard data.
async fn overview(State(state): State<AppState>) -> Json<OverviewResponse> {
// 1. Load latest findings (in-memory → DB fallback)
let findings = crate::server::routes::findings::load_latest_findings(&state);
// 2. Collect recent scans (in-memory + DB, deduped)
let recent_scans = collect_recent_scans(&state, 10);
// 3. Basic summary
let summary = summarize_findings(&findings);
let by_language = by_language_from_findings(&findings);
// 4. Find latest completed scan info
let latest_completed = recent_scans.iter().find(|s| s.status == "completed");
let latest_scan_id = latest_completed.map(|s| s.id.clone());
let latest_scan_at = latest_completed.and_then(|s| s.started_at.clone());
let latest_scan_duration = latest_completed.and_then(|s| s.duration_secs);
// 5. New/fixed since last scan
let (new_since_last, fixed_since_last) = compute_delta(&state, &findings);
// 6. High confidence rate
let high_confidence_rate = if findings.is_empty() {
0.0
} else {
let high_count = findings
.iter()
.filter(|d| d.confidence == Some(Confidence::High))
.count();
high_count as f64 / findings.len() as f64
};
// 7. Triage coverage
let triage_coverage = compute_triage_coverage(&state, &findings);
// 8. Top files, dirs, rules
let top_files = top_n_from_map(&summary.by_file, 10);
let top_directories = top_directories_from_findings(&findings, 10);
let top_rules = top_n_from_map(&summary.by_rule, 10);
// 9. Noisy rules
let noisy_rules = compute_noisy_rules(&state, &findings, &summary.by_rule);
// 10. Insights
let insights = generate_insights(
&summary,
new_since_last,
fixed_since_last,
triage_coverage,
&noisy_rules,
);
// 11. State
let state_str = if recent_scans.iter().all(|s| s.status != "completed") {
"empty".to_string()
} else if is_fresh_scan(latest_completed) {
"fresh".to_string()
} else {
"normal".to_string()
};
Json(OverviewResponse {
state: state_str,
total_findings: summary.total,
new_since_last,
fixed_since_last,
high_confidence_rate,
triage_coverage,
latest_scan_duration_secs: latest_scan_duration,
latest_scan_id,
latest_scan_at,
by_severity: summary.by_severity,
by_category: summary.by_category,
by_language,
top_files,
top_directories,
top_rules,
noisy_rules,
recent_scans: recent_scans.into_iter().take(10).collect(),
insights,
})
}
/// GET /api/overview/trends — scan-over-scan finding counts.
async fn overview_trends(State(state): State<AppState>) -> Json<Vec<TrendPoint>> {
let mut points = Vec::new();
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(scans) = idx.list_scans(20) {
let completed: Vec<&ScanRecord> =
scans.iter().filter(|s| s.status == "completed").collect();
// Cap at 10 for performance
for scan in completed.iter().rev().take(10) {
let total = scan.finding_count.unwrap_or(0) as usize;
let by_severity = scan
.findings_json
.as_deref()
.and_then(|json| serde_json::from_str::<Vec<Diag>>(json).ok())
.map(|diags| {
let mut sev: HashMap<String, usize> = HashMap::new();
for d in &diags {
*sev.entry(d.severity.as_db_str().to_string()).or_insert(0) += 1;
}
sev
})
.unwrap_or_default();
points.push(TrendPoint {
scan_id: scan.id.clone(),
timestamp: scan.started_at.clone().unwrap_or_default(),
total,
by_severity,
});
}
}
}
}
Json(points)
}
// ── Helpers ──────────────────────────────────────────────────────────────────
/// Collect recent scans from in-memory jobs + DB, deduped by ID.
fn collect_recent_scans(state: &AppState, limit: usize) -> Vec<ScanSummary> {
let mut seen = HashSet::new();
let mut scans = Vec::new();
// In-memory first
for job in state.job_manager.list_jobs() {
if seen.insert(job.id.clone()) {
scans.push(ScanSummary {
id: job.id.clone(),
status: format!("{:?}", job.status).to_ascii_lowercase(),
started_at: job.started_at.map(|t| t.to_rfc3339()),
duration_secs: job.duration_secs,
finding_count: job.findings.as_ref().map(|f| f.len() as i64),
});
}
}
// DB fallback
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(records) = idx.list_scans(limit as i64) {
for r in records {
if seen.insert(r.id.clone()) {
scans.push(ScanSummary {
id: r.id,
status: r.status,
started_at: r.started_at,
duration_secs: r.duration_secs,
finding_count: r.finding_count,
});
}
}
}
}
}
// Sort by started_at descending
scans.sort_by(|a, b| b.started_at.cmp(&a.started_at));
scans.truncate(limit);
scans
}
/// Compute new/fixed finding counts by comparing the two most recent completed scans.
fn compute_delta(state: &AppState, current_findings: &[Diag]) -> (usize, usize) {
if current_findings.is_empty() {
return (0, 0);
}
let current_fps: HashSet<String> = current_findings.iter().map(compute_fingerprint).collect();
// Find previous completed scan's findings
let previous_fps = load_previous_scan_fingerprints(state);
if previous_fps.is_empty() {
return (0, 0);
}
let new_count = current_fps.difference(&previous_fps).count();
let fixed_count = previous_fps.difference(&current_fps).count();
(new_count, fixed_count)
}
/// Load fingerprints from the second-most-recent completed scan.
fn load_previous_scan_fingerprints(state: &AppState) -> HashSet<String> {
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(scans) = idx.list_scans(10) {
let completed: Vec<&ScanRecord> = scans
.iter()
.filter(|s| s.status == "completed" && s.findings_json.is_some())
.collect();
// Skip the first (latest) completed scan — we want the previous one
if let Some(prev) = completed.get(1) {
if let Some(json) = prev.findings_json.as_deref() {
if let Ok(diags) = serde_json::from_str::<Vec<Diag>>(json) {
return diags.iter().map(compute_fingerprint).collect();
}
}
}
}
}
}
HashSet::new()
}
/// Compute triage coverage: fraction of findings with non-"open" triage state.
fn compute_triage_coverage(state: &AppState, findings: &[Diag]) -> f64 {
if findings.is_empty() {
return 0.0;
}
let Some(ref pool) = state.db_pool else {
return 0.0;
};
let Ok(idx) = Indexer::from_pool("_scans", pool) else {
return 0.0;
};
let triage_map = idx.get_all_triage_states().unwrap_or_default();
let suppression_rules = idx.get_suppression_rules().unwrap_or_default();
let mut non_open = 0usize;
for d in findings {
let fp = compute_fingerprint(d);
// Check explicit triage state
if let Some((triage_state, _, _)) = triage_map.get(&fp) {
if triage_state != "open" {
non_open += 1;
continue;
}
}
// Check suppression rules
let path = &d.path;
let rule_id = &d.id;
for rule in &suppression_rules {
let matches = match rule.suppress_by.as_str() {
"fingerprint" => fp == rule.match_value,
"rule" => *rule_id == rule.match_value,
"rule_in_file" => {
let key = format!("{rule_id}:{path}");
key == rule.match_value
}
"file" => *path == rule.match_value,
_ => false,
};
if matches {
non_open += 1;
break;
}
}
}
non_open as f64 / findings.len() as f64
}
/// Compute noisy rules: high finding count + high suppression rate.
fn compute_noisy_rules(
state: &AppState,
findings: &[Diag],
by_rule: &HashMap<String, usize>,
) -> Vec<NoisyRule> {
let Some(ref pool) = state.db_pool else {
return vec![];
};
let Ok(idx) = Indexer::from_pool("_scans", pool) else {
return vec![];
};
let triage_map = idx.get_all_triage_states().unwrap_or_default();
let suppression_rules = idx.get_suppression_rules().unwrap_or_default();
// Count suppressed findings per rule
let mut suppressed_per_rule: HashMap<String, usize> = HashMap::new();
for d in findings {
let fp = compute_fingerprint(d);
let is_suppressed = triage_map
.get(&fp)
.map(|(s, _, _)| s == "suppressed" || s == "false_positive")
.unwrap_or(false)
|| suppression_rules
.iter()
.any(|rule| match rule.suppress_by.as_str() {
"fingerprint" => fp == rule.match_value,
"rule" => d.id == rule.match_value,
"rule_in_file" => format!("{}:{}", d.id, d.path) == rule.match_value,
"file" => d.path == rule.match_value,
_ => false,
});
if is_suppressed {
*suppressed_per_rule.entry(d.id.clone()).or_insert(0) += 1;
}
}
let mut noisy: Vec<NoisyRule> = by_rule
.iter()
.filter_map(|(rule_id, &count)| {
if count < 3 {
return None;
}
let suppressed = suppressed_per_rule.get(rule_id).copied().unwrap_or(0);
let rate = suppressed as f64 / count as f64;
if rate >= 0.5 {
Some(NoisyRule {
rule_id: rule_id.clone(),
finding_count: count,
suppression_rate: rate,
})
} else {
None
}
})
.collect();
noisy.sort_by_key(|b| std::cmp::Reverse(b.finding_count));
noisy
}
/// Generate actionable insights from overview data.
fn generate_insights(
summary: &crate::server::models::FindingSummary,
new_since_last: usize,
fixed_since_last: usize,
triage_coverage: f64,
noisy_rules: &[NoisyRule],
) -> Vec<Insight> {
let mut insights = Vec::new();
// Untriaged high findings
let high_count = summary.by_severity.get("HIGH").copied().unwrap_or(0);
if high_count > 0 {
insights.push(Insight {
kind: "untriaged_high".into(),
message: format!(
"{high_count} High severity finding{} to review",
if high_count == 1 { "" } else { "s" }
),
severity: "warning".into(),
action_url: Some("/findings?severity=HIGH&status=open".into()),
});
}
// New findings since last scan
if new_since_last > 0 {
insights.push(Insight {
kind: "new_findings".into(),
message: format!(
"{new_since_last} new finding{} since last scan",
if new_since_last == 1 { "" } else { "s" }
),
severity: "warning".into(),
action_url: Some("/findings".into()),
});
}
// Fixed findings since last scan
if fixed_since_last > 0 {
insights.push(Insight {
kind: "fixed_findings".into(),
message: format!(
"{fixed_since_last} finding{} fixed since last scan",
if fixed_since_last == 1 { "" } else { "s" }
),
severity: "success".into(),
action_url: None,
});
}
// Noisy rules
for rule in noisy_rules.iter().take(3) {
insights.push(Insight {
kind: "noisy_rule".into(),
message: format!(
"Rule {} has {:.0}% suppression rate ({} findings)",
rule.rule_id,
rule.suppression_rate * 100.0,
rule.finding_count
),
severity: "info".into(),
action_url: Some("/rules".into()),
});
}
// Low triage coverage
if triage_coverage < 0.1 && summary.total > 20 {
insights.push(Insight {
kind: "low_triage".into(),
message: format!(
"Only {:.0}% of findings have been triaged",
triage_coverage * 100.0
),
severity: "info".into(),
action_url: Some("/triage".into()),
});
}
insights
}
/// Check if the latest scan completed within the last 5 minutes.
fn is_fresh_scan(scan: Option<&ScanSummary>) -> bool {
let Some(scan) = scan else { return false };
let Some(ref started_at) = scan.started_at else {
return false;
};
if let Ok(ts) = chrono::DateTime::parse_from_rfc3339(started_at) {
let elapsed = chrono::Utc::now() - ts.with_timezone(&chrono::Utc);
return elapsed.num_seconds() < 300;
}
false
}

316
src/server/routes/rules.rs Normal file
View file

@ -0,0 +1,316 @@
use crate::commands::config as config_cmd;
use crate::labels::{self, RuleInfo};
use crate::server::app::{AppState, ServerEvent};
use crate::server::models::{RelatedFindingView, RuleDetailView, RuleListItem};
use crate::utils::config::RuleKind;
use axum::extract::{Path, State};
use axum::http::StatusCode;
use axum::routing::{get, post};
use axum::{Json, Router};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/rules", get(list_rules))
.route("/rules/{id}", get(get_rule))
.route("/rules/{id}/toggle", post(toggle_rule))
.route("/rules/clone", post(clone_rule))
}
/// Build the full list of rules: built-in + custom, with disabled state applied.
fn build_rule_list(state: &AppState) -> Vec<RuleInfo> {
let config = state.config.read();
let mut rules = labels::enumerate_builtin_rules();
// Mark disabled rules
for rule in &mut rules {
if config.analysis.disabled_rules.contains(&rule.id) {
rule.enabled = false;
}
}
// Add custom rules from config
for (lang, lang_cfg) in &config.analysis.languages {
let canonical = labels::canonical_lang(lang);
for cr in &lang_cfg.rules {
let kind_str = match cr.kind {
RuleKind::Source => "source",
RuleKind::Sanitizer => "sanitizer",
RuleKind::Sink => "sink",
};
let id = labels::custom_rule_id(canonical, kind_str, &cr.matchers);
let first = cr.matchers.first().map(|s| s.as_str()).unwrap_or("?");
let title = format!("{} (custom {})", first, kind_str);
let cap = cr.cap.to_cap();
let enabled = !config.analysis.disabled_rules.contains(&id);
rules.push(RuleInfo {
id,
title,
language: canonical.to_string(),
kind: kind_str.to_string(),
cap: labels::cap_to_name(cap).to_string(),
cap_bits: cap.bits(),
matchers: cr.matchers.clone(),
case_sensitive: cr.case_sensitive,
is_custom: true,
is_gated: false,
enabled,
});
}
}
rules
}
/// GET /api/rules — list all rules with finding counts.
async fn list_rules(State(state): State<AppState>) -> Json<Vec<RuleListItem>> {
let rules = build_rule_list(&state);
// Best-effort finding count: read latest findings from job manager
let findings = state.job_manager.latest_findings();
let finding_counts = compute_finding_counts(&rules, &findings);
let items: Vec<RuleListItem> = rules
.into_iter()
.enumerate()
.map(|(i, r)| {
let (count, suppressed) = finding_counts.get(i).copied().unwrap_or((0, 0));
let rate = if count > 0 {
suppressed as f64 / count as f64
} else {
0.0
};
RuleListItem {
id: r.id,
title: r.title,
language: r.language,
kind: r.kind,
cap: r.cap,
matchers: r.matchers,
enabled: r.enabled,
is_custom: r.is_custom,
is_gated: r.is_gated,
case_sensitive: r.case_sensitive,
finding_count: count,
suppression_rate: rate,
}
})
.collect();
Json(items)
}
/// GET /api/rules/:id — full detail for one rule.
async fn get_rule(
State(state): State<AppState>,
Path(id): Path<String>,
) -> Result<Json<RuleDetailView>, StatusCode> {
let rules = build_rule_list(&state);
let rule = rules
.iter()
.find(|r| r.id == id)
.ok_or(StatusCode::NOT_FOUND)?;
let findings = state.job_manager.latest_findings();
let examples = match_findings_for_rule(rule, &findings, 5);
let total = match_findings_for_rule(rule, &findings, usize::MAX).len();
let suppressed = examples
.iter()
.filter(|f| f.severity == crate::patterns::Severity::Low)
.count();
let rate = if total > 0 {
suppressed as f64 / total as f64
} else {
0.0
};
Ok(Json(RuleDetailView {
id: rule.id.clone(),
title: rule.title.clone(),
language: rule.language.clone(),
kind: rule.kind.clone(),
cap: rule.cap.clone(),
matchers: rule.matchers.clone(),
case_sensitive: rule.case_sensitive,
enabled: rule.enabled,
is_custom: rule.is_custom,
is_gated: rule.is_gated,
finding_count: total,
suppression_rate: rate,
example_findings: examples,
}))
}
/// POST /api/rules/:id/toggle — enable/disable a rule.
async fn toggle_rule(
State(state): State<AppState>,
Path(id): Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
{
let mut config = state.config.write();
if let Some(pos) = config.analysis.disabled_rules.iter().position(|r| r == &id) {
config.analysis.disabled_rules.remove(pos);
} else {
config.analysis.disabled_rules.push(id.clone());
}
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok(Json(serde_json::json!({ "status": "ok", "rule_id": id })))
}
/// POST /api/rules/clone — clone a built-in rule to custom.
async fn clone_rule(
State(state): State<AppState>,
Json(body): Json<serde_json::Value>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let rule_id_str = body["rule_id"]
.as_str()
.ok_or_else(|| bad_request("missing rule_id"))?;
// Find the built-in rule
let builtins = labels::enumerate_builtin_rules();
let source = builtins
.iter()
.find(|r| r.id == rule_id_str)
.ok_or_else(|| bad_request("rule not found or not built-in"))?;
// Convert to ConfigLabelRule and add to config
let kind: RuleKind = match source.kind.as_str() {
"source" => RuleKind::Source,
"sanitizer" => RuleKind::Sanitizer,
"sink" => RuleKind::Sink,
_ => return Err(bad_request("invalid kind")),
};
let cap_name: crate::utils::config::CapName =
source.cap.parse().map_err(|e: String| bad_request(&e))?;
let new_rule = crate::utils::config::ConfigLabelRule {
matchers: source.matchers.clone(),
kind,
cap: cap_name,
case_sensitive: source.case_sensitive,
};
let new_id;
{
let mut config = state.config.write();
let lang_cfg = config
.analysis
.languages
.entry(source.language.clone())
.or_default();
if !lang_cfg.rules.contains(&new_rule) {
lang_cfg.rules.push(new_rule);
}
new_id = labels::custom_rule_id(&source.language, &source.kind, &source.matchers);
let local_path = state.config_dir.join("nyx.local");
config_cmd::save_local_config(&local_path, &config)
.map_err(|e| bad_request(&e.to_string()))?;
}
let _ = state.event_tx.send(ServerEvent::ConfigChanged);
Ok((
StatusCode::CREATED,
Json(serde_json::json!({ "status": "ok", "new_id": new_id })),
))
}
/// Compute (finding_count, suppressed_count) for each rule by matching
/// finding evidence against rule matchers.
fn compute_finding_counts(
rules: &[RuleInfo],
findings: &[crate::commands::scan::Diag],
) -> Vec<(usize, usize)> {
let mut counts: Vec<(usize, usize)> = vec![(0, 0); rules.len()];
for d in findings {
// Try to match each finding against rules by checking if the finding's
// evidence sink/source snippet contains any of the rule's matchers
let sink_snippet = d
.evidence
.as_ref()
.and_then(|e| e.sink.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let source_snippet = d
.evidence
.as_ref()
.and_then(|e| e.source.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
for (i, rule) in rules.iter().enumerate() {
let matched = rule
.matchers
.iter()
.any(|m| sink_snippet.contains(m.as_str()) || source_snippet.contains(m.as_str()));
if matched {
counts[i].0 += 1;
if d.suppressed {
counts[i].1 += 1;
}
}
}
}
counts
}
/// Find findings matching a rule's matchers, returning up to `limit` examples.
fn match_findings_for_rule(
rule: &RuleInfo,
findings: &[crate::commands::scan::Diag],
limit: usize,
) -> Vec<RelatedFindingView> {
let mut out = Vec::new();
for (i, d) in findings.iter().enumerate() {
if out.len() >= limit {
break;
}
let sink_snippet = d
.evidence
.as_ref()
.and_then(|e| e.sink.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let source_snippet = d
.evidence
.as_ref()
.and_then(|e| e.source.as_ref())
.and_then(|s| s.snippet.as_deref())
.unwrap_or("");
let matched = rule
.matchers
.iter()
.any(|m| sink_snippet.contains(m.as_str()) || source_snippet.contains(m.as_str()));
if matched {
out.push(RelatedFindingView {
index: i,
rule_id: d.id.clone(),
path: d.path.clone(),
line: d.line,
severity: d.severity,
});
}
}
out
}
fn bad_request(msg: &str) -> (StatusCode, Json<serde_json::Value>) {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": msg })),
)
}

658
src/server/routes/scans.rs Normal file
View file

@ -0,0 +1,658 @@
#![allow(clippy::collapsible_if, clippy::redundant_closure)]
use crate::commands::scan::Diag;
use crate::database::index::{Indexer, ScanRecord};
use crate::server::app::AppState;
use crate::server::models::{
self, ChangedFinding, CompareResponse, CompareScanInfo, CompareSummary, ComparedFinding,
FieldChange, FindingView, ScanView,
};
use crate::server::progress::ScanMetricsSnapshot;
use crate::server::scan_log::ScanLogEntry;
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::{get, post};
use axum::{Json, Router};
use std::collections::{HashMap, HashSet};
use std::path::{Path, PathBuf};
pub fn routes() -> Router<AppState> {
Router::new()
.route("/scans", post(start_scan).get(list_scans))
.route("/scans/active", get(active_scan))
.route("/scans/compare", get(compare_scans))
.route("/scans/{id}", get(get_scan).delete(delete_scan))
.route("/scans/{id}/findings", get(get_scan_findings))
.route("/scans/{id}/logs", get(get_scan_logs))
.route("/scans/{id}/metrics", get(get_scan_metrics))
}
#[derive(serde::Deserialize, Default)]
struct StartScanRequest {
scan_root: Option<String>,
/// Analysis mode: "full" | "ast" | "cfg" | "taint".
mode: Option<String>,
/// Engine-depth profile: "fast" | "balanced" | "deep".
engine_profile: Option<String>,
#[allow(dead_code)]
languages: Option<Vec<String>>,
#[allow(dead_code)]
include_paths: Option<Vec<String>>,
#[allow(dead_code)]
exclude_paths: Option<Vec<String>>,
}
fn apply_mode(
config: &mut crate::utils::config::Config,
mode: &str,
) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
use crate::utils::config::AnalysisMode;
config.scanner.mode = match mode.to_ascii_lowercase().as_str() {
"full" => AnalysisMode::Full,
"ast" => AnalysisMode::Ast,
"cfg" => AnalysisMode::Cfg,
"taint" => AnalysisMode::Taint,
_ => {
return Err(bad_request("mode must be one of: full, ast, cfg, taint"));
}
};
Ok(())
}
fn apply_engine_profile(
config: &mut crate::utils::config::Config,
profile: &str,
) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
use crate::cli::EngineProfile;
let prof = match profile.to_ascii_lowercase().as_str() {
"fast" => EngineProfile::Fast,
"balanced" => EngineProfile::Balanced,
"deep" => EngineProfile::Deep,
_ => {
return Err(bad_request(
"engine_profile must be one of: fast, balanced, deep",
));
}
};
config.analysis.engine = prof.apply(config.analysis.engine);
Ok(())
}
async fn start_scan(
State(state): State<AppState>,
body: Option<Json<StartScanRequest>>,
) -> Result<(StatusCode, Json<serde_json::Value>), (StatusCode, Json<serde_json::Value>)> {
let req = body.map(|b| b.0).unwrap_or_default();
let scan_root = resolve_requested_scan_root(req.scan_root.as_deref(), &state.scan_root)?;
let mut config = state.config.read().clone();
if let Some(ref mode) = req.mode {
apply_mode(&mut config, mode)?;
}
if let Some(ref profile) = req.engine_profile {
apply_engine_profile(&mut config, profile)?;
}
let event_tx = state.event_tx.clone();
let db_pool = state.db_pool.clone();
let database_dir = state.database_dir.clone();
match state
.job_manager
.start_scan(scan_root, config, event_tx, db_pool, database_dir)
{
Ok(job_id) => Ok((
StatusCode::ACCEPTED,
Json(serde_json::json!({ "job_id": job_id })),
)),
Err(msg) => Err((
StatusCode::CONFLICT,
Json(serde_json::json!({ "error": msg })),
)),
}
}
fn resolve_requested_scan_root(
requested_root: Option<&str>,
configured_root: &Path,
) -> Result<PathBuf, (StatusCode, Json<serde_json::Value>)> {
if let Some(root) = requested_root {
let requested = Path::new(root)
.canonicalize()
.map_err(|_| bad_request("invalid scan_root"))?;
if requested != configured_root {
return Err(bad_request(
"scan_root must match the repository passed to nyx serve",
));
}
}
// The request value is validation-only; scans always run against the
// canonical root configured when the server started.
Ok(configured_root.to_path_buf())
}
fn bad_request(message: &str) -> (StatusCode, Json<serde_json::Value>) {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": message })),
)
}
async fn list_scans(State(state): State<AppState>) -> Json<Vec<ScanView>> {
let mut views: Vec<ScanView> = state
.job_manager
.list_jobs()
.iter()
.map(|j| job_to_view(j))
.collect();
// Merge historical scans from DB (deduplicate by ID)
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(records) = idx.list_scans(100) {
let in_memory_ids: HashSet<String> = views.iter().map(|v| v.id.clone()).collect();
for record in records {
if !in_memory_ids.contains(&record.id) {
views.push(scan_record_to_view(&record));
}
}
}
}
}
// Sort by started_at descending
views.sort_by(|a, b| b.started_at.cmp(&a.started_at));
Json(views)
}
async fn active_scan(State(state): State<AppState>) -> Result<Json<ScanView>, StatusCode> {
let job = state
.job_manager
.active_job()
.ok_or(StatusCode::NOT_FOUND)?;
Ok(Json(job_to_view(&job)))
}
async fn get_scan(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
) -> Result<Json<ScanView>, StatusCode> {
// Check in-memory first
if let Some(job) = state.job_manager.get_job(&id) {
return Ok(Json(job_to_view(&job)));
}
// Fall back to DB
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(record)) = idx.get_scan(&id) {
let mut view = scan_record_to_view(&record);
// Load metrics from DB
if let Ok(Some(metrics)) = idx.get_scan_metrics(&id) {
view.metrics = Some(metrics);
}
return Ok(Json(view));
}
}
}
Err(StatusCode::NOT_FOUND)
}
async fn delete_scan(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
// Remove from in-memory jobs (rejects if running)
if let Err(msg) = state.job_manager.remove_job(&id) {
if msg.contains("running") {
return Err((
StatusCode::CONFLICT,
Json(serde_json::json!({ "error": msg })),
));
}
// "Scan not found" in memory is fine — may be DB-only
}
// Delete from DB (CASCADE handles metrics + logs)
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
let _ = idx.delete_scan(&id);
}
}
Ok(Json(serde_json::json!({ "status": "deleted", "id": id })))
}
#[derive(serde::Deserialize, Default)]
struct FindingsQuery {
page: Option<usize>,
per_page: Option<usize>,
severity: Option<String>,
category: Option<String>,
search: Option<String>,
}
/// Load findings for a scan by ID (in-memory first, then DB fallback).
fn load_scan_findings(state: &AppState, id: &str) -> Result<Vec<Diag>, StatusCode> {
if let Some(job) = state.job_manager.get_job(id) {
return Ok(job.findings.map(|f| (*f).clone()).unwrap_or_default());
}
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(record)) = idx.get_scan(id) {
return Ok(record
.findings_json
.as_deref()
.and_then(|j| serde_json::from_str::<Vec<Diag>>(j).ok())
.unwrap_or_default());
}
}
}
Err(StatusCode::NOT_FOUND)
}
/// Load minimal scan info for comparison headers.
fn load_scan_info(state: &AppState, id: &str) -> Result<CompareScanInfo, StatusCode> {
if let Some(job) = state.job_manager.get_job(id) {
return Ok(CompareScanInfo {
id: job.id.clone(),
started_at: job.started_at.map(|t| t.to_rfc3339()),
finding_count: job.findings.as_ref().map(|f| f.len()).unwrap_or(0),
});
}
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(record)) = idx.get_scan(id) {
return Ok(CompareScanInfo {
id: record.id.clone(),
started_at: record.started_at.clone(),
finding_count: record.finding_count.map(|c| c as usize).unwrap_or(0),
});
}
}
}
Err(StatusCode::NOT_FOUND)
}
async fn get_scan_findings(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
Query(query): Query<FindingsQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let findings = load_scan_findings(&state, &id)?;
// Apply filters
let mut filtered: Vec<&Diag> = findings.iter().collect();
if let Some(ref sev) = query.severity {
filtered.retain(|d| d.severity.as_db_str().eq_ignore_ascii_case(sev));
}
if let Some(ref cat) = query.category {
filtered.retain(|d| d.category.to_string().eq_ignore_ascii_case(cat));
}
if let Some(ref search) = query.search {
let s = search.to_ascii_lowercase();
filtered.retain(|d| {
d.path.to_ascii_lowercase().contains(&s)
|| d.id.to_ascii_lowercase().contains(&s)
|| d.message
.as_deref()
.map(|m| m.to_ascii_lowercase().contains(&s))
.unwrap_or(false)
});
}
let total = filtered.len();
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).min(200);
let start = (page - 1) * per_page;
let scan_root = state.scan_root.clone();
let page_findings: Vec<FindingView> = filtered
.into_iter()
.enumerate()
.skip(start)
.take(per_page)
.map(|(i, d)| models::finding_from_diag_with_context(i, d, &scan_root))
.collect();
Ok(Json(serde_json::json!({
"findings": page_findings,
"total": total,
"page": page,
"per_page": per_page,
})))
}
// ── Scan Comparison ─────────────────────────────────────────────────────────
#[derive(serde::Deserialize)]
struct CompareQuery {
left: String,
right: String,
}
async fn compare_scans(
State(state): State<AppState>,
Query(query): Query<CompareQuery>,
) -> Result<Json<CompareResponse>, StatusCode> {
let left_info = load_scan_info(&state, &query.left)?;
let right_info = load_scan_info(&state, &query.right)?;
let left_findings = load_scan_findings(&state, &query.left)?;
let right_findings = load_scan_findings(&state, &query.right)?;
// Build fingerprint → Vec<(index, diag)> multi-maps so duplicate
// fingerprints are preserved instead of silently dropped.
let mut left_map: HashMap<String, Vec<(usize, &Diag)>> = HashMap::new();
for (i, d) in left_findings.iter().enumerate() {
left_map
.entry(models::compute_fingerprint(d))
.or_default()
.push((i, d));
}
let mut right_map: HashMap<String, Vec<(usize, &Diag)>> = HashMap::new();
for (i, d) in right_findings.iter().enumerate() {
right_map
.entry(models::compute_fingerprint(d))
.or_default()
.push((i, d));
}
let scan_root = state.scan_root.clone();
let mut new_findings = Vec::new();
let mut fixed_findings = Vec::new();
let mut changed_findings = Vec::new();
let mut unchanged_findings = Vec::new();
// For each fingerprint that appears on the right side, match 1:1 with
// left-side findings sharing the same fingerprint. Excess right entries
// are "new"; excess left entries are "fixed".
for (fp, right_group) in &right_map {
if let Some(left_group) = left_map.get(fp) {
let matched = right_group.len().min(left_group.len());
// Matched pairs → unchanged or changed
for i in 0..matched {
let (idx, diag) = right_group[i];
let (_, left_diag) = left_group[i];
let view = models::finding_from_diag_with_context(idx, diag, &scan_root);
let changes = compute_field_changes(left_diag, diag);
if changes.is_empty() {
unchanged_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: view,
});
} else {
changed_findings.push(ChangedFinding {
fingerprint: fp.clone(),
finding: view,
changes,
});
}
}
// Excess right entries → new
for &(idx, diag) in &right_group[matched..] {
new_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: models::finding_from_diag_with_context(idx, diag, &scan_root),
});
}
} else {
// Entire group is new (fingerprint not in left)
for &(idx, diag) in right_group {
new_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: models::finding_from_diag_with_context(idx, diag, &scan_root),
});
}
}
}
// Fixed findings: left-side entries whose fingerprint is missing from
// right, or excess left entries beyond the matched count.
for (fp, left_group) in &left_map {
let right_count = right_map.get(fp).map(|g| g.len()).unwrap_or(0);
let start = left_group.len().min(right_count);
for &(idx, diag) in &left_group[start..] {
fixed_findings.push(ComparedFinding {
fingerprint: fp.clone(),
finding: models::finding_from_diag_with_context(idx, diag, &scan_root),
});
}
}
// Compute severity delta: right counts - left counts
let mut severity_delta: HashMap<String, i64> = HashMap::new();
for d in &right_findings {
*severity_delta
.entry(d.severity.as_db_str().to_string())
.or_insert(0) += 1;
}
for d in &left_findings {
*severity_delta
.entry(d.severity.as_db_str().to_string())
.or_insert(0) -= 1;
}
let summary = CompareSummary {
new_count: new_findings.len(),
fixed_count: fixed_findings.len(),
changed_count: changed_findings.len(),
unchanged_count: unchanged_findings.len(),
severity_delta,
};
Ok(Json(CompareResponse {
left_scan: left_info,
right_scan: right_info,
summary,
new_findings,
fixed_findings,
changed_findings,
unchanged_findings,
}))
}
/// Compare two Diags with the same fingerprint and return field-level changes.
fn compute_field_changes(left: &Diag, right: &Diag) -> Vec<FieldChange> {
let mut changes = Vec::new();
if left.line != right.line {
changes.push(FieldChange {
field: "line".into(),
old_value: left.line.to_string(),
new_value: right.line.to_string(),
});
}
if left.col != right.col {
changes.push(FieldChange {
field: "col".into(),
old_value: left.col.to_string(),
new_value: right.col.to_string(),
});
}
if left.severity != right.severity {
changes.push(FieldChange {
field: "severity".into(),
old_value: left.severity.as_db_str().to_string(),
new_value: right.severity.as_db_str().to_string(),
});
}
if left.confidence != right.confidence {
changes.push(FieldChange {
field: "confidence".into(),
old_value: left
.confidence
.map(|c| format!("{c:?}"))
.unwrap_or_else(|| "-".into()),
new_value: right
.confidence
.map(|c| format!("{c:?}"))
.unwrap_or_else(|| "-".into()),
});
}
changes
}
#[derive(serde::Deserialize, Default)]
struct LogsQuery {
level: Option<String>,
}
async fn get_scan_logs(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
Query(query): Query<LogsQuery>,
) -> Result<Json<Vec<ScanLogEntry>>, StatusCode> {
// Check in-memory (running scan)
if let Some(job) = state.job_manager.get_job(&id) {
if let Some(ref collector) = job.log_collector {
let mut logs = collector.snapshot();
if let Some(ref level) = query.level {
logs.retain(|l| l.level.to_string().eq_ignore_ascii_case(level));
}
return Ok(Json(logs));
}
}
// Fall back to DB
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(logs) = idx.get_scan_logs(&id, query.level.as_deref()) {
return Ok(Json(logs));
}
}
}
Ok(Json(vec![]))
}
async fn get_scan_metrics(
State(state): State<AppState>,
axum::extract::Path(id): axum::extract::Path<String>,
) -> Result<Json<ScanMetricsSnapshot>, StatusCode> {
// Check in-memory (running scan)
if let Some(job) = state.job_manager.get_job(&id) {
if let Some(ref metrics) = job.metrics {
return Ok(Json(metrics.snapshot()));
}
}
// Fall back to DB
if let Some(ref pool) = state.db_pool {
if let Ok(idx) = Indexer::from_pool("_scans", pool) {
if let Ok(Some(metrics)) = idx.get_scan_metrics(&id) {
return Ok(Json(metrics));
}
}
}
Err(StatusCode::NOT_FOUND)
}
fn job_to_view(job: &crate::server::jobs::ScanJob) -> ScanView {
let (timing, metrics_snap) = if let Some(ref progress) = job.progress {
let snap = progress.snapshot();
(
Some(snap.timing),
job.metrics.as_ref().map(|m| m.snapshot()),
)
} else {
(job.timing.clone(), None)
};
ScanView {
id: job.id.clone(),
status: format!("{:?}", job.status).to_ascii_lowercase(),
scan_root: job.scan_root.display().to_string(),
started_at: job.started_at.map(|t| t.to_rfc3339()),
finished_at: job.finished_at.map(|t| t.to_rfc3339()),
duration_secs: job.duration_secs,
finding_count: job.findings.as_ref().map(|f| f.len()),
error: job.error.clone(),
engine_version: job.engine_version.clone(),
languages: job.languages.clone(),
files_scanned: job.files_scanned,
timing,
metrics: metrics_snap,
}
}
fn scan_record_to_view(record: &ScanRecord) -> ScanView {
let timing: Option<crate::server::progress::TimingBreakdown> = record
.timing_json
.as_deref()
.and_then(|j| serde_json::from_str(j).ok());
let languages: Option<Vec<String>> = record
.languages
.as_deref()
.and_then(|j| serde_json::from_str(j).ok());
ScanView {
id: record.id.clone(),
status: record.status.clone(),
scan_root: record.scan_root.clone(),
started_at: record.started_at.clone(),
finished_at: record.finished_at.clone(),
duration_secs: record.duration_secs,
finding_count: record.finding_count.map(|c| c as usize),
error: record.error.clone(),
engine_version: record.engine_version.clone(),
languages,
files_scanned: record.files_scanned.map(|c| c as u64),
timing,
metrics: None,
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn resolve_requested_scan_root_defaults_to_configured_root() {
let dir = tempfile::tempdir().unwrap();
let configured = dir.path().canonicalize().unwrap();
let resolved = resolve_requested_scan_root(None, &configured).unwrap();
assert_eq!(resolved, configured);
}
#[test]
fn resolve_requested_scan_root_accepts_matching_root_but_uses_configured_path() {
let dir = tempfile::tempdir().unwrap();
let configured = dir.path().canonicalize().unwrap();
let requested = dir.path().join(".");
let resolved =
resolve_requested_scan_root(Some(requested.to_string_lossy().as_ref()), &configured)
.unwrap();
assert_eq!(resolved, configured);
}
#[test]
fn resolve_requested_scan_root_rejects_different_root() {
let configured_dir = tempfile::tempdir().unwrap();
let other_dir = tempfile::tempdir().unwrap();
let configured = configured_dir.path().canonicalize().unwrap();
let err = resolve_requested_scan_root(
Some(other_dir.path().to_string_lossy().as_ref()),
&configured,
)
.unwrap_err();
assert_eq!(err.0, StatusCode::BAD_REQUEST);
assert_eq!(
err.1.0["error"],
"scan_root must match the repository passed to nyx serve"
);
}
}

424
src/server/routes/triage.rs Normal file
View file

@ -0,0 +1,424 @@
use crate::database::index::Indexer;
use crate::server::app::AppState;
use crate::server::models::{compute_fingerprint, finding_from_diag, is_valid_triage_state};
use crate::server::routes::findings::load_latest_findings;
use axum::extract::{Query, State};
use axum::http::StatusCode;
use axum::routing::{get, post};
use axum::{Json, Router};
use serde::Deserialize;
pub fn routes() -> Router<AppState> {
Router::new()
.route("/triage", get(list_triage).post(set_triage))
.route("/triage/audit", get(get_audit_log))
.route(
"/triage/suppress",
get(list_suppressions)
.post(add_suppression)
.delete(remove_suppression),
)
.route("/triage/export", post(export_triage_file))
.route("/triage/import", post(import_triage_file))
.route("/triage/sync-status", get(get_sync_status))
}
// ── POST /api/triage ────────────────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct SetTriageRequest {
fingerprints: Vec<String>,
state: String,
#[serde(default)]
note: String,
}
async fn set_triage(
State(state): State<AppState>,
Json(body): Json<SetTriageRequest>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
if !is_valid_triage_state(&body.state) {
return Err((
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": format!("invalid state: {}", body.state) })),
));
}
if body.fingerprints.is_empty() {
return Err((
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": "fingerprints must not be empty" })),
));
}
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let idx = Indexer::from_pool("_triage", pool).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
let action = if body.fingerprints.len() > 1 {
"bulk_set_state"
} else {
"set_state"
};
let results = idx
.set_triage_states_bulk(&body.fingerprints, &body.state, &body.note, action)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
// Auto-sync to .nyx/triage.json
auto_sync_to_file(&state);
Ok(Json(serde_json::json!({
"updated": results.len(),
"state": body.state,
})))
}
// ── GET /api/triage ─────────────────────────────────────────────────────────
#[derive(Debug, Deserialize, Default)]
struct ListTriageQuery {
state: Option<String>,
page: Option<usize>,
per_page: Option<usize>,
}
async fn list_triage(
State(state): State<AppState>,
Query(query): Query<ListTriageQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).clamp(1, 500);
let offset = ((page - 1) * per_page) as i64;
let (rows, total) = idx
.list_triage_states(query.state.as_deref(), per_page as i64, offset)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
// Enrich with finding data if available
let findings = load_latest_findings(&state);
let mut enriched_views = Vec::new();
// Build fingerprint → diag index for lookup
let fp_map: std::collections::HashMap<String, usize> = findings
.iter()
.enumerate()
.map(|(i, d)| (compute_fingerprint(d), i))
.collect();
for (fp, ts_state, note, updated_at) in &rows {
let finding_info = fp_map.get(fp).map(|&i| {
let d = &findings[i];
serde_json::json!({
"index": i,
"rule_id": d.id,
"path": d.path,
"line": d.line,
"severity": d.severity.as_db_str(),
"category": d.category.to_string(),
})
});
enriched_views.push(serde_json::json!({
"fingerprint": fp,
"state": ts_state,
"note": note,
"updated_at": updated_at,
"finding": finding_info,
}));
}
Ok(Json(serde_json::json!({
"entries": enriched_views,
"total": total,
"page": page,
"per_page": per_page,
})))
}
// ── GET /api/triage/audit ───────────────────────────────────────────────────
#[derive(Debug, Deserialize, Default)]
struct AuditQuery {
fingerprint: Option<String>,
page: Option<usize>,
per_page: Option<usize>,
}
async fn get_audit_log(
State(state): State<AppState>,
Query(query): Query<AuditQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let page = query.page.unwrap_or(1).max(1);
let per_page = query.per_page.unwrap_or(50).clamp(1, 500);
let offset = ((page - 1) * per_page) as i64;
let (entries, total) = idx
.get_audit_log(query.fingerprint.as_deref(), per_page as i64, offset)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
Ok(Json(serde_json::json!({
"entries": entries,
"total": total,
"page": page,
"per_page": per_page,
})))
}
// ── POST /api/triage/suppress ───────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct AddSuppressionRequest {
by: String,
value: String,
#[serde(default)]
note: String,
}
async fn add_suppression(
State(state): State<AppState>,
Json(body): Json<AddSuppressionRequest>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let valid_by = ["fingerprint", "rule", "rule_in_file", "file"];
if !valid_by.contains(&body.by.as_str()) {
return Err((
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": format!("invalid 'by' value: {}", body.by) })),
));
}
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let idx = Indexer::from_pool("_triage", pool).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
let rule_id = idx
.add_suppression_rule(&body.by, &body.value, "suppressed", &body.note)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e.to_string() })),
)
})?;
// Apply to current findings
let findings = load_latest_findings(&state);
let views: Vec<_> = findings
.iter()
.enumerate()
.map(|(i, d)| finding_from_diag(i, d))
.collect();
// Find matching fingerprints
let matching_fps: Vec<String> = views
.iter()
.filter(|v| match body.by.as_str() {
"fingerprint" => v.fingerprint == body.value,
"rule" => v.rule_id == body.value,
"rule_in_file" => {
let key = format!("{}:{}", v.rule_id, v.path);
key == body.value
}
"file" => v.path == body.value,
_ => false,
})
.map(|v| v.fingerprint.clone())
.collect();
let affected = matching_fps.len();
if !matching_fps.is_empty() {
let _ =
idx.set_triage_states_bulk(&matching_fps, "suppressed", &body.note, "suppress_pattern");
}
drop(views);
// Auto-sync to .nyx/triage.json
auto_sync_to_file(&state);
Ok(Json(serde_json::json!({
"rule_id": rule_id,
"findings_affected": affected,
})))
}
// ── GET /api/triage/suppress ────────────────────────────────────────────────
async fn list_suppressions(
State(state): State<AppState>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let rules = idx
.get_suppression_rules()
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
Ok(Json(serde_json::json!({ "rules": rules })))
}
// ── DELETE /api/triage/suppress ─────────────────────────────────────────────
#[derive(Debug, Deserialize)]
struct DeleteSuppressionQuery {
id: i64,
}
async fn remove_suppression(
State(state): State<AppState>,
Query(query): Query<DeleteSuppressionQuery>,
) -> Result<Json<serde_json::Value>, StatusCode> {
let pool = state
.db_pool
.as_ref()
.ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
let idx = Indexer::from_pool("_triage", pool).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let deleted = idx
.delete_suppression_rule(query.id)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
// Auto-sync to .nyx/triage.json
auto_sync_to_file(&state);
Ok(Json(serde_json::json!({ "deleted": deleted })))
}
// ── Auto-sync helper ────────────────────────────────────────────────────────
fn auto_sync_to_file(state: &AppState) {
let sync_enabled = state.config.read().server.triage_sync;
if !sync_enabled {
return;
}
if let Some(ref pool) = state.db_pool {
let findings = load_latest_findings(state);
let _ = crate::server::triage_sync::sync_to_file(pool, &findings, &state.scan_root);
}
}
// ── POST /api/triage/export ─────────────────────────────────────────────────
async fn export_triage_file(
State(state): State<AppState>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let findings = load_latest_findings(&state);
let file = crate::server::triage_sync::export_triage(pool, &findings, &state.scan_root)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
crate::server::triage_sync::save_triage_file(&state.scan_root, &file).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
let path = crate::server::triage_sync::triage_file_path(&state.scan_root).map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
Ok(Json(serde_json::json!({
"exported": file.decisions.len(),
"suppression_rules": file.suppression_rules.len(),
"path": path.to_string_lossy(),
})))
}
// ── POST /api/triage/import ─────────────────────────────────────────────────
async fn import_triage_file(
State(state): State<AppState>,
) -> Result<Json<serde_json::Value>, (StatusCode, Json<serde_json::Value>)> {
let pool = state.db_pool.as_ref().ok_or((
StatusCode::SERVICE_UNAVAILABLE,
Json(serde_json::json!({ "error": "database not available" })),
))?;
let file = crate::server::triage_sync::load_triage_file_checked(&state.scan_root)
.map_err(|e| {
(
StatusCode::BAD_REQUEST,
Json(serde_json::json!({ "error": e })),
)
})?
.ok_or((
StatusCode::NOT_FOUND,
Json(serde_json::json!({ "error": ".nyx/triage.json not found" })),
))?;
let findings = load_latest_findings(&state);
let applied =
crate::server::triage_sync::import_triage(pool, &findings, &state.scan_root, &file)
.map_err(|e| {
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(serde_json::json!({ "error": e })),
)
})?;
Ok(Json(serde_json::json!({
"imported": applied,
"total_in_file": file.decisions.len(),
"suppression_rules": file.suppression_rules.len(),
})))
}
// ── GET /api/triage/sync-status ─────────────────────────────────────────────
async fn get_sync_status(State(state): State<AppState>) -> Json<serde_json::Value> {
let path = crate::server::triage_sync::triage_file_path(&state.scan_root).ok();
let file = crate::server::triage_sync::load_triage_file(&state.scan_root);
let sync_enabled = state.config.read().server.triage_sync;
Json(serde_json::json!({
"file_path": path.as_ref().map(|p| p.to_string_lossy().to_string()),
"file_exists": path.as_ref().map(|p| p.exists()).unwrap_or(false),
"sync_enabled": sync_enabled,
"decisions": file.as_ref().map(|f| f.decisions.len()).unwrap_or(0),
"suppression_rules": file.as_ref().map(|f| f.suppression_rules.len()).unwrap_or(0),
}))
}