apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Prerelease cleanup (#46)

Browse source 
* feat: Add const_bound_vars tracking to prevent false positives in ownership checks

* feat: Introduce field interner and typed bounded vars for enhanced type tracking

* feat: Add typed_call_receivers and typed_bounded_dto_fields for enhanced type tracking

* feat: Centralize method name extraction with bare_method_name helper

* feat: Implement Phase-6 hierarchy fan-out for runtime virtual dispatch

* feat: Enhance C++ taint tracking with additional container operations and inline method resolution

* feat: Introduce field-sensitive points-to analysis for enhanced resource tracking

* feat: Implement Pointer-Phase 6 subscript handling for enhanced container analysis

* test: Add comprehensive tests for JavaScript control flow constructs and lattice operations

* docs: Update advanced analysis documentation with field-sensitive points-to and hierarchy fan-out details

* test: Add comprehensive tests for lattice algebra laws and SSA edge cases

* feat: Add destructured session user handling and safe user ID access patterns

* feat: Implement row-population reverse-walk for enhanced authorization checks

* feat: Enhance authorization checks with local alias chain for self-actor types

* feat: Introduce ActiveRecord query safety checks and enhance snippet extraction

* feat: Implement chained method call inner-gate rebinding for SSRF prevention

* feat: Add observability and error modules, enhance debug functionality, and implement theme context

* feat: Remove Auth Analysis page and update navigation to redirect to Explorer

* feat: Optimize SSA lowering by sharing results between taint engine and artifact extractor

* feat: Optimize SSA lowering by sharing results between taint engine and artifact extractor

* feat: Reset path-safe-suppressed spans before lowering to maintain analysis integrity

* fix(ssa): ungate debug_assert_bfs_ordering for release-tests build

The helper at src/ssa/lower.rs was gated `#[cfg(debug_assertions)]` while
the unit test at the bottom of the file was gated only `#[cfg(test)]`.
Since `cfg(test)` is set in release builds with `--tests` but
`cfg(debug_assertions)` is not, `cargo build --release --tests` failed
with E0425. Removing the gate fixes the build; the body is `debug_assert!`
only, so the helper is free in release. Also drop the gate at the call
site to avoid a `dead_code` warning when the lib is built without
`--tests`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(closure-capture): flip JS/TS fixtures to required-finding

The JS and TS closure-capture fixtures pinned the old broken behaviour
via `forbidden_findings: [{ "id_prefix": "taint-" }]`. The engine now
correctly traces taint through the closure boundary (env source captured
by an arrow function, sunk via `child_process.exec` inside the body), so
the formerly-forbidden finding is a true positive.

Match the Python sibling's shape — `required_findings` with
`id_prefix` + `min_count` plus a small `noise_budget` — and rewrite the
companion READMEs and the phase8_fragility_tests doc-comments from
"known gap" to "regression guard".

Verified:
- cargo test --release --test phase8_fragility_tests → 8/8 pass
- cargo test --release --lib bfs_assertion → pass
- corpus benchmark F1 = 0.9976 (TP=205, FP=1, FN=0) — unchanged

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat: Add OWASP mapping and baseline mutation hooks for enhanced security analysis

* feat: Introduce health module and enhance health score computation with calibration tests

* feat: Add expectations configuration and cleanup .gitignore for log files

* feat: Implement theme selection and enhance settings panel for triage sync

* feat: Suppress false positives for strcpy calls with literal sources in AST

* feat: Update analyse_function_ssa to return body CFG for accurate analysis

* feat: Add bug report and feature request templates for improved issue tracking

* feat: removed dev scripts

* feat: update README.md for clarity and consistency in fixture descriptions

* feat: removed dev docs

* feat: clean up error handling and UI elements for improved user experience

* feat: adjust button sizes in HeaderBar for better UI consistency

* feat: enhance taint analysis with additional context for sanitizer and taint findings

* cargo fmt

* prettier

* refactor: simplify conditional checks and improve code readability in AST and screenshot capture scripts

* feat: add script to frame PNG screenshots with brand gradient

* feat: add fuzzing support with new targets and CI workflows

* refactor: streamline match expressions and improve formatting in CLI and output handling

* feat: enhance configuration display with detailed output options

* feat: stage demo configuration for improved CLI screenshot output

* feat: expose merge_configs function for user-configurable settings

* refactor: simplify code structure and improve readability in config handling

* refactor: improve descriptions for vulnerability patterns in various languages

* feat: update MIT License section with additional usage details and copyright information

* feat: update screenshots

* refactor: update build process and paths for frontend assets

* feat: add cross-file taint fuzzing target and supporting dictionary

* refactor: clean up formatting and comments in fuzz configuration and example files

* refactor: remove outdated comments and clean up CI configuration files

* chore: update changelog dates and improve formatting in documentation

* refactor: update Cargo.toml and CI configuration for improved packaging and build process

* refactor: enhance quote-stripping logic to prevent panics and add regression tests

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-29 00:58:38 -04:00 committed by GitHub
parent 79c29b394d
commit 82f18184b1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
348 changed files with 48731 additions and 2925 deletions
Download patch file Download diff file Expand all files Collapse all files

65
.github/workflows/ci.yml vendored
View file

@ -50,6 +50,10 @@ jobs:
working-directory: frontend
run: npm test
- name: Frontend build
working-directory: frontend
run: npm run build
rustfmt:
name: rustfmt
runs-on: ubuntu-latest
@ -96,6 +100,14 @@ jobs:
- name: License & advisory checks
run: cargo deny check advisories licenses bans sources
unused-deps:
name: unused-deps
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: bnjbvr/cargo-machete@v0.9.2
third-party-licenses:
name: third-party-licenses
runs-on: ubuntu-latest
@ -155,6 +167,20 @@ jobs:
- name: Beta compile compatibility check
run: cargo check --all-features --tests
msrv:
name: msrv
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: "1.88"
cache: true
- name: Compile check at MSRV
run: cargo check --all-features --tests
rust-stable-test:
name: rust-stable-test
runs-on: ubuntu-latest
@ -210,10 +236,44 @@ jobs:
- name: Rust tests (beta)
run: cargo nextest run --all-features
cargo-package:
name: cargo-package
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 20
cache: npm
cache-dependency-path: frontend/package-lock.json
- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: stable
cache: true
- name: Build frontend
working-directory: frontend
run: |
npm ci
npm run build
- name: Verify dist embedded in package
run: |
for f in src/server/assets/dist/index.html src/server/assets/dist/app.js src/server/assets/dist/style.css src/server/assets/favicon.svg default-nyx.conf build.rs; do
if ! cargo package --list --allow-dirty | grep -qx "$f"; then
echo "::error::missing from cargo package: $f"
exit 1
fi
done
- name: cargo package (verify build)
run: cargo package --allow-dirty
benchmark-gate:
name: benchmark-gate
runs-on: ubuntu-latest
timeout-minutes: 25
steps:
- uses: actions/checkout@v6
@ -223,6 +283,9 @@ jobs:
cache: true
cache-key: benchmark-gate-release
- name: Build benchmark + perf test binaries
run: cargo test --release --all-features --test benchmark_test --test perf_tests --no-run
- name: Accuracy regression gate (P/R/F1)
run: cargo test --release --all-features --test benchmark_test -- --ignored --nocapture benchmark_evaluation

2
.github/workflows/codeql.yml vendored
View file

@ -6,7 +6,7 @@ on:
pull_request:
branches: ["master"]
schedule:
- cron: "28 20 * * 2"
- cron: "0 9 * * 2"
jobs:
analyze:

30
.github/workflows/dependabot-auto-merge.yml vendored Normal file
View file

@ -0,0 +1,30 @@
name: Dependabot auto-merge
on: pull_request
permissions:
contents: write
pull-requests: write
jobs:
auto-merge:
runs-on: ubuntu-latest
# Skip fork PRs entirely (the merge would fail anyway, but no need to run).
if: >-
github.event.pull_request.user.login == 'dependabot[bot]' &&
github.event.pull_request.head.repo.full_name == github.repository
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v3
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge for patch and minor updates
if: >-
steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
steps.metadata.outputs.update-type == 'version-update:semver-minor'
run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

8
.github/workflows/docs.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
- name: Cache mdbook
id: cache-mdbook
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.cargo/bin/mdbook
key: mdbook-0.5.2-${{ runner.os }}
@ -36,15 +36,13 @@ jobs:
if: steps.cache-mdbook.outputs.cache-hit != 'true'
run: cargo install mdbook --version 0.5.2 --locked
# mdbook follows the committed docs/assets symlink (→ ../assets) so
# image references in docs resolve both in `mdbook serve` and in CI.
- name: Build
run: mdbook build
- name: Upload artifact
uses: actions/upload-pages-artifact@v4
uses: actions/upload-pages-artifact@v5
with:
path: book
- name: Deploy to GitHub Pages
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@v5

148
.github/workflows/fuzz.yml vendored Normal file
View file

@ -0,0 +1,148 @@
name: Fuzz
on:
pull_request:
branches: ["master"]
paths:
- "src/**"
- "fuzz/**"
- "Cargo.toml"
- "Cargo.lock"
- ".github/workflows/fuzz.yml"
schedule:
# Long-form weekly run, Sundays at 06:00 UTC.
- cron: "0 6 * * 0"
workflow_dispatch:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
fuzz:
name: fuzz-${{ matrix.target }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target: [scan_bytes, extract_summaries, cross_file_taint]
steps:
- uses: actions/checkout@v6
# cargo-fuzz needs nightly for the libFuzzer codegen flags.
- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: nightly
cache: true
cache-workspaces: |
.
fuzz
- uses: taiki-e/install-action@v2
with:
tool: cargo-fuzz
- uses: actions/setup-node@v6
with:
node-version: 20
cache: npm
cache-dependency-path: frontend/package-lock.json
- name: Build frontend
working-directory: frontend
run: |
npm ci
npm run build
- name: Restore fuzz corpus
uses: actions/cache@v5
with:
path: fuzz/corpus/${{ matrix.target }}
key: fuzz-corpus-${{ matrix.target }}-${{ github.sha }}
restore-keys: |
fuzz-corpus-${{ matrix.target }}-
# The harness reads inputs as <lang_idx_byte><source>, so we prefix
# each seed with its language index here at stage time. Files in
# fuzz/seed_corpus/ are committed as plain source without the byte
# because some IDEs strip 0x00 on save.
- name: Layer seed corpus
run: |
set -euo pipefail
target=${{ matrix.target }}
dest="fuzz/corpus/$target"
mkdir -p "$dest"
ext_to_idx() {
case "$1" in
rs) echo 0 ;;
js) echo 1 ;;
ts) echo 2 ;;
py) echo 3 ;;
go) echo 4 ;;
java) echo 5 ;;
rb) echo 6 ;;
php) echo 7 ;;
c) echo 8 ;;
cpp) echo 9 ;;
*) return 1 ;;
esac
}
stage() {
src="$1"
ext="${src##*.}"
idx=$(ext_to_idx "$ext") || return 0
hash=$(sha256sum "$src" | cut -c1-16)
out="$dest/seed-${ext}-${hash}"
[ -e "$out" ] && return 0
printf '%b' "$(printf '\\%03o' "$idx")" > "$out"
cat "$src" >> "$out"
}
for f in benches/fixtures/sample.*; do
[ -e "$f" ] && stage "$f"
done
while IFS= read -r f; do
stage "$f"
done < <(find tests/benchmark/corpus -type f \( \
-name '*.rs' -o -name '*.js' -o -name '*.ts' \
-o -name '*.py' -o -name '*.go' -o -name '*.java' \
-o -name '*.rb' -o -name '*.php' -o -name '*.c' \
-o -name '*.cpp' \))
if [ -d "fuzz/seed_corpus/$target" ]; then
while IFS= read -r f; do
stage "$f"
done < <(find "fuzz/seed_corpus/$target" -type f \( \
-name '*.rs' -o -name '*.js' -o -name '*.ts' \
-o -name '*.py' -o -name '*.go' -o -name '*.java' \
-o -name '*.rb' -o -name '*.php' -o -name '*.c' \
-o -name '*.cpp' \))
fi
echo "Corpus dir: $(ls "$dest" | wc -l) files"
- name: Choose fuzz duration
id: budget
run: |
if [ "${{ github.event_name }}" = "schedule" ] || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
echo "seconds=18000" >> "$GITHUB_OUTPUT"
else
echo "seconds=600" >> "$GITHUB_OUTPUT"
fi
- name: Run fuzz target
run: |
cargo fuzz run --target x86_64-unknown-linux-gnu ${{ matrix.target }} -- \
-max_total_time=${{ steps.budget.outputs.seconds }} \
-max_len=65536 \
-timeout=60 \
-dict=fuzz/dict/all.dict
- name: Upload crash artifacts
if: failure()
uses: actions/upload-artifact@v7
with:
name: fuzz-artifacts-${{ matrix.target }}-${{ github.run_id }}
path: fuzz/artifacts/${{ matrix.target }}/
if-no-files-found: ignore
retention-days: 14

130
.github/workflows/release-build.yml vendored
View file

@ -11,7 +11,37 @@ env:
BIN_NAME: nyx
jobs:
frontend:
name: build-frontend
runs-on: ubuntu-latest
steps:
- name: Check out sources
uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 20
cache: npm
cache-dependency-path: frontend/package-lock.json
- name: Install frontend dependencies
working-directory: frontend
run: npm ci
- name: Build frontend
working-directory: frontend
run: npm run build
- name: Upload frontend dist
uses: actions/upload-artifact@v7
with:
name: frontend-dist
path: src/server/assets/dist/
if-no-files-found: error
retention-days: 1
build:
needs: frontend
strategy:
matrix:
include:
@ -31,6 +61,12 @@ jobs:
- name: Check out sources
uses: actions/checkout@v6
- name: Download prebuilt frontend dist
uses: actions/download-artifact@v8
with:
name: frontend-dist
path: src/server/assets/dist/
- name: Install Rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
@ -52,12 +88,6 @@ jobs:
- name: Build
run: cargo build --release --bin ${{ env.BIN_NAME }} --target ${{ matrix.target }}
# THIRDPARTY-LICENSES.html is committed at the repo root and kept in
# sync with the dependency graph by the `third-party-licenses` CI
# job. Release builds ship the committed copy directly — no
# regeneration (and no per-runner cargo-about install) on the
# release hot path.
- name: Package (Linux & macOS)
if: runner.os != 'Windows'
shell: bash
@ -83,7 +113,6 @@ jobs:
New-Item -ItemType Directory -Path dist -Force | Out-Null
$Archive = "$Bin-$Target.zip"
# PowerShells native ZIP
Compress-Archive `
-Path $BinPath, 'THIRDPARTY-LICENSES.html', 'LICENSE*', 'COPYING*' `
-DestinationPath "dist/$Archive" `
@ -100,18 +129,20 @@ jobs:
retention-days: 1
reproducibility:
# Supply-chain smoke test: build the release binary twice with pinned
# SOURCE_DATE_EPOCH and path remapping, then diff the SHA256 hashes.
# Gates `publish` so non-reproducible builds cannot ship. Scoped to
# x86_64-linux — the most tractable target for byte-for-byte
# determinism; failures on other targets would be investigated
# separately.
name: reproducibility-check
needs: frontend
runs-on: ubuntu-latest
continue-on-error: true
steps:
- name: Check out sources
uses: actions/checkout@v6
- name: Download prebuilt frontend dist
uses: actions/download-artifact@v8
with:
name: frontend-dist
path: src/server/assets/dist/
- name: Install Rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
@ -151,28 +182,17 @@ jobs:
echo "::notice::Reproducible build verified (sha256=$HASH1)"
publish:
# Collect all matrix build outputs, generate a single SHA256SUMS file,
# then push everything to the GitHub release in one shot. Doing this
# centrally (rather than per-matrix job) is the only way to produce a
# checksum file that covers every published artifact.
name: publish-release
runs-on: ubuntu-latest
needs: [build, reproducibility]
needs: [build]
permissions:
contents: write
id-token: write
attestations: write
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
steps:
- name: Check out sources
uses: actions/checkout@v6
# Generate the SBOM from the source tree BEFORE downloading
# artifacts. Syft scans `path: .` recursively; if release-artifacts/
# exists at scan time, it would walk into the zipped binaries and
# produce a polluted manifest.
- name: Generate CycloneDX SBOM
uses: anchore/sbom-action@v0
with:
@ -197,36 +217,35 @@ jobs:
sha256sum *.zip > SHA256SUMS
cat SHA256SUMS
- name: Import GPG signing key
if: env.GPG_PRIVATE_KEY != ''
# Sigstore keyless signing. Verify with:
# cosign verify-blob --certificate <file>.pem \
# --signature <file>.sig \
# --certificate-identity-regexp 'https://github.com/elicpeter/nyx/.*' \
# --certificate-oidc-issuer https://token.actions.githubusercontent.com \
# <file>
- name: Install cosign
uses: sigstore/cosign-installer@v4.1.1
- name: Cosign keyless sign release artifacts
shell: bash
run: |
set -euo pipefail
printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
gpg --list-secret-keys --keyid-format=long
SBOM="nyx-${{ github.event.release.tag_name }}.cdx.json"
(
cd release-artifacts
for f in *.zip SHA256SUMS; do
cosign sign-blob --yes \
--output-signature "$f.sig" \
--output-certificate "$f.pem" \
"$f"
done
)
cosign sign-blob --yes \
--output-signature "$SBOM.sig" \
--output-certificate "$SBOM.pem" \
"$SBOM"
- name: Sign SHA256SUMS
if: env.GPG_PRIVATE_KEY != ''
run: |
set -euo pipefail
cd release-artifacts
if [ -n "${GPG_PASSPHRASE:-}" ]; then
printf '%s' "$GPG_PASSPHRASE" \
| gpg --batch --yes --pinentry-mode loopback \
--passphrase-fd 0 --armor --detach-sign SHA256SUMS
else
gpg --batch --yes --armor --detach-sign SHA256SUMS
fi
ls -l SHA256SUMS.asc
- name: Warn if GPG signing was skipped
if: env.GPG_PRIVATE_KEY == ''
run: |
echo "::warning::GPG_PRIVATE_KEY secret not configured; SHA256SUMS will ship unsigned. Add GPG_PRIVATE_KEY (ASCII-armored) and optional GPG_PASSPHRASE to repository secrets to enable signed checksums."
# SLSA v1 build provenance: signed attestation that these exact
# bytes were produced by this workflow run from this commit.
# Attestations are stored in the GitHub attestations API and can
# be verified with `gh attestation verify <file> --repo <repo>`.
# SLSA v1 provenance. Verify with `gh attestation verify <file> --repo <repo>`.
- name: Generate SLSA build provenance
uses: actions/attest-build-provenance@v4
with:
@ -240,8 +259,13 @@ jobs:
with:
files: |
release-artifacts/*.zip
release-artifacts/*.zip.sig
release-artifacts/*.zip.pem
release-artifacts/SHA256SUMS
release-artifacts/SHA256SUMS.asc
release-artifacts/SHA256SUMS.sig
release-artifacts/SHA256SUMS.pem
nyx-${{ github.event.release.tag_name }}.cdx.json
nyx-${{ github.event.release.tag_name }}.cdx.json.sig
nyx-${{ github.event.release.tag_name }}.cdx.json.pem
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

45
.github/workflows/scorecard.yml vendored Normal file
View file

@ -0,0 +1,45 @@
name: OSSF Scorecard
on:
branch_protection_rule:
schedule:
- cron: "0 7 * * 1"
push:
branches: ["master"]
workflow_dispatch:
permissions: read-all
jobs:
analysis:
name: scorecard
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
contents: read
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@v2.4.3
with:
results_file: results.sarif
results_format: sarif
# Flip to true once we're happy with the score and want the badge.
publish_results: false
- name: Upload SARIF artifact
uses: actions/upload-artifact@v7
with:
name: scorecard-sarif
path: results.sarif
retention-days: 14
- name: Upload SARIF to Security tab
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: results.sarif