Python fp and docs updtes (#58)

* refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files
2026-06-27 20:29:39 +02:00 · 2026-04-29 19:53:34 -04:00 · 2026-04-29 19:53:34 -04:00 · a438886217
commit a438886217
parent 4db0805de6
291 changed files with 9485 additions and 3851 deletions
--- a/src/lib.rs
+++ b/src/lib.rs
@ -1,43 +1,14 @@
-//! # Nyx Scanner
+//! Multi-language static vulnerability scanner. Tree-sitter parsing, petgraph
+//! CFGs, SSA-based dataflow, and cross-file taint analysis with a
+//! capability-based sanitizer system. Supports Rust, C, C++, Java, Go, PHP,
+//! Python, Ruby, TypeScript, and JavaScript.
 //!
-//! A multi-language static vulnerability scanner. Nyx parses source files with
-//! [tree-sitter](https://tree-sitter.github.io/), builds intra-procedural
-//! control-flow graphs ([petgraph](https://docs.rs/petgraph)), and runs
-//! cross-file taint analysis with a capability-based sanitizer system.
-//!
-//! ## Architecture
-//!
-//! Nyx uses a **two-pass architecture**:
-//!
-//! 1. **Pass 1 — Summary extraction**: Parse each file, build a CFG per function,
-//!    and export a [`summary::FuncSummary`] capturing source/sanitizer/sink capabilities,
-//!    taint propagation behavior, and callee lists. Summaries are persisted to SQLite.
-//!
-//! 2. **Pass 2 — Analysis**: Load all summaries into a [`summary::GlobalSummaries`] map,
-//!    re-parse files, and run taint analysis with cross-file callee resolution. CFG
-//!    structural analysis checks for auth gaps, unguarded sinks, and resource leaks.
-//!
-//! ## Four Detector Families
-//!
-//! - **Taint** ([`taint`]) — Monotone forward dataflow tracking source-to-sink flows
-//! - **CFG Structural** ([`cfg_analysis`]) — Dominator-based guard and auth-gap detection
-//! - **State Model** ([`state`]) — Resource lifecycle and authentication state lattices
-//! - **AST Patterns** ([`patterns`]) — Tree-sitter structural queries per language
-//!
-//! ## Supported Languages
-//!
-//! Rust, C, C++, Java, Go, PHP, Python, Ruby, TypeScript, JavaScript.
-//!
-//! ## Entry Points
-//!
-//! - [`scan_no_index`] — Run a two-pass scan without indexing (for tests)
-//! - [`commands::scan::scan_filesystem`] — Filesystem scan with optional indexing
-//! - [`commands::scan::scan_with_index_parallel`] — Index-backed parallel scan
-//!
-//! ## Documentation
-//!
-//! See the [`docs/`](https://github.com/elicpeter/nyx/tree/master/docs) directory
-//! for user and contributor documentation.
+//! The handbook below is embedded verbatim from
+//! [`docs/how-it-works.md`](https://github.com/elicpeter/nyx/blob/master/docs/how-it-works.md).
+//! Per-detector documentation lives on the [`taint`], [`cfg_analysis`],
+//! [`state`], [`patterns`], and [`auth_analysis`] modules. The primary
+//! library entry point for tests and embedders is [`scan_no_index`].
+#![doc = include_str!(concat!(env!("OUT_DIR"), "/lib_intro.md"))]

 pub mod abstract_interp;
 pub mod ast;