Switch read_to_string to read in scan.rs and simplify Python patterns

- Updated `scan.rs` to use `std::fs::read` for handling files as bytes instead of strings. - Simplified Python patterns by removing redundant or low-priority vulnerability checks.
2026-06-06 19:35:13 +02:00 · 2025-06-17 18:36:46 +02:00 · 2025-06-17 18:36:46 +02:00 · d7b8833ec6
commit d7b8833ec6
parent a2fc38f2c4
2 changed files with 5 additions and 22 deletions
--- a/src/commands/scan.rs
+++ b/src/commands/scan.rs
@ -129,7 +129,8 @@ pub(crate) fn run_rules_on_file(
    path: &Path,
    cfg: &Config,
 ) -> Result<Vec<Diag>, Box<dyn std::error::Error>> {
-    let source = std::fs::read_to_string(path)?;
+    let bytes = std::fs::read(path)?;
+
    let mut parser = Parser::new();

    let lang_key = match path
@ -153,7 +154,7 @@ pub(crate) fn run_rules_on_file(
    let (ts_lang, lang_name) = lang_key;

    parser.set_language(&ts_lang)?;
-    let tree = parser.parse(&source, None).ok_or("tree‑sitter failed")?;
+    let tree = parser.parse(&*bytes, None).ok_or("tree‑sitter failed")?;
    let root = tree.root_node();

    let compiled = query_cache::for_lang(lang_name, ts_lang);
@ -164,7 +165,7 @@ pub(crate) fn run_rules_on_file(
        if cfg.scanner.min_severity > cq.meta.severity {
            continue;
        }
-        let mut matches = cursor.matches(&cq.query, root, source.as_bytes());
+        let mut matches = cursor.matches(&cq.query, root, &*bytes);
        while let Some(m) = matches.next() {
            for cap in m.captures.iter().filter(|c| c.index == 0) {
                let point = cap.node.start_position();
--- a/src/patterns/python.rs
+++ b/src/patterns/python.rs
@ -13,28 +13,10 @@ pub const PATTERNS: &[Pattern] = &[
    query: "(call function: (identifier) @id (#eq? @id \"exec\")) @vuln",
    severity: Severity::High,
  },
-  Pattern {
-    id: "pickle_load",
-    description: "pickle.load / loads – unsafe deserialization",
-    query: "(call function: (attribute attribute: (identifier) @attr (#match? @attr \"load(s)?\") object: (identifier) @pkg (#eq? @pkg \"pickle\"))) @vuln",
-    severity: Severity::High,
-  },
  Pattern {
    id: "subprocess_shell_true",
    description: "subprocess.* with shell=True",
    query: "(call function: (attribute object: (identifier) @pkg (#eq? @pkg \"subprocess\")) arguments: (argument_list . (keyword_argument name: (identifier) @k (#eq? @k \"shell\")) (true) @val)) @vuln",
    severity: Severity::Medium,
-  },
-  Pattern {
-    id: "random_random",
-    description: "random.random() for security-sensitive randomness",
-    query: "(call function: (attribute attribute: (identifier) @attr (#eq? @attr \"random\") object: (identifier) @pkg (#eq? @pkg \"random\"))) @vuln",
-    severity: Severity::Low,
-  },
-  Pattern {
-    id: "sql_concat",
-    description: "SQL query built via f-string or +-concat",
-    query: "(call function: (attribute attribute: (identifier) @m (#match? @m \"execute|executemany\")) arguments: (argument_list (f_string) @fstr)) @vuln",
-    severity: Severity::Medium,
-  },
+  }
 ];