mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
f96a89e7c1
* feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel>
178 lines
5.4 KiB
Rust
178 lines
5.4 KiB
Rust
mod common;
|
|
|
|
use common::{assert_no_findings, scan_fixture_dir, validate_expectations};
|
|
use nyx_scanner::utils::config::AnalysisMode;
|
|
use std::collections::HashSet;
|
|
use std::path::PathBuf;
|
|
|
|
fn fixture_path(name: &str) -> PathBuf {
|
|
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
|
|
.join("tests")
|
|
.join("fixtures")
|
|
.join(name)
|
|
}
|
|
|
|
// ── Per-fixture tests ──────────────────────────────────────────────────────
|
|
|
|
#[test]
|
|
fn rust_web_app() {
|
|
let dir = fixture_path("rust_web_app");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn express_app() {
|
|
let dir = fixture_path("express_app");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn flask_app() {
|
|
let dir = fixture_path("flask_app");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn go_server() {
|
|
let dir = fixture_path("go_server");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn c_utils() {
|
|
let dir = fixture_path("c_utils");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn java_service() {
|
|
let dir = fixture_path("java_service");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn mixed_project() {
|
|
let dir = fixture_path("mixed_project");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
// ── Cross-cutting tests ───────────────────────────────────────────────────
|
|
|
|
#[test]
|
|
fn ast_only_mode_excludes_taint() {
|
|
let dir = fixture_path("rust_web_app");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Ast);
|
|
|
|
assert_no_findings(&diags, "taint-");
|
|
assert_no_findings(&diags, "cfg-");
|
|
}
|
|
|
|
#[test]
|
|
fn taint_only_mode_excludes_ast() {
|
|
let dir = fixture_path("rust_web_app");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Taint);
|
|
|
|
// Taint mode should not produce AST-only pattern findings
|
|
assert_no_findings(&diags, "unwrap_call");
|
|
assert_no_findings(&diags, "expect_call");
|
|
}
|
|
|
|
#[test]
|
|
fn dedup_no_double_report() {
|
|
let dir = fixture_path("rust_web_app");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
|
|
// The same (path, line, col, rule_id) tuple should never appear twice.
|
|
// Different rule IDs at the same location are fine (e.g., taint + cfg-auth-gap).
|
|
let mut seen: HashSet<(String, usize, usize, String)> = HashSet::new();
|
|
let mut exact_dupes = Vec::new();
|
|
for d in &diags {
|
|
let key = (d.path.clone(), d.line, d.col, d.id.clone());
|
|
if !seen.insert(key) {
|
|
exact_dupes.push(format!("{}:{}:{} {}", d.path, d.line, d.col, d.id));
|
|
}
|
|
}
|
|
assert!(
|
|
exact_dupes.is_empty(),
|
|
"Exact duplicate findings (same location + rule ID) found ({}):\n {}",
|
|
exact_dupes.len(),
|
|
exact_dupes.join("\n ")
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn mixed_project_multi_language() {
|
|
let dir = fixture_path("mixed_project");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
|
|
// Findings should span at least 2 different file extensions
|
|
let extensions: HashSet<&str> = diags
|
|
.iter()
|
|
.filter_map(|d| {
|
|
std::path::Path::new(&d.path)
|
|
.extension()
|
|
.and_then(|e| e.to_str())
|
|
})
|
|
.collect();
|
|
|
|
assert!(
|
|
extensions.len() >= 2,
|
|
"Expected findings from >= 2 language file extensions, got: {:?}",
|
|
extensions
|
|
);
|
|
|
|
// Total findings >= 3 across languages
|
|
assert!(
|
|
diags.len() >= 3,
|
|
"Expected >= 3 total findings in mixed project, got {}",
|
|
diags.len()
|
|
);
|
|
}
|
|
|
|
// ── Binary smoke test ──────────────────────────────────────────────────────
|
|
|
|
#[test]
|
|
fn binary_json_output() {
|
|
let fixture = fixture_path("rust_web_app");
|
|
#[allow(deprecated)]
|
|
let cmd = assert_cmd::Command::cargo_bin("nyx")
|
|
.expect("nyx binary should exist")
|
|
.arg("scan")
|
|
.arg(fixture.to_str().unwrap())
|
|
.arg("--no-index")
|
|
.arg("--format")
|
|
.arg("json")
|
|
.output()
|
|
.expect("failed to execute nyx binary");
|
|
|
|
assert!(
|
|
cmd.status.success(),
|
|
"nyx scan exited with non-zero status: {:?}\nstderr: {}",
|
|
cmd.status,
|
|
String::from_utf8_lossy(&cmd.stderr)
|
|
);
|
|
|
|
let stdout = String::from_utf8_lossy(&cmd.stdout);
|
|
// Find the JSON array line in stdout (config notes and "Finished" surround it)
|
|
let json_start = stdout.find('[').expect("Expected JSON array in stdout");
|
|
let json_end = stdout[json_start..]
|
|
.find(']')
|
|
.expect("Expected closing bracket in JSON")
|
|
+ json_start
|
|
+ 1;
|
|
let json_str = &stdout[json_start..json_end];
|
|
let parsed: Vec<serde_json::Value> =
|
|
serde_json::from_str(json_str).expect("stdout should contain valid JSON array");
|
|
|
|
assert!(
|
|
!parsed.is_empty(),
|
|
"Expected at least 1 finding in JSON output"
|
|
);
|
|
}
|