mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
1bbe4b1cfb
* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
66 lines
1.8 KiB
Markdown
66 lines
1.8 KiB
Markdown
# C++ Rules
|
|
|
|
C++ rules inherit C banned-function concerns and add C++-specific patterns like dangerous casts.
|
|
|
|
## Taint Labels
|
|
|
|
C++ shares taint labels with C. See [C Rules](c.md) for the full source/sink/sanitizer listing.
|
|
|
|
---
|
|
|
|
## AST Pattern Rules
|
|
|
|
### Memory Safety
|
|
|
|
| Rule ID | Severity | Tier | Description |
|
|
|---------|----------|------|-------------|
|
|
| `cpp.memory.gets` | High | A | `gets()` — no bounds checking, always exploitable |
|
|
| `cpp.memory.strcpy` | High | A | `strcpy()` — no bounds checking on destination |
|
|
| `cpp.memory.strcat` | High | A | `strcat()` — no bounds checking on destination |
|
|
| `cpp.memory.sprintf` | High | A | `sprintf()` — no length limit on output |
|
|
| `cpp.memory.reinterpret_cast` | Medium | A | `reinterpret_cast` — type-punning cast |
|
|
| `cpp.memory.const_cast` | Medium | A | `const_cast` — removes const/volatile qualifier |
|
|
| `cpp.memory.printf_no_fmt` | High | B | `printf(var)` — format-string vulnerability |
|
|
|
|
### Command Execution
|
|
|
|
| Rule ID | Severity | Tier | Description |
|
|
|---------|----------|------|-------------|
|
|
| `cpp.cmdi.system` | High | A | `system()` — shell command execution |
|
|
| `cpp.cmdi.popen` | High | A | `popen()` — shell command execution |
|
|
|
|
---
|
|
|
|
## Examples
|
|
|
|
### `cpp.memory.reinterpret_cast` — Type-punning cast
|
|
|
|
**Flagged:**
|
|
```cpp
|
|
int x = 42;
|
|
float* fp = reinterpret_cast<float*>(&x); // Type-punning, may violate strict aliasing
|
|
```
|
|
|
|
**Safe alternative:**
|
|
```cpp
|
|
int x = 42;
|
|
float f;
|
|
std::memcpy(&f, &x, sizeof(f)); // Well-defined type punning
|
|
```
|
|
|
|
### `cpp.memory.const_cast` — Removing const
|
|
|
|
**Flagged:**
|
|
```cpp
|
|
void process(const std::string& s) {
|
|
char* p = const_cast<char*>(s.c_str()); // Removes const
|
|
p[0] = 'X'; // Undefined behavior
|
|
}
|
|
```
|
|
|
|
**Safe alternative:**
|
|
```cpp
|
|
void process(std::string s) { // Take by value
|
|
s[0] = 'X';
|
|
}
|
|
```
|