mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
Rule Reference
This section lists every detection rule in Nyx, organized by language.
Rule ID Format
| Prefix | Detector Family | Example |
|---|---|---|
| `taint-*` | Taint analysis | `taint-unsanitised-flow (source 5:11)` |
| `cfg-*` | CFG structural | `cfg-unguarded-sink`, `cfg-auth-gap` |
| `state-*` | State model | `state-use-after-close`, `state-resource-leak` |
| `<lang>.*.*` | AST patterns | `rs.memory.transmute`, `js.code_exec.eval` |
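The naming scheme above is regular enough to parse, which is handy when post-processing Nyx output (for example, bucketing findings by detector family). The following is an added example written for this page, not Nyx's own code; it assumes that AST pattern ids always have exactly three dot-separated segments and that the `(source L:C)` suffix has the exact shape shown in the table.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Prefix -> detector family, taken from the Rule ID Format table.
FAMILIES = {"taint": "Taint analysis", "cfg": "CFG structural", "state": "State model"}

# A rule id, optionally followed by the "(source L:C)" suffix taint findings carry.
_RULE_RE = re.compile(r"^(?P<id>\S+)(?:\s+\(source\s+(?P<line>\d+):(?P<col>\d+)\))?$")

@dataclass(frozen=True)
class RuleId:
    ident: str
    family: str
    language: Optional[str]     # set only for <lang>.*.* AST pattern rules
    source_line: Optional[int]  # set only when a (source L:C) suffix is present
    source_col: Optional[int]

def parse_rule_id(text: str) -> RuleId:
    """Classify one rule id by family; raises ValueError on anything unrecognised.

    Assumption (not stated on the page): AST pattern ids always have exactly
    three dot-separated segments, <lang>.<category>.<name>.
    """
    m = _RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed rule id: {text!r}")
    ident = m.group("id")
    prefix, sep, _ = ident.partition("-")
    if sep and prefix in FAMILIES:
        family, language = FAMILIES[prefix], None
    elif ident.count(".") == 2 and all(ident.split(".")):
        family, language = "AST patterns", ident.split(".")[0]
    else:
        raise ValueError(f"unknown rule family: {ident!r}")
    line = int(m.group("line")) if m.group("line") else None
    col = int(m.group("col")) if m.group("col") else None
    return RuleId(ident, family, language, line, col)

def group_by_family(texts: list) -> dict:
    """Bucket raw rule ids by detector family, e.g. for a rollup summary."""
    groups: dict = {}
    for t in texts:
        r = parse_rule_id(t)
        groups.setdefault(r.family, []).append(r.ident)
    return groups
```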
Cross-Language Rules
These rules apply to all supported languages:
Taint Rules
| Rule ID | Severity | Description |
|---|---|---|
| `taint-unsanitised-flow (source L:C)` | Varies by source kind | Unsanitized data flows from source to sink |
CFG Structural Rules
| Rule ID | Severity | Description |
|---|---|---|
| `cfg-unguarded-sink` | High/Medium | Sink without dominating guard |
| `cfg-auth-gap` | High | Web handler reaches privileged sink without auth |
| `cfg-unreachable-sink` | Medium | Dangerous function in unreachable code |
| `cfg-unreachable-sanitizer` | Low | Sanitizer in unreachable code |
| `cfg-unreachable-source` | Low | Source in unreachable code |
| `cfg-error-fallthrough` | High/Medium | Error path doesn't terminate before dangerous code |
| `cfg-resource-leak` | Medium | Resource not released on all exit paths |
| `cfg-lock-not-released` | Medium | Lock not released on all exit paths |
State Model Rules
| Rule ID | Severity | Description |
|---|---|---|
| `state-use-after-close` | High | Variable used after being closed |
| `state-double-close` | Medium | Resource closed twice |
| `state-resource-leak` | Medium | Resource never closed (definite) |
| `state-resource-leak-possible` | Low | Resource may not close on all paths |
| `state-unauthed-access` | High | Privileged operation without authentication |
Per-Language AST Pattern Rules
Each language page lists all AST pattern rules with examples:
- Rust — 12 rules (memory safety, code quality)
- C — 8 rules (banned functions, command execution, format strings)
- C++ — 9 rules (banned functions, dangerous casts, command execution)
- Java — 8 rules (deserialization, command execution, reflection, SQL, crypto, XSS)
- Go — 8 rules (command execution, unsafe pointer, TLS, crypto, SQL, secrets, deserialization)
- JavaScript — 12 rules (code execution, XSS, prototype pollution, crypto, transport)
- TypeScript — 10 rules (mirrors JS + type-safety escapes)
- Python — 12 rules (code execution, command execution, deserialization, SQL, crypto, XSS)
- PHP — 11 rules (code execution, command execution, deserialization, SQL, path traversal, crypto)
- Ruby — 10 rules (code execution, command execution, deserialization, reflection, SSRF, crypto)
Taint Label Coverage
Taint analysis uses language-specific source/sink/sanitizer labels. Coverage varies by language:
| Language | Sources | Sinks | Sanitizers | Coverage |
|---|---|---|---|---|
| Rust | Complete | Complete | Complete | Full |
| JavaScript | Complete | Complete | Partial | Full |
| TypeScript | Partial | Partial | Partial | Moderate |
| Python | Partial | Complete | Partial | Moderate |
| C | Partial | Complete | Minimal | Moderate |
| C++ | Partial | Complete | Minimal | Moderate |
| Java | Partial | Partial | Partial | Moderate |
| Go | Complete | Complete | Partial | Full |
| PHP | Complete | Complete | Partial | Full |
| Ruby | Partial | Partial | Partial | Moderate |
"Starter" coverage means basic rules exist but many common library functions are not yet labeled. Contributions welcome.