apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/docs/rules/cpp.md
Eli Peter 1bbe4b1cfb
Phase 1 (#33) 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2026-02-25 21:16:36 -05:00

1.8 KiB
Raw Blame History

C++ Rules

C++ rules inherit C banned-function concerns and add C++-specific patterns like dangerous casts.

Taint Labels

C++ shares taint labels with C. See C Rules for the full source/sink/sanitizer listing.

AST Pattern Rules

Memory Safety

Rule ID Severity Tier Description
cpp.memory.gets High A gets() — no bounds checking, always exploitable
cpp.memory.strcpy High A strcpy() — no bounds checking on destination
cpp.memory.strcat High A strcat() — no bounds checking on destination
cpp.memory.sprintf High A sprintf() — no length limit on output
cpp.memory.reinterpret_cast Medium A reinterpret_cast — type-punning cast
cpp.memory.const_cast Medium A const_cast — removes const/volatile qualifier
cpp.memory.printf_no_fmt High B printf(var) — format-string vulnerability

Command Execution

Rule ID Severity Tier Description
cpp.cmdi.system High A system() — shell command execution
cpp.cmdi.popen High A popen() — shell command execution

Examples

cpp.memory.reinterpret_cast — Type-punning cast

Flagged:

int x = 42;
float* fp = reinterpret_cast<float*>(&x);  // Type-punning, may violate strict aliasing

Safe alternative:

int x = 42;
float f;
std::memcpy(&f, &x, sizeof(f));  // Well-defined type punning

cpp.memory.const_cast — Removing const

Flagged:

void process(const std::string& s) {
    char* p = const_cast<char*>(s.c_str());  // Removes const
    p[0] = 'X';  // Undefined behavior
}

Safe alternative:

void process(std::string s) {  // Take by value
    s[0] = 'X';
}