nyx/default-nyx.conf
Eli Peter 3c21efba75
Added experimental control flow analysis and syntax classification for rust lang (#22)
* Introduce control flow graph (CFG) support:

- Added `cfg.rs` with CFG generation and analysis utilities.
- Integrated `petgraph` library for graph-based computations.
- Updated `ast.rs` to utilize CFG for function analysis.
- Modified `Cargo.toml` and `Cargo.lock` to include new dependencies.
- Improved static analysis with taint tracking through CFG paths.

* feat: enhance control flow analysis with taint tracking and node labeling

* feat: improve control flow graph with enhanced node handling and new tests

* Remove unnecessary reference marker in `byte_offset_to_point` comment.

* Remove unnecessary reference marker in `byte_offset_to_point` comment.

* Refactor `ast.rs` for performance and clarity; enhance `cfg.rs` with recursive CFG generation and improved classification logic for AST analysis.

* Refactor CFG and taint tracking logic:

- Enhanced `cfg.rs` with inline helper function `text_of` for cleaner UTF-8 handling in AST nodes.
- Expanded `labels.rs` rules with detailed `Sources`, `Sanitizers`, and `Sinks` for improved classification.
- Refined `push_node` to handle method call expressions with object-function pairing.
- Simplified code handling in trivia skipping and debug-only logic.

* Enhance `cfg.rs` with `first_call_ident` helper and improve identifier extraction logic in `push_node`.

* Add targeted CFG taint-tracking tests to enhance analysis coverage.

* Enhance CFG generation with loop expression handling and improve taint tracking logic. Add new sanitization example in `examples/sanitize/example.rs`.

* Update README with installation instructions for Cargo and GitHub releases.

* Expand taint-tracking with precise `def-use` computation and enhance `labels.rs` for detailed classification. Extend `examples/sanitize` with realistic scenarios demonstrating new rules.

* Refactor `labels.rs`:

- Removed redundant `LabelRule` entries for cleaner rule definitions.
- Adjusted matching logic to prioritize suffix and prefix matches effectively.

* Refactor `labels.rs`:

- Removed redundant `LabelRule` entries for cleaner rule definitions.
- Adjusted matching logic to prioritize suffix and prefix matches effectively.

* Add test for taint tracking with multiple sources in `cfg.rs`.

* Add `function_summaries` table and implement summary upsert/load methods. Refactor to handle summary storage and retrieval efficiently, with placeholder clean/drop logic.

* refactor: split `labels.rs` into modular structure with language-specific files

* refactor: split `labels.rs` into modular structure with language-specific files

* refactor: clean up SQL table definitions in `database.rs` for better readability

* refactor: simplify CFG structure by removing lifetime parameters and enhancing taint metadata handling

* refactor: update TODO comments in `cfg.rs` to clarify future enhancements for cap labels and function details

* refactor: remove redundant header from README.md for improved clarity

* feat: add PHF-based syntax classifiers and Kind enum for efficient syntax mapping across languages

* feat: introduce analysis modes for enhanced scanner configuration and diagnostics

* feat: define Kind enum for syntax classification in control flow analysis

* feat: bump version to 0.2.0-alpha and update CHANGELOG for new features and fixes

* refactor: clean up imports and formatting in AST and CFG modules for improved readability

* refactor: simplify function signatures and improve code readability in CFG and module files

* fix: correct rayon_thread_stack_size comment to reflect actual value of 8 MiB

* refactor: update string formatting in clean and project modules for consistency

* refactor: fix indentation in clean.rs for improved readability

---------

Co-authored-by: elipeter <eli.peter@es.fcm.travel>
2025-06-28 17:36:14 +02:00


# --------------------------------------------------------------------
# nyx Vulnerability Scanner — DEFAULT CONFIGURATION
#
# Copy this file to `nyx.local` in the same directory and override
# only the keys you need. Anything you omit inherits the defaults
# shown here.
# --------------------------------------------------------------------
## Scan scope: which paths are visited, which are skipped, and how deep
## the analysis goes.
[scanner]
## Analysis mode. `full` runs both the AST pattern matcher and the CFG
## taint analysis; `ast` or `cfg` presumably restricts the scan to that
## single pass.
## Possible values: full | ast | cfg
mode = "full"
## Minimum severity level to include in the report
## Possible values: Low | Medium | High | Critical
min_severity = "Low"
## Maximum file size to scan (MiB); null = unlimited
## NOTE(review): `null` is not a TOML 1.0 value — this file evidently relies
## on nyx's own config reader treating it as "unset"; a strict TOML tool
## will reject the line. With no cap, a single huge file can dominate scan
## time and memory; set a limit when scanning inputs you do not control.
max_file_size_mb = null
## File extensions to ignore completely (matched by name; content is
## presumably not sniffed, so a source file with one of these extensions
## is skipped — confirm against the walker)
excluded_extensions = [
"jpg", "png", "gif", "mp4", "avi", "mkv",
"zip", "tar", "gz", "exe", "dll", "so",
]
## Directories to ignore completely. Build outputs and vendored trees
## (`target`, `build`, `dist`, `node_modules`) are never examined, so
## nothing inside them can produce a finding.
excluded_directories = [
"node_modules", ".git", "target", ".vscode",
".idea", "build", "dist",
]
## Individual files to ignore completely
excluded_files = []
## Honour global ignore file (e.g. ~/.config/nyx/ignore)
read_global_ignore = false
## Honour .gitignore / .hgignore, etc.
## Caveat: these ignore files come from the tree being scanned, so whatever
## a checkout's own .gitignore lists is invisible to the scan. Set to false
## when reviewing a repository you do not control.
read_vcsignore = true
## Require a .git directory to read gitignore files
## (only meaningful while read_vcsignore = true)
require_git_to_read_vcsignore = true
## Limit search to the starting file system only (do not cross mount points)
one_file_system = false
## Follow symlinks when scanning. Keep false unless needed: a link can point
## outside the target tree, and a link cycle can make traversal loop.
follow_symlinks = false
## Scan hidden files (dot-files). Off by default, so dot-config files such
## as `.env` are not examined unless you enable this.
scan_hidden_files = false
## Persistent SQLite store used by the scanner.
[database]
## Where to store the SQLite database (empty = default path chosen by nyx;
## the default location is not stated here)
path = ""
## Number of days to keep database files; 0 = no cleanup (UNIMPLEMENTED —
## has no effect yet, so nothing is pruned automatically)
auto_cleanup_days = 30
## Maximum database size in MiB; 0 = no limit (UNIMPLEMENTED — not enforced
## yet, so the database can grow without bound)
max_db_size_mb = 1024
## Run VACUUM on startup (UNIMPLEMENTED — has no effect yet)
vacuum_on_startup = false
## Report rendering.
[output]
## Output format — only "console" exists for now
default_format = "console"
## Suppress all console output (UNIMPLEMENTED — output is still printed)
quiet = false
## Cap the number of issues shown; null = unlimited
## NOTE(review): `null` is not TOML 1.0 syntax; nyx's own config reader
## presumably treats it as "unset" — a strict TOML tool will reject it.
max_results = null
## Traversal depth, threading and resource limits.
[performance]
## Maximum search depth; null = unlimited (UNIMPLEMENTED — has no effect yet)
max_depth = null
## Minimum depth for reported entries; null = none (UNIMPLEMENTED — has no
## effect yet)
min_depth = null
## Stop traversing into matching directories
## (what "matching" refers to is not stated here — presumably the
## exclusion lists under [scanner]; confirm against the walker)
prune = false
## Worker threads; null or 0 = auto
worker_threads = null
## Number of entries to index in a single chunk
batch_size = 100
## Channel capacity multiplier (capacity = threads × this)
channel_multiplier = 4
## Maximum stack size for Rayon threads (bytes)
## NOTE(review): arithmetic in a value is not TOML syntax — a stock parser
## would reject `8 * 1024 * 1024`; this presumably relies on nyx's own
## config reader. The literal equivalent is 8388608.
rayon_thread_stack_size = 8 * 1024 * 1024 # 8 MiB
## Timeout on individual files (seconds); null = none (UNIMPLEMENTED —
## a pathological file can therefore occupy a worker indefinitely)
scan_timeout_secs = null
## Maximum memory to use in MiB; 0 = no limit (UNIMPLEMENTED — not enforced,
## so max_file_size_mb is the only size-related guard visible in this file)
memory_limit_mb = 512