refactor(#38): merge the yaml-runtime into the analysis framework

analysis/language.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	sitter "github.com/smacker/go-tree-sitter"
 
@@ -83,6 +84,66 @@ const (
 	LangSwift
 )
 
+func DecodeLanguage(language string) Language {
+	language = strings.ToLower(language)
+	switch language {
+	case "javascript", "js":
+		return LangJs
+	case "typescript", "ts":
+		return LangTs
+	case "jsx", "tsx":
+		return LangTsx
+	case "python", "py":
+		return LangPy
+	case "ocaml", "ml":
+		return LangOCaml
+	case "docker", "dockerfile":
+		return LangDockerfile
+	case "java":
+		return LangJava
+	case "kotlin", "kt":
+		return LangKotlin
+	case "rust", "rs":
+		return LangRust
+	case "ruby", "rb":
+		return LangRuby
+	case "lua":
+		return LangLua
+	case "yaml", "yml":
+		return LangYaml
+	case "sql":
+		return LangSql
+	case "css", "css3":
+		return LangCss
+	case "markdown", "md":
+		return LangMarkdown
+	case "sh", "bash":
+		return LangBash
+	case "csharp", "cs":
+		return LangCsharp
+	case "elixir", "ex":
+		return LangElixir
+	case "elm":
+		return LangElm
+	case "go":
+		return LangGo
+	case "groovy":
+		return LangGroovy
+	case "hcl", "tf":
+		return LangHcl
+	case "html":
+		return LangHtml
+	case "php":
+		return LangPhp
+	case "scala":
+		return LangScala
+	case "swift":
+		return LangSwift
+	default:
+		return LangUnknown
+	}
+}
+
 // tsGrammarForLang returns the tree-sitter grammar for the given language.
 // May return `nil` when `lang` is `LangUnkown`.
 func (lang Language) Grammar() *sitter.Language {
@@ -169,7 +230,7 @@ func LanguageFromFilePath(path string) Language {
 		return LangYaml
 	case ".css":
 		return LangCss
-	case ".dockerfile":
+	case ".dockerfile", ".Dockerfile":
 		return LangDockerfile
 	case ".md":
 		return LangMarkdown

analysis/scope.go

@@ -147,9 +147,9 @@ func buildScopeTree(
 	if builder.NodeCreatesScope(node) {
 		nextScope = NewScope(scope)
 		scopeOfNode[node] = nextScope
-		scope.AstNode = node
 		if scope != nil {
 			scope.Children = append(scope.Children, nextScope)
+			scope.AstNode = node
 		} else {
 			scope = nextScope // root
 		}

analysis/testdata/mock-checker.yml

@@ -0,0 +1,11 @@
+language: javascript
+name: mock-checker
+message: "This is just a mock checker"
+category: style
+severity: info
+pattern: 
+  (call_expression) @mock-checker
+description: |
+  This is a mock checker.
+
+

analysis/testdata/mock-wrong-checker.yml

@@ -0,0 +1,10 @@
+language: javascript
+name: mock-checker
+category: style
+severity: info
+pattern: 
+  (call_expression) @mock-checker
+description: |
+  This is a mock checker.
+
+

analysis/testdata/node-filter-checker.yml

@@ -0,0 +1,9 @@
+language: javascript
+name: node-filter-checker
+message: "Variable @var found inside function"
+category: style
+severity: info
+pattern: (variable_declarator) @var @node-filter-checker
+filters:
+  - pattern-inside: (function_declaration)
+description: "Check for variables declared inside functions"

analysis/testdata/node-filter-test-checker.test.js

@@ -0,0 +1,10 @@
+console.log("Hello, world!");
+
+function foo(){
+    // <expect-error>
+    console.log("This should be detected");
+
+    /*
+    console.log("This Should not be detected");
+    */
+}

analysis/testdata/node-filter-test-checker.yml

@@ -0,0 +1,15 @@
+language: javascript
+name: node-filter-test-checker
+message: "Variable @var found inside function"
+category: style
+severity: info
+pattern: >
+  (call_expression
+    function: (member_expression
+      object: (identifier) @obj
+      property: (property_identifier) @method
+      (#eq? @obj "console"))) @node-filter-test-checker
+filters:
+  - pattern-inside: (function_declaration)
+  - pattern-not-inside: (comment)
+description: "Check for variables declared inside functions"

analysis/testdata/yaml_tests/fail/test_fail.test.js

@@ -0,0 +1,4 @@
+log();
+
+
+

analysis/testdata/yaml_tests/fail/test_fail.yml

@@ -0,0 +1,11 @@
+language: javascript
+name: test_fail
+message: "Checker test_fail"
+category: style
+severity: info
+pattern: >
+  (call_expression
+    function: (identifier) @func
+    (#eq? @func "log")
+    arguments: (arguments))@test_fail
+description: "Test checker test_fail"

analysis/testdata/yaml_tests/fail/test_fail_again.test.js

@@ -0,0 +1,3 @@
+alert();
+
+// <expect-error> alert in production

analysis/testdata/yaml_tests/fail/test_fail_again.yml

@@ -0,0 +1,11 @@
+language: javascript
+name: test_fail_again
+message: "Checker test_fail"
+category: style
+severity: info
+pattern: >
+  (call_expression
+    function: (identifier) @func
+    (#eq? @func "alert")
+    arguments: (arguments))@test_fail_again
+description: "Test checker test_fail"

analysis/testdata/yaml_tests/pass/yaml_test.test.js

@@ -0,0 +1,2 @@
+// <expect-error> checking for errors
+let a = 1;

analysis/testdata/yaml_tests/pass/yaml_test.yml

@@ -0,0 +1,8 @@
+language: javascript
+name: yaml_test
+message: "Checker yaml_test"
+category: style
+severity: info
+pattern: >
+  (lexical_declaration) @yaml_test
+description: "Test checker yaml_test"

analysis/testdata/yaml_tests/path_filters/malformed_path.yml

@@ -0,0 +1,24 @@
+language: java
+name: malformed_path
+message: "Testing"
+category: security
+severity: critical
+
+pattern: >
+  (method_invocation
+    object: (identifier) @cipherClass
+    name: (identifier) @instanceMethod
+    arguments: (argument_list
+      (string_literal
+        (string_fragment) @str))
+    (#match? @str ".*CBC.*PKCS5Padding")
+    (#eq? @cipherClass "Cipher")
+    (#eq? @instanceMethod "getInstance")) @cbc-padding-oracle
+
+
+exclude:
+  - "file[.js"
+
+description: >
+  test
+

analysis/testdata/yaml_tests/path_filters/malformed_path_include.yml

@@ -0,0 +1,24 @@
+language: java
+name: malformed_path_include
+message: "Testing"
+category: security
+severity: critical
+
+pattern: >
+  (method_invocation
+    object: (identifier) @cipherClass
+    name: (identifier) @instanceMethod
+    arguments: (argument_list
+      (string_literal
+        (string_fragment) @str))
+    (#match? @str ".*CBC.*PKCS5Padding")
+    (#eq? @cipherClass "Cipher")
+    (#eq? @instanceMethod "getInstance")) @cbc-padding-oracle
+
+
+include:
+  - "file[.js"
+
+description: >
+  test
+

analysis/testdata/yaml_tests/path_filters/valid_path.yml

@@ -0,0 +1,29 @@
+language: java
+name: cbc-padding-oracle
+message: "Using CBC mode with PKCS5Padding can cause padding oracle attacks"
+category: security
+severity: critical
+
+pattern: >
+  (method_invocation
+    object: (identifier) @cipherClass
+    name: (identifier) @instanceMethod
+    arguments: (argument_list
+      (string_literal
+        (string_fragment) @str))
+    (#match? @str ".*CBC.*PKCS5Padding")
+    (#eq? @cipherClass "Cipher")
+    (#eq? @instanceMethod "getInstance")) @cbc-padding-oracle
+
+
+exclude:
+  - "tests/**"
+  - "vendor/**"
+  - "**/Test_*.java"
+  - "**/*Test.java"
+
+include:
+  - "*.java"
+
+description: >
+  Java applications using CBC mode with PKCS5Padding for encryption are vulnerable to padding oracle attacks, where attackers can distinguish between valid and invalid padding to potentially decrypt sensitive data without knowing the encryption key. This vulnerability is compounded by CBC mode's lack of built-in integrity checks. The recommended approach is using AES/GCM/NoPadding instead, which provides both confidentiality and integrity protection through authenticated encryption.

analysis/testdata/yaml_tests/patterns/invalid-patterns.yml

@@ -0,0 +1,11 @@
+language: javascript
+name: invalid-pattern
+message: "Checking precense of invalid patterns" 
+category: style
+severity: info
+patterns:
+  - >
+    (call_expression)
+  - >
+    "hello"
+description: "Test checker invalid-pattern"

analysis/testdata/yaml_tests/patterns/multi-pattern.yml

@@ -0,0 +1,11 @@
+language: javascript
+name: multi-pattern
+message: "Checking precense of multiple patterns"
+category: style
+severity: info
+patterns:
+  - >
+    (call_expression)
+  - >
+    (function_declaration)
+description: "Test checker no-pattern"

analysis/testdata/yaml_tests/patterns/no-pattern.yml

@@ -0,0 +1,7 @@
+language: javascript
+name: no-pattern
+message: "Checking absence of Patterns"
+category: style
+severity: info
+pattern: 
+description: "Test checker no-pattern"

analysis/testdata/yaml_tests/patterns/single-multiple.yml

@@ -0,0 +1,12 @@
+language: javascript
+name: single-multiple
+message: "Checking precense of multiple patterns and single pattern"
+category: style
+severity: info
+pattern: (call_expression)
+patterns:
+  - >
+    (call_expression)
+  - >
+    (function_declaration)
+description: "Test checker no-pattern"

analysis/testdata/yaml_tests/patterns/wrong-pattern.yml

@@ -0,0 +1,7 @@
+language: javascript
+name: wrong-pattern
+message: "Checking wrong pattern presence"
+category: style
+severity: info
+pattern: "hello world"
+description: "Test checker no-pattern"