Merge pull request #159 from syncable-dev/develop

Develop

Author: Alex793x

Cargo.toml

@@ -86,4 +86,4 @@ path = "examples/check_vulnerabilities.rs"
 
 [[example]]
 name = "security_analysis"
-path = "examples/security_analysis.rs"
+path = "examples/security_analysis.rs"

src/analyzer/frameworks/javascript.rs

@@ -84,7 +84,8 @@ impl FrameworkDetectionUtils {
                 let pattern_confidence = matches as f32 / total_patterns as f32;
                 // Use additive approach instead of multiplicative to avoid extremely low scores
                 // Base confidence provides a floor, pattern confidence provides the scaling
-                let final_confidence = (rule.confidence * pattern_confidence + base_confidence * 0.1).min(1.0);
+                // Cap dependency-based confidence at 0.95 to ensure file-based detection (1.0) takes precedence
+                let final_confidence = (rule.confidence * pattern_confidence + base_confidence * 0.1).min(0.95);
 
                 // Debug logging for Tanstack Start detection
                 if rule.name.contains("Tanstack") {
@@ -123,7 +124,9 @@ impl FrameworkDetectionUtils {
                 dependency.contains(&pattern.replace('*', ""))
             }
         } else {
-            dependency == pattern || dependency.contains(pattern)
+            // For dependency detection, use exact matching to avoid false positives
+            // Only match if the dependency is exactly the pattern or starts with the pattern followed by a version specifier
+            dependency == pattern || dependency.starts_with(&(pattern.to_string() + "@")) || dependency.starts_with(&(pattern.to_string() + "/"))
         }
     }
 

src/analyzer/frameworks/mod.rs

@@ -9,6 +9,7 @@ use log::{debug, info};
 pub struct ToolStatus {
     pub available: bool,
     pub path: Option<PathBuf>,
+    pub execution_path: Option<PathBuf>, // Path to use for execution
     pub version: Option<String>,
     pub installation_source: InstallationSource,
     pub last_checked: SystemTime,
@@ -162,6 +163,7 @@ impl ToolDetector {
         let not_found = ToolStatus {
             available: false,
             path: None,
+            execution_path: None,
             version: None,
             installation_source: InstallationSource::NotFound,
             last_checked: SystemTime::now(),
@@ -183,6 +185,7 @@ impl ToolDetector {
             return ToolStatus {
                 available: true,
                 path: Some(path),
+                execution_path: None, // Execute by name when in PATH
                 version,
                 installation_source: InstallationSource::SystemPath,
                 last_checked: SystemTime::now(),
@@ -204,7 +207,8 @@ impl ToolDetector {
                           tool_name, tool_path, version, source);
                     return ToolStatus {
                         available: true,
-                        path: Some(tool_path),
+                        path: Some(tool_path.clone()),
+                        execution_path: Some(tool_path), // Use full path for execution
                         version: Some(version),
                         installation_source: source,
                         last_checked: SystemTime::now(),
@@ -222,6 +226,7 @@ impl ToolDetector {
                         return ToolStatus {
                             available: true,
                             path: Some(tool_path_exe),
+                            execution_path: Some(tool_path_exe), // Use full path for execution
                             version,
                             installation_source: source,
                             last_checked: SystemTime::now(),
@@ -236,6 +241,7 @@ impl ToolDetector {
         ToolStatus {
             available: false,
             path: None,
+            execution_path: None,
             version: None,
             installation_source: InstallationSource::NotFound,
             last_checked: SystemTime::now(),

src/analyzer/tool_management/detector.rs

@@ -23,7 +23,7 @@ pub fn install_govulncheck(
     if success {
         info!("✅ govulncheck installed successfully");
         installed_tools.insert("govulncheck".to_string(), true);
-        tool_detector.clear_cache();
+        tool_detector.clear_cache(); // Clear cache to force fresh detection
         info!("💡 Note: Make sure ~/go/bin is in your PATH to use govulncheck");
     } else {
         warn!("❌ Failed to install govulncheck");

src/analyzer/tool_management/installers/go.rs

@@ -31,15 +31,38 @@ impl GoVulnerabilityChecker {
 
         info!("Executing govulncheck in {}", project_path.display());
 
-        // Execute govulncheck -json
-        let output = Command::new("govulncheck")
+        // Execute govulncheck using the full path if available
+        let mut command = if let Some(exec_path) = &govulncheck_status.execution_path {
+            // Use the full path when tool is not in PATH
+            Command::new(exec_path)
+        } else {
+            // Use tool name directly when in PATH
+            Command::new("govulncheck")
+        };
+
+        let output = command
             .args(&["-json", "./..."])
             .current_dir(project_path)
             .output()
             .map_err(|e| VulnerabilityError::CommandError(
                 format!("Failed to run govulncheck: {}", e)
             ))?;
 
+        // Log debug information about the command output
+        info!("govulncheck stdout length: {}, stderr length: {}", 
+              output.stdout.len(), output.stderr.len());
+        info!("govulncheck exit code: {:?}", output.status.code());
+        
+        if !output.stderr.is_empty() {
+            let stderr_str = String::from_utf8_lossy(&output.stderr);
+            info!("govulncheck stderr: {}", stderr_str);
+        }
+        
+        // Log first few lines of stdout for debugging
+        let stdout_str = String::from_utf8_lossy(&output.stdout);
+        let stdout_lines: Vec<&str> = stdout_str.lines().take(20).collect();
+        info!("govulncheck stdout first 20 lines: {:?}", stdout_lines);
+        
         // govulncheck returns 0 even when vulnerabilities are found
         // Non-zero exit code indicates an actual error
         if !output.status.success() && output.stdout.is_empty() {
@@ -50,11 +73,12 @@ impl GoVulnerabilityChecker {
             ));
         }
 
+        // Parse govulncheck output
         if output.stdout.is_empty() {
+            info!("govulncheck returned empty output, no vulnerabilities found");
             return Ok(None);
         }
 
-        // Parse govulncheck output
         self.parse_govulncheck_output(&output.stdout, dependencies)
     }
 
@@ -65,73 +89,98 @@ impl GoVulnerabilityChecker {
     ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
         let mut vulnerable_deps: Vec<VulnerableDependency> = Vec::new();
 
-        // Split output by lines and parse each JSON object
+        // Convert output to string
         let output_str = String::from_utf8_lossy(output);
-        for line in output_str.lines() {
-            if line.trim().is_empty() {
+        
+        // Check if output is empty or only whitespace
+        if output_str.trim().is_empty() {
+            info!("govulncheck output is empty, no vulnerabilities found");
+            return Ok(None);
+        }
+        
+        // Govulncheck outputs a stream of JSON objects separated by newlines
+        // Process each line and only parse lines that look like complete JSON objects
+        for (line_num, line) in output_str.lines().enumerate() {
+            let trimmed_line = line.trim();
+            if trimmed_line.is_empty() {
                 continue;
             }
 
-            let audit_data: serde_json::Value = serde_json::from_str(line)
-                .map_err(|e| VulnerabilityError::ParseError(
-                    format!("Failed to parse govulncheck output line: {}", e)
-                ))?;
+            // Only try to parse lines that look like JSON objects (start with { and end with })
+            if !trimmed_line.starts_with('{') || !trimmed_line.ends_with('}') {
+                continue;
+            }
 
-            // Govulncheck JSON structure parsing
-            if audit_data.get("finding").is_some() {
-                if let Some(finding) = audit_data.get("finding").and_then(|f| f.as_object()) {
-                    let package_name = finding.get("package").and_then(|p| p.as_str())
-                        .unwrap_or("").to_string();
-                    let module = finding.get("module").and_then(|m| m.as_str())
-                        .unwrap_or("").to_string();
-                    
-                    // Find matching dependency
-                    if let Some(dep) = dependencies.iter().find(|d| 
-                        d.name == package_name || d.name == module || 
-                        package_name.starts_with(&format!("{}/", d.name)) ||
-                        module.starts_with(&format!("{}/", d.name))) {
-                        
-                        let vuln_id = finding.get("osv").and_then(|o| o.as_str())
-                            .unwrap_or("unknown").to_string();
-                        let title = finding.get("summary").and_then(|s| s.as_str())
-                            .unwrap_or("Unknown vulnerability").to_string();
-                        let description = finding.get("details").and_then(|d| d.as_str())
-                            .unwrap_or("").to_string();
-                        let severity = VulnerabilitySeverity::Medium; // Govulncheck doesn't provide severity directly
-                        let fixed_version = finding.get("fixed_version").and_then(|v| v.as_str())
-                            .map(|s| s.to_string());
-                        
-                        let vuln_info = VulnerabilityInfo {
-                            id: vuln_id,
-                            vuln_type: "security".to_string(),  // Security vulnerability
-                            severity,
-                            title,
-                            description,
-                            cve: None, // Govulncheck uses OSV IDs
-                            ghsa: None, // Govulncheck uses OSV IDs
-                            affected_versions: "*".to_string(), // Govulncheck doesn't provide this directly
-                            patched_versions: fixed_version,
-                            published_date: None,
-                            references: Vec::new(), // Govulncheck doesn't provide references in this format
-                        };
-                        
-                        // Check if we already have this dependency
-                        if let Some(existing) = vulnerable_deps.iter_mut()
-                            .find(|vuln_dep| vuln_dep.name == dep.name)
-                        {
-                            // Avoid duplicate vulnerabilities
-                            if !existing.vulnerabilities.iter().any(|v| v.id == vuln_info.id) {
-                                existing.vulnerabilities.push(vuln_info);
+            // Try to parse as JSON, but handle errors gracefully
+            match serde_json::from_str::<serde_json::Value>(trimmed_line) {
+                Ok(audit_data) => {
+                    // Govulncheck JSON structure parsing
+                    if audit_data.get("finding").is_some() {
+                        if let Some(finding) = audit_data.get("finding").and_then(|f| f.as_object()) {
+                            let package_name = finding.get("package").and_then(|p| p.as_str())
+                                .unwrap_or("").to_string();
+                            let module = finding.get("module").and_then(|m| m.as_str())
+                                .unwrap_or("").to_string();
+                            
+                            // Find matching dependency
+                            if let Some(dep) = dependencies.iter().find(|d| 
+                                d.name == package_name || d.name == module || 
+                                package_name.starts_with(&format!("{}/", d.name)) ||
+                                module.starts_with(&format!("{}/", d.name))) {
+                                
+                                let vuln_id = finding.get("osv").and_then(|o| o.as_str())
+                                    .unwrap_or("unknown").to_string();
+                                let title = finding.get("summary").and_then(|s| s.as_str())
+                                    .unwrap_or("Unknown vulnerability").to_string();
+                                let description = finding.get("details").and_then(|d| d.as_str())
+                                    .unwrap_or("").to_string();
+                                let severity = VulnerabilitySeverity::Medium; // Govulncheck doesn't provide severity directly
+                                let fixed_version = finding.get("fixed_version").and_then(|v| v.as_str())
+                                    .map(|s| s.to_string());
+                                
+                                let vuln_info = VulnerabilityInfo {
+                                    id: vuln_id,
+                                    vuln_type: "security".to_string(),  // Security vulnerability
+                                    severity,
+                                    title,
+                                    description,
+                                    cve: None, // Govulncheck uses OSV IDs
+                                    ghsa: None, // Govulncheck uses OSV IDs
+                                    affected_versions: "*".to_string(), // Govulncheck doesn't provide this directly
+                                    patched_versions: fixed_version,
+                                    published_date: None,
+                                    references: Vec::new(), // Govulncheck doesn't provide references in this format
+                                };
+                                
+                                // Check if we already have this dependency
+                                if let Some(existing) = vulnerable_deps.iter_mut()
+                                    .find(|vuln_dep| vuln_dep.name == dep.name)
+                                {
+                                    // Avoid duplicate vulnerabilities
+                                    if !existing.vulnerabilities.iter().any(|v| v.id == vuln_info.id) {
+                                        existing.vulnerabilities.push(vuln_info);
+                                    }
+                                } else {
+                                    vulnerable_deps.push(VulnerableDependency {
+                                        name: dep.name.clone(),
+                                        version: dep.version.clone(),
+                                        language: crate::analyzer::dependency_parser::Language::Go,
+                                        vulnerabilities: vec![vuln_info],
+                                    });
+                                }
                             }
-                        } else {
-                            vulnerable_deps.push(VulnerableDependency {
-                                name: dep.name.clone(),
-                                version: dep.version.clone(),
-                                language: crate::analyzer::dependency_parser::Language::Go,
-                                vulnerabilities: vec![vuln_info],
-                            });
                         }
                     }
+                },
+                Err(e) => {
+                    // Log the error but continue processing other lines
+                    // Only log detailed errors for lines that look like they should be valid JSON
+                    if trimmed_line.starts_with('{') && trimmed_line.ends_with('}') {
+                        warn!("Failed to parse govulncheck output line {}: {}. Line content: {}", 
+                              line_num + 1, e, trimmed_line);
+                    }
+                    // Continue with next line instead of failing completely
+                    continue;
                 }
             }
         }