diffsense 2.2.12__py3-none-any.whl

rules/go_rules.py

@@ -0,0 +1,401 @@
+"""
+Go Language Rules for DiffSense
+
+These rules are Go-specific implementations following the same patterns
+as the Java rules but adapted for Go language constructs.
+"""
+
+import re
+from typing import Dict, Any, List, Optional
+from sdk.rule import BaseRule
+from sdk.signal import Signal
+
+
+class GoGoroutineLeakRule(BaseRule):
+    """检测 goroutine 泄漏风险（未正确退出的 goroutine）"""
+    
+    def __init__(self):
+        self._goroutine_pattern = re.compile(r'^\+.*\bgo\s+\w+\.?\w*\s*\(')
+        self._context_pattern = re.compile(r'(?:context\.Context|ctx|done\s*chan)')
+        self._select_pattern = re.compile(r'\bselect\s*{')
+        self._defer_pattern = re.compile(r'\bdefer\s+')
+        
+    @property
+    def id(self) -> str:
+        return "resource.goroutine_leak"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Goroutine started without proper exit mechanism (context, channel, or defer)"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        # 检查是否创建了 goroutine
+        if self._goroutine_pattern.search(raw_diff):
+            added_lines = [line for line in raw_diff.split('\n') if line.startswith('+')]
+            
+            for line in added_lines:
+                if self._goroutine_pattern.search(line):
+                    # 检查是否有 context 或 channel 用于退出
+                    has_context = bool(self._context_pattern.search(line))
+                    has_select = any(self._select_pattern.search(l) for l in added_lines)
+                    has_defer = any(self._defer_pattern.search(l) for l in added_lines)
+                    
+                    if not (has_context or has_select or has_defer):
+                        files = diff_data.get('files', [])
+                        return {"file": files[0] if files else "unknown", "goroutine": line.strip()}
+        
+        return None
+
+
+class GoChannelLeakRule(BaseRule):
+    """检测 channel 使用问题（未关闭、缓冲通道泄漏等）"""
+    
+    def __init__(self):
+        self._chan_pattern = re.compile(r'^\+.*(?:make\s*\(\s*chan|chan\s+\w+\s*=)')
+        self._close_pattern = re.compile(r'\bclose\s*\(')
+        self._buffered_chan = re.compile(r'make\s*\(\s*chan\s+\w+\s*,\s*[1-9]\d*\s*\)')
+        
+    @property
+    def id(self) -> str:
+        return "resource.channel_leak"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Channel created without close or with large buffer, may cause goroutine hang"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._chan_pattern.search(raw_diff):
+            # 检查是否有 close 调用
+            if not self._close_pattern.search(raw_diff):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown"}
+        
+        # 检查大的缓冲通道
+        buffered_matches = self._buffered_chan.findall(raw_diff)
+        if buffered_matches:
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown", "buffered_channels": buffered_matches}
+        
+        return None
+
+
+class GoDeferMisuseRule(BaseRule):
+    """检测 defer 误用（循环中 defer、defer 参数问题）"""
+    
+    def __init__(self):
+        self._defer_in_loop = re.compile(r'(?:for\s+|range\s+)\s*{[^}]*defer\s+', re.DOTALL)
+        self._defer_pattern = re.compile(r'^\+.*\bdefer\s+')
+        self._defer_with_args = re.compile(r'defer\s+\w+\s*\(\s*\w+\s*[+\-*/]')
+        
+    @property
+    def id(self) -> str:
+        return "resource.defer_misuse"
+
+    @property
+    def severity(self) -> str:
+        return "medium"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Defer used in loop or with evaluated arguments, may cause resource leak"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        # 检查循环中的 defer
+        if self._defer_in_loop.search(raw_diff):
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown", "issue": "defer_in_loop"}
+        
+        # 检查 defer 参数立即求值
+        added_lines = [line for line in raw_diff.split('\n') if line.startswith('+')]
+        for line in added_lines:
+            if self._defer_with_args.search(line):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown", "issue": "defer_args_evaluated"}
+        
+        return None
+
+
+class GoUnsafeUsageRule(BaseRule):
+    """检测 unsafe 包的使用（类型转换、指针运算）"""
+    
+    def __init__(self):
+        self._unsafe_pattern = re.compile(r'^\+.*\bunsafe\.(?:Pointer|Sizeof|Alignof|Offsetof)\s*\(')
+        self._type_assertion = re.compile(r'\(\*\w+\)\(unsafe\.Pointer')
+        
+    @property
+    def id(self) -> str:
+        return "security.unsafe_usage"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "security"
+
+    @property
+    def rationale(self) -> str:
+        return "Unsafe package usage may cause memory safety issues"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._unsafe_pattern.search(raw_diff):
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown"}
+        
+        return None
+
+
+class GoErrorHandlingRule(BaseRule):
+    """检测错误处理不当（忽略 error 返回值）"""
+    
+    def __init__(self):
+        self._ignore_error = re.compile(r'_\s*=\s*\w+\s*\([^)]*\)')
+        self._error_return = re.compile(r'\w+\s*,\s*err\s*:=')
+        self._no_error_check = re.compile(r'if\s+err\s*(?:!=|==)\s*nil')
+        
+    @property
+    def id(self) -> str:
+        return "exception.error_ignored"
+
+    @property
+    def severity(self) -> str:
+        return "medium"
+
+    @property
+    def impact(self) -> str:
+        return "maintenance"
+
+    @property
+    def rationale(self) -> str:
+        return "Error return value ignored, may hide failures"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        added_lines = [line for line in raw_diff.split('\n') if line.startswith('+')]
+        for line in added_lines:
+            # 检查忽略错误
+            if self._ignore_error.search(line):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown", "issue": "error_ignored"}
+            
+            # 检查有 error 返回但未检查
+            if self._error_return.search(line):
+                # 在后续几行查找错误检查
+                context = '\n'.join(added_lines[added_lines.index(line):added_lines.index(line)+5])
+                if not self._no_error_check.search(context):
+                    files = diff_data.get('files', [])
+                    return {"file": files[0] if files else "unknown", "issue": "error_not_checked"}
+        
+        return None
+
+
+class GoNilPointerRule(BaseRule):
+    """检测 nil 指针解引用风险"""
+    
+    def __init__(self):
+        self._method_call = re.compile(r'^\+.*\w+\s*\.\s*\w+\s*\(')
+        self._nil_check = re.compile(r'(?:if\s+\w+\s*==\s*nil|if\s+\w+\s*!=\s*nil|\w+\s*==\s*nil\s*\?|nil\s*check)')
+        
+    @property
+    def id(self) -> str:
+        return "null.nil_dereference"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Method call on potentially nil pointer without nil check"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        added_lines = raw_diff.split('\n')
+        for i, line in enumerate(added_lines):
+            if line.startswith('+') and self._method_call.search(line):
+                # 检查前后是否有 nil 检查
+                context = '\n'.join(added_lines[max(0,i-3):i+4])
+                if not self._nil_check.search(context):
+                    files = diff_data.get('files', [])
+                    return {"file": files[0] if files else "unknown", "call": line.strip()}
+        
+        return None
+
+
+class GoRaceConditionRule(BaseRule):
+    """检测竞态条件风险（共享变量无锁保护）"""
+    
+    def __init__(self):
+        self._shared_var = re.compile(r'^\+.*(?:var\s+\w+\s+|:=\s*\w+\s*=).*(?:map|slice|chan)')
+        self._mutex_pattern = re.compile(r'(?:sync\.(?:Mutex|RWMutex)|\.Lock\(\)|\.Unlock\(\))')
+        self._atomic_pattern = re.compile(r'atomic\.(?:Load|Store|Add|Swap|CompareAndSwap)')
+        
+    @property
+    def id(self) -> str:
+        return "runtime.race_condition"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Shared variable access without synchronization, potential race condition"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._shared_var.search(raw_diff):
+            # 检查是否有同步机制
+            has_mutex = bool(self._mutex_pattern.search(raw_diff))
+            has_atomic = bool(self._atomic_pattern.search(raw_diff))
+            
+            if not (has_mutex or has_atomic):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown"}
+        
+        return None
+
+
+class GoHTTPSecurityRule(BaseRule):
+    """检测 HTTP 安全问题（路径遍历、未验证输入等）"""
+    
+    def __init__(self):
+        self._http_pattern = re.compile(r'^\+.*http\.(?:Get|Post|HandleFunc|Handle)\s*\(')
+        self._path_traversal = re.compile(r'http\.(?:Get|Post)\s*\([^)]*\+[^)]*\)')
+        self._no_auth = re.compile(r'http\.ListenAndServe\s*\(\s*"[^"]*"', re.IGNORECASE)
+        
+    @property
+    def id(self) -> str:
+        return "security.http_vulnerability"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "security"
+
+    @property
+    def rationale(self) -> str:
+        return "HTTP handler with potential security issues (path traversal, no auth)"
+
+    @property
+    def language(self) -> str:
+        return "go"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._http_pattern.search(raw_diff):
+            # 检查路径遍历风险
+            if self._path_traversal.search(raw_diff):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown", "issue": "path_traversal"}
+            
+            # 检查无认证的 HTTP 服务
+            if self._no_auth.search(raw_diff):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown", "issue": "no_authentication"}
+        
+        return None

rules/null_safety.py

@@ -0,0 +1,301 @@
+import re
+from typing import Dict, Any, List, Optional
+from sdk.rule import BaseRule
+from sdk.signal import Signal
+
+
+class NullReturnIgnoredRule(BaseRule):
+    """检测可能返回 null 的方法调用未进行空值检查 - 降低误报，只在高风险场景触发"""
+
+    def __init__(self):
+        # 只检查真正危险的方法调用（来自 Map/Collection 的 get）
+        self._null_return_methods = [
+            r'\.get\s*\([^)]+\)',     # Map.get(key) - 有参数的
+        ]
+        self._added_call = re.compile(r'^\+.*(' + '|'.join(self._null_return_methods) + r')')
+        # 扩展 null 检查模式
+        self._null_check = re.compile(
+            r'(?:if\s*\([^)]*(?:==|!=|isNull|nonNull|Objects\.|Optional)|Optional\.|orElse|orElseGet)',
+            re.IGNORECASE
+        )
+
+    @property
+    def id(self) -> str:
+        return "null.return_ignored"
+
+    @property
+    def severity(self) -> str:
+        # 降级为 LOW，因为 .get() 调用后不检查 null 是非常常见的模式
+        return "low"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Map.get() without null check may cause NPE"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+
+        added_lines = raw_diff.split('\n')
+        for i, line in enumerate(added_lines):
+            if line.startswith('+') and self._added_call.search(line):
+                # 只在没有 orElse/orElseGet 等安全写法时触发
+                if not self._null_check.search(line):
+                    # 额外检查：只对关键路径触发
+                    files = diff_data.get('files', [])
+                    return {"file": files[0] if files else "unknown", "method": line.strip()}
+
+        return None
+
+
+class OptionalUnwrapRule(BaseRule):
+    """检测 Optional 未正确解包 - 排除安全的 orElse 用法"""
+
+    def __init__(self):
+        self._dangerous_get = re.compile(
+            r'^\+.*(?<!\.)\.get\s*\(\s*\)',  # Optional.get() without check
+            re.MULTILINE
+        )
+        # 扩展安全模式：包含 orElseGet
+        self._optional_safe = re.compile(
+            r'\.orElse(?:Get)?\s*\(',
+            re.MULTILINE
+        )
+
+    @property
+    def id(self) -> str:
+        return "null.optional_unsafe_get"
+
+    @property
+    def severity(self) -> str:
+        # 降级为 LOW，因为 Optional.get() 在很多场景是合理的
+        return "low"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Optional.get() without isPresent() check - ensure null is handled"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+
+        # 查找所有 .get() 调用
+        import re as re_module
+        get_matches = re.findall(r'[^\n]*\.get\s*\(\s*\)[^\n]*', raw_diff)
+
+        for match in get_matches:
+            # 跳过已经使用 orElse/orElseGet 的代码
+            if self._optional_safe.search(match):
+                continue
+
+            # 跳过注释
+            if '//' in match or '/*' in match:
+                continue
+
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown"}
+
+        return None
+        
+        dangerous = self._dangerous_get.findall(raw_diff)
+        if dangerous:
+            # 检查是否有 orElse 等安全用法
+            if not self._optional_or_else.search(raw_diff):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown"}
+        
+        return None
+
+
+class AutoboxingNPERule(BaseRule):
+    """检测自动拆箱可能导致的 NPE"""
+    
+    def __init__(self):
+        self._wrapper_types = ['Integer', 'Long', 'Double', 'Float', 'Boolean', 'Character', 'Short', 'Byte']
+        self._unbox_pattern = re.compile(
+            r'^\+.*(?:' + '|'.join(self._wrapper_types) + r')\s*\w+\s*=\s*(?!new\s+(?:' + '|'.join(self._wrapper_types) + r'))'
+        )
+        self._method_return_wrapper = re.compile(
+            r'^\+.*\.(?:get|getValue|getOrDefault)\s*\([^)]*\)\s*(?:[+\-*/]|compareTo)',
+            re.MULTILINE
+        )
+        
+    @property
+    def id(self) -> str:
+        return "null.autoboxing_npe"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Wrapper type auto-unboxed to primitive, NPE if null"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._unbox_pattern.search(raw_diff) or self._method_return_wrapper.search(raw_diff):
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown"}
+        
+        return None
+
+
+class ChainedMethodCallNPERule(BaseRule):
+    """检测链式调用的 NPE 风险 - 仅在高风险场景触发"""
+
+    def __init__(self):
+        # 更严格的链式调用模式：必须是方法调用链，不能是简单的属性访问
+        self._chained_call = re.compile(
+            r'^\+.*\w+\s*\.\s*\w+\s*\([^)]*\)\s*\.\s*\w+\s*\(',
+            re.MULTILINE
+        )
+        self._null_safe = re.compile(
+            r'(?:Objects\.(?:requireNonNull|firstNonNull)|Optional\.ofNullable|\.map\s*\(|\?\.)',
+            re.IGNORECASE
+        )
+        # 高风险场景：DTO/Entity/Model 的 getter 链式调用
+        self._high_risk_patterns = [
+            r'/dto/',
+            r'/entity/',
+            r'/model/',
+            r'/vo/',
+            r'/bo/',
+            r'/domain/'
+        ]
+
+    @property
+    def id(self) -> str:
+        return "null.chained_call_unsafe"
+
+    @property
+    def severity(self) -> str:
+        # 降级为 LOW，因为大多数业务代码的链式调用是安全的
+        return "low"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Chained method calls in DTO/Entity without null safety"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        files = diff_data.get('files', [])
+
+        added_lines = [line for line in raw_diff.split('\n') if line.startswith('+')]
+        for line in added_lines:
+            if self._chained_call.search(line):
+                if not self._null_safe.search(line):
+                    # 只在 DTO/Entity/Model 相关的文件中触发
+                    for f in files:
+                        if any(re.search(p, f, re.IGNORECASE) for p in self._high_risk_patterns):
+                            return {"file": f, "chain": line.strip()}
+
+        return None
+
+
+class ArrayIndexOutOfBoundsRule(BaseRule):
+    """检测数组/集合索引越界风险"""
+    
+    def __init__(self):
+        self._direct_access = re.compile(
+            r'^\+.*\w+\s*\[\s*(?:0|[1-9]\d*)\s*\]',
+            re.MULTILINE
+        )
+        self._size_dependent = re.compile(
+            r'^\+.*\w+\s*\[\s*\w+\.(?:size|length)\s*[-+]\s*[1-9]',
+            re.MULTILINE
+        )
+        
+    @property
+    def id(self) -> str:
+        return "null.array_index_unsafe"
+
+    @property
+    def severity(self) -> str:
+        return "medium"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Direct array access with hardcoded index or size-based calculation, bounds not checked"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._size_dependent.search(raw_diff):
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown"}
+        
+        return None
+
+
+class StringConcatNPERule(BaseRule):
+    """检测字符串拼接的 NPE 风险 - 关闭，因为太容易误报"""
+
+    def __init__(self):
+        # 禁用此规则：字符串拼接 "str" + var 是非常常见的模式
+        # 即使 var 可能为 null，Java 也不会抛 NPE，而是输出 "null" 字符串
+        pass
+
+    @property
+    def id(self) -> str:
+        return "null.string_concat_unsafe"
+
+    @property
+    def severity(self) -> str:
+        return "low"
+
+    @property
+    def impact(self) -> str:
+        return "maintenance"
+
+    @property
+    def rationale(self) -> str:
+        # 修改为更准确的描述
+        return "Disabled: Java string concatenation handles null gracefully"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        # 禁用规则：总是返回 None
+        return None