diffsense 2.2.12__py3-none-any.whl

rules/resource_management.py

@@ -0,0 +1,222 @@
+import re
+from typing import Dict, Any, List, Optional
+from sdk.rule import BaseRule
+from sdk.signal import Signal
+
+
+class CloseableResourceLeakRule(BaseRule):
+    """检测未正确关闭的资源（Stream, Connection 等）"""
+    
+    def __init__(self):
+        self._closeable_types = [
+            'InputStream', 'OutputStream', 'Reader', 'Writer',
+            'Socket', 'ServerSocket', 'Connection', 'Statement', 
+            'ResultSet', 'BufferedReader', 'BufferedWriter'
+        ]
+        self._added_pattern = re.compile(r'^\+.*\b(new\s+\w+(?:' + '|'.join(self._closeable_types) + r')\s*\()')
+        self._try_with_resources = re.compile(r'^\+.*try\s*\([^)]*(?:' + '|'.join(self._closeable_types) + r')')
+        self._finally_close = re.compile(r'^\+.*\.close\(\)')
+        
+    @property
+    def id(self) -> str:
+        return "resource.closeable_leak"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Closeable resources opened but not closed in try-with-resources or finally block"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        # 检查是否添加了可关闭资源
+        added_resources = self._added_pattern.findall(raw_diff)
+        if not added_resources:
+            return None
+        
+        # 检查是否有 try-with-resources 或 finally 中关闭
+        has_try_resources = bool(self._try_with_resources.search(raw_diff))
+        has_finally_close = bool(self._finally_close.search(raw_diff))
+        
+        # 如果既没有 try-with-resources 也没有 finally close，则报告
+        if not has_try_resources and not has_finally_close:
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown", "resources": added_resources}
+        
+        return None
+
+
+class DatabaseConnectionLeakRule(BaseRule):
+    """检测数据库连接泄漏风险"""
+    
+    def __init__(self):
+        self._conn_patterns = [
+            r'DriverManager\.getConnection',
+            r'DataSource\.getConnection',
+            r'new\s+HikariDataSource',
+            r'new\s+BasicDataSource'
+        ]
+        self._added_conn = re.compile(r'^\+.*(' + '|'.join(self._conn_patterns) + r')')
+        self._conn_close = re.compile(r'^\+.*(?:connection|conn)\.close\(\)', re.IGNORECASE)
+        
+    @property
+    def id(self) -> str:
+        return "resource.database_connection_leak"
+
+    @property
+    def severity(self) -> str:
+        return "critical"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "Database connection opened without proper close, may cause connection pool exhaustion"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._added_conn.search(raw_diff):
+            if not self._conn_close.search(raw_diff):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown"}
+        
+        return None
+
+
+class StreamWrapperRule(BaseRule):
+    """检测流包装时未指定编码"""
+    
+    def __init__(self):
+        self._unencoded_patterns = [
+            r'new\s+InputStreamReader\s*\(\s*(?!.*Charset|charset|StandardCharsets)',
+            r'new\s+OutputStreamWriter\s*\(\s*(?!.*Charset|charset|StandardCharsets)',
+            r'new\s+FileReader\s*\(',
+            r'new\s+FileWriter\s*\('
+        ]
+        self._added_stream = re.compile(r'^\+.*(' + '|'.join(self._unencoded_patterns) + r')')
+        
+    @property
+    def id(self) -> str:
+        return "resource.stream_encoding_missing"
+
+    @property
+    def severity(self) -> str:
+        return "medium"
+
+    @property
+    def impact(self) -> str:
+        return "maintenance"
+
+    @property
+    def rationale(self) -> str:
+        return "Stream reader/writer created without explicit charset, uses platform default encoding"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        matches = self._added_stream.findall(raw_diff)
+        if matches:
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown", "patterns": matches}
+        
+        return None
+
+
+class IOStreamChainingRule(BaseRule):
+    """检测 IO 流链接调用中的资源泄漏"""
+    
+    def __init__(self):
+        self._chaining_pattern = re.compile(
+            r'^\+.*new\s+\w+(?:InputStream|OutputStream|Reader|Writer)\s*\([^)]*\.get\s*\w*\s*\(\s*\)'
+        )
+        
+    @property
+    def id(self) -> str:
+        return "resource.stream_chaining_leak"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "IO stream created from method call result, intermediate stream may leak"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._chaining_pattern.search(raw_diff):
+            files = diff_data.get('files', [])
+            return {"file": files[0] if files else "unknown"}
+        
+        return None
+
+
+class ExecutorServiceShutdownRule(BaseRule):
+    """检测线程池未正确关闭"""
+    
+    def __init__(self):
+        self._executor_creation = re.compile(
+            r'^\+.*(?:Executors\.(newFixedThreadPool|newCachedThreadPool|newSingleThreadExecutor)|new\s+ThreadPoolExecutor)\s*\('
+        )
+        self._executor_shutdown = re.compile(r'^\+.*\.shutdown\s*\(\s*\)')
+        
+    @property
+    def id(self) -> str:
+        return "resource.executor_shutdown_missing"
+
+    @property
+    def severity(self) -> str:
+        return "high"
+
+    @property
+    def impact(self) -> str:
+        return "runtime"
+
+    @property
+    def rationale(self) -> str:
+        return "ExecutorService created without shutdown, threads may not terminate"
+
+    @property
+    def rule_type(self) -> str:
+        return "absolute"
+
+    def evaluate(self, diff_data: Dict[str, Any], signals: List[Signal]) -> Optional[Dict[str, Any]]:
+        raw_diff = diff_data.get('raw_diff', "")
+        
+        if self._executor_creation.search(raw_diff):
+            if not self._executor_shutdown.search(raw_diff):
+                files = diff_data.get('files', [])
+                return {"file": files[0] if files else "unknown"}
+        
+        return None

rules/yaml_adapter.py

@@ -0,0 +1,195 @@
+import re
+import fnmatch
+import os
+from typing import Dict, Any, List, Optional
+from core.rule_base import Rule
+
+def _match_file_pattern(filename: str, pattern: str) -> bool:
+    """Match file against pattern, supporting ** for recursive matching."""
+    if pattern == '**' or pattern == '*':
+        return True
+    
+    # Handle **/*.py style patterns (ends with extension)
+    if pattern.startswith('**/') and '*' not in pattern[3:]:
+        # Convert **/*.py to *.py
+        pattern = pattern[3:]
+    
+    # Handle **/auth/** style patterns (match directory in path)
+    if pattern.startswith('**/') and pattern.endswith('/**'):
+        # Extract the directory name and check if it's in the path
+        dir_name = pattern[3:-2]  # Remove **/ and /**
+        return dir_name in filename
+    
+    return fnmatch.fnmatch(filename, pattern)
+
+class YamlRule(Rule):
+    """
+    Adapter to treat legacy YAML rules as first-class Plugins.
+    Supports full rule metadata: category, confidence, tags, enabled, language, scope.
+    """
+    def __init__(self, rule_dict: Dict[str, Any]):
+        self._rule_dict = rule_dict
+        self._file_pattern = self._rule_dict.get('file')
+        self._compiled_match = None
+        content_regex = self._rule_dict.get('match')
+        if content_regex:
+            flags = re.MULTILINE
+            if self._rule_dict.get('case_insensitive', False):
+                flags |= re.IGNORECASE
+            try:
+                self._compiled_match = re.compile(content_regex, flags)
+            except re.error:
+                self._compiled_match = None
+
+    @property
+    def id(self) -> str:
+        return self._rule_dict.get('id', 'unknown')
+
+    @property
+    def severity(self) -> str:
+        return self._rule_dict.get('severity', 'low')
+
+    @property
+    def impact(self) -> str:
+        return self._rule_dict.get('impact', 'general')
+
+    @property
+    def rationale(self) -> str:
+        return self._rule_dict.get('rationale', '')
+
+    @property
+    def title(self) -> str:
+        return self._rule_dict.get('title', self.id)
+
+    @property
+    def category(self) -> str:
+        return self._rule_dict.get('category', 'general')
+
+    @property
+    def confidence(self) -> float:
+        v = self._rule_dict.get('confidence', 1.0)
+        if isinstance(v, (int, float)):
+            return float(v)
+        return 1.0
+
+    @property
+    def tags(self) -> List[str]:
+        t = self._rule_dict.get('tags', [])
+        return list(t) if isinstance(t, (list, tuple)) else []
+
+    @property
+    def enabled(self) -> bool:
+        return self._rule_dict.get('enabled', True) is True
+
+    @property
+    def language(self) -> str:
+        return self._rule_dict.get('language', '*')
+
+    @property
+    def scope(self) -> str:
+        return self._rule_dict.get('scope', self._rule_dict.get('file', '**'))
+
+    @property
+    def package(self) -> Optional[Dict[str, Any]]:
+        """CVE 规则：package.ecosystem + package.name 用于与 dependency_versions 精确匹配。"""
+        return self._rule_dict.get('package')
+
+    @property
+    def versions(self) -> Optional[Dict[str, Any]]:
+        """CVE 规则：versions.introduced / versions.fixed 定义受影响版本区间。"""
+        return self._rule_dict.get('versions')
+
+    @property
+    def status(self) -> str:
+        return str(self._rule_dict.get('status', 'stable')).lower()
+
+    @property
+    def is_blocking(self) -> bool:
+        # Default to True for 'critical' absolute rules, or if explicitly set
+        explicit = self._rule_dict.get('is_blocking')
+        if explicit is not None:
+            return bool(explicit)
+        
+        # Absolute critical rules are blocking by default
+        if self.rule_type == 'absolute' and self.severity == 'critical':
+            return True
+        return False
+
+    @property
+    def rule_type(self) -> str:
+        """
+        Determines if the rule is 'regression' or 'absolute'.
+        Defaults to 'regression' if action is 'removed' or 'changed'.
+        """
+        explicit = self._rule_dict.get('rule_type')
+        if explicit:
+            return str(explicit)
+        
+        action = self._rule_dict.get('action', '').lower()
+        if action in ['removed', 'deleted', 'changed', 'modified']:
+            return 'regression'
+        
+        return 'absolute'
+
+    def evaluate(self, diff_data: Dict[str, Any], ast_signals: List[Any]) -> Optional[Dict[str, Any]]:
+        # Logic extracted from old RuleEngine._match_rule
+        
+        # 0. Check AST Signals (New First-Class Check)
+        target_signal = self._rule_dict.get('signal')
+        if target_signal:
+            # Look for this signal in ast_signals
+            for sig in ast_signals:
+                if sig.id == target_signal:
+                    # Signal Matched!
+                    
+                    # Check action constraint if present in rule
+                    rule_action = self._rule_dict.get('action')
+                    if rule_action and rule_action != sig.action:
+                         continue # Action mismatch
+                    
+                    # Check if there are other constraints (like file)
+                    # We match file pattern against the signal's file
+                    rule_file_pattern = self._rule_dict.get('file')
+                    if rule_file_pattern:
+                        # Use _match_file_pattern to check if sig.file matches pattern
+                        if rule_file_pattern != "**" and not _match_file_pattern(sig.file, rule_file_pattern):
+                            continue
+
+                    return {"file": sig.file}
+            
+            # If we are looking for a signal but didn't find it, rule fails
+            return None
+
+        # Fallback to old regex/file matching logic
+        
+        # 1. Check File Pattern
+        matched_files = []
+        if self._file_pattern:
+            pattern = self._file_pattern
+            for f in diff_data.get('files', []):
+                if _match_file_pattern(f, pattern):
+                    matched_files.append(f)
+
+            if not matched_files:
+                return None # File pattern constraint failed
+        else:
+            # If no file pattern, consider all files
+            matched_files = diff_data.get('files', [])
+
+        # 2. Check Content Match (Regex)
+        if self._rule_dict.get('match'):
+            # Get raw diff from file_patches or raw_diff field
+            raw_diff = diff_data.get('raw_diff', '')
+            if not raw_diff:
+                file_patches = diff_data.get('file_patches', [])
+                for fp in file_patches:
+                    raw_diff += fp.get('patch', '')
+            
+            if not self._compiled_match:
+                return None
+            if not self._compiled_match.search(raw_diff):
+                return None
+
+        # Return the first matched file for reporting purposes
+        file_report = matched_files[0] if matched_files else "unknown"
+        return {"file": file_report}