diffsense 2.2.12__py3-none-any.whl

config/rules.yaml

@@ -0,0 +1,371 @@
+# 全局配置
+config:
+  # 跳过非业务代码文件（支持通配符）
+  skip_paths:
+    - "**/test/**"
+    - "**/tests/**"
+    - "**/*Test*.java"
+    - "**/spec/**"
+    - "**/__tests__/**"
+    - "**/*_test.py"
+    - "**/test_*.py"
+    - "**/docs/**"
+    - "**/*.md"
+    - "**/*.rst"
+    - "**/*.txt"
+    - "**/*.log"
+    - "**/CHANGELOG*"
+    - "**/.github/**"
+    - "**/.gitlab/**"
+    - "**/.vscode/**"
+
+rules:
+  - id: runtime.concurrency_risk
+    # Use AST Signal instead of regex match
+    signal: "runtime.concurrency.synchronized"
+    # match: "(?i)(thread|async|lock|synchronized)"  <-- Removed regex
+    action: "added"
+    file: "**/core/**"
+    impact: runtime
+    severity: high
+    rationale: "Concurrency changes (synchronized) in core modules pose high stability risk"
+
+  - id: runtime.concurrency_synchronized_removed_critical
+    signal: "runtime.concurrency.synchronized"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Removal of synchronized block/keyword detected! This is a major stability risk."
+
+  - id: runtime.concurrency_lock_risk
+    signal: "runtime.concurrency.lock"
+    action: "added"
+    file: "**/core/**"
+    impact: runtime
+    severity: high
+    rationale: "Explicit lock usage in core modules"
+
+  - id: runtime.concurrency_lock_removed_critical
+    signal: "runtime.concurrency.lock"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Removal of lock/concurrency protection detected! This may lead to race conditions."
+
+  - id: runtime.concurrency_volatile_risk
+    signal: "runtime.concurrency.volatile"
+    action: "added"
+    file: "**/core/**"
+    impact: runtime
+    severity: high
+    rationale: "Volatile field usage in core modules"
+
+  - id: runtime.concurrency_volatile_removed_risk
+    signal: "runtime.concurrency.volatile"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Removal of volatile keyword detected! This may cause visibility issues across threads."
+
+  - id: runtime.concurrency_map_removed_risk
+    signal: "runtime.concurrency.concurrent_map"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "Removal of ConcurrentHashMap detected. Ensure it is not replaced by a non-thread-safe collection."
+
+  - id: runtime.concurrency.thread_safety_downgrade
+    signal: "runtime.concurrency.thread_safety_downgrade"
+    action: "downgrade"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Detected downgrade from ThreadSafe type to Non-ThreadSafe type (e.g., ConcurrentHashMap -> HashMap). High risk of race conditions!"
+
+  - id: runtime.concurrency.static_unsafe_collection
+    signal: "runtime.concurrency.static_unsafe_collection"
+    action: "added"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "Usage of static non-thread-safe collection detected. This is a common cause of race conditions in multi-threaded environments."
+
+  - id: runtime.performance.sleep_added
+    signal: "runtime.performance.sleep_added"
+    action: "added"
+    file: "**"
+    impact: performance
+    severity: medium
+    rationale: "Thread.sleep() introduced. This may indicate poor concurrency handling or debug code left in production."
+
+  - id: runtime.concurrency.executors_factory_risk
+    signal: "runtime.concurrency.executors_factory_risk"
+    action: "added"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Use of Executors.newFixedThreadPool/newCachedThreadPool detected. These methods have unbounded queues or thread creation, which can lead to OOM in high-load scenarios. Use ThreadPoolExecutor manually."
+
+  - id: runtime.concurrency.future_get_without_timeout
+    signal: "runtime.concurrency.future_get_without_timeout"
+    action: "added"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Future.get() called without timeout. This can cause thread blocking and cascading failures (Avalanche Effect). Always use get(timeout, unit)."
+
+  - id: runtime.concurrency.threadpool_creation
+    signal: "runtime.concurrency.threadpool_creation"
+    action: "added"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "ThreadPoolExecutor creation detected. Ensure corePoolSize, maxPoolSize, and queueCapacity are configured correctly to avoid OOM or thread explosion."
+
+  - id: runtime.service_layer
+    # 优化：只在 service 层修改了方法签名或新增业务逻辑时触发
+    # 仅文件路径匹配不再触发，必须有实际的方法签名变化
+    signal: "api.method_signature_changed"
+    file: "**/service/**"
+    impact: runtime
+    severity: medium
+    rationale: "Service layer method signature changes may affect API contract"
+
+  - id: data.destructive_schema
+    match: "ALTER TABLE|DROP TABLE"
+    file: "**/migrations/**"
+    impact: data
+    severity: high
+    rationale: "Destructive schema changes require careful review"
+
+  - id: data.query_change
+    # 优化：只在 SQL 查询语句本身变化时触发，避免 DTO/Entity 修改误报
+    match: "^\\s*(SELECT|INSERT|UPDATE|DELETE)\\s+"
+    action: "changed"
+    impact: data
+    severity: medium
+    rationale: "SQL query modifications in SQL files or MyBatis mapper files"
+
+  - id: architecture.dependency_change
+    file: "**/package.json"
+    impact: architecture
+    severity: high
+    rationale: "Dependency changes affect build and security"
+
+  - id: architecture.dependency_change_python
+    file: "**/requirements.txt"
+    impact: architecture
+    severity: high
+    rationale: "Dependency changes affect build and security"
+
+  # --- Semantic Regression Rules (Added by Request) ---
+
+  - id: runtime.input_normalization_removed
+    signal: "runtime.input_normalization_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "CRITICAL: Removal of input normalization/validation call (encode/decode/validate/check). High risk of data integrity or security issues."
+
+  - id: data.pagination_semantic_change
+    # 优化：只在分页参数的实际语义变化时触发（如 limit 变为 limit+1）
+    signal: "data.pagination_semantic_change"
+    action: "changed"
+    file: "**"
+    impact: data
+    severity: high
+    rationale: "Changes to pagination logic (pageNo/pageSize/start/limit) detected in diff. Verify if pagination semantics changed."
+
+  - id: runtime.collection_mutation_inside_loop
+    signal: "runtime.collection_mutation_inside_loop"
+    action: "added"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "Collection modification (remove) detected inside a loop. This often leads to ConcurrentModificationException or undefined behavior."
+
+  - id: security.behavior_change_auth
+    file: "**/auth/**"
+    impact: security
+    severity: high
+    rationale: "Changes in authentication modules detected. Requires careful security review."
+
+  - id: security.behavior_change_security
+    file: "**/security/**"
+    impact: security
+    severity: high
+    rationale: "Changes in security modules detected. Requires careful security review."
+
+  - id: runtime.validation_removed
+    # This overlaps with input_normalization_removed, but we can add a specific one if needed.
+    # The user asked for it as a separate category, but we covered it with the signal above.
+    # Let's add a placeholder or duplicate if distinct signal is available.
+    # For now, relying on input_normalization_removed covers 'validate/check' calls.
+    # But let's add a rule that watches for 'validation' in filename or package.
+    file: "**/validation/**"
+    match: ".*" # Match any change
+    impact: runtime
+    severity: high
+    rationale: "Changes in validation logic modules."
+
+  # --- New Semantic Signal Rules (P0/P1/P2) ---
+
+  - id: runtime.concurrency.lock_removed
+    signal: "runtime.concurrency.lock_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Removal of Lock/Synchronized detected! This is a P0 stability risk (TOP1 accident cause)."
+
+  - id: runtime.concurrency.volatile_removed
+    signal: "runtime.concurrency.volatile_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Removal of volatile keyword detected! This causes visibility issues."
+
+  - id: runtime.concurrency.final_removed
+    signal: "runtime.concurrency.final_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Removal of final modifier detected! Immutable object might become mutable (thread-safety risk)."
+
+  - id: runtime.concurrency.atomic_to_non_atomic_write
+    signal: "runtime.concurrency.atomic_to_non_atomic_write"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Atomic write operation removed/replaced. This is a semantic downgrade."
+
+  - id: runtime.concurrency.threadpool_param_change
+    signal: "runtime.concurrency.threadpool_param_change"
+    action: "changed"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "ThreadPoolExecutor parameters changed. Verify corePoolSize/maxQueue/timeout logic."
+
+  - id: runtime.concurrency.threadpool_unbounded_queue
+    signal: "runtime.concurrency.threadpool_unbounded_queue"
+    action: "added"
+    file: "**"
+    impact: runtime
+    severity: critical
+    rationale: "CRITICAL: Unbounded queue (LinkedBlockingQueue without capacity) detected in ThreadPool. Risk of OOM."
+
+  - id: runtime.concurrency.busy_wait_added
+    signal: "runtime.concurrency.busy_wait_added"
+    action: "added"
+    file: "**"
+    impact: performance
+    severity: critical
+    rationale: "CRITICAL: Busy wait loop (while(true)) detected. High CPU usage risk."
+
+  - id: runtime.resource.try_with_resource_removed
+    signal: "runtime.resource.try_with_resource_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "Try-with-resources block removed. Verify resource closing logic to prevent leaks."
+
+  - id: runtime.resource.cache_eviction_removed
+    signal: "runtime.resource.cache_eviction_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "Cache eviction/TTL logic removed. Risk of memory leak/cache explosion."
+
+  - id: runtime.network.timeout_removed
+    signal: "runtime.network.timeout_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "Timeout setting removed. Risk of thread hanging/cascading failure."
+
+  - id: runtime.data.null_check_removed
+    signal: "runtime.data.null_check_removed"
+    action: "removed"
+    file: "**"
+    impact: runtime
+    severity: medium
+    rationale: "Null check removed. Potential NPE risk."
+
+  - id: runtime.data.equals_to_reference_compare
+    signal: "runtime.data.equals_to_reference_compare"
+    action: "changed"
+    file: "**"
+    impact: runtime
+    severity: high
+    rationale: "Semantic change: equals() replaced by == reference comparison."
+
+  # ==============================================
+  # Security Rules (Ported from SonarQube Core)
+  # These detect risks via Diff only - no full AST required
+  # ==============================================
+
+  # P0: Hardcoded Secrets
+  - id: security.hardcoded_secret
+    signal: "security.hardcoded_secret"
+    action: "added"
+    file: "**"
+    impact: security
+    severity: critical
+    rationale: "CRITICAL: Hardcoded password, secret, or API key detected. This is a major security risk - secrets should be in environment variables or secure vaults."
+    tags: ["security", "secret", "credentials"]
+    is_blocking: true
+
+  # P0: SQL Injection
+  - id: security.sql_injection
+    signal: "security.sql_injection"
+    action: "added"
+    file: "**"
+    impact: security
+    severity: critical
+    rationale: "CRITICAL: SQL string concatenation detected. High risk of SQL injection. Use parameterized queries (PreparedStatement) or ORM instead."
+    tags: ["security", "sql", "injection"]
+    is_blocking: true
+    scan_mode: incremental
+
+  # P1: Weak Cryptography
+  - id: security.weak_crypto
+    signal: "security.weak_crypto"
+    action: "added"
+    file: "**"
+    impact: security
+    severity: high
+    rationale: "Weak cryptographic algorithm detected (DES, MD5, SHA1, RC4). These are cryptographically broken and should not be used."
+    tags: ["security", "crypto", "encryption"]
+
+  # P1: Command Injection
+  - id: security.command_injection
+    signal: "security.command_injection"
+    action: "added"
+    file: "**"
+    impact: security
+    severity: critical
+    rationale: "CRITICAL: Command execution (Runtime.exec, ProcessBuilder) detected. Ensure input is sanitized to prevent command injection."
+    tags: ["security", "command", "injection"]
+    is_blocking: true
+
+  # P2: Secret Removed (Regression)
+  - id: security.hardcoded_secret_removed
+    signal: "security.hardcoded_secret_removed"
+    action: "removed"
+    file: "**"
+    impact: security
+    severity: medium
+    rationale: "Hardcoded secret was removed. Verify this is intentional and not a security regression."
+    tags: ["security", "secret"]

core/__init__.py

@@ -0,0 +1,235 @@
+# Core version for cache invalidation
+# Increment this whenever the parser logic, AST detection logic, or data structures change.
+CACHE_VERSION = "v2.2.0-rev1"
+
+import os
+import json
+import time
+from typing import Dict, Any, List, Optional, Tuple
+
+
+def get_cache_max_age_seconds() -> int:
+    """Return cache TTL in seconds; 0 means no expiry. From env DIFFSENSE_CACHE_MAX_AGE_DAYS."""
+    try:
+        days = os.environ.get("DIFFSENSE_CACHE_MAX_AGE_DAYS", "")
+        if not days:
+            return 0
+        return max(0, int(float(days) * 86400))
+    except (ValueError, TypeError):
+        return 0
+
+
+def analyze_diff(
+    diff_content: str,
+    rules_path: str = "config",
+    profile: Optional[str] = None,
+    quality_config: Optional[Dict[str, Any]] = None,
+    pro_rules_path: Optional[str] = None,
+    experimental: bool = False,
+    experimental_report_only: bool = True,
+    baseline_file: Optional[str] = None,
+    since_baseline: bool = False,
+) -> Dict[str, Any]:
+    """
+    核心分析函数 - 纯函数式接口，输入 diff 内容，返回结构化审计结果。
+    
+    Args:
+        diff_content: Git unified diff 内容
+        rules_path: 规则配置文件或目录路径
+        profile: 规则 profile (strict, lightweight, 或 None)
+        quality_config: 规则质量配置
+        pro_rules_path: 高级规则路径
+        experimental: 是否启用实验性规则
+        experimental_report_only: 实验性规则是否仅报告
+        baseline_file: baseline 文件路径
+        since_baseline: 是否只报告 baseline 之后的增量
+    
+    Returns:
+        包含 review_level, details, _metrics 等字段的审计结果字典
+    """
+    from .parser import DiffParser
+    from .ast_detector import ASTDetector
+    from .rules import RuleEngine
+    from .evaluator import ImpactEvaluator
+    from .composer import DecisionComposer
+    
+    # 1. Parse Diff
+    diff_parser = DiffParser()
+    diff_data = diff_parser.parse(diff_content)
+    
+    # 2. Detect AST Signals
+    ast_detector = ASTDetector()
+    ast_signals = ast_detector.detect_signals(diff_data)
+    
+    # 3. Init Engine & Evaluator
+    if quality_config is None:
+        quality_config = {
+            "auto_tune": False,
+            "disable_threshold": 0.3,
+            "degrade_threshold": 0.5,
+            "min_samples": 30
+        }
+    
+    engine_config = {
+        "rule_quality": quality_config,
+        "experimental": {"enabled": experimental, "report_only": experimental_report_only},
+    }
+    
+    # Try to load dependency_versions from run_config
+    try:
+        from .run_config import get_run_config
+        run_cfg = get_run_config(os.getcwd())
+        if run_cfg.get("dependency_versions"):
+            engine_config["dependency_versions"] = run_cfg["dependency_versions"]
+    except Exception:
+        pass
+    
+    # Resolve pro_rules_path if not provided
+    if pro_rules_path is None:
+        try:
+            from .run_config import get_pro_rules_path
+            pro_rules_path = get_pro_rules_path(os.getcwd())
+        except Exception:
+            pass
+    
+    rule_engine = RuleEngine(
+        rules_path,
+        profile=profile,
+        config=engine_config,
+        pro_rules_path=pro_rules_path,
+    )
+    evaluator = ImpactEvaluator(rule_engine)
+    
+    # 4. Evaluate Impact
+    triggered_rules = evaluator.evaluate(diff_data, ast_signals)
+    
+    # 5. Baseline filtering
+    if baseline_file and since_baseline:
+        baseline_data = _load_baseline(baseline_file)
+        baseline_keys = _baseline_set(baseline_data)
+        triggered_rules = [r for r in triggered_rules if _baseline_key(r) not in baseline_keys]
+    
+    # 6. Compose Decision
+    composer = DecisionComposer()
+    result = composer.compose(triggered_rules, diff_data.get('files', []))
+    
+    # 7. Add Metrics
+    result['_metrics'] = dict(rule_engine.get_metrics())
+    result['_metrics']['cache'] = {
+        "diff": diff_parser.metrics,
+        "ast": ast_detector.metrics
+    }
+    result['_metrics']['rule_stats'] = rule_engine.get_rule_stats()
+    result['_rule_quality'] = rule_engine.get_rule_quality_metrics()
+    result['_quality_warnings'] = rule_engine.get_quality_warnings()
+    
+    # 8. Performance metrics
+    result["_performance"] = {
+        "cache_hit_rate_pct": _calc_cache_hit_rate(diff_parser.metrics, ast_detector.metrics),
+        "rules_executed_pct": _calc_rules_executed_pct(rule_engine.get_rule_stats()),
+    }
+    
+    return result
+
+
+def _calc_cache_hit_rate(diff_metrics: Dict, ast_metrics: Dict) -> float:
+    d_total = diff_metrics.get("hits", 0) + diff_metrics.get("misses", 0)
+    a_total = ast_metrics.get("hits", 0) + ast_metrics.get("misses", 0)
+    total = d_total + a_total
+    if total == 0:
+        return 0.0
+    hits = diff_metrics.get("hits", 0) + ast_metrics.get("hits", 0)
+    return round(hits / total * 100, 2)
+
+
+def _calc_rules_executed_pct(rule_stats: Dict) -> float:
+    total = rule_stats.get("total_rules", 0)
+    executed = rule_stats.get("executed_count", 0)
+    if total == 0:
+        return 0.0
+    return round(executed / total * 100, 2)
+
+
+def _baseline_key(rule: Dict[str, Any]) -> str:
+    return f"{rule.get('id', '')}::{rule.get('matched_file', '')}"
+
+
+def _load_baseline(path: str) -> Dict[str, Any]:
+    if not os.path.exists(path):
+        return {"items": []}
+    try:
+        with open(path, "r", encoding="utf-8") as f:
+            data = json.load(f)
+            if isinstance(data, dict) and isinstance(data.get("items"), list):
+                return data
+    except Exception:
+        pass
+    return {"items": []}
+
+
+def _baseline_set(data: Dict[str, Any]) -> set:
+    items = data.get("items", [])
+    return {f"{i.get('rule_id', '')}::{i.get('file', '')}" for i in items}
+
+
+def build_inline_comments(triggered_rules: List[Dict[str, Any]], diff_data: Dict[str, Any]) -> List[Dict[str, Any]]:
+    """
+    构建内联评论（用于 AI Agent 场景）
+    
+    Args:
+        triggered_rules: 触发的规则列表
+        diff_data: 解析后的 diff 数据
+    
+    Returns:
+        内联评论列表，每条包含 path, line, body, rule_id
+    """
+    import re
+    
+    patches = {p.get("file"): p.get("patch", "") for p in diff_data.get("file_patches", [])}
+    comments = []
+    
+    for r in triggered_rules:
+        path = r.get("matched_file", "")
+        patch_text = patches.get(path, "")
+        if not patch_text and diff_data.get("file_patches"):
+            for p in diff_data.get("file_patches", []):
+                if p.get("file"):
+                    path = p.get("file")
+                    patch_text = p.get("patch", "")
+                    break
+        
+        position, line = _first_added_position(patch_text) if patch_text else (1, 1)
+        body = f"{r.get('severity', '').upper()} {r.get('id', '')}: {r.get('rationale', '')}"
+        comments.append({
+            "path": path,
+            "position": position,
+            "line": line,
+            "body": body,
+            "rule_id": r.get("id", "")
+        })
+    return comments
+
+
+def _first_added_position(patch_text: str) -> Tuple[int, int]:
+    lines = patch_text.splitlines()
+    position = 1
+    new_line = None
+    for i, line in enumerate(lines, start=1):
+        if line.startswith("@@"):
+            m = re.search(r"\+(\d+)", line)
+            if m:
+                try:
+                    new_line = int(m.group(1))
+                except Exception:
+                    new_line = None
+            position = i
+            continue
+        if line.startswith("+") and not line.startswith("+++"):
+            if new_line is None:
+                new_line = 1
+            return i, new_line
+        if line.startswith("-") and not line.startswith("---"):
+            continue
+        if new_line is not None:
+            new_line += 1
+    return position, new_line or 1