skylos 2.2.4__py3-none-any.whl → 2.4.0__py3-none-any.whl

skylos/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "2.2.4"
+__version__ = "2.4.0"
 
 def analyze(*args, **kwargs):
     from .analyzer import analyze as _analyze

skylos/analyzer.py

@@ -9,7 +9,7 @@ from skylos.visitor import Visitor
 from skylos.constants import ( PENALTIES, AUTO_CALLED )
 from skylos.visitors.test_aware import TestAwareVisitor
 from skylos.rules.secrets import scan_ctx as _secrets_scan_ctx
-from skylos.rules.dangerous import scan_ctx as scan_dangerous
+from skylos.rules.danger.danger import scan_ctx as scan_danger
 import os
 import traceback
 from skylos.visitors.framework_aware import FrameworkAwareVisitor, detect_framework_usage
@@ -239,7 +239,7 @@ class Skylos:
                     if method.simple_name == "format" and cls.endswith("Formatter"):
                         method.references += 1
 
-    def analyze(self, path, thr=60, exclude_folders= None, enable_secrets = False, enable_dangerous = False):
+    def analyze(self, path, thr=60, exclude_folders= None, enable_secrets = False, enable_danger = False):
         files, root = self._get_python_files(path, exclude_folders)
         
         if not files:
@@ -288,13 +288,15 @@ class Skylos:
                 except Exception:
                     pass
             
-            if enable_dangerous and scan_dangerous is not None:
+            if enable_danger and scan_danger is not None:
                 try:
-                    findings = scan_dangerous(root, [file])
+                    findings = scan_danger(root, [file])
                     if findings:
                         all_dangers.extend(findings)
-                except Exception:
-                    pass
+                except Exception as e:
+                    logger.error(f"Error scanning {file} for dangerous code: {e}")
+                    if os.getenv("SKYLOS_DEBUG"):
+                        logger.error(traceback.format_exc())
 
         self._mark_refs()
         self._apply_heuristics() 
@@ -331,9 +333,9 @@ class Skylos:
             result["secrets"] = all_secrets
             result["analysis_summary"]["secrets_count"] = len(all_secrets)
         
-        if enable_dangerous and all_dangers:
-            result["dangerous"] = all_dangers
-            result["analysis_summary"]["dangerous_count"] = len(all_dangers)
+        if enable_danger and all_dangers:
+            result["danger"] = all_dangers
+            result["analysis_summary"]["danger_count"] = len(all_dangers)
 
         for u in unused:
             if u["type"] in ("function", "method"):
@@ -386,75 +388,104 @@ def proc_file(file_or_args, mod=None):
 
         return [], [], set(), set(), dummy_visitor, dummy_framework_visitor
 
-def analyze(path, conf=60, exclude_folders=None, enable_secrets=False, enable_dangerous=False):
-    return Skylos().analyze(path,conf, exclude_folders, enable_secrets, enable_dangerous)
+def analyze(path, conf=60, exclude_folders=None, enable_secrets=False, enable_danger=False):
+    return Skylos().analyze(path,conf, exclude_folders, enable_secrets, enable_danger)
 
 if __name__ == "__main__":
-    if len(sys.argv)>1:
-        p = sys.argv[1]
-        
-        if len(sys.argv) > 2:
-            confidence = int(sys.argv[2])
-        else:
-            confidence = 60
+    enable_secrets = ("--secrets" in sys.argv)
+    enable_danger  = ("--danger"  in sys.argv)
 
-        result = analyze(p,confidence)
-        
-        data = json.loads(result)
-        print("\n Python Static Analysis Results")
-        print("===================================\n")
-        
-        total_items = 0
-        for key, items in data.items():
-            if key.startswith("unused_") and isinstance(items, list):
-                total_items += len(items)
-        
-        print("Summary:")
-        if data["unused_functions"]:
-            print(f" * Unreachable functions: {len(data['unused_functions'])}")
-        if data["unused_imports"]:
-            print(f" * Unused imports: {len(data['unused_imports'])}")
-        if data["unused_classes"]:
-            print(f" * Unused classes: {len(data['unused_classes'])}")
-        if data["unused_variables"]:
-            print(f" * Unused variables: {len(data['unused_variables'])}")
-        
-        if data["unused_functions"]:
-            print("\n - Unreachable Functions")
-            print("=======================")
-            for i, func in enumerate(data["unused_functions"], 1):
-                print(f" {i}. {func['name']}")
-                print(f"    └─ {func['file']}:{func['line']}")
-        
-        if data["unused_imports"]:
-            print("\n - Unused Imports")
-            print("================")
-            for i, imp in enumerate(data["unused_imports"], 1):
-                print(f" {i}. {imp['simple_name']}")
-                print(f"    └─ {imp['file']}:{imp['line']}")
-        
-        if data["unused_classes"]:
-            print("\n - Unused Classes")
-            print("=================")
-            for i, cls in enumerate(data["unused_classes"], 1):
-                print(f" {i}. {cls['name']}")
-                print(f"    └─ {cls['file']}:{cls['line']}")
-                
-        if data["unused_variables"]:
-            print("\n - Unused Variables")
-            print("==================")
-            for i, var in enumerate(data["unused_variables"], 1):
-                print(f" {i}. {var['name']}")
-                print(f"    └─ {var['file']}:{var['line']}")
-        
-        print("\n" + "─" * 50)
-        print(f"Found {total_items} dead code items. Add this badge to your README:")
-        print(f"```markdown")
-        print(f"![Dead Code: {total_items}](https://img.shields.io/badge/Dead_Code-{total_items}_detected-orange?logo=codacy&logoColor=red)")
-        print(f"```")
+    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
+
+    if not positional:
+        print("Usage: python Skylos.py <path> [confidence_threshold] [--secrets] [--danger]")
+        sys.exit(2)
+
+    p = positional[0]
+    confidence = int(positional[1]) if len(positional) > 1 else 60
+
+    result = analyze(p, confidence, enable_secrets=enable_secrets, enable_danger=enable_danger)
         
-        print("\nNext steps:")
-        print("  * Use --interactive to select specific items to remove")
-        print("  * Use --dry-run to preview changes before applying them")
+    data = json.loads(result)
+    print("\n Python Static Analysis Results")
+    print("===================================\n")
+    
+    total_dead = 0
+    for key, items in data.items():
+        if key.startswith("unused_") and isinstance(items, list):
+            total_dead += len(items)
+
+    danger_count = data.get("analysis_summary", {}).get("danger_count", 0) if enable_danger else 0
+    secrets_count = data.get("analysis_summary", {}).get("secrets_count", 0) if enable_secrets else 0
+    
+    print("Summary:")
+    if data["unused_functions"]:
+        print(f" * Unreachable functions: {len(data['unused_functions'])}")
+    if data["unused_imports"]:
+        print(f" * Unused imports: {len(data['unused_imports'])}")
+    if data["unused_classes"]:
+        print(f" * Unused classes: {len(data['unused_classes'])}")
+    if data["unused_variables"]:
+        print(f" * Unused variables: {len(data['unused_variables'])}")
+    if enable_danger:
+        print(f" * Security issues: {danger_count}")
+    if enable_secrets:
+        print(f" * Secrets found: {secrets_count}")
+
+    if data["unused_functions"]:
+        print("\n - Unreachable Functions")
+        print("=======================")
+        for i, func in enumerate(data["unused_functions"], 1):
+            print(f" {i}. {func['name']}")
+            print(f"    └─ {func['file']}:{func['line']}")
+    
+    if data["unused_imports"]:
+        print("\n - Unused Imports")
+        print("================")
+        for i, imp in enumerate(data["unused_imports"], 1):
+            print(f" {i}. {imp['simple_name']}")
+            print(f"    └─ {imp['file']}:{imp['line']}")
+    
+    if data["unused_classes"]:
+        print("\n - Unused Classes")
+        print("=================")
+        for i, cls in enumerate(data["unused_classes"], 1):
+            print(f" {i}. {cls['name']}")
+            print(f"    └─ {cls['file']}:{cls['line']}")
+            
+    if data["unused_variables"]:
+        print("\n - Unused Variables")
+        print("==================")
+        for i, var in enumerate(data["unused_variables"], 1):
+            print(f" {i}. {var['name']}")
+            print(f"    └─ {var['file']}:{var['line']}")
+
+    if enable_danger and data.get("danger"):
+        print("\n - Security Issues")
+        print("================")
+        for i, f in enumerate(data["danger"], 1):
+            print(f" {i}. {f['message']} [{f['rule_id']}] ({f['file']}:{f['line']}) Severity: {f['severity']}")
+
+    if enable_secrets and data.get("secrets"):
+        print("\n - Secrets")
+        print("==========")
+        for i, s in enumerate(data["secrets"], 1):
+            rid = s.get("rule_id", "SECRET")
+            msg = s.get("message", "Potential secret")
+            file = s.get("file")
+            line = s.get("line", 1)
+            sev = s.get("severity", "HIGH")
+            print(f" {i}. {msg} [{rid}] ({file}:{line}) Severity: {sev}")
+    
+    print("\n" + "─" * 50)
+    if enable_danger:
+        print(f"Found {total_dead} dead code items and {danger_count} security flaws. Add this badge to your README:")
     else:
-        print("Usage: python Skylos.py <path> [confidence_threshold]")
+        print(f"Found {total_dead} dead code items. Add this badge to your README:")
+    print("```markdown")
+    print(f"![Dead Code: {total_dead}](https://img.shields.io/badge/Dead_Code-{total_dead}_detected-orange?logo=codacy&logoColor=red)")
+    print("```")
+    
+    print("\nNext steps:")
+    print("  * Use --interactive to select specific items to remove")
+    print("  * Use --dry-run to preview changes before applying them")

skylos/cli.py

@@ -159,19 +159,25 @@ def interactive_selection(logger, unused_functions, unused_imports):
     
     return selected_functions, selected_imports
 
-def print_badge(dead_code_count: int, logger):
+def print_badge(dead_code_count, logger, *, danger_enabled = False, danger_count = 0):
     logger.info(f"\n{Colors.GRAY}{'─' * 50}{Colors.RESET}")
     
-    if dead_code_count == 0:
-        logger.info(f" Your code is 100% dead code free! Add this badge to your README:")
+    if dead_code_count == 0 and (not danger_enabled or danger_count == 0):
+        logger.info(" Your code is 100% dead code free! Add this badge to your README:")
         logger.info("```markdown")
         logger.info("![Dead Code Free](https://img.shields.io/badge/Dead_Code-Free-brightgreen?logo=moleculer&logoColor=white)")
         logger.info("```")
+        return
+
+    if danger_enabled:
+        logger.info(f"Found {dead_code_count} dead code items and {danger_count} security flaws. Add this badge to your README:")
     else:
         logger.info(f"Found {dead_code_count} dead code items. Add this badge to your README:")
-        logger.info("```markdown")  
-        logger.info(f"![Dead Code: {dead_code_count}](https://img.shields.io/badge/Dead_Code-{dead_code_count}_detected-orange?logo=codacy&logoColor=red)")
-        logger.info("```")
+
+    logger.info("```markdown")  
+    logger.info(f"![Dead Code: {dead_code_count}](https://img.shields.io/badge/Dead_Code-{dead_code_count}_detected-orange?logo=codacy&logoColor=red)")
+    logger.info("```")
+
 
 def main():
     if len(sys.argv) > 1 and sys.argv[1] == 'run':
@@ -188,6 +194,12 @@ def main():
     )
     parser.add_argument("path", help="Path to the Python project")
 
+    parser.add_argument(
+        "--table",
+        action="store_true",
+        help="Show findings in table"
+    )
+
     parser.add_argument(
         "--version",
         action="version", 
@@ -307,7 +319,8 @@ def main():
             logger.info(f"{Colors.GREEN}📁 No folders excluded{Colors.RESET}")
 
     try:
-        result_json = run_analyze(args.path, conf=args.confidence, enable_secrets=bool(args.secrets), exclude_folders=list(final_exclude_folders))
+        result_json = run_analyze(args.path, conf=args.confidence, enable_secrets=bool(args.secrets), 
+                                  enable_danger=bool(args.danger), exclude_folders=list(final_exclude_folders))
 
         if args.json:
             print(result_json)
@@ -318,6 +331,121 @@ def main():
     except Exception as e:
         logger.error(f"Error during analysis: {e}")
         sys.exit(1)
+    
+    if args.table:
+        ELLIPSIS = "…"
+
+        def clip(text, max_length):
+            if not text:
+                text = ""
+            
+            if len(text) <= max_length:
+                return text
+            
+            truncated_end = max(0, max_length - 1)
+            return text[:truncated_end] + ELLIPSIS
+
+        def severity_color(severity):
+            severity_upper = (severity or "").upper()
+            
+            if severity_upper in ("HIGH", "CRITICAL"):
+                return Colors.RED
+            elif severity_upper == "MEDIUM":
+                return Colors.YELLOW
+            else:
+                return Colors.GRAY
+
+        print(f"\n{Colors.CYAN}{Colors.BOLD}Unused {Colors.RESET}")
+        print(f"{Colors.CYAN}{'='*18}{Colors.RESET}")
+
+        print(f"{Colors.BOLD}{'kind':9} {'name':28} {'where'}{Colors.RESET}")
+        print(f"{'-'*9} {'-'*28} {'-'*36}")
+        
+        unused_categories = [
+            ("unused_functions", "function"),
+            ("unused_imports", "import"),
+            ("unused_classes", "class"),
+            ("unused_variables", "variable"),
+            ("unused_parameters", "parameter"),
+        ]
+
+        for bucket, kind in unused_categories:
+            items = result.get(bucket, [])
+            for item in items:
+                name = item.get("name") or item.get("simple_name") or ""
+                file_path = item.get('file', '?')
+                line_num = item.get('line', item.get('lineno', '?'))
+                where = f"{file_path}:{line_num}"
+                
+                clipped_name = clip(name, 28)
+                clipped_where = clip(where, 36)
+                print(f"{kind:9} {clipped_name:28} {clipped_where}")
+
+        secrets = result.get("secrets", []) or []
+        if secrets:
+            print(f"\n{Colors.RED}{Colors.BOLD}Secrets{Colors.RESET}")
+            print(f"{Colors.RED}{'=' * 7}{Colors.RESET}")
+            print(f"{Colors.BOLD}{'provider':12} {'message':22} {'preview':24} {'where'}{Colors.RESET}")
+            print(f"{'-' * 12} {'-' * 22} {'-' * 24} {'-' * 36}")
+            
+            for secret in secrets[:100]:
+                provider = clip(secret.get("provider") or "generic", 12)
+                message = clip(secret.get("message") or "Secret detected", 22)
+                preview = clip(secret.get("preview") or "****", 24)
+                
+                file_path = secret.get('file', '?')
+                line_num = secret.get('line', '?')
+                location = f"{file_path}:{line_num}"
+                clipped_location = clip(location, 36)
+                
+                print(f"{Colors.MAGENTA}{provider:12}{Colors.RESET} {message:22} {preview:24} {clipped_location}")
+
+            
+        security_issues = result.get("danger", [])
+        if security_issues:
+            print(f"\n{Colors.RED}{Colors.BOLD}Security issues{Colors.RESET}")
+            print(f"{Colors.RED}{'=' * 15}{Colors.RESET}")
+            print(f"{Colors.BOLD}{'rule_id':10} {'sev':5} {'message':38} {'where'}{Colors.RESET}")
+            print(f"{'-' * 10} {'-' * 5} {'-' * 38} {'-' * 36}")
+            
+            for issue in security_issues[:100]:
+                rule_id = clip(issue.get("rule_id") or "", 10)
+                severity = (issue.get("severity") or "").upper()
+                message = clip(issue.get("message") or "", 38)
+                
+                file_path = issue.get('file', '?')
+                line_num = issue.get('line', '?')
+                location = f"{file_path}:{line_num}"
+                clipped_location = clip(location, 36)
+                
+                severity_color_code = severity_color(severity)
+                clipped_severity = clip(severity, 5)
+                
+                print(f"{rule_id:10} {severity_color_code}{clipped_severity:5}{Colors.RESET} {message:38} {clipped_location}")
+
+        summ = result.get("analysis_summary", {})
+        unused_keys = [
+            "unused_functions",
+            "unused_imports", 
+            "unused_classes",
+            "unused_variables",
+            "unused_parameters"
+        ]
+
+        total_unused = 0
+        for k in unused_keys:
+            total_unused += len(result.get(k, []))
+  
+        print(f"\n{Colors.BOLD}Summary{Colors.RESET}")
+
+        print("=======")
+        print(f"files analyzed : {summ.get('total_files','?')}")
+        print(f"unused items   : {total_unused}")
+        if "secrets_count" in summ:
+            print(f"secrets        : {summ['secrets_count']}")
+        if "danger_count" in summ:
+            print(f"security issues: {summ['danger_count']}")
+        return
 
     if args.json:
         lg = logging.getLogger('skylos')
@@ -335,6 +463,7 @@ def main():
     unused_variables = result.get("unused_variables", [])
     unused_classes = result.get("unused_classes", [])
     secrets_findings = result.get("secrets", [])
+    danger_findings = result.get("danger", [])
     
     logger.info(f"{Colors.CYAN}{Colors.BOLD} Python Static Analysis Results{Colors.RESET}")
     logger.info(f"{Colors.CYAN}{'=' * 35}{Colors.RESET}")
@@ -347,6 +476,8 @@ def main():
     logger.info(f" * Unused classes: {Colors.YELLOW}{len(unused_classes)}{Colors.RESET}")
     if secrets_findings:
         logger.info(f" * Secrets: {Colors.RED}{len(secrets_findings)}{Colors.RESET}")
+    if danger_findings:
+        logger.info(f" * Security issues: {Colors.RED}{len(danger_findings)}{Colors.RESET}")
 
     if args.interactive and (unused_functions or unused_imports):
         logger.info(f"\n{Colors.BOLD}Interactive Mode:{Colors.RESET}")
@@ -477,10 +608,27 @@ def main():
                 prev = s.get("preview", "****")
                 msg = s.get("message", "Secret detected")
                 logger.info(f"{Colors.GRAY}{i:2d}. {Colors.RESET}{msg} [{provider}] {Colors.GRAY}({where}){Colors.RESET} -> {prev}")
+        
+        if danger_findings:
+            logger.info(f"\n{Colors.RED}{Colors.BOLD} - Security Issues{Colors.RESET}")
+            logger.info(f"{Colors.RED}{'=' * 16}{Colors.RESET}")
+            for i, d in enumerate(danger_findings[:20], 1):
+                rule_id = d.get("rule_id", "unknown_rule")
+                severity = d.get("severity", "UNKNOWN").upper()
+                message = d.get("message", "Issue detected")
+                file = d.get("file", "?")
+                line = d.get("line", "?")
+                logger.info(f"{Colors.GRAY}{i:2d}. {Colors.RESET}{message} [{rule_id}] {Colors.GRAY}({file}:{line}){Colors.RESET} Severity: {severity}")
 
         dead_code_count = len(unused_functions) + len(unused_imports) + len(unused_variables) + len(unused_classes) + len(unused_parameters)
 
-        print_badge(dead_code_count, logger)
+        danger_count = len(danger_findings) if args.danger else 0
+        print_badge(
+            dead_code_count,
+            logger,
+            danger_enabled=bool(args.danger),
+            danger_count=danger_count,
+        )
 
         if unused_functions or unused_imports:
             logger.info(f"\n{Colors.BOLD}Next steps:{Colors.RESET}")

skylos/rules/danger/danger.py

@@ -0,0 +1,141 @@
+from __future__ import annotations
+import ast
+import sys
+from pathlib import Path
+from .danger_sql.sql_flow import scan as scan_sql
+from .danger_cmd.cmd_flow import scan as scan_cmd
+from .danger_sql.sql_raw_flow import scan as scan_sql_raw
+from .danger_net.ssrf_flow import scan as scan_ssrf
+from .danger_fs.path_flow import scan as scan_path
+from .danger_web.xss_flow import scan as scan_xss
+
+ALLOWED_SUFFIXES = (".py", ".pyi", ".pyw")
+
+DANGEROUS_CALLS = {
+    "eval": ("SKY-D201", "HIGH", "Use of eval()"),
+    "exec": ("SKY-D202", "HIGH", "Use of exec()"),
+    "pickle.load": ("SKY-D203", "CRITICAL", "Untrusted deserialization via pickle.load"),
+    "pickle.loads": ("SKY-D204", "CRITICAL", "Untrusted deserialization via pickle.loads"),
+    "yaml.load": ("SKY-D205", "HIGH", "yaml.load without SafeLoader"),
+    "hashlib.md5": ("SKY-D206", "MEDIUM", "Weak hash (MD5)"),
+    "hashlib.sha1": ("SKY-D207", "MEDIUM", "Weak hash (SHA1)"),
+    "requests.*": ("SKY-D208", "HIGH", "requests call with verify=False",
+                   {"kw_equals": {"verify": False}}),
+}
+
+def _matches_rule(name, rule_key):
+    if not name:
+        return False
+    if rule_key.endswith(".*"):
+        return name.startswith(rule_key[:-2] + ".")
+    return name == rule_key
+
+def _kw_equals(node: ast.Call, requirements):
+    if not requirements:
+        return True
+    kw_map = {}
+    for kw in (node.keywords or []):
+        if kw.arg:
+            kw_map[kw.arg] = kw.value
+            
+    for key, expected in requirements.items():
+        val = kw_map.get(key)
+        if not isinstance(val, ast.Constant):
+            return False
+        if val.value != expected:
+            return False
+    return True
+
+def qualified_name_from_call(node: ast.Call):
+    func = node.func
+    parts = []
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+    return None
+
+def _yaml_load_without_safeloader(node: ast.Call):
+    name = qualified_name_from_call(node)
+    if name != "yaml.load":
+        return False
+    
+    for kw in (node.keywords or []):
+        if kw.arg == "Loader":
+            text = ast.unparse(kw.value)
+            return "SafeLoader" not in text
+    return True
+
+def _add_finding(findings,
+                 file_path: Path,
+                 node: ast.AST,
+                 rule_id,
+                 severity,
+                 message):
+    findings.append({
+        "rule_id": rule_id,
+        "severity": severity,
+        "message": message,
+        "file": str(file_path),
+        "line": getattr(node, "lineno", 1),
+        "col": getattr(node, "col_offset", 0),
+    })
+
+def _scan_file(file_path: Path, findings):
+    src = file_path.read_text(encoding="utf-8", errors="ignore")
+    tree = ast.parse(src)
+    
+    scan_sql(tree, file_path, findings)
+    scan_cmd(tree, file_path, findings)
+    scan_sql_raw(tree, file_path, findings)
+    scan_ssrf(tree, file_path, findings)
+    scan_path(tree, file_path, findings)
+    scan_xss(tree, file_path, findings)
+    
+    for node in ast.walk(tree):
+        if not isinstance(node, ast.Call):
+            continue
+
+        name = qualified_name_from_call(node)
+        if not name:
+            continue
+
+        for rule_key, tup in DANGEROUS_CALLS.items():
+            rule_id = tup[0]
+            severity = tup[1]
+            message = tup[2]
+
+            if len(tup) > 3:
+                opts = tup[3]
+            else:
+                opts = None
+
+            if not _matches_rule(name, rule_key):
+                continue
+                                    
+            if rule_key == "yaml.load":
+                if not _yaml_load_without_safeloader(node):
+                    continue
+            if opts and "kw_equals" in opts:
+                if not _kw_equals(node, opts["kw_equals"]):
+                    continue
+
+            _add_finding(findings, file_path, node, rule_id, severity, message)
+            break
+
+def scan_ctx( _, files):
+    findings = []
+
+    for file_path in files:
+        if file_path.suffix.lower() not in ALLOWED_SUFFIXES:
+            continue
+        
+        try:
+            _scan_file(file_path, findings)
+        except Exception as e:
+            print(f"Scan failed for {file_path}: {e}", file=sys.stderr)
+            
+    return findings