feat: add Requires field to the Analyzer struct (#184)

Also add a scope tree checker that uses the `Requires` field to pass data to another checker. This new checker detects unused imports in JS files.

Author: sourya-deepsource

analysis/analyzer.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"reflect"
 	"slices"
 
 	sitter "github.com/smacker/go-tree-sitter"
@@ -50,14 +51,19 @@ type Analyzer struct {
 	Category    Category
 	Severity    Severity
 	Language    Language
-	Run         func(*Pass) (interface{}, error)
+	Requires    []*Analyzer
+	Run         func(*Pass) (any, error)
+	ResultType  reflect.Type
 }
 
 type Pass struct {
 	Analyzer    *Analyzer
 	FileContext *ParseResult
 	Files       []*ParseResult
+	ResultOf    map[*Analyzer]any
 	Report      func(*Pass, *sitter.Node, string)
+	// TODO (opt): the cache should ideally not be stored in-memory
+	ResultCache map[*Analyzer]map[*ParseResult]any
 }
 
 func walkTree(node *sitter.Node, f func(*sitter.Node)) {
@@ -88,11 +94,21 @@ var defaultIgnoreDirs = []string{
 	".vitepress",
 }
 
+func findAnalyzers(analyzer *Analyzer) []*Analyzer {
+	analyzers := []*Analyzer{}
+	for _, req := range analyzer.Requires {
+		analyzers = append(analyzers, findAnalyzers(req)...)
+	}
+	analyzers = append(analyzers, analyzer)
+	return analyzers
+}
+
 func RunAnalyzers(path string, analyzers []*Analyzer, fileFilter func(string) bool) ([]*Issue, error) {
 	raisedIssues := []*Issue{}
 	langAnalyzerMap := make(map[Language][]*Analyzer)
+
 	for _, analyzer := range analyzers {
-		langAnalyzerMap[analyzer.Language] = append(langAnalyzerMap[analyzer.Language], analyzer)
+		langAnalyzerMap[analyzer.Language] = append(langAnalyzerMap[analyzer.Language], findAnalyzers(analyzer)...)
 	}
 
 	trees := make(map[Language][]*ParseResult)
@@ -138,24 +154,32 @@ func RunAnalyzers(path string, analyzers []*Analyzer, fileFilter func(string) bo
 	}
 
 	for lang, analyzers := range langAnalyzerMap {
-		for _, analyzer := range analyzers {
-			allFiles := trees[lang]
-			if len(allFiles) == 0 {
-				continue
-			}
+		pass := &Pass{
+			Files:       trees[lang],
+			Report:      reportFunc,
+			ResultOf:    make(map[*Analyzer]any),
+			ResultCache: make(map[*Analyzer]map[*ParseResult]any),
+		}
+
+		for _, file := range pass.Files {
+			pass.FileContext = file
+			for _, analyzer := range analyzers {
+				pass.Analyzer = analyzer
 
-			for _, file := range allFiles {
-				pass := &Pass{
-					Analyzer:    analyzer,
-					FileContext: file,
-					Files:       trees[lang],
-					Report:      reportFunc,
+				if len(pass.Files) == 0 {
+					continue
 				}
 
-				_, err := analyzer.Run(pass)
+				result, err := analyzer.Run(pass)
 				if err != nil {
 					return raisedIssues, err
 				}
+
+				pass.ResultOf[analyzer] = result
+				if _, ok := pass.ResultCache[analyzer]; !ok {
+					pass.ResultCache[analyzer] = make(map[*ParseResult]any)
+				}
+				pass.ResultCache[analyzer][file] = result
 			}
 		}
 	}

analysis/scope_ts.go analysis/ts_scope.goanalysis/scope_ts.go renamed to analysis/ts_scope.go

@@ -30,6 +30,7 @@ var ScopeNodes = []string{
 	"for_statement",
 	"for_in_statement",
 	"for_of_statement",
+	"program",
 }
 
 func (ts *TsScopeBuilder) NodeCreatesScope(node *sitter.Node) bool {

analysis/scope_ts_test.go analysis/ts_scope_test.goanalysis/scope_ts_test.go renamed to analysis/ts_scope_test.go

@@ -1,10 +1,10 @@
-package main
+package golang
 
 import (
 	// <expect-error> usage of cgi package
-	"net/http/cgi"
 	"fmt"
 	"net/http"
+	"net/http/cgi"
 )
 
 func cgi_test() {

checkers/go/cgi_import.test.go

@@ -1,31 +1,24 @@
-// <expect-error>
-fmt.Print()
-
-// <expect-error>
-fmt.Println()
-
-
-package main
+package golang
 
 import (
 	"fmt"
-	"logger"
+	"log"
 )
 
-func main() {
+func testFmtInProd() {
 	// <expect-error>
-    fmt.Print("Hello, ")
+	fmt.Print("Hello, ")
 	// <expect-error>
-    fmt.Print("World!")
+	fmt.Print("World!")
 	// <expect-error>
-	fmt.Println("Hello, World!") 
+	fmt.Println("Hello, World!")
 	// <expect-error>
-    fmt.Println("Line 1")
+	fmt.Println("Line 1")
 	// <expect-error>
 	fmt.Printf("Name: %s, Age: %d\n", name, age)
 
 	// Safe
-	logger.Info("Hello, World!")
+	log.Println("Hello, World!")
 	//Safe
-	logger.Debug("Hello, World!")
+	log.Println("Hello, World!")
 }

checkers/go/fmt_print_in_prod.test.go

@@ -1,4 +1,4 @@
-package main
+package golang
 
 import (
 	"log"

checkers/go/http_file_server.test.go

@@ -1,11 +1,11 @@
-package main
+package golang
 
 import (
 	"fmt"
 	"os"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
+	"jwt"
 )
 
 // CustomClaims defines the JWT claims structure.
@@ -14,7 +14,7 @@ type CustomClaims struct {
 	jwt.RegisteredClaims
 }
 
-func main() {
+func test() {
 	// Create claims with username and expiration time
 	claims := CustomClaims{
 		Username: "example_user",

checkers/go/jwt_none_algorithm.test.go

@@ -1,11 +1,12 @@
-package main
+package golang
 
 import (
 	"crypto/rand"
 	"fmt"
-	// <expect-error> import "math/rand"
-	"math/rand"
+
 	"math/big"
+	// <expect-error> import "math/rand"
+	mathrand "math/rand"
 	"time"
 )
 
@@ -15,7 +16,7 @@ func unsafeRandomExample(n int) {
 	// -------------------------
 	// Weak random number generator
 	mathrand.Seed(time.Now().UnixNano())
-	randomNumber := rand.Intn(n)     // Not suitable for cryptographic purposes
+	randomNumber := mathrand.Intn(n) // Not suitable for cryptographic purposes
 	fmt.Printf("Unsafe random number (math/rand): %d\n", randomNumber)
 }
 

checkers/go/math_rand.test.go

@@ -1,4 +1,4 @@
-package main
+package golang
 
 import (
 	"crypto/sha1"   // Insecure: Weak hash function (SHA-1)
@@ -7,7 +7,7 @@ import (
 	"fmt"
 )
 
-func main() {
+func testSha1WeakHash() {
 	data := "sensitive_data"
 
 	// Insecure: Using SHA-1 (considered broken and vulnerable to collision attacks)
@@ -43,6 +43,6 @@ func hashWithSHA256(data string) []byte {
 // More Secure: SHA-512 hashing (for higher security needs)
 func hashWithSHA512(data string) []byte {
 	hasher := sha512.New()
-	 hashBytes := hasher.Write([]byte(data))
-	return hashBytes
-}
+	_, _ = hasher.Write([]byte(data))
+	return hasher.Sum([]byte{})
+}

checkers/go/sha1_weak_hash.test.go

@@ -0,0 +1,21 @@
+// scope resolution implementation for JS and TS files
+package javascript
+
+import (
+	"reflect"
+
+	"globstar.dev/analysis"
+)
+
+var ScopeAnalyzer = &analysis.Analyzer{
+	Name:       "js-scope",
+	ResultType: reflect.TypeOf(&analysis.ScopeTree{}),
+	Run:        buildScopeTree,
+	Language:   analysis.LangJs,
+}
+
+func buildScopeTree(pass *analysis.Pass) (any, error) {
+	// Create scope builder for JavaScript
+	scope := analysis.MakeScopeTree(pass.Analyzer.Language, pass.FileContext.Ast, pass.FileContext.Source)
+	return scope, nil
+}