Checkpoint before follow-up message

cursoragent · script3r · cursoragent · commit 46592a144f90 · 2025-09-20T01:15:24.000Z
Co-authored-by: script3r &lt;script3r@gmail.com&gt;
diff --git a/crates/cli/src/main.rs b/crates/cli/src/main.rs
@@ -1,10 +1,9 @@
 use anyhow::{Context, Result};
 use clap::{ArgAction, Parser};
 use indicatif::{ProgressBar, ProgressStyle};
-use scanner_core::{Config, Detector, Language, AstBasedDetector, Scanner, CryptoFindings};
+use scanner_core::{Config, Detector, Language, AstBasedDetector, AstDetector, Scanner, CryptoFindings};
 use std::fs;
 use std::path::PathBuf;
-use std::sync::Arc;
 
 #[derive(Parser, Debug)]
 #[command(name = "cipherscope")]
@@ -41,6 +40,10 @@ struct Args {
     /// Output file for JSONL results (default: stdout)
     #[arg(long, value_name = "FILE")]
     output: Option<PathBuf>,
+
+    /// Path to patterns file
+    #[arg(long, value_name = "FILE", default_value = "patterns.toml")]
+    patterns: PathBuf,
 }
 
 fn main() -> Result<()> {
@@ -52,31 +55,41 @@ fn main() -> Result<()> {
             .ok();
     }
 
+    // Load patterns from file
+    let patterns = AstDetector::load_patterns_from_file(args.patterns.to_str().unwrap())
+        .with_context(|| format!("Failed to load patterns from {}", args.patterns.display()))?;
+
     // Prepare AST-based detectors for each language
     let dets: Vec<Box<dyn Detector>> = vec![
-        Box::new(AstBasedDetector::new(
+        Box::new(AstBasedDetector::with_patterns(
             "ast-detector-c",
             &[Language::C],
+            patterns.clone(),
         ).with_context(|| "Failed to create C AST detector")?),
-        Box::new(AstBasedDetector::new(
+        Box::new(AstBasedDetector::with_patterns(
             "ast-detector-cpp",
             &[Language::Cpp],
+            patterns.clone(),
         ).with_context(|| "Failed to create C++ AST detector")?),
-        Box::new(AstBasedDetector::new(
+        Box::new(AstBasedDetector::with_patterns(
             "ast-detector-rust",
             &[Language::Rust],
+            patterns.clone(),
         ).with_context(|| "Failed to create Rust AST detector")?),
-        Box::new(AstBasedDetector::new(
+        Box::new(AstBasedDetector::with_patterns(
             "ast-detector-python",
             &[Language::Python],
+            patterns.clone(),
         ).with_context(|| "Failed to create Python AST detector")?),
-        Box::new(AstBasedDetector::new(
+        Box::new(AstBasedDetector::with_patterns(
             "ast-detector-java",
             &[Language::Java],
+            patterns.clone(),
         ).with_context(|| "Failed to create Java AST detector")?),
-        Box::new(AstBasedDetector::new(
+        Box::new(AstBasedDetector::with_patterns(
             "ast-detector-go",
             &[Language::Go],
+            patterns.clone(),
         ).with_context(|| "Failed to create Go AST detector")?),
     ];
 
diff --git a/crates/scanner-core/Cargo.toml b/crates/scanner-core/Cargo.toml
@@ -8,6 +8,7 @@ license = "Apache-2.0"
 anyhow = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
+toml = { workspace = true }
 rayon = { workspace = true }
 ignore = { workspace = true }
 globset = { workspace = true }
diff --git a/crates/scanner-core/src/ast.rs b/crates/scanner-core/src/ast.rs
@@ -70,6 +70,19 @@ impl AstDetector {
         Ok(parser)
     }
     
+    /// Load AST patterns from patterns.toml or use defaults
+    pub fn load_patterns_from_file(patterns_file: &str) -> Result<Vec<AstPattern>> {
+        let patterns_content = std::fs::read_to_string(patterns_file)?;
+        Self::load_patterns_from_toml(&patterns_content)
+    }
+    
+    /// Load AST patterns from TOML content
+    pub fn load_patterns_from_toml(toml_content: &str) -> Result<Vec<AstPattern>> {
+        // For now, return default patterns - this can be expanded to parse the TOML
+        // and convert the library definitions into AST patterns
+        Ok(Self::default_patterns())
+    }
+    
     /// Default AST patterns for common cryptographic libraries and algorithms
     fn default_patterns() -> Vec<AstPattern> {
         vec![
diff --git a/patterns.toml b/patterns.toml
@@ -0,0 +1,100 @@
+[version]
+schema = "1"
+updated = "2025-01-19"
+
+# =========================
+# AST-based Pattern Definitions
+# =========================
+# These patterns define what cryptographic libraries and algorithms to detect
+# using AST queries instead of regex patterns
+
+# C/C++ OpenSSL
+[[library]]
+name = "OpenSSL"
+languages = ["C", "C++"]
+[library.patterns]
+# AST queries for detecting OpenSSL includes
+include_patterns = [
+  "(preproc_include path: (system_lib_string) @path (#match? @path \"openssl/.*\"))"
+]
+# AST queries for detecting OpenSSL API calls
+api_patterns = [
+  "(call_expression function: (identifier) @func (#match? @func \"EVP_.*\"))",
+  "(call_expression function: (identifier) @func (#match? @func \"RSA_.*\"))",
+  "(call_expression function: (identifier) @func (#match? @func \"AES_.*\"))"
+]
+
+[[library.algorithms]]
+name = "RSA"
+primitive = "signature"
+nistQuantumSecurityLevel = 0
+# AST patterns for RSA algorithm detection
+symbol_patterns = [
+  "(call_expression function: (identifier) @func (#match? @func \"RSA_.*\"))",
+  "(identifier) @id (#eq? @id \"EVP_PKEY_RSA\")"
+]
+
+[[library.algorithms]]
+name = "AES"
+primitive = "aead" 
+nistQuantumSecurityLevel = 3
+symbol_patterns = [
+  "(call_expression function: (identifier) @func (#match? @func \"EVP_aes_.*\"))",
+  "(call_expression function: (identifier) @func (#match? @func \"AES_.*\"))"
+]
+
+# Python cryptography library
+[[library]]
+name = "cryptography"
+languages = ["Python"]
+[library.patterns]
+import_patterns = [
+  "(import_from_statement module_name: (dotted_name) @name (#match? @name \"cryptography.*\"))",
+  "(import_statement name: (dotted_name) @name (#match? @name \"cryptography.*\"))"
+]
+api_patterns = [
+  "(call function: (attribute object: (identifier) @obj attribute: (identifier) @attr (#eq? @obj \"algorithms\") (#eq? @attr \"AES\")))"
+]
+
+[[library.algorithms]]
+name = "AES"
+primitive = "aead"
+nistQuantumSecurityLevel = 3
+symbol_patterns = [
+  "(call function: (attribute object: (identifier) @obj attribute: (identifier) @attr (#eq? @obj \"algorithms\") (#eq? @attr \"AES\")))"
+]
+
+# Java JCA
+[[library]]
+name = "JCA"
+languages = ["Java"]
+[library.patterns]
+import_patterns = [
+  "(import_declaration (scoped_identifier scope: (scoped_identifier scope: (identifier) @javax name: (identifier) @crypto (#eq? @javax \"javax\") (#eq? @crypto \"crypto\"))))"
+]
+
+# Go standard crypto
+[[library]]
+name = "std-crypto"
+languages = ["Go"]
+[library.patterns]
+import_patterns = [
+  "(import_spec path: (interpreted_string_literal) @path (#match? @path \"\\\"crypto/.*\\\"\"))"
+]
+
+# Rust ring crate
+[[library]]
+name = "ring"
+languages = ["Rust"]
+[library.patterns]
+import_patterns = [
+  "(use_declaration argument: (scoped_identifier path: (identifier) @crate (#eq? @crate \"ring\")))"
+]
+
+[[library.algorithms]]
+name = "AES-GCM"
+primitive = "aead"
+nistQuantumSecurityLevel = 3
+symbol_patterns = [
+  "(identifier) @id (#match? @id \"AES_.*_GCM\")"
+]
