debtmap 0.16.4

Code complexity and technical debt analyzer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

/// Test suite that documents the false positive bugs
/// These tests serve as documentation and will help verify when the bugs are fixed

#[test]
fn test_gap_security_module_bypasses_context_aware() {
    // ISSUE: The security module (src/security/mod.rs) has its own detectors
    // that don't go through the context-aware wrapper

    // The call chain is:
    // 1. main.rs calls analyze with --context-aware flag
    // 2. This sets DEBTMAP_CONTEXT_AWARE=true
    // 3. analyze_single_file in analysis_utils.rs checks this env var
    // 4. It creates a context-aware analyzer wrapper
    // 5. BUT: The security module's detect_security_vulnerabilities is called separately
    // 6. It doesn't check the context-aware flag or filter test functions

    // This test documents the architectural issue
    // TODO: Security module needs to be integrated with context-aware system
}

#[test]
fn test_gap_input_validation_detector_ignores_test_functions() {
    // ISSUE: input_validation_detector.rs doesn't check if a function is a test

    // The detector looks for patterns like:
    // - Variables named 'input', 'param', 'arg'
    // - Methods like 'read', 'parse', 'from'
    // - Lack of validation methods

    // But it doesn't check:
    // - If the function has #[test] attribute
    // - If it's in a #[cfg(test)] module
    // - If the function name starts with 'test_'

    // TODO: Input validation detector needs test function awareness
}

#[test]
fn test_gap_priority_module_may_add_issues() {
    // ISSUE: The priority module might be adding or modifying debt items

    // When the user runs with --lcov, the priority module processes debt items
    // It's possible that Input Validation issues are being added or modified
    // during the priority scoring phase

    // TODO: Priority module interaction needs investigation
}

#[test]
fn test_gap_no_integration_tests_for_cli_flags() {
    // ISSUE: We had unit tests but no integration tests for the full CLI flow

    // Unit tests tested individual components:
    // - ContextDetector
    // - ContextAwareAnalyzer
    // - Rule evaluation

    // But we didn't test:
    // - The full CLI command with --context-aware
    // - Security module integration
    // - Priority scoring with context-aware

    // TODO: Need comprehensive integration tests for CLI flags
}

#[test]
fn test_expected_behavior_documentation() {
    // When --context-aware is enabled, the system should:

    // 1. Filter out security issues in test functions
    //    - Functions with #[test] attribute
    //    - Functions in #[cfg(test)] modules
    //    - Functions whose names start with 'test_'

    // 2. Allow certain patterns in appropriate contexts:
    //    - Blocking I/O in main() functions
    //    - Blocking I/O in config loaders
    //    - Input validation issues in test code

    // 3. Reduce false positives by 60%+ as per spec 43

    // This documents the expected behavior
}

#[test]
fn test_affected_files_documentation() {
    // Files that need to be fixed:

    // 1. src/security/input_validation_detector.rs
    //    - Add test function detection
    //    - Check context-aware flag

    // 2. src/security/mod.rs
    //    - Integrate with context-aware system
    //    - Pass context information to detectors

    // 3. src/priority/mod.rs (maybe)
    //    - Investigate if it's adding issues
    //    - Ensure it respects context-aware filtering

    // This documents the files that need changes
}