sqc 0.4.13

Software Code Quality - CERT C compliance checker
# Analyze Module

This module contains the core analysis engine that orchestrates the security scanning process and manages violation suppression.

## Components

### `mod.rs` - Analysis Orchestration
The main analysis module that coordinates:
- File discovery and filtering
- C code parsing with tree-sitter
- Rule execution across the AST
- Violation aggregation and deduplication
- Integration with suppression system

### `suppression.rs` - Violation Suppression System
Implements SHA-256-based suppression management:
- Generation of unique hashes for violations
- Loading and saving suppression files (`.sqc-suppress.toml`)
- Filtering of suppressed violations from results
- Audit trail for suppression reasons

## Analysis Pipeline

1. **Project Initialization**
   - Load manifest configuration
   - Discover C source files (.c, .h)
   - Filter based on gitignore rules

2. **File Processing**
   - Parse each C file into an AST using tree-sitter
   - Walk the AST nodes recursively

3. **Rule Application**
   - Apply each enabled CERT rule to AST nodes
   - Collect violations with context information
   - Calculate severity based on rule configuration

4. **Suppression Filtering**
   - Load the suppression file if one exists
   - Generate SHA-256 hash for each violation
   - Filter out matching suppressed violations

5. **Result Aggregation**
   - Deduplicate violations
   - Sort by severity and location
   - Prepare for UI display or export

## Key Functions

### `analyze_project()`
Main entry point that:
- Accepts project path and manifest
- Returns vector of violations
- Propagates errors with added context rather than aborting the scan without explanation

### `handle_generate_suppression()`
Creates suppression file by:
- Running full analysis
- Generating hashes for all violations
- Writing `.sqc-suppress.toml` file

### `apply_suppressions()`
Filters violations by:
- Computing SHA-256 hash from violation data
- Matching against suppression database
- Preserving non-suppressed violations

## Suppression File Format

```toml
[[suppressions]]
file = "src/example.c"
rule = "ARR30-C"
line = 42
column = 15
hash = "a1b2c3d4e5f6..."
reason = "Bounds check performed in calling function"
timestamp = "2024-01-15T10:30:00Z"
```

## Performance Considerations

- Tree-sitter supports incremental parsing, so re-parsing an edited file is cheap
- Rules are applied in a single AST traversal
- Suppression lookup is a HashMap lookup, O(1) on average
- File I/O is minimized through caching

## Error Handling

The module uses `anyhow::Result` for error propagation with contextual information:
- File access errors
- Parse failures
- Rule execution errors
- Suppression file corruption

## Integration Points

- **Parser Module** - For C code AST generation
- **Rules Module** - For CERT rule execution
- **Manifest Module** - For configuration loading
- **Files Module** - For source file discovery