Skip to content

Commit 8e9bc6a

Browse files
tob-scott-aalexander-heinrichdependabot[bot]
authored
Prepare v0.5.0 release features (#67)
* fix(csharp): attribute declarations under file-scoped namespaces correctly The C# grammar represents a file-scoped namespace (namespace X;) as file_scoped_namespace_declaration, a distinct node type from namespace_declaration with no body field: every top-level declaration after it belongs to that namespace. _visit_top_level only matched namespace_declaration, so types under a file-scoped namespace were silently attributed to the module instead - no NAMESPACE CodeUnit, no CONTAINS edge from the namespace. Track the active file-scoped namespace while walking the top level in _visit_module and route subsequent declarations through _visit_ns_child, mirroring what _extract_namespace does with a braced body. Factor the shared CodeUnit/CONTAINS-edge creation into _create_namespace_unit. If the namespace node has no extractable name, later declarations keep falling back to module attribution. * build(deps): bump the all group across 1 directory with 6 updates Bumps the all group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `6.0.3` | `7.0.0` | | [astral-sh/ruff-action](https://github.com/astral-sh/ruff-action) | `4.0.0` | `4.1.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `8.2.0` | `8.3.1` | | [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `4.1.0` | `4.1.1` | | [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.6` | `0.5.7` | Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) Updates `astral-sh/ruff-action` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/astral-sh/ruff-action/releases) - [Commits](astral-sh/ruff-action@0ce1b0b...278981a) Updates `astral-sh/setup-uv` from 8.2.0 to 8.3.1 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@fac544c...f98e069) Updates `actions/setup-python` from 6.2.0 to 6.3.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@a309ff8...ece7cb0) Updates `actions/attest-build-provenance` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](actions/attest-build-provenance@a2bbfa2...0f67c3f) Updates `zizmorcore/zizmor-action` from 0.5.6 to 0.5.7 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all - dependency-name: astral-sh/ruff-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: astral-sh/setup-uv dependency-version: 8.3.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: actions/setup-python dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: actions/attest-build-provenance dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com> * feat: prepare v0.5.0 release features --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Alexander Heinrich <hallo@alexanderheinrich.de> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent b880671 commit 8e9bc6a

35 files changed

Lines changed: 1426 additions & 77 deletions

.github/workflows/ci.yml

Lines changed: 25 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -18,29 +18,29 @@ jobs:
1818
name: Lint
1919
runs-on: ubuntu-latest
2020
steps:
21-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
21+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2222
with:
2323
persist-credentials: false
2424

25-
- uses: astral-sh/ruff-action@0ce1b0bf8b818ef400413f810f8a11cdbda0034b # v4.0.0
25+
- uses: astral-sh/ruff-action@278981a28ce3188b1e39527901f38254bf3aac89 # v4.1.0
2626
with:
2727
args: check src/ tests/
2828

29-
- uses: astral-sh/ruff-action@0ce1b0bf8b818ef400413f810f8a11cdbda0034b # v4.0.0
29+
- uses: astral-sh/ruff-action@278981a28ce3188b1e39527901f38254bf3aac89 # v4.1.0
3030
with:
3131
args: format --check src/ tests/
3232

3333
type-check:
3434
name: Type Check
3535
runs-on: ubuntu-latest
3636
steps:
37-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
37+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3838
with:
3939
persist-credentials: false
4040

41-
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
41+
- uses: astral-sh/setup-uv@f98e06938123ccabd21905ea5d0069192241f9f1 # v8.3.1
4242

43-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
43+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
4444
with:
4545
python-version: "3.13"
4646

@@ -55,16 +55,32 @@ jobs:
5555
matrix:
5656
python-version: ["3.12", "3.13", "3.14"]
5757
steps:
58-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
58+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
5959
with:
6060
persist-credentials: false
6161

62-
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
62+
- uses: astral-sh/setup-uv@f98e06938123ccabd21905ea5d0069192241f9f1 # v8.3.1
6363

64-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
64+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
6565
with:
6666
python-version: ${{ matrix.python-version }}
6767

6868
- run: uv sync --all-groups
6969

7070
- run: uv run pytest -q tests/
71+
72+
package:
73+
name: Package Smoke Test
74+
runs-on: ubuntu-latest
75+
steps:
76+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
77+
with:
78+
persist-credentials: false
79+
80+
- uses: astral-sh/setup-uv@f98e06938123ccabd21905ea5d0069192241f9f1 # v8.3.1
81+
82+
- run: uv build
83+
- run: uv venv /tmp/trailmark-wheel && uv pip install --python /tmp/trailmark-wheel dist/*.whl
84+
- run: /tmp/trailmark-wheel/bin/python tests/package_smoke.py tests/fixtures/kat
85+
- run: uv venv /tmp/trailmark-sdist && uv pip install --python /tmp/trailmark-sdist dist/*.tar.gz
86+
- run: /tmp/trailmark-sdist/bin/python tests/package_smoke.py tests/fixtures/kat

.github/workflows/mutation.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,13 +18,13 @@ jobs:
1818
name: Mutation Testing
1919
runs-on: ubuntu-latest
2020
steps:
21-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
21+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2222
with:
2323
persist-credentials: false
2424

25-
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
25+
- uses: astral-sh/setup-uv@f98e06938123ccabd21905ea5d0069192241f9f1 # v8.3.1
2626

27-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
27+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
2828
with:
2929
python-version: "3.13"
3030

.github/workflows/publish.yml

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,20 +13,24 @@ jobs:
1313
permissions:
1414
contents: read
1515
steps:
16-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
16+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
1717
with:
1818
persist-credentials: false
1919

20-
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
20+
- uses: astral-sh/setup-uv@f98e06938123ccabd21905ea5d0069192241f9f1 # v8.3.1
2121
with:
2222
enable-cache: false
2323

24-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
24+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
2525
with:
2626
python-version: "3.13"
2727

2828
- run: uv build
2929

30+
- run: uv venv /tmp/trailmark-release && uv pip install --python /tmp/trailmark-release dist/*.whl
31+
32+
- run: /tmp/trailmark-release/bin/python tests/package_smoke.py tests/fixtures/kat
33+
3034
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
3135
with:
3236
name: dist
@@ -47,7 +51,7 @@ jobs:
4751
name: dist
4852
path: dist/
4953

50-
- uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
54+
- uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
5155
with:
5256
subject-path: "dist/*"
5357

.github/workflows/semgrep.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,11 +18,11 @@ jobs:
1818
name: Semgrep Scan
1919
runs-on: ubuntu-latest
2020
steps:
21-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
21+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2222
with:
2323
persist-credentials: false
2424

25-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
25+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
2626
with:
2727
python-version: "3.13"
2828

.github/workflows/zizmor.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,11 +23,11 @@ jobs:
2323
name: Workflow Security Audit
2424
runs-on: ubuntu-latest
2525
steps:
26-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
26+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2727
with:
2828
persist-credentials: false
2929

30-
- uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
30+
- uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
3131
with:
3232
version: latest
3333
advanced-security: false

CHANGELOG.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
# Changelog
2+
3+
## 0.5.0
4+
5+
- Pin `tree-sitter` to the compatible 0.25 series, with large-file native-crash
6+
regressions for Go, Rust, Solidity, and TypeScript (#61, #62).
7+
- Detect Solidity entrypoints from parser metadata, exclude interfaces, suppress
8+
overridden base implementations, and expose visibility/mutability (#57).
9+
- Resolve straightforward constructed TypeScript interface receivers and
10+
document call-reachability versus taint limitations (#30).
11+
- Add PostgreSQL-oriented SQL schema, table, view, function, procedure, and
12+
dependency extraction (#59).
13+
- Add stable `.trailmark/links.toml` configuration for cross-language, FFI, RPC,
14+
and external/binary graph links (#58).
15+
- Support C# file-scoped namespaces (#63).
16+
- Document grammar caching and TLS-inspection/offline installation (#39).
17+
- Add wheel/sdist installed-package smoke tests across all supported languages.
18+
19+
New `NodeKind` members are additive. `.trailmark/links.toml` is a new stable
20+
configuration interface. Dynamic dispatch, full SQL query semantics, and true
21+
interprocedural taint analysis remain out of scope for this release.

CONTRIBUTING.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
## Setup
44

5-
Requires Python >= 3.13 and [uv](https://docs.astral.sh/uv/).
5+
Requires Python >= 3.12 and [uv](https://docs.astral.sh/uv/).
66

77
```bash
88
uv sync --all-groups

README.md

Lines changed: 59 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,7 @@ A language-specific parser walks the directory, parses each file into a tree-sit
7171
| Proto | `.proto` | services, RPCs, messages, fields, enums |
7272
| Thrift | `.thrift` | services, functions, structs, fields, enums |
7373
| GraphQL | `.graphql`, `.gql` | object types, root operations, fields, enums |
74+
| SQL | `.sql` | schemas, tables, views, functions, procedures |
7475

7576
```mermaid
7677
flowchart TD
@@ -117,7 +118,7 @@ The `QueryEngine` provides a high-level API over the indexed graph:
117118
| `paths_between(src, dst)` | All simple call paths between two nodes |
118119
| `connect_subgraphs(source, target)` | Paths connecting two named subgraphs |
119120
| `entrypoint_paths_to(name)` | Paths from any detected entrypoint to the target |
120-
| `attack_surface()` | Entrypoints tagged with trust level and asset value |
121+
| `attack_surface()` | Entrypoints tagged with trust level, asset value, and parser attributes when present |
121122
| `complexity_hotspots(n)` | Functions with cyclomatic complexity &ge; n |
122123
| `functions_that_raise(exc)` | Functions whose parser-detected exception list includes `exc` |
123124
| `generic_parameters(name)` | Generic type parameters declared by a node |
@@ -261,6 +262,14 @@ uv sync --all-groups
261262

262263
Requires Python &ge; 3.12.
263264

265+
Trailmark uses `tree-sitter-language-pack` for most grammars. Current releases
266+
use the platform certificate store for grammar downloads. In TLS-inspected or
267+
offline environments, pre-populate the package cache with
268+
`python -c "import tree_sitter_language_pack as p; p.download_all()"` on a
269+
matching platform, then copy the resulting `tree-sitter-language-pack` cache
270+
directory to the target machine. `HTTPS_PROXY` is also honored. The SQL grammar
271+
ships as the `tree-sitter-sql` wheel dependency and does not use that cache.
272+
264273
## Usage
265274

266275
```bash
@@ -392,6 +401,52 @@ Later entries override earlier ones when two rules tag the same node, so place b
392401

393402
See [docs/entrypoint-patterns.md](docs/entrypoint-patterns.md) for the full reference, including frameworks not yet implemented (Express / Koa / Fastify, Laravel, Cobra, axum, warp, clap, and others) with grep-ready patterns contributors can use to add new detectors.
394403

404+
Solidity detection uses parser metadata rather than signature regexes. Interface
405+
declarations are excluded and a derived override suppresses the matching base
406+
implementation. Concrete `public` and `external` functions remain entrypoints,
407+
including `view` and `pure` functions; their `solidity_visibility` and
408+
`solidity_mutability` attributes are returned by `attack_surface()` so callers
409+
can distinguish read-only exposure. `attack_surface()` includes parser-specific
410+
entrypoint attributes when they are attached to the underlying graph node.
411+
412+
### Cross-language and external links
413+
414+
Polyglot parsing merges language graphs, but many RPC, FFI, subprocess, and
415+
host/contract relationships are not visible in source syntax. Declare these
416+
deterministically in `.trailmark/links.toml`:
417+
418+
```toml
419+
[[link]]
420+
source = "backend:submit"
421+
target = "contract:Verifier.verify"
422+
kind = "calls" # defaults to calls
423+
confidence = "certain" # defaults to inferred
424+
description = "JSON-RPC eth_call"
425+
426+
[[link]]
427+
source = "backend:notify"
428+
target = "payments-webhook"
429+
external = true # required when either endpoint is unresolved
430+
```
431+
432+
References may be exact node IDs or unique names/suffixes. Ambiguous references,
433+
unknown internal endpoints, invalid enum values, and malformed TOML raise
434+
`ValueError`. Setting `external = true` explicitly permits unresolved endpoints
435+
and creates proxy nodes. This file is a stable public configuration interface.
436+
437+
### Analysis limitations
438+
439+
- `entrypoint_paths_to()` reports call-graph reachability, not attacker-controlled
440+
data flow. Use preanalysis taint results as a coarse separate signal; Trailmark
441+
does not yet perform interprocedural taint analysis.
442+
- TypeScript resolves direct calls and straightforward receivers assigned with
443+
`new ConcreteClass()`. Interface dispatch through manifests, computed property
444+
names, dependency-injection containers, and other dynamic mechanisms remains
445+
best-effort.
446+
- SQL support is PostgreSQL-oriented and extracts schemas, tables, views,
447+
functions, procedures, and routine/view dependencies. It is not a complete
448+
SQL dialect validator or query-semantic analyzer.
449+
395450
### Programmatic API
396451

397452
```python
@@ -456,6 +511,9 @@ engine.augment_sarif("results.sarif")
456511
engine.augment_weaudit("findings.json")
457512
```
458513

514+
`NodeKind.SCHEMA`, `TABLE`, `VIEW`, and `PROCEDURE` are additive in v0.5.0;
515+
consumers that exhaustively match enum values should add cases for them.
516+
459517
## Development
460518

461519
```bash

pyproject.toml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
44

55
[project]
66
name = "trailmark"
7-
version = "0.4.0"
7+
version = "0.5.0"
88
description = "Parse source code into a queryable graph of functions, classes, calls, and semantic annotations"
99
readme = "README.md"
1010
requires-python = ">=3.12"
@@ -14,7 +14,8 @@ authors = [
1414
]
1515
dependencies = [
1616
"tree-sitter~=0.25.0",
17-
"tree-sitter-language-pack>=1.8,<2.0",
17+
"tree-sitter-language-pack>=1.9,<2.0",
18+
"tree-sitter-sql>=0.3.11,<0.4",
1819
"rustworkx>=0.17,<1.0",
1920
]
2021

src/trailmark/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,4 +13,4 @@
1313
"parse_file",
1414
"supported_languages",
1515
]
16-
__version__ = "0.4.0"
16+
__version__ = "0.5.0"

0 commit comments

Comments
 (0)