# feat(aegis-core): Layer 2 Go import alias resolution (PR #17)
Merged
Closes the last gap from PR #10's Go SEC010 dispatch. Previously `import myrand "math/rand"` parsed as a single import with module "math/rand" and no alias; resolve_receiver("myrand") missed because the last segment of "math/rand" is "rand", not "myrand". SEC010 then silently passed `myrand.Intn(...)` even though it's the same weak RNG.

Two changes:

1. **`Import.alias: Option<String>`** — new field on the Import struct in `ast::imports`. Populated when the captured path's parent `import_spec` node has a `name` field (Go's syntax for import renaming). Other languages return None for now. Filters out Go's `_` (blank import for side-effects) and `.` (dot import) so resolve_receiver doesn't try to match those.
2. **`ParsedFile::resolve_receiver` two-pass lookup**:
   - Pass 1: explicit alias match. Aliased imports always win (`myrand` resolves to `math/rand`).
   - Pass 2: last-segment / module-name match, but **skips aliased imports** so `rand` no longer falsely resolves to a `math/rand` that was imported as `myrand`.

Tests: 5 new — Go aliased import captures alias, Go unaliased returns None, blank/dot imports skipped, alias preferred over last-segment, mixed aliased+unaliased in same file. Plus 2 SEC010 end-to-end tests:

- `myrand.Intn` (aliased math/rand) → fires
- `crand.Read` (aliased crypto/rand) → does NOT fire

Total: 167 → 174 tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
## Summary

Closes the last gap from PR #10's Go SEC010 dispatch. Previously `import myrand "math/rand"` parsed as a single import with module `"math/rand"` and no alias; `resolve_receiver("myrand")` missed because the last segment of "math/rand" is "rand", not "myrand". SEC010 then silently passed `myrand.Intn(...)` even though it's the same weak RNG.

## Two changes

- **`Import.alias: Option<String>`** — new field on the `Import` struct in `ast::imports`. Populated when the captured path's parent `import_spec` node has a `name` field (Go's import-renaming syntax). Filters out `_` (blank import) and `.` (dot import) since neither is a usable receiver name.
- **`ParsedFile::resolve_receiver` two-pass lookup** — pass 1 matches an explicit alias; pass 2 matches the last segment / module name but skips aliased imports — so `rand` no longer falsely resolves to a `math/rand` imported as `myrand`.

## Tests

- Go aliased / unaliased / blank+dot / alias-preferred / mixed-aliased-and-unaliased in same file
- `myrand.Intn` (aliased math/rand) → fires
- `crand.Read` (aliased crypto/rand) → does NOT fire
- `cargo test --workspace`: 174 / 174 (was 167).

## Test plan

- preserved for non-aliased case)

🤖 Generated with Claude Code
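The two-pass receiver lookup described above, as an added example that is not aegis-core's own code: the `Import`, `ParsedFile`, `Import::go`, `is_weak_rng_receiver` and `sample_file` names are assumptions, and the sample import set is constructed from the SEC010 cases in the PR text.

```rust
// Added illustration, not aegis-core's own code; names are assumptions.
pub struct Import {
    pub module: String,
    pub alias: Option<String>,
}

impl Import {
    /// Build an import from a Go `import [name] "path"` spec; `_` and `.` bind no receiver name.
    pub fn go(module: &str, name: Option<&str>) -> Self {
        let alias = name.filter(|n| *n != "_" && *n != ".").map(str::to_string);
        Import { module: module.to_string(), alias }
    }
}

pub struct ParsedFile {
    pub imports: Vec<Import>,
}

impl ParsedFile {
    /// Pass 1: an explicit alias always wins. Pass 2: match the last path
    /// segment, but only for imports that were NOT aliased, so `rand` does
    /// not resolve to a `math/rand` the file imported as `myrand`.
    pub fn resolve_receiver(&self, receiver: &str) -> Option<&str> {
        let by_alias = self.imports.iter().find(|i| i.alias.as_deref() == Some(receiver));
        if let Some(imp) = by_alias {
            return Some(imp.module.as_str());
        }
        self.imports
            .iter()
            .filter(|i| i.alias.is_none())
            .find(|i| i.module.rsplit('/').next() == Some(receiver))
            .map(|i| i.module.as_str())
    }
    /// SEC010-style check: does `receiver.Fn(...)` call into `math/rand`?
    pub fn is_weak_rng_receiver(&self, receiver: &str) -> bool {
        self.resolve_receiver(receiver) == Some("math/rand")
    }
}

/// Constructed sample: the import set behind the SEC010 cases in the PR.
pub fn sample_file() -> ParsedFile {
    let imports = vec![
        Import::go("math/rand", Some("myrand")),
        Import::go("crypto/rand", Some("crand")),
        Import::go("fmt", None),
        Import::go("embed", Some("_")),
    ];
    ParsedFile { imports }
}
```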