feat: improved analyzer from false positives of voltagen and expo issues

Author: Alex Holmberg

Cargo.toml

@@ -86,4 +86,4 @@ path = "examples/check_vulnerabilities.rs"
 
 [[example]]
 name = "security_analysis"
-path = "examples/security_analysis.rs"
+path = "examples/security_analysis.rs"

debug_expo_test.rs

@@ -0,0 +1,49 @@
+use syncable_cli::analyzer::{
+    framework_detector::detect_frameworks,
+    AnalysisConfig, DetectedLanguage, TechnologyCategory
+};
+use std::path::Path;
+
+fn main() {
+    // Test Expo React Native detection that should NOT detect Next.js
+    let language = DetectedLanguage {
+        name: "TypeScript".to_string(),
+        version: Some("4.0.0".to_string()),
+        confidence: 0.95,
+        files: vec![
+            std::path::PathBuf::from("app.json"),
+            std::path::PathBuf::from("App.tsx"),
+            std::path::PathBuf::from("android/build.gradle"),
+            std::path::PathBuf::from("ios/Podfile"),
+        ],
+        main_dependencies: vec![
+            "expo".to_string(),
+            "react-native".to_string(),
+            "react".to_string(),
+            "next".to_string(), // This dependency should not cause Next.js to be detected
+        ],
+        dev_dependencies: vec![],
+        package_manager: Some("npm".to_string()),
+    };
+    
+    let config = AnalysisConfig::default();
+    let project_root = Path::new(".");
+    
+    let technologies = detect_frameworks(project_root, &[language], &config).unwrap();
+    
+    println!("Detected technologies:");
+    for tech in &technologies {
+        println!("  - {} (confidence: {}, primary: {})", tech.name, tech.confidence, tech.is_primary);
+    }
+    
+    // Should detect Expo as primary, not Next.js
+    let expo = technologies.iter().find(|t| t.name == "Expo");
+    let nextjs = technologies.iter().find(|t| t.name == "Next.js");
+    
+    println!("Expo detected: {:?}", expo.is_some());
+    println!("Next.js detected: {:?}", nextjs.is_some());
+    
+    if let Some(expo_tech) = expo {
+        println!("Expo is primary: {}", expo_tech.is_primary);
+    }
+}

debug_false_positive

@@ -0,0 +1,54 @@
+use syncable_cli::analyzer::{
+    framework_detector::detect_frameworks,
+    AnalysisConfig, DetectedLanguage
+};
+use std::path::Path;
+
+fn main() {
+    // Test Expo React Native detection that should NOT detect Next.js
+    let language = DetectedLanguage {
+        name: "TypeScript".to_string(),
+        version: Some("4.0.0".to_string()),
+        confidence: 0.95,
+        files: vec![
+            std::path::PathBuf::from("app.json"),
+            std::path::PathBuf::from("App.tsx"),
+            std::path::PathBuf::from("android/build.gradle"),
+            std::path::PathBuf::from("ios/Podfile"),
+        ],
+        main_dependencies: vec![
+            "expo".to_string(),
+            "react-native".to_string(),
+            "react".to_string(),
+            "next".to_string(), // This dependency should not cause Next.js to be detected
+        ],
+        dev_dependencies: vec![],
+        package_manager: Some("npm".to_string()),
+    };
+    
+    let config = AnalysisConfig::default();
+    let project_root = Path::new(".");
+    
+    match detect_frameworks(project_root, &[language], &config) {
+        Ok(technologies) => {
+            println!("Detected technologies:");
+            for tech in &technologies {
+                println!("  - {} (confidence: {:.2}, primary: {})", tech.name, tech.confidence, tech.is_primary);
+            }
+            
+            // Should detect Expo as primary, not Next.js
+            let expo = technologies.iter().find(|t| t.name == "Expo");
+            let nextjs = technologies.iter().find(|t| t.name == "Next.js");
+            
+            println!("Expo detected: {:?}", expo.is_some());
+            println!("Next.js detected: {:?}", nextjs.is_some());
+            
+            if let Some(expo_tech) = expo {
+                println!("Expo is primary: {}", expo_tech.is_primary);
+            }
+        }
+        Err(e) => {
+            println!("Error: {}", e);
+        }
+    }
+}

debug_test

@@ -84,7 +84,8 @@ impl FrameworkDetectionUtils {
                 let pattern_confidence = matches as f32 / total_patterns as f32;
                 // Use additive approach instead of multiplicative to avoid extremely low scores
                 // Base confidence provides a floor, pattern confidence provides the scaling
-                let final_confidence = (rule.confidence * pattern_confidence + base_confidence * 0.1).min(1.0);
+                // Cap dependency-based confidence at 0.95 to ensure file-based detection (1.0) takes precedence
+                let final_confidence = (rule.confidence * pattern_confidence + base_confidence * 0.1).min(0.95);
 
                 // Debug logging for Tanstack Start detection
                 if rule.name.contains("Tanstack") {
@@ -123,7 +124,9 @@ impl FrameworkDetectionUtils {
                 dependency.contains(&pattern.replace('*', ""))
             }
         } else {
-            dependency == pattern || dependency.contains(pattern)
+            // For dependency detection, use exact matching to avoid false positives
+            // Only match if the dependency is exactly the pattern or starts with the pattern followed by a version specifier
+            dependency == pattern || dependency.starts_with(&(pattern.to_string() + "@")) || dependency.starts_with(&(pattern.to_string() + "/"))
         }
     }
 

debug_test.rs

@@ -9,6 +9,7 @@ use log::{debug, info};
 pub struct ToolStatus {
     pub available: bool,
     pub path: Option<PathBuf>,
+    pub execution_path: Option<PathBuf>, // Path to use for execution
     pub version: Option<String>,
     pub installation_source: InstallationSource,
     pub last_checked: SystemTime,
@@ -162,6 +163,7 @@ impl ToolDetector {
         let not_found = ToolStatus {
             available: false,
             path: None,
+            execution_path: None,
             version: None,
             installation_source: InstallationSource::NotFound,
             last_checked: SystemTime::now(),
@@ -183,6 +185,7 @@ impl ToolDetector {
             return ToolStatus {
                 available: true,
                 path: Some(path),
+                execution_path: None, // Execute by name when in PATH
                 version,
                 installation_source: InstallationSource::SystemPath,
                 last_checked: SystemTime::now(),
@@ -204,7 +207,8 @@ impl ToolDetector {
                           tool_name, tool_path, version, source);
                     return ToolStatus {
                         available: true,
-                        path: Some(tool_path),
+                        path: Some(tool_path.clone()),
+                        execution_path: Some(tool_path), // Use full path for execution
                         version: Some(version),
                         installation_source: source,
                         last_checked: SystemTime::now(),
@@ -222,6 +226,7 @@ impl ToolDetector {
                         return ToolStatus {
                             available: true,
                             path: Some(tool_path_exe),
+                            execution_path: Some(tool_path_exe), // Use full path for execution
                             version,
                             installation_source: source,
                             last_checked: SystemTime::now(),
@@ -236,6 +241,7 @@ impl ToolDetector {
         ToolStatus {
             available: false,
             path: None,
+            execution_path: None,
             version: None,
             installation_source: InstallationSource::NotFound,
             last_checked: SystemTime::now(),

src/analyzer/frameworks/javascript.rs

@@ -23,7 +23,7 @@ pub fn install_govulncheck(
     if success {
         info!("✅ govulncheck installed successfully");
         installed_tools.insert("govulncheck".to_string(), true);
-        tool_detector.clear_cache();
+        tool_detector.clear_cache(); // Clear cache to force fresh detection
         info!("💡 Note: Make sure ~/go/bin is in your PATH to use govulncheck");
     } else {
         warn!("❌ Failed to install govulncheck");