Skip to content

taint: exclude test files from sink scanning by default #67

Description

@mdavistffhrtporg

Surfaced during the 0.2.0 real-world validation run against `bluesky-social/atproto`.

Observed

The lite taint analyzer (#45) surfaced clean 2-hop hits against production DB modules (great signal), but it also produced three false-positive 0-hop `exec` hits inside `packages/bsky/tests/etcd.test.ts` — integration-test scaffolding that spawns etcd. Those are not runtime code; they should not appear in the finding list.

Sample output:

```
GET /service/a → exec @ packages/bsky/tests/etcd.test.ts:238 (0 hop)
GET /service/b → exec @ packages/bsky/tests/etcd.test.ts:238 (0 hop)
GET /service/c → exec @ packages/bsky/tests/etcd.test.ts:238 (0 hop)
```

Proposal

Add a default exclusion list to `_index_repo` in `src/attackmap/taint.py`:

  • Directories: any path segment named `tests`, `test`, `tests`, `spec`.
  • Files: names matching `.test.`, `.spec.`, `test_*.py`, `conftest.py`.

These already sit outside runtime call paths in ~every ecosystem's convention. Add a scanner-level opt-in flag (e.g. `--taint-include-tests`) so users doing supply-chain-quality reviews can still opt in.

Sizing

Small. One tuple addition + a couple of skip predicates in `_index_repo`, plus a test that asserts no taint chain is emitted from a fixture with a `tests/` directory holding a matching sink.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions