Business logic analysis using Metastatic analyzers.

Provides unified access to 33 language-agnostic business logic analyzers that detect common anti-patterns, security vulnerabilities, and issues across multiple languages.

Semantic Analysis with OpKind

Many analyzers leverage Metastatic's OpKind semantic metadata system for accurate detection. OpKind tags function calls with their semantic meaning:

• Domain: :db, :http, :auth, :cache, :queue, :file, :external_api
• Operation: :retrieve, :create, :update, :delete, :query, etc.
• Framework: :ecto, :django, :activerecord, :requests, etc.

Location Information

Note: Business logic analyzers operate at the MetaAST (M2) abstraction level, which intentionally abstracts away language-specific details like line numbers. This is what makes them language-agnostic. As a result, precise line/column location information is typically not available. Issues will include file paths and function context when available.

Analyzers

Tier 1: Pure MetaAST (Language-Agnostic)

• CallbackHell - Detects deeply nested conditionals (M2.1 Core)
• MissingErrorHandling - Pattern matching without error case (M2.2 Extended)
• SilentErrorCase - Conditionals with only success path (M2.1 Core)
• SwallowingException - Exception handling without logging (M2.2 Extended)
• HardcodedValue - Hardcoded URLs/IPs in literals (M2.1 Core)
• NPlusOneQuery - DB queries in collection operations (M2.2 Extended)
• InefficientFilter - Fetch-all then filter pattern (M2.2 Extended)
• UnmanagedTask - Unsupervised async operations (M2.2 Extended)
• TelemetryInRecursiveFunction - Metrics in recursive functions (M2.1 Core)

Tier 2: Function Name Heuristics

• MissingTelemetryForExternalHttp - HTTP calls without telemetry
• SyncOverAsync - Blocking operations in async contexts
• DirectStructUpdate - Struct updates bypassing validation
• MissingHandleAsync - Unmonitored async operations

Tier 3: Naming Conventions

• BlockingInPlug - Blocking I/O in middleware
• MissingTelemetryInAuthPlug - Auth checks without audit logging
• MissingTelemetryInLiveviewMount - Component lifecycle without metrics
• MissingTelemetryInObanWorker - Background jobs without telemetry

Tier 4: Content Analysis

• MissingPreload - Database queries without eager loading
• InlineJavascript - Inline scripts in strings (XSS risk)
• MissingThrottle - Expensive operations without rate limiting

Tier 5: Security (CWE-based)

• SQLInjection - SQL query string concatenation (CWE-89)
• XSSVulnerability - Cross-site scripting risks (CWE-79)
• SSRFVulnerability - Server-side request forgery (CWE-918)
• PathTraversal - Directory traversal attacks (CWE-22)
• InsecureDirectObjectReference - IDOR vulnerabilities (CWE-639)
• MissingAuthentication - Unprotected endpoints (CWE-306)
• MissingAuthorization - Missing access control (CWE-862)
• IncorrectAuthorization - Flawed access control (CWE-863)
• MissingCSRFProtection - CSRF vulnerabilities (CWE-352)
• SensitiveDataExposure - Data leaks in logs/responses (CWE-200)
• UnrestrictedFileUpload - Unsafe file uploads (CWE-434)
• ImproperInputValidation - Input validation issues (CWE-20)

Tier 6: Race Conditions

• TOCTOU - Time-of-check-time-of-use vulnerabilities (CWE-367)

Usage

alias Ragex.Analysis.BusinessLogic

# Analyze single file
{:ok, result} = BusinessLogic.analyze_file("lib/my_module.ex")

# Check for issues
result.has_issues?     # => true/false
result.total_issues    # => 5
result.critical_count  # => 1

# Analyze directory
{:ok, results} = BusinessLogic.analyze_directory("lib/")

# Run specific analyzers
{:ok, result} = BusinessLogic.analyze_file("lib/my_module.ex",
  analyzers: [:callback_hell, :missing_error_handling])

# Filter by severity
{:ok, results} = BusinessLogic.analyze_directory("lib/",
  min_severity: :high)

# Generate report
report = BusinessLogic.audit_report(results)