Skip to content

Add tree-sitter C/C++ reachability review#199

Open
asotic04 wants to merge 37 commits into
arm:mainfrom
asotic04:reachability-initial-testing
Open

Add tree-sitter C/C++ reachability review#199
asotic04 wants to merge 37 commits into
arm:mainfrom
asotic04:reachability-initial-testing

Conversation

@asotic04
Copy link
Copy Markdown

@asotic04 asotic04 commented May 12, 2026

Summary

This PR adds tree-sitter based C/C++ reachability review support to Metis.

The new pipeline builds a C/C++ function/call graph with tree-sitter, then traces source-rooted paths, and uses that graph to drive focused LLM review.

Initially, the idea was to build the graph using LLM, and then continue with the process of scanning paths that included a source. This worked well, but the creation of the graph was expensive in tokens, and it was not as deterministic as the tree-sitter method. Also, when I had the LLM creating graphs, I was also prompting it to take notes on the file, including any potentially vulnerable patterns found there. Later LLM calls, which had sole task of finding security issues, took these notes as ground truth and that resulted in overreporting of issues that the graph creation worker flagged in passing.

Changes

  • Added modular C/C++ reachability services for graph construction, path tracing, file-focused context, supplementary audits, finding annotation, and deduplication.
  • Integrated reachability into review_code, review_file, and reachability.
  • Preserved legacy/plugin review for non-C/C++ files, so mixed-language repositories still review Python and other supported languages. The idea is to add a similar tree-sitter reachability analysis to other languages soon.
  • Updated reachability review output to match the existing SaaS review schema, including numeric confidence values.
  • Preserved reachability-specific metadata in findings, including path, primary file/function/line, analysis type, canonical key, and connected-function reasoning.

C/C++ reachability flow

For C/C++ files, Metis now uses tree-sitter to extract functions, callsites, globals, source-like entry points, and sink-like operations. It resolves calls where possible, traces paths through the resulting graph, and runs focused confirmation and supplementary semantic passes over graph-selected code context.

For review_code, C/C++ reachability runs first. If the repository also contains non-C/C++ files, those continue through the existing plugin review path.

For review_file, C/C++ files use scoped reachability context around the reviewed file, including inbound, outbound, shared, lifecycle, and callback-related context.

asotic04 added 30 commits May 12, 2026 13:10
@asotic04
initial testing for reachability graph analysis
279df54
@asotic04
refactoring for single file review
2416b19
@asotic04
emit a self-path when a source function is also a sink
3f124bf
@asotic04
refactoring for single file review
8600dfe
@asotic04
making single file review independent from full graph
5b9119d
@asotic04
new independent approach to single file testing
ffba541
@asotic04
aggressive approach test
f0d0cf5
@asotic04
add gpu relevant tests
1fa0847
@asotic04
add separate mechanism from final vulnerability_type
70d2cf1
@asotic04
make sure the output file is written even in failure
1222f6b
@asotic04
partial reachability for single file reviews
c98941d
@asotic04
refactor partial context for the benchmark
a3c1ada
@asotic04
add gated detectors
b70df72
@asotic04
enriched SymbolIndex with cheap lexical facts
83c084b
@asotic04
cover benchmark families better
a742285
@asotic04
fix enable mismatch
13ef4e7
@asotic04
add more families and passes
117880d
@asotic04
add exact detector families
40683bd
@asotic04
add new mmu detectors
4dc713e
@asotic04
remove mmu families for testing
9220ea4
@asotic04
first implemention of submodule for partial reachability scanning
1e3ecde
@asotic04
treesitter in full reachability and file reachability
2782faa
@asotic04
enable override to write keys into metis.yaml
c8dd8ae
@asotic04
make files not in paths a part of a review
1b51c83
@asotic04
always write review_file output for missing files
2ada21f
@asotic04
ensure noninteractive review output is written
caefbfb
@asotic04
fix commit
47ce986
@asotic04
write review output placeholder before analysis
14a1cf4
@asotic04
defer noninteractive review output fallback
6357898
@asotic04
diagnose missing noninteractive review output
1125207
stevep-arm
stevep-arm reviewed May 12, 2026
View reviewed changes
Comment thread src/metis/cli/entry.py Outdated
Comment on lines +522 to +527
parser.add_argument(
"--reachability-extraction-model",
type=str,
default=None,
help="Deprecated; graph extraction now uses deterministic tree-sitter.",
)
Copy link
Copy Markdown
Contributor

@stevep-arm stevep-arm May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like this option can be removed as I think it was added and deprecated only in this branch.

Copy link
Copy Markdown
Author

@asotic04 asotic04 May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevep-arm stevep-arm stevep-arm left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@asotic04 @stevep-arm