core: per-rule CWE field + CWE-aware cross-rule dedup

setup.py

@@ -30,6 +30,7 @@
         RustExtension(
             "pyspector._rust_core",
             path=cargo_toml_path,
+            debug=False,
         )
     ],
     python_requires=">=3.8",

src/pyspector/_rust_core/src/analysis/ast_analysis.rs

@@ -44,6 +44,7 @@ fn walk_ast(node: &AstNode, file_path: &str, content: &str, rules: &[&Rule], iss
                     rule.severity.clone(),
                     rule.confidence.clone(),
                     rule.remediation.clone(),
+                    rule.cwe.clone(),
                 ));
             }
         }

src/pyspector/_rust_core/src/analysis/config_analysis.rs

@@ -47,6 +47,7 @@ pub fn scan_file(file_path: &str, content: &str, ruleset: &RuleSet) -> Vec<Issue
                         rule.severity.clone(),
                         rule.confidence.clone(),
                         rule.remediation.clone(),
+                        rule.cwe.clone(),
                     ));
                 }
             }

src/pyspector/_rust_core/src/analysis/mod.rs

@@ -1,13 +1,24 @@
 use crate::ast_parser::PythonFile;
 use crate::graph::call_graph_builder;
-use crate::issues::Issue;
+use crate::issues::{Issue, Severity};
 use crate::rules::RuleSet;
 use rayon::prelude::*;
-use std::collections::HashSet;
+use std::collections::{HashMap, HashSet};
 use std::fs;
 use std::path::Path;
 use walkdir::WalkDir;
 
+/// Numeric ordering of severities so we can pick the "worse" of two findings
+/// that fire at the same code location. Critical > High > Medium > Low.
+fn severity_rank(s: &Severity) -> u8 {
+    match s {
+        Severity::Critical => 4,
+        Severity::High => 3,
+        Severity::Medium => 2,
+        Severity::Low => 1,
+    }
+}
+
 mod ast_analysis;
 mod config_analysis;
 mod taint_analysis;
@@ -99,11 +110,47 @@ pub fn run_analysis(mut context: AnalysisContext) -> Vec<Issue> {
     println!("[+] Found {} issues from taint analysis", taint_issues.len());
     issues.extend(taint_issues);
 
-    // Remove duplicates
     let mut seen = HashSet::new();
     issues.retain(|issue| seen.insert(issue.get_fingerprint()));
 
-    println!("[*] Total issues after deduplication: {}", issues.len());
+    // Cross-rule dedup by CWE: at the same (file, line), rules sharing a CWE
+    // describe one vulnerability — keep the highest severity. Distinct CWEs
+    // stay distinct so `os.system(eval(x))` reports both CWE-78 and CWE-94.
+    let mut by_cwe_loc: HashMap<(String, usize, String), Issue> = HashMap::new();
+    let mut uncategorized: Vec<Issue> = Vec::new();
+    for issue in issues {
+        match &issue.cwe {
+            Some(cwe) => {
+                let key = (issue.file_path.clone(), issue.line_number, cwe.clone());
+                match by_cwe_loc.get(&key) {
+                    Some(existing) => {
+                        let new_rank = severity_rank(&issue.severity);
+                        let old_rank = severity_rank(&existing.severity);
+                        if new_rank > old_rank
+                            || (new_rank == old_rank && issue.rule_id < existing.rule_id)
+                        {
+                            by_cwe_loc.insert(key, issue);
+                        }
+                    }
+                    None => { by_cwe_loc.insert(key, issue); }
+                }
+            }
+            None => uncategorized.push(issue),
+        }
+    }
+    let merged = by_cwe_loc.len();
+    let mut issues: Vec<Issue> = by_cwe_loc.into_values().collect();
+    issues.extend(uncategorized);
+
+    let untagged = issues.len() - merged;
+    if untagged > 0 {
+        println!(
+            "[*] Total issues after deduplication: {} (CWE-tagged: {}, untagged: {})",
+            issues.len(), merged, untagged
+        );
+    } else {
+        println!("[*] Total issues after deduplication: {}", issues.len());
+    }
     issues
 }
 

src/pyspector/_rust_core/src/analysis/taint_analysis.rs

@@ -205,22 +205,11 @@ pub fn analyze_program_for_taint(call_graph: &CallGraph, ruleset: &RuleSet) -> V
         iterations += 1;
         let mut summaries_changed = false;
         let mut current_pass_issues: Vec<Issue> = Vec::new();
-        
+
         // Analyze functions IN PARALLEL using Rayon.
         // Each function reads global_ctx (immutable snapshot of this iteration's state)
         // and returns (func_id, summary, call_sites, class_attrs).
         // Results are merged serially after all parallel analyses complete.
-        //
-        // Correctness: with parallel analysis, function B doesn't see call_site_taints
-        // produced by function A in the SAME iteration — it sees them in the NEXT
-        // iteration. This may require one extra iteration vs sequential but is safe.
-        //
-        // Lazy filter: iterations 2+ skip functions with no taint to propagate.
-        // A function has taint to propagate if:
-        //   (a) it's an HTTP/CLI entry point (has tainted params)
-        //   (b) it was called with tainted arguments (call_site_taint)
-        //   (c) it's in a file where class attributes have been tainted (class_attr_taint)
-        //       — e.g., self.output_dir set in __init__ propagates to all same-file methods
         let files_with_class_attr_taints: std::collections::HashSet<&str> = global_ctx.class_attr_taints
             .keys()
             .filter(|(_, _)| true)
@@ -288,8 +277,6 @@ pub fn analyze_program_for_taint(call_graph: &CallGraph, ruleset: &RuleSet) -> V
                     summaries_changed = true;
                 }
             }
-
-            // Issues from convergence loop are discarded — collected in final pass.
         }
 
         println!("[*] Iteration {} done in {:.2}s", iterations, t_iter.elapsed().as_secs_f64());
@@ -1928,6 +1915,7 @@ fn report_issue(ruleset: &RuleSet, vuln_id: &str, file_path: &str, stmt: &AstNod
             vuln_rule.severity.clone(),
             vuln_rule.confidence.clone(),
             vuln_rule.remediation.clone(),
+            vuln_rule.cwe.clone(),
         ));
     }
 }

src/pyspector/_rust_core/src/issues.rs

@@ -30,12 +30,17 @@ pub struct Issue {
     pub confidence: String,
     #[pyo3(get)]
     pub remediation: String,
+    /// CWE identifier inherited from the rule (e.g. "CWE-502"). Used for
+    /// cross-rule dedup and downstream SARIF/JSON output.
+    #[pyo3(get)]
+    pub cwe: Option<String>,
 }
 
 // This new block exposes methods to Python
 #[pymethods]
 impl Issue {
     #[new] // This is the constructor exposed to Python
+    #[pyo3(signature = (rule_id, description, file_path, line_number, code, severity, confidence, remediation, cwe=None))]
     pub fn new(
         rule_id: String,
         description: String,
@@ -45,6 +50,7 @@ impl Issue {
         severity: Severity,
         confidence: String,
         remediation: String,
+        cwe: Option<String>,
     ) -> Self {
         Self {
             rule_id,
@@ -55,6 +61,7 @@ impl Issue {
             severity,
             confidence,
             remediation,
+            cwe,
         }
     }
 

src/pyspector/_rust_core/src/rules.rs

@@ -43,6 +43,13 @@ pub struct Rule {
     /// Example: file_content_exclude = "from ruamel\\.yaml|import ruamel"
     #[serde(with = "serde_regex", default)]
     pub file_content_exclude: Option<regex::Regex>,
+    /// CWE identifier (e.g. "CWE-78" for command injection). Used for
+    /// cross-rule dedup: findings at the same (file, line) sharing the same
+    /// CWE collapse to the highest-severity one. Rules without a CWE set
+    /// keep the legacy per-rule dedup behaviour. Also surfaced in JSON/SARIF
+    /// output for downstream tooling.
+    #[serde(default)]
+    pub cwe: Option<String>,
 }
 
 impl Rule {

src/pyspector/cli.py

@@ -276,7 +276,7 @@ def get_python_file_asts(
                     ast_json = json.dumps(parsed_ast, cls=AstEncoder)
                     results.append(
                         {
-                            "file_path": str(display_path),
+                            "file_path": str(py_file.resolve()),
                             "content": content,
                             "ast_json": ast_json,
                         }

src/pyspector/reporting.py

@@ -128,6 +128,7 @@ def to_json(self) -> str:
             "issues": [
                 {
                     "rule_id": issue.rule_id,
+                    "cwe": issue.cwe,
                     "description": issue.description,
                     "file_path": issue.file_path,
                     "line_number": issue.line_number,
@@ -177,6 +178,7 @@ def to_sarif(self) -> str:
                         "warning",
                     )
                 ),
+                properties={"tags": [f"external/cwe/{issue.cwe.lower()}"]} if issue.cwe else None,
             )
 
             rule_index_map[issue.rule_id] = len(rules)