Callee Coverage
Noir can attach best-effort 1-hop handler callees to endpoints. A callee is a function, method, or framework call observed directly inside the route handler body. It helps AI SAST tools and code reviewers decide where to inspect next.
Use --include callee to show callees in plain output:
noir scan . --include callee
Model-based formats such as JSON, JSONL, YAML, TOML, and plain model serialization include the callees field through the endpoint model. OpenAPI 2.0 and 3.0 expose callees as the operation-level x-noir-callees extension, SARIF stores them in result.properties.noir.callees, and Postman collections add a human-readable list to the item description. Purpose-specific command and filter outputs such as cURL, HTTPie, PowerShell, only-url, and only-param omit callees to keep their primary output stable.
The path and line values are best-effort locations. Most analyzers report the call site; analyzers with definition resolution report the callee definition when reachable, and keep the call-site location otherwise.
Coverage Matrix
This matrix lists frameworks where Noir supports per-endpoint callee extraction. It is generated from Noir's tech metadata — the same source as the framework callee chips and noir list techs — so it stays in sync with the analyzers. Endpoint detection can still work for frameworks not listed here, but treat their callee output as unavailable.
| Language | Frameworks with callee coverage |
|---|---|
| C# | ASP.NET Core MVC, ASP.NET Core Minimal API, ASP.NET MVC, Carter, FastEndpoints |
| C++ | Crow, Drogon, cpp-httplib, oat++ |
| Clojure | Compojure, Pedestal, Reitit |
| Crystal | Amber, Grip, Kemal, Lucky, Marten |
| Dart | Alfred, Angel3, Dart Frog, GetServer, Serverpod, Shelf |
| Elixir | Bandit, Phoenix, Plug |
| F# | Giraffe |
| Go | Beego, Chi, Echo, Fiber, Gin, GoFrame, Gorilla Mux, Goyave, Hertz, Huma, Iris, PocketBase, fasthttp, go-restful, go-zero, httprouter |
| Groovy | Grails |
| Haskell | Scotty, Servant, Yesod |
| Java | Apache Struts 2, Apache Wicket, Armeria, Dropwizard, JAX-RS, Javalin, Micronaut, Play Framework, Quarkus, Spark Java, Spring, Vert.x |
| JavaScript | AdonisJS, Apollo Server, Astro, Elysia, Express, Fastify, Fresh, Hapi, Hono, Koa, NestJS, Next.js, Nitro, NuxtJS, Remix, Restify, SvelteKit |
| Kotlin | Ktor, Spring, http4k |
| Lua | Lapis, lor |
| PHP | CakePHP, CodeIgniter, Hyperf, Laminas, Laravel, Lumen, Pure, Slim, Symfony, ThinkPHP, Yii2 |
| Perl | Catalyst, Dancer2, Mojolicious |
| Python | Bottle, Django, Falcon, FastAPI, Flask, Litestar, Pyramid, Quart, Robyn, Sanic, Starlette, Tornado, aiohttp |
| Ruby | Grape, Hanami, Rails, Roda, Sinatra |
| Rust | Actix Web, Axum, Gotham, Loco, Poem, RWF, Rocket, Salvo, Tide, Warp |
| Scala | Akka HTTP, Play Framework, Scalatra, Tapir, ZIO HTTP, http4s |
| Swift | Hummingbird, Kitura, Vapor |
| TypeScript | NestJS, TanStack Router, tRPC |
| Zig | Jetzig, Tokamak, Zap, httpz |
Completeness Notes
- Callees are 1-hop only. Noir does not build a transitive call graph.
- Dynamic dispatch, middleware chains, decorators, macro expansion, generated code, and reflection can hide calls from static extraction.
- Named handler frameworks usually have better callee coverage than heavily dynamic or inline callback-heavy frameworks.
- Definition resolution is incremental and currently analyzer-specific.
- Calls are deduplicated and capped per endpoint to keep output compact for downstream tools.
- Framework helpers such as renderers and request accessors are intentionally kept because they describe how the endpoint handles input and output.