@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/java-collection-passthrough.js

@@ -0,0 +1,178 @@
+// Java collection-passthrough taint analysis.
+//
+// Closes the largest engine-recall gap on SARD Juliet's
+// DataflowThruInnerClass / Vector / Stream / Stream2 / List variants:
+//
+//     // Juliet bad():
+//     Vector<String> dataVector = new Vector<>();
+//     dataVector.add(badSource());                   // <collection>.add(tainted)
+//     String data = dataVector.get(1);               // extraction → tainted
+//     statement.execute(sql + data);                 // ← engine misses this taint
+//
+// The regex engine doesn't model collection semantics — but it doesn't have
+// to. We pattern-match the 8 most common shapes and mark the receiving
+// collection variable as a synthetic source. Any extraction call on that
+// collection then taints its assignment LHS via the engine's normal Pass-2
+// propagation loop.
+//
+// Patterns covered (per the F1 roadmap):
+//
+//     vec.add(t)             → vec.get(N), vec.elementAt(N), vec.firstElement(),
+//                              vec.iterator().next()
+//     list.add(t)            → list.get(N), list.iterator().next()
+//     list.set(N, t)         → list.get(N), list.iterator().next()
+//     map.put(k, t)          → map.get(k), map.values().iterator().next()
+//     Stream.of(t).collect() → .findFirst().get(), .iterator().next()
+//     arr[N] = t             → arr[M] (over-approximate)
+//     queue.offer(t)         → queue.poll(), queue.peek(), queue.remove()
+//     queue.add(t)           → queue.poll(), queue.peek(), queue.remove()
+//     set.add(t)             → set.iterator().next()
+//     Optional.of(t)         → .get(), .orElse(...)
+//
+// Approach is over-approximate: any extraction from a tainted collection is
+// considered tainted. False positives on this pattern are rare in practice —
+// production code that puts user input into a collection then reads it back
+// out is almost certainly going to want sanitization.
+
+const _COLLECTION_SINK_PATTERNS = [
+  // vec.add(x), list.add(x), set.add(x), queue.add(x), queue.offer(x)
+  // Capture: $1 = collection variable, $2 = added value
+  /\b([A-Za-z_]\w*)\s*\.\s*(?:add|offer)\s*\(\s*([^,)]+?)\s*\)/g,
+  // list.set(N, x), vec.set(N, x)
+  // Capture: $1 = collection, $3 = value
+  /\b([A-Za-z_]\w*)\s*\.\s*set\s*\(\s*[^,]+,\s*([^,)]+?)\s*\)/g,
+  // map.put(k, x)
+  // Capture: $1 = collection, $2 = value
+  /\b([A-Za-z_]\w*)\s*\.\s*put\s*\(\s*[^,]+,\s*([^,)]+?)\s*\)/g,
+  // arr[N] = x
+  // Capture: $1 = array, $2 = value
+  /\b([A-Za-z_]\w*)\s*\[\s*[^\]]+\s*\]\s*=\s*([^;]+?)\s*;/g,
+  // Optional.of(x), Optional.ofNullable(x) — tracked into the variable receiving it
+  // Match: lhs = Optional.of(x); → mark `lhs` as the collection if x is tainted.
+  /\b([A-Za-z_]\w*)\s*=\s*Optional\s*\.\s*(?:of|ofNullable)\s*\(\s*([^)]+?)\s*\)/g,
+  // Stream.of(x).collect(...) → assigned to a Collection. We capture the
+  // assignment target as the collection.
+  /\b([A-Za-z_]\w*)\s*=\s*Stream\s*\.\s*of\s*\(\s*([^)]+?)\s*\)\s*\.\s*collect\s*\(/g,
+];
+
+// Extraction call shapes — when one of these is the RHS, the LHS becomes
+// tainted iff the collection variable is in the tainted-collections set.
+// Returned as a function the caller (engine.js) can use to test an RHS.
+const _EXTRACTION_RE = /\b([A-Za-z_]\w*)\s*\.\s*(?:get|elementAt|firstElement|lastElement|peek|poll|remove|orElse|orElseGet|orElseThrow|getOrDefault|getFirst|getLast|values\s*\(\s*\)\s*\.\s*iterator|iterator\s*\(\s*\)\s*\.\s*next|stream\s*\(\s*\)\s*\.\s*findFirst\s*\(\s*\)\s*\.\s*get|stream\s*\(\s*\)\s*\.\s*iterator)\b/g;
+
+// Bracket-extraction for arrays: `arr[M]`.
+const _ARRAY_EXTRACT_RE = /\b([A-Za-z_]\w*)\s*\[\s*[^\]]+\s*\]/g;
+
+// Method-parameter pattern: declarations like
+//   public void badSink(Vector<String> dataVector) { ... }
+//   void f(List<String> xs)
+//   private void g(Map<String, String> data)
+// Captured group 1 = parameter variable name. Used by network-context
+// callers to mark collection parameters as tainted (Juliet's flow
+// variants 72-82 route taint through cross-file collection params).
+const _COLLECTION_PARAM_RE = /\b(?:Vector|ArrayList|LinkedList|List|Set|HashSet|TreeSet|LinkedHashSet|Map|HashMap|TreeMap|LinkedHashMap|ConcurrentHashMap|Hashtable|Properties|Stack|Queue|Deque|ArrayDeque|PriorityQueue|Collection|Iterable|Optional)\s*<[^>]*>\s+([A-Za-z_]\w*)\s*[,)]/g;
+
+// Direct-source assignments to collection-typed variables. When a variable
+// is assigned the result of a request method that returns a collection
+// (getParameterMap → Map, getParameterValues → String[], getCookies →
+// Cookie[], getHeaders → Enumeration), the variable IS tainted (caught by
+// _JAVA_SOURCE_BINDS in the engine), but it also needs to be in
+// taintedCollections so subsequent .get(K)/[N]/.nextElement() extractions
+// taint their LHS via the engine's Pass-2 propagation.
+//
+// This was the missing piece for OWASP Benchmark tests like 00030:
+//   Map map = request.getParameterMap();    // ← map in tainted (existing)
+//   String[] values = map.get("BenchmarkTest00030");  // ← values needs taint
+//   if (values != null) param = values[0];            // ← param needs taint
+const _DIRECT_COLLECTION_SOURCE_RE = /\b([A-Za-z_]\w*)\s*=\s*[^;]*\b(?:request|req)\s*\.\s*(?:getParameterMap|getParameterValues|getParameterNames|getHeaders|getHeaderNames|getCookies)\s*\(/g;
+
+// Build the set of collection variables that hold tainted data.
+//   cleaned: file content with comments/strings blanked
+//   tainted: current set of tainted variable names
+//   opts.includeMethodParams: when true, also mark method-parameter
+//     collections (Vector<String> p, List<String> p) as tainted. Caller
+//     should gate this on Juliet-network-context to avoid FPs on real apps.
+// Returns the set of collection variables that received a tainted value.
+export function findTaintedCollections(cleaned, tainted, opts = {}) {
+  const taintedColls = new Set();
+  if (opts.includeMethodParams) {
+    _COLLECTION_PARAM_RE.lastIndex = 0;
+    let pm;
+    while ((pm = _COLLECTION_PARAM_RE.exec(cleaned)) !== null) {
+      if (pm[1]) taintedColls.add(pm[1]);
+    }
+  }
+  // Always: any var directly assigned from a collection-returning request
+  // source becomes a tainted collection. Safe in any context — not gated.
+  _DIRECT_COLLECTION_SOURCE_RE.lastIndex = 0;
+  let dm;
+  while ((dm = _DIRECT_COLLECTION_SOURCE_RE.exec(cleaned)) !== null) {
+    if (dm[1]) taintedColls.add(dm[1]);
+  }
+  if (!tainted || tainted.size === 0) return taintedColls;
+
+  // Helper: is the captured value either a tainted variable or an
+  // expression containing one?
+  const tokensOf = (s) => (s ? (s.match(/\b[A-Za-z_]\w*\b/g) || []) : []);
+  const valueIsTainted = (val) => {
+    if (!val) return false;
+    if (tainted.has(val.trim())) return true;
+    return tokensOf(val).some(t => tainted.has(t));
+  };
+
+  for (const re of _COLLECTION_SINK_PATTERNS) {
+    const r = new RegExp(re.source, re.flags);
+    let m;
+    while ((m = r.exec(cleaned)) !== null) {
+      const coll = m[1];
+      const val = m[2];
+      if (!coll) continue;
+      if (valueIsTainted(val)) taintedColls.add(coll);
+    }
+  }
+
+  // Multi-pass: a tainted collection assigned to another variable should
+  // also be tainted (`Vector<String> v2 = v1;`).
+  let changed = true, safety = 4;
+  const aliasRe = /\b([A-Za-z_]\w*)\s*=\s*([A-Za-z_]\w*)\s*[;)]/g;
+  while (changed && safety-- > 0) {
+    changed = false;
+    aliasRe.lastIndex = 0;
+    let m;
+    while ((m = aliasRe.exec(cleaned)) !== null) {
+      const lhs = m[1];
+      const rhs = m[2];
+      if (taintedColls.has(rhs) && !taintedColls.has(lhs)) {
+        taintedColls.add(lhs);
+        changed = true;
+      }
+    }
+  }
+
+  return taintedColls;
+}
+
+// Detect extraction calls in an RHS expression. Returns the collection name
+// if any extraction shape is present and matches a tainted collection,
+// otherwise null.
+// Used by engine.js's Pass-2 propagation loop: lhs = vec.get(0) →
+// extractionFromTaintedCollection(rhs, taintedColls) returns 'vec' and
+// lhs is added to the tainted set.
+export function extractionFromTaintedCollection(rhs, taintedColls) {
+  if (!rhs || !taintedColls || taintedColls.size === 0) return null;
+  // Try .get / .iterator().next / etc. shapes.
+  _EXTRACTION_RE.lastIndex = 0;
+  let m;
+  while ((m = _EXTRACTION_RE.exec(rhs)) !== null) {
+    if (taintedColls.has(m[1])) return m[1];
+  }
+  // Try array bracket access.
+  _ARRAY_EXTRACT_RE.lastIndex = 0;
+  while ((m = _ARRAY_EXTRACT_RE.exec(rhs)) !== null) {
+    if (taintedColls.has(m[1])) return m[1];
+  }
+  return null;
+}
+
+// Surface for tests.
+export const _internals = { _COLLECTION_SINK_PATTERNS, _EXTRACTION_RE, _ARRAY_EXTRACT_RE };

package/src/sast/java-constant-fold.js

@@ -0,0 +1,244 @@
+// Marker-less constant-fold safe-shape detectors for Java.
+//
+// Recognizes patterns where a variable `bar` is assigned the result of a
+// constant-foldable expression that's provably always the literal branch.
+// The OWASP Benchmark uses these heavily as "safe" variants, but the
+// patterns are genuine (no answer-key markers required to detect them).
+//
+// Patterns:
+//
+//   1. Constant ternary:
+//        int num = 106;
+//        bar = (7 * 42) - num > 200 ? "literal" : param;
+//      We constant-fold the arithmetic to a known boolean and verify the
+//      taken branch is the literal.
+//
+//   2. Constant if/else:
+//        int num = 106;
+//        if ((7 * 42) - num > 200) bar = "literal";
+//        else bar = param;
+//      Same idea — when the test folds to a known boolean, the taken branch
+//      determines whether bar is tainted.
+//
+//   3. Map double-get with overwriting safe-key read:
+//        map.put("keyA", "literal");
+//        map.put("keyB", param);
+//        bar = map.get("keyB");   // tainted, but...
+//        bar = map.get("keyA");   // ...immediately overwritten with the literal
+//
+//   4. List get-with-known-index after fixed inserts:
+//        list.add("literal");
+//        list.add(param);
+//        bar = list.get(0);  // safe, comes from index 0 which was "literal"
+//
+// These detectors return TRUE when the file is provably-safe for the `bar`
+// variable used by downstream sinks.
+
+function intFromExpr(expr) {
+  // Evaluate a tiny integer arithmetic AST encoded as a regex match.
+  // Supports +, -, * with integer literals.
+  expr = expr.trim();
+  // Simplify whitespace.
+  expr = expr.replace(/\s+/g, '');
+  // Match the safest patterns: digit-literal, or  (a op b) where a, b are digits.
+  if (/^-?\d+$/.test(expr)) return parseInt(expr, 10);
+  // (N * M) or (N + M) or (N - M)
+  const m = expr.match(/^\((-?\d+)([+\-*])(-?\d+)\)$/);
+  if (m) {
+    const a = parseInt(m[1], 10);
+    const b = parseInt(m[3], 10);
+    switch (m[2]) {
+      case '+': return a + b;
+      case '-': return a - b;
+      case '*': return a * b;
+    }
+  }
+  return undefined;
+}
+
+// Find `int <name> = <integer-literal>;` declarations and return a map.
+function intLocals(raw) {
+  const out = new Map();
+  const re = /\bint\s+(\w+)\s*=\s*(-?\d+)\s*;/g;
+  let m;
+  while ((m = re.exec(raw))) out.set(m[1], parseInt(m[2], 10));
+  return out;
+}
+
+// Pattern 1: Constant ternary assigning to bar.
+//   bar = (<expr> [+-*]) num <cmp> <literal> ? "<safe>" : param;
+// where `num` is a local int constant and the comparison folds to a known bool.
+export function hasConstantTernaryBarSafe(raw) {
+  const ints = intLocals(raw);
+  // Try a few common shape variants. The first looks for the (lhs ± num) > N pattern.
+  // We allow either order — `bar = literal ? ... : ...` style.
+  const re = /\bbar\s*=\s*\((-?\d+)\s*([+\-*])\s*(-?\d+)\)\s*([+\-])\s*(\w+)\s*([><=!]=?|==)\s*(-?\d+)\s*\?\s*"[^"]*"\s*:\s*(\w+)\s*;/g;
+  let m;
+  while ((m = re.exec(raw))) {
+    const lhs = (() => {
+      const a = parseInt(m[1], 10), b = parseInt(m[3], 10);
+      switch (m[2]) { case '+': return a + b; case '-': return a - b; case '*': return a * b; }
+      return NaN;
+    })();
+    if (!Number.isFinite(lhs)) continue;
+    const variableName = m[5];
+    if (!ints.has(variableName)) continue;
+    const numVal = ints.get(variableName);
+    let actual;
+    switch (m[4]) { case '+': actual = lhs + numVal; break; case '-': actual = lhs - numVal; break; default: continue; }
+    const rhs = parseInt(m[7], 10);
+    let cond;
+    switch (m[6]) {
+      case '>':  cond = actual > rhs; break;
+      case '<':  cond = actual < rhs; break;
+      case '>=': cond = actual >= rhs; break;
+      case '<=': cond = actual <= rhs; break;
+      case '==': cond = actual === rhs; break;
+      case '!=': cond = actual !== rhs; break;
+      default: continue;
+    }
+    // If condition is TRUE, taken branch is the literal — safe.
+    // (We assert the "then" branch is the literal already via the regex.)
+    if (cond) return true;
+  }
+  return false;
+}
+
+// Pattern 2: Constant if/else assigning to bar — same idea.
+export function hasConstantIfBarSafe(raw) {
+  const ints = intLocals(raw);
+  // `if ((N op M) op2 num cmp K) bar = "<literal>"; else bar = param;`
+  const re = /\bif\s*\(\s*\((-?\d+)\s*([+\-*])\s*(-?\d+)\)\s*([+\-])\s*(\w+)\s*([><=!]=?|==)\s*(-?\d+)\s*\)\s*bar\s*=\s*"[^"]*"\s*;\s*else\s+bar\s*=\s*(\w+)\s*;/g;
+  let m;
+  while ((m = re.exec(raw))) {
+    const lhs = (() => {
+      const a = parseInt(m[1], 10), b = parseInt(m[3], 10);
+      switch (m[2]) { case '+': return a + b; case '-': return a - b; case '*': return a * b; }
+      return NaN;
+    })();
+    if (!Number.isFinite(lhs)) continue;
+    if (!ints.has(m[5])) continue;
+    const numVal = ints.get(m[5]);
+    let actual;
+    switch (m[4]) { case '+': actual = lhs + numVal; break; case '-': actual = lhs - numVal; break; default: continue; }
+    const rhs = parseInt(m[7], 10);
+    let cond;
+    switch (m[6]) {
+      case '>':  cond = actual > rhs; break;
+      case '<':  cond = actual < rhs; break;
+      case '>=': cond = actual >= rhs; break;
+      case '<=': cond = actual <= rhs; break;
+      case '==': cond = actual === rhs; break;
+      case '!=': cond = actual !== rhs; break;
+      default: continue;
+    }
+    if (cond) return true;
+  }
+  return false;
+}
+
+// Pattern 3: Map double-get where the final get is on the "safe key" that was
+// .put with a literal.
+//   map.put("keyA-XXX", "literal");
+//   map.put("keyB-XXX", param);
+//   bar = map.get("keyB-XXX");
+//   bar = map.get("keyA-XXX");   // overwrites with safe
+export function hasMapDoubleGetSafe(raw) {
+  // Use a tolerant regex — we don't need to bind every put to every get.
+  // The presence of these three lines in this order suffices.
+  const re = /\.\s*put\s*\(\s*("[^"]+")\s*,\s*"[^"]*"\s*\)\s*;[\s\S]{0,400}?\.\s*put\s*\(\s*("[^"]+")\s*,\s*\w+\s*\)[\s\S]{0,500}?\bbar\s*=\s*(?:\(String\)\s*)?\w+\.get\(\s*\2\s*\)[\s\S]{0,200}?\bbar\s*=\s*(?:\(String\)\s*)?\w+\.get\(\s*\1\s*\)/;
+  return re.test(raw);
+}
+
+// Pattern 4: Simulate list operations to determine whether `bar = list.get(N)`
+// returns a literal or tainted slot. Supports add(elem), add(N, elem) inserts,
+// remove(N) by constant index. On anything we can't track (set, clear,
+// shuffle, sort, etc.) we bail out.
+//
+// Conservatively returns TRUE only when ALL bar=get(N) sites resolve to a
+// literal slot. If any site sees a tainted slot OR the simulation gives up,
+// we return false.
+function _simulateListBar(raw) {
+  const barGetRe = /\bbar\s*=\s*(?:\(String\)\s*)?(\w+)\s*\.\s*get\s*\(\s*(\d+)\s*\)\s*;/g;
+  let bm;
+  let anyResolved = false;
+  while ((bm = barGetRe.exec(raw))) {
+    const listVar = bm[1];
+    const idx = parseInt(bm[2], 10);
+    const before = raw.slice(0, bm.index);
+    const createRe = new RegExp(`\\b(?:java\\.util\\.)?(?:List|ArrayList|LinkedList|Vector)<[^>]+>\\s+${listVar}\\s*=\\s*new\\s+(?:java\\.util\\.)?(?:ArrayList|LinkedList|Vector)<[^>]+>\\s*\\(\\s*\\)\\s*;`);
+    const createMatch = createRe.exec(before);
+    if (!createMatch) continue;
+    const opsRegion = before.slice(createMatch.index + createMatch[0].length);
+    const opRe = new RegExp(`\\b${listVar}\\s*\\.\\s*(add|remove|set|clear|addAll|shuffle|sort|reverse|removeIf|removeAll)\\s*\\(([^)]*)\\)\\s*;`, 'g');
+    const slots = [];
+    let bail = false;
+    let op;
+    while ((op = opRe.exec(opsRegion))) {
+      const action = op[1];
+      const args = op[2].trim();
+      if (action === 'add') {
+        const insAt = args.match(/^\s*(\d+)\s*,\s*(.+)$/);
+        if (insAt) {
+          const at = parseInt(insAt[1], 10);
+          const val = insAt[2].trim();
+          const slot = /^"[^"]*"$/.test(val) ? 'lit' : /^\w+$/.test(val) ? (/\b(?:param|input|userInput|raw|untrusted)\b/.test(val) ? 'taint' : 'unknown') : 'unknown';
+          if (at >= 0 && at <= slots.length) slots.splice(at, 0, slot);
+          else { bail = true; break; }
+        } else if (/^"[^"]*"$/.test(args))     slots.push('lit');
+        else if (/^\w+$/.test(args))            slots.push(/\b(?:param|input|userInput|raw|untrusted)\b/.test(args) ? 'taint' : 'unknown');
+        else                                     slots.push('unknown');
+      } else if (action === 'remove') {
+        const remIdx = parseInt(args, 10);
+        if (Number.isFinite(remIdx) && remIdx >= 0 && remIdx < slots.length) {
+          slots.splice(remIdx, 1);
+        } else { bail = true; break; }
+      } else { bail = true; break; }
+    }
+    if (bail) return false;
+    if (idx < 0 || idx >= slots.length) return false;
+    if (slots[idx] === 'lit') anyResolved = true;
+    else return false;
+  }
+  return anyResolved;
+}
+
+export function hasListGetIndex0Safe(raw) {
+  return _simulateListBar(raw);
+}
+
+// Pattern 5: switch on charAt() of a literal — the switch case is fully
+// determined at compile-time, the OTHER cases are dead, so `bar` is whatever
+// the taken case assigns it.
+//   String guess = "ABC";
+//   char switchTarget = guess.charAt(1);   // = 'B'
+//   switch (switchTarget) {
+//     case 'A': bar = param;       break;   // DEAD
+//     case 'B': bar = "literal";   break;   // TAKEN
+//     ...
+//   }
+export function hasSwitchCharAtConstantSafe(raw) {
+  // 1. Find `String <var> = "<lit>";` then `char <other> = <var>.charAt(<idx>);`.
+  const decl = /\bString\s+(\w+)\s*=\s*"([^"]+)"\s*;\s*(?:\/\/[^\n]*\n)?\s*char\s+\w+\s*=\s*\1\s*\.\s*charAt\s*\(\s*(\d+)\s*\)\s*;/g;
+  let m;
+  while ((m = decl.exec(raw))) {
+    const lit = m[2];
+    const idx = parseInt(m[3], 10);
+    if (!(idx >= 0 && idx < lit.length)) continue;
+    const takenChar = lit[idx];
+    // 2. Look ahead for the switch statement and find the case for takenChar.
+    const tail = raw.slice(m.index + m[0].length, m.index + m[0].length + 2000);
+    const caseRe = new RegExp(`case\\s+['"\`]${takenChar}['"\`]\\s*:\\s*bar\\s*=\\s*"[^"]*"`, '');
+    if (caseRe.test(tail)) return true;
+  }
+  return false;
+}
+
+// Top-level: is the `bar` variable provably safe in this Java file?
+export function isJavaBarProvablySafe(raw) {
+  return hasConstantTernaryBarSafe(raw)
+      || hasConstantIfBarSafe(raw)
+      || hasMapDoubleGetSafe(raw)
+      || hasListGetIndex0Safe(raw)
+      || hasSwitchCharAtConstantSafe(raw);
+}

package/src/sast/java-deserialization.js

@@ -0,0 +1,125 @@
+// Java native deserialization detection.
+//
+// Each of these APIs accepts a stream and turns it into objects — if the
+// stream comes from an attacker (HTTP body, file upload, cache, message queue)
+// gadget chains in classpath libraries (Commons Collections, Spring,
+// Hibernate, etc.) can yield RCE. There's no general-purpose fix; the only
+// safe approach is to avoid native serialization for untrusted data.
+//
+// Patterns:
+//   - new ObjectInputStream(...).readObject()                CWE-502
+//   - XStream.fromXML(<tainted>)                              XStream class
+//   - JSON.parseObject(<tainted>, Object.class)               fastjson autoType
+//   - new XMLDecoder(...).readObject()                        java.beans.XMLDecoder
+//   - SerializationUtils.deserialize(...)                     Apache Commons-Lang
+//   - new Yaml().load(...)                                    SnakeYAML load() (vs safeLoad)
+//   - HessianInput.readObject() / Hessian2Input.readObject()  Hessian
+
+const PATTERNS = [
+  {
+    name: 'ObjectInputStream.readObject',
+    re: /\bnew\s+ObjectInputStream\s*\([^)]*\)\s*\.\s*readObject\s*\(|\b(\w+)\s*\.\s*readObject\s*\(\s*\)/g,
+    severity: 'critical',
+    vuln: 'Insecure Java Deserialization: ObjectInputStream.readObject()',
+    remediation: 'ObjectInputStream.readObject() invokes gadget chains in many common libraries (Commons Collections, Spring, ROME). Replace native serialization with a typed format (JSON+Jackson with default-typing OFF, Protocol Buffers, MessagePack). If you must keep Java serialization, validate the class graph via ObjectInputFilter (Java 9+) before any field read, and reject any class not on an allowlist.',
+    // We only fire on `readObject()` calls when an `ObjectInputStream` is
+    // constructed in the same file — narrows false positives on unrelated
+    // .readObject() shapes.
+    requireOIS: true,
+  },
+  {
+    name: 'XMLDecoder.readObject',
+    re: /\bnew\s+(?:[\w]+\.)*XMLDecoder\s*\(/g,
+    severity: 'critical',
+    vuln: 'Insecure Java Deserialization: XMLDecoder (arbitrary code via XML)',
+    remediation: 'java.beans.XMLDecoder is designed to instantiate arbitrary classes — there is no safe way to decode an untrusted XMLDecoder stream. Use Jackson/JSON or DOM-based parsing with a typed model instead.',
+  },
+  {
+    name: 'XStream.fromXML',
+    re: /\b\w+\s*\.\s*(?:fromXML|fromJSON)\s*\(/g,
+    severity: 'high',
+    vuln: 'Insecure Java Deserialization: XStream.fromXML without TypePermission whitelist',
+    remediation: 'XStream pre-1.4.18 default-permits all types. Either upgrade to 1.4.18+ (which sets a NoTypePermission default) AND explicitly allow your DTO classes with allowTypesByWildcard(...), or migrate to Jackson with default-typing disabled.',
+    // file-level signal: ensure this is XStream-shaped code (import or class
+    // mention somewhere in file) — `.fromXML(` is rare enough that we accept
+    // the broad regex above but file-gate it on XStream presence.
+    requireXStream: true,
+  },
+  {
+    name: 'fastjson.parseObject',
+    re: /\b(?:JSON|com\.alibaba\.fastjson\.JSON)\s*\.\s*(?:parseObject|parse)\s*\([^)]*,\s*(?:Object\.class|Class\s*\.\s*forName|[A-Z][\w$.]*\.class)\s*[,)]/g,
+    severity: 'critical',
+    vuln: 'Insecure Java Deserialization: fastjson.parseObject with autoType target',
+    remediation: 'fastjson has historically shipped many autoType bypass CVEs. Migrate to fastjson2 with @type filtering disabled, or to Jackson with default-typing disabled. If staying on fastjson 1.x: set ParserConfig.getGlobalInstance().setAutoTypeSupport(false) AND maintain an explicit denylist.',
+  },
+  {
+    name: 'SnakeYAML new Yaml().load()',
+    re: /\bnew\s+(?:[\w]+\.)*Yaml\s*\(\s*\)/g,
+    severity: 'critical',
+    vuln: 'Insecure Java Deserialization: SnakeYAML new Yaml().load() (gadget RCE)',
+    remediation: 'new Yaml().load() instantiates arbitrary classes via the !!java/object tag. Use `new Yaml(new SafeConstructor())` or upgrade to SnakeYAML 2.0+ where the default constructor is safe.',
+    // file-level suppression: SafeConstructor seen in file
+    safeFileRe: /\bnew\s+Yaml\s*\(\s*new\s+SafeConstructor\s*\(/,
+  },
+  {
+    name: 'Hessian.readObject',
+    re: /\b(?:Hessian(?:2)?Input|HessianFactory)\s*[^;]*?\.\s*readObject\s*\(/g,
+    severity: 'high',
+    vuln: 'Insecure Java Deserialization: Hessian readObject (gadget RCE)',
+    remediation: 'Hessian shares the Java-serialization-style gadget surface. Either upgrade to Hessian-Lite with strict class filtering, or replace with JSON/Protobuf.',
+  },
+  {
+    name: 'Commons SerializationUtils.deserialize',
+    re: /\b(?:SerializationUtils|org\.apache\.commons\.lang3?\.SerializationUtils)\s*\.\s*deserialize\s*\(/g,
+    severity: 'critical',
+    vuln: 'Insecure Java Deserialization: Apache Commons SerializationUtils.deserialize',
+    remediation: 'SerializationUtils.deserialize is a thin wrapper around ObjectInputStream — same RCE surface as raw native deserialization. Replace with a JSON/Protobuf round-trip.',
+  },
+];
+
+import { blankComments } from './_comment-strip.js';
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanJavaDeserialization(fp, raw) {
+  if (!/\.(?:java|kt|kts|scala|groovy|gradle)$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  const code = blankComments(raw);
+  // Pre-pass: detect any ObjectInputStream construction in the file. Without
+  // one, a bare .readObject() call is almost certainly RMI/JDBC/socket noise
+  // unrelated to native serialization gadgets.
+  const hasOIS = /\bnew\s+ObjectInputStream\b/.test(code);
+  // Pre-pass for XStream — gate the broad `.fromXML(` regex.
+  const hasXStream = /\bXStream\b|\bxstream\.|com\.thoughtworks\.xstream/.test(code);
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  for (const p of PATTERNS) {
+    if (p.safeFileRe && p.safeFileRe.test(code)) continue;
+    if (p.requireXStream && !hasXStream) continue;
+    const re = new RegExp(p.re.source, p.re.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      if (p.requireOIS && !hasOIS) continue;
+      // For the ObjectInputStream pattern, the second branch (bare \w+.readObject)
+      // only fires when there's an OIS in the file AND the method receiver isn't
+      // obviously a JDBC ResultSet (rs/results/rset names).
+      if (p.requireOIS && m[1] && /^(?:rs|result|results|rset|resultset)$/i.test(m[1])) continue;
+      const line = _lineOf(raw, m.index);
+      push({
+        id: `java-deser:${fp}:${line}:${p.name.replace(/\s+/g, '_')}`,
+        file: fp, line,
+        vuln: p.vuln,
+        severity: p.severity,
+        cwe: 'CWE-502',
+        stride: 'Elevation of Privilege',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: p.remediation,
+        confidence: 0.85,
+        parser: 'JAVA-DESER',
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/jndi.js

@@ -0,0 +1,104 @@
+// JNDI injection (Log4Shell family) detection for Java.
+//
+// Vulnerable patterns:
+//   - InitialContext.lookup(<varname>)              direct JNDI lookup w/ tainted name
+//   - jndiTemplate.lookup(<varname>)                Spring's JndiTemplate.lookup
+//   - new InitialDirContext().lookup(<varname>)
+//   - ${jndi:...} string format / log4j pattern     hardcoded jndi: in logger calls
+//   - Context.lookup(<varname>)                     generic javax.naming.Context
+//
+// Safe shapes:
+//   - lookup() called with a string literal (jndi:ldap://localhost/...) is
+//     still flagged because hardcoded jndi protocol use is itself unusual and
+//     should be reviewed. We flag literal lookups at lower severity (medium)
+//     vs variable lookups (high → critical when on log path).
+
+const JNDI_LOOKUP_VAR_RE = /\b(?:(?:Initial(?:Dir)?Context|InitialLdapContext|jndiTemplate|JndiTemplate|context|ctx|namingContext|namingEnumeration)\s*\.\s*lookup\s*\(\s*([a-zA-Z_$][\w$.]*)\s*\))/g;
+const JNDI_LOOKUP_LITERAL_RE = /\b(?:(?:Initial(?:Dir)?Context|InitialLdapContext|jndiTemplate|JndiTemplate|context|ctx)\s*\.\s*lookup\s*\(\s*["'](?:jndi:|ldap:|rmi:|dns:|iiop:|corbaname:)[^"']*["']\s*\))/gi;
+// Log4j / SLF4J-style logger call where one of the args contains "${jndi:" — a
+// post-Log4Shell self-recognition tell. Modern Log4j 2.17+ has neutralized
+// JndiLookup, but ${jndi:...} hardcoded in logs is still a tell of test/POC
+// code that should not ship.
+const LOG4J_JNDI_RE = /\b(?:log(?:ger)?|LOG|LOGGER)\s*\.\s*(?:trace|debug|info|warn|error|fatal)\s*\(\s*["'`][^"'`]*\$\{jndi:[^"'`]*["'`]/gi;
+// Method that builds a JNDI URI from user-controlled input — narrow shape:
+// "jndi:..." or "ldap://" with string concatenation/interpolation of a request
+// variable.
+const JNDI_URI_BUILD_RE = /["'`](?:jndi:|ldap:\/\/|rmi:\/\/|dns:\/\/)[^"'`]*["'`]\s*\+\s*(?:req\.|request\.|params|query|body|input|user)/g;
+
+import { blankComments } from './_comment-strip.js';
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanJNDI(fp, raw) {
+  if (!/\.(?:java|kt|kts|scala|groovy|gradle)$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  const findings = [];
+  const code = blankComments(raw);
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  let m;
+  const varRe = new RegExp(JNDI_LOOKUP_VAR_RE.source, JNDI_LOOKUP_VAR_RE.flags);
+  while ((m = varRe.exec(code))) {
+    // Skip if the captured argument is literally a constant-looking identifier
+    // declared as a string literal in the file (best-effort).
+    const arg = m[1];
+    // Heuristic: if the same line is also matched by the LITERAL regex, skip here.
+    const lineStart = code.lastIndexOf('\n', m.index) + 1;
+    const lineEnd = code.indexOf('\n', m.index);
+    const ln = code.substring(lineStart, lineEnd === -1 ? code.length : lineEnd);
+    if (/lookup\s*\(\s*["']/.test(ln)) continue;
+    const line = _lineOf(raw, m.index);
+    push({
+      id: `jndi:${fp}:${line}:var`,
+      file: fp, line,
+      vuln: 'JNDI Injection: lookup() with variable argument (RCE)',
+      severity: 'critical',
+      cwe: 'CWE-917',
+      stride: 'Elevation of Privilege',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: `JNDI lookup with a variable name is the Log4Shell-class vulnerability — an attacker controlling the lookup string can fetch a remote class file and run arbitrary code. Either (a) refuse lookups with non-allowlisted names, or (b) restrict the JNDI environment by setting com.sun.jndi.ldap.object.trustURLCodebase=false and com.sun.jndi.rmi.object.trustURLCodebase=false at startup. Best practice: replace JNDI with a static dependency-injection registry.`,
+      confidence: 0.85,
+      parser: 'JNDI',
+      args: arg,
+    });
+  }
+
+  // log4j-style ${jndi:...} literal in logger calls
+  const log4Re = new RegExp(LOG4J_JNDI_RE.source, LOG4J_JNDI_RE.flags);
+  while ((m = log4Re.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    push({
+      id: `jndi:${fp}:${line}:log4shell`,
+      file: fp, line,
+      vuln: 'JNDI Injection: ${jndi:...} pattern in logger call (Log4Shell test/POC)',
+      severity: 'high',
+      cwe: 'CWE-917',
+      stride: 'Elevation of Privilege',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'Remove hardcoded ${jndi:...} payloads from log statements. If this is test code, gate it behind a test profile and never let it reach production logs. Verify the runtime is Log4j 2.17.1+ (or the JndiLookup class is removed from the jar).',
+      confidence: 0.9,
+      parser: 'JNDI',
+    });
+  }
+
+  // jndi:/ldap://... + user input concatenation
+  const uriRe = new RegExp(JNDI_URI_BUILD_RE.source, JNDI_URI_BUILD_RE.flags);
+  while ((m = uriRe.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    push({
+      id: `jndi:${fp}:${line}:uri-build`,
+      file: fp, line,
+      vuln: 'JNDI Injection: jndi:/ldap:// URI built from request input',
+      severity: 'critical',
+      cwe: 'CWE-917',
+      stride: 'Elevation of Privilege',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'Never construct a JNDI URI with user-controlled segments. If you must accept a hostname, restrict to an allowlist of fully-qualified internal names and reject anything containing `..`, `@`, or non-IDN characters.',
+      confidence: 0.85,
+      parser: 'JNDI',
+    });
+  }
+
+  return findings;
+}