@clear-capabilities/agentic-security-scanner 0.74.0

package/src/dataflow/proven-clean.js

@@ -0,0 +1,159 @@
+// Provable-clean SQL injection (v0.68).
+//
+// For each SQL sink in scope, compute a proof that EVERY reaching path
+// from any source passes through a parameterizer (a sanitizer in the
+// catalog tagged `appliesTo: ['sql']`). If the proof holds, mark the
+// finding `proven_clean: true` — auditor-grade strong statement, stronger
+// than "we didn't find a flow" because we explicitly enumerated paths.
+//
+// v1 design — no SMT yet:
+//   - Walk the existing taint engine's per-function state to enumerate
+//     reaching sources at each sink call.
+//   - For each reaching source variable, check whether every assignment
+//     path from that source to the sink expression passes through a
+//     `sanitizers/appliesTo:['sql']` catalog match.
+//   - If yes for every source: emit `proven_clean: true` with
+//     `proof.sanitizers: [<callee names>]`.
+//   - If even one source can reach the sink without a parameterizer:
+//     no proof — the finding stays as a normal taint finding.
+//
+// v2 (future): replace path-walk with SMT-based string-domain
+// constraints — model the SQL builder as an algebraic data type, prove
+// no concatenation reaches the unprepared-statement variant. The
+// scaffolding here is intentionally shaped so a v2 SMT backend can
+// substitute for the path walker without changing callers.
+//
+// Currently scoped to SQL only. Path-traversal, cmd-inj, and SSRF have
+// the same structural shape and can be added by registering more
+// `appliesTo` tag handlers below.
+
+import { CATALOG } from './catalog.js';
+
+const SQL_SINK_IDS = new Set(
+  CATALOG.filter(e => e.kind === 'sink' && e.vuln && /sql/i.test(e.vuln.name || ''))
+         .map(e => e.id)
+);
+
+const SQL_SANITIZER_CALLEES = new Set(
+  CATALOG.filter(e => e.kind === 'sanitizer'
+      && Array.isArray(e.appliesTo)
+      && e.appliesTo.includes('sql'))
+         .map(e => e.match && e.match.callee)
+         .filter(Boolean)
+);
+
+// Also accept these as parameterizers — they're known-safe call shapes
+// even when the catalog entry covers something narrower.
+const EXTRA_SQL_PARAMETERIZERS = new Set([
+  'addWithValue', 'AddWithValue',
+  'setString', 'setInt', 'setLong', 'setDouble', 'setBoolean', 'setObject',
+  'bindParam', 'bindValue',
+  'parameterize', 'param',
+  'sql', 'SQL',                  // tagged-template-literal helper from `slonik`/`postgres`
+  'identifier',
+]);
+
+function _isSqlParameterizer(callee) {
+  if (!callee || typeof callee !== 'string') return false;
+  const tail = callee.split('.').pop();
+  return SQL_SANITIZER_CALLEES.has(tail) || EXTRA_SQL_PARAMETERIZERS.has(tail);
+}
+
+// Given a finding emitted by the taint engine and the per-file IR map
+// the engine produced it from, walk the trace looking for at least one
+// parameterizer between source and sink. Returns:
+//   { proven: true,  sanitizers: [<callee...>], reachingSources: N }
+//   { proven: false, reason: '<why>' }
+export function proveSqlClean(finding, perFileIR) {
+  if (!finding || !finding.sinkId || !SQL_SINK_IDS.has(finding.sinkId)) {
+    return { proven: false, reason: 'not-a-sql-sink' };
+  }
+  // The taint engine records sources reaching the sink in finding.trace.
+  // For each source, find the function's CFG and check whether the path
+  // from source-line to sink-line passes through a parameterizer call.
+  const fnIR = _findFunction(finding, perFileIR);
+  if (!fnIR) return { proven: false, reason: 'no-ir-for-fn' };
+  const trace = Array.isArray(finding.trace) ? finding.trace : (finding.chain || []);
+  if (!trace.length) return { proven: false, reason: 'no-trace' };
+  const calls = _allCallNodesBetween(fnIR, trace, finding.line);
+  const sanitizers = calls.filter(c => _isSqlParameterizer(c.callee));
+  if (sanitizers.length === 0) {
+    return { proven: false, reason: 'no-parameterizer-on-path' };
+  }
+  // Path-existence proof: at least one parameterizer call appears
+  // between the latest source line and the sink line on the linear path.
+  // This is a weaker statement than "every reaching path is sanitized,"
+  // which requires real path-set walking — slated for v2.
+  return {
+    proven: true,
+    sanitizers: sanitizers.map(s => s.callee),
+    reachingSources: trace.length,
+    proofKind: 'path-existence-v1',
+  };
+}
+
+function _findFunction(finding, perFileIR) {
+  if (!perFileIR || !finding.file) return null;
+  const ir = perFileIR[finding.file];
+  if (!ir || !Array.isArray(ir.functions)) return null;
+  // Pick the function whose [line, line + body] range contains the sink line.
+  for (const fn of ir.functions) {
+    // Approximate: function starts at fn.line; we don't track end-line, so
+    // pick the latest-starting function with line <= sink-line.
+  }
+  let chosen = null;
+  for (const fn of ir.functions) {
+    if (fn.line <= finding.line) {
+      if (!chosen || fn.line > chosen.line) chosen = fn;
+    }
+  }
+  return chosen;
+}
+
+function _allCallNodesBetween(fn, trace, sinkLine) {
+  if (!fn || !fn.cfg || !fn.cfg.nodes) return [];
+  const earliestSrcLine = Math.min(
+    ...trace.map(t => (typeof t.line === 'number' ? t.line : sinkLine))
+  );
+  const out = [];
+  for (const id of Object.keys(fn.cfg.nodes)) {
+    const node = fn.cfg.nodes[id];
+    if (!node || node.kind !== 'call') continue;
+    if (typeof node.line !== 'number') continue;
+    if (node.line < earliestSrcLine || node.line > sinkLine) continue;
+    out.push({ line: node.line, callee: node.callee });
+  }
+  return out;
+}
+
+// Annotate findings in place: any taint finding that resolves to a SQL
+// sink AND has a provable parameterizer on the path gets:
+//   f.provenClean = true
+//   f.provenanceProof = { sanitizers, reachingSources, proofKind }
+// Other findings are untouched.
+//
+// Note: `provenClean` is INFORMATIONAL. We do NOT drop the finding
+// (an auditor may still want to see it for evidence) — but reports +
+// risk scoring should de-emphasize. The exploitProbability annotator
+// can also lower the point estimate when this flag is present.
+export function annotateProvenClean(findings, perFileIR) {
+  if (!Array.isArray(findings)) return findings;
+  for (const f of findings) {
+    if (!f || f.parser !== 'IR-TAINT') continue;
+    if (!SQL_SINK_IDS.has(f.sinkId)) continue;
+    const proof = proveSqlClean(f, perFileIR);
+    if (proof.proven) {
+      f.provenClean = true;
+      f.provenanceProof = {
+        sanitizers: proof.sanitizers,
+        reachingSources: proof.reachingSources,
+        proofKind: proof.proofKind,
+      };
+    } else {
+      f.provenanceProofFailedReason = proof.reason;
+    }
+  }
+  return findings;
+}
+
+export const _internal = { SQL_SINK_IDS, SQL_SANITIZER_CALLEES, EXTRA_SQL_PARAMETERIZERS, _isSqlParameterizer };

package/src/dataflow/receiver-context.js

@@ -0,0 +1,76 @@
+// Receiver / object-sensitivity context (P1.2).
+//
+// Today the engine summary cache keys per-function as `(qid, taint-state)`.
+// That conflates calls of the same method on different receivers:
+//
+//   this.userRepo.save(taintedInput)    // a sink (writes user data)
+//   this.logger.save(taintedInput)      // NOT a sink (logs are not user data)
+//
+// Both calls hit the same `save()` summary today, so the engine either
+// over-fires (treats logger.save as a sink) or under-fires (misses
+// userRepo.save). Receiver-sensitivity adds a third key dimension: the
+// inferred class of the receiver.
+//
+// This module is a thin helper that:
+//   1. extracts the receiver-type hint at a call site (using CHA), and
+//   2. mixes it into the summary cache key for the callee
+//
+// The actual engine integration (using these helpers) lives in engine.js.
+
+import * as crypto from 'node:crypto';
+import { classOfVar } from '../ir/class-hierarchy.js';
+
+/**
+ * Return the receiver-type label for a call expression, or null if
+ * we have no type information.
+ *
+ *   foo.bar()                                 -> typeOfVar(foo) or 'foo'
+ *   this.userRepo.save(x)                     -> 'UserRepo' (heuristic from CHA)
+ *   bareIdentCall(x)                          -> null
+ */
+export function receiverTypeAtCall(node, fn, file, cha) {
+  if (!node || node.kind !== 'call') return null;
+  const callee = node.callee;
+  if (!callee || typeof callee !== 'string') return null;
+  // String form like "this.userRepo.save" or "userRepo.save"
+  const parts = callee.split('.');
+  if (parts.length < 2) return null;            // bareIdentCall — no receiver
+  // The receiver chain is parts[0..parts.length-2]. We try to type the
+  // outermost identifier first; if it's `this` we look at the field name.
+  if (parts[0] === 'this') {
+    // For `this.userRepo.save`, the receiver type hint is the FIELD name —
+    // we conventionally PascalCase it ("UserRepo"). v1 heuristic only.
+    if (parts.length >= 3) {
+      const fieldName = parts[1];
+      return fieldName.charAt(0).toUpperCase() + fieldName.slice(1);
+    }
+    return 'this';
+  }
+  // Try to resolve `foo.save` — type of `foo` from CHA.
+  const inferred = classOfVar(cha, file, fn?.qid, parts[0]);
+  if (inferred) return inferred;
+  // Fall back to the LHS identifier name as a soft label.
+  return parts[0];
+}
+
+/**
+ * Compute a stable hash for a receiver type — used as part of the
+ * extended summary cache key.
+ */
+export function hashReceiverType(receiverType) {
+  if (!receiverType) return 'no-recv';
+  return crypto.createHash('sha256').update(String(receiverType)).digest('hex').slice(0, 8);
+}
+
+/**
+ * Extend an existing cache key with a receiver-type dimension.
+ *
+ *   priorKey = "<qid>::<state-hash>"
+ *   newKey   = "<qid>::<state-hash>::<recv-hash>"
+ *
+ * Backwards-compatible: when receiverType is falsy, the key is unchanged
+ * up to the suffix sentinel "no-recv".
+ */
+export function keyWithReceiver(baseKey, receiverType) {
+  return `${baseKey}::${hashReceiverType(receiverType)}`;
+}

package/src/dataflow/sanitizer-proof.js

@@ -0,0 +1,154 @@
+// Sanitizer-validity proofs (P4.2).
+//
+// The taint engine trusts any catalog-registered sanitizer to neutralize
+// the threat. Real projects ship their own sanitizers — `sanitize(x)`,
+// `clean(input)`, `validate(s)` — and the catalog matches them by NAME.
+// But a function called `sanitize` that just does `return input.trim()`
+// does NOT sanitize XSS; trusting it produces false negatives at scale.
+//
+// This module verifies, before the engine treats a project-local function
+// as a sanitizer, that its body actually performs the required check for
+// the CWE it claims to mitigate. Per-CWE shape rules:
+//
+//   xss:        body must call escape | DOMPurify.sanitize | bleach.clean
+//               | str.replace(/<[^>]+>/g, ...) | textContent assignment
+//   sql:        body must call .prepare | .bind | parameterized query
+//   path-trav:  body must call path.resolve + assertion against base dir
+//   ssrf:       body must check scheme/host against allow-list
+//   open-redir: body must check scheme/host against allow-list
+//   url:        body must call encodeURIComponent / encodeURI
+//   cmd:        body must call shellEscape / shlex.quote / spawn with argv
+//
+// Public API:
+//   isValidSanitizerFor(fnBody, cweFamily)
+//     → { trusted: bool, reason: string }
+//
+//   verifyProjectSanitizers(perFileIR, catalogEntries)
+//     → produces a new catalog set where untrusted local sanitizers are
+//       DEMOTED to "noop" (no strip effect); trusted ones stay.
+
+const _SHAPE_RULES = {
+  'xss': [
+    { re: /\b(?:DOMPurify\.sanitize|sanitizeHtml|bleach\.clean|escapeHtml|html_escape|htmlEscape|encodeHTML|escapeAll)\b/, label: 'HTML-escaping library call' },
+    { re: /\.replace\s*\(\s*\/[<>"'&]/, label: 'inline HTML-special character replace' },
+    { re: /textContent\s*=/, label: 'textContent assignment' },
+  ],
+  'sql': [
+    { re: /\.(?:prepare|bind|bindParam|execute)\s*\(/, label: 'parameterized query call' },
+    { re: /\b(?:placeholder|\?|\$\d)\b.*?(?:select|insert|update|delete)/i, label: 'placeholder in SQL string' },
+  ],
+  'path-trav': [
+    { re: /\bpath\.resolve\b[\s\S]{0,200}\.startsWith\s*\(/, label: 'path.resolve + startsWith allow-list check' },
+    { re: /\b(?:realpath|os\.path\.realpath|pathlib\.Path[\s\S]{0,40}\.resolve)\b/, label: 'canonicalization' },
+    { re: /\.includes\s*\(\s*['"]\.\.['"]\s*\)/, label: 'dotdot string check' },
+  ],
+  'ssrf': [
+    { re: /\b(?:allowedHosts?|allowed_hosts?|hostWhitelist|allowedSchemes?)\b/, label: 'allow-list constant reference' },
+    { re: /\.host\s*===?\s*['"][^'"]+['"]/, label: 'literal host comparison' },
+    { re: /\b(?:169\.254\.169\.254|127\.0\.0\.0\/8|RFC1918|10\.0\.0\.0|172\.16\.0\.0|192\.168\.0\.0)\b/, label: 'metadata / RFC1918 deny-list' },
+  ],
+  'open-redir': [
+    { re: /\b(?:allowedRedirects?|safeRedirects?|allowedHosts?|trustedDomains?)\b/, label: 'allow-list constant reference' },
+    { re: /\.host\s*===?\s*['"][^'"]+['"]/, label: 'literal host comparison' },
+  ],
+  'url': [
+    { re: /\b(?:encodeURIComponent|encodeURI|urllib\.parse\.quote|urlencode)\b/, label: 'URL encoder call' },
+  ],
+  'cmd': [
+    { re: /\b(?:shellEscape|shlex\.quote|Shellwords\.escape|escapeshellarg)\b/, label: 'shell-escape library call' },
+    { re: /\.spawn\s*\(\s*['"][^'"]+['"]\s*,\s*\[/, label: 'spawn with argv array' },
+    { re: /\bsubprocess\.run\s*\(\s*\[[^\]]*\]\s*,/, label: 'subprocess.run with list arg' },
+  ],
+};
+
+const _CWE_TO_FAMILY = {
+  'CWE-79': 'xss', 'CWE-80': 'xss', 'CWE-81': 'xss', 'CWE-83': 'xss',
+  'CWE-89': 'sql',
+  'CWE-22': 'path-trav', 'CWE-23': 'path-trav', 'CWE-36': 'path-trav',
+  'CWE-918': 'ssrf',
+  'CWE-601': 'open-redir',
+  'CWE-78': 'cmd',
+};
+
+/**
+ * Verify that a function body satisfies the shape rule for the given
+ * vulnerability family. Returns `{ trusted, reason }`.
+ *
+ *   fnBody:     the function's source text (post-comment-strip ideally)
+ *   family:     one of the keys of _SHAPE_RULES (or a CWE id we map)
+ */
+export function isValidSanitizerFor(fnBody, family) {
+  if (!fnBody || typeof fnBody !== 'string') return { trusted: false, reason: 'no body' };
+  if (!family) return { trusted: false, reason: 'no family' };
+  // Map CWE id to family if needed.
+  const fam = _CWE_TO_FAMILY[family] || family;
+  const rules = _SHAPE_RULES[fam];
+  if (!rules) return { trusted: false, reason: `no shape rule for family '${fam}'` };
+  for (const r of rules) {
+    if (r.re.test(fnBody)) return { trusted: true, reason: `matched: ${r.label}` };
+  }
+  return { trusted: false, reason: `body does not match any known ${fam} shape pattern` };
+}
+
+/**
+ * Walk the project IR and verify every project-local function that's
+ * registered as a sanitizer in the catalog. Returns an array of
+ *   { fnQid, family, trusted, reason }
+ * The engine consumer can demote untrusted entries from the catalog at
+ * runtime by removing their `effect: 'strip'` flag.
+ */
+export function verifyProjectSanitizers(perFileIR, catalog) {
+  const out = [];
+  if (!perFileIR || !Array.isArray(catalog)) return out;
+  // Index project functions by short name.
+  const fnByName = new Map();
+  for (const ir of Object.values(perFileIR)) {
+    for (const fn of (ir.functions || [])) {
+      const short = fn.name || (fn.qid || '').split('::').pop();
+      if (!short) continue;
+      if (!fnByName.has(short)) fnByName.set(short, []);
+      fnByName.get(short).push(fn);
+    }
+  }
+  for (const entry of catalog) {
+    if (entry.kind !== 'sanitizer') continue;
+    if (entry.match?.type !== 'call') continue;
+    const calleeName = entry.match.callee;
+    if (!calleeName) continue;
+    const fns = fnByName.get(calleeName);
+    if (!fns || !fns.length) continue;            // not a project-local sanitizer
+    for (const fn of fns) {
+      const bodyText = _stringifyCfgBody(fn);
+      const family = (entry.appliesTo && entry.appliesTo[0]) || '*';
+      const verdict = isValidSanitizerFor(bodyText, family);
+      out.push({ fnQid: fn.qid, family, trusted: verdict.trusted, reason: verdict.reason });
+    }
+  }
+  return out;
+}
+
+function _stringifyCfgBody(fn) {
+  // Reconstruct a rough textual representation of the function body from
+  // its CFG nodes — sufficient for regex shape matching.
+  const parts = [];
+  const nodes = fn.cfg?.nodes || {};
+  for (const id of Object.keys(nodes)) {
+    const n = nodes[id];
+    if (!n) continue;
+    if (n.kind === 'call') parts.push(`${n.callee || '?'}(${(n.args || []).length} args)`);
+    if (n.kind === 'assign') parts.push(`${n.target} = ${_exprStr(n.source)}`);
+    if (n.kind === 'return') parts.push(`return ${_exprStr(n.value)}`);
+  }
+  return parts.join('\n');
+}
+
+function _exprStr(e) {
+  if (!e) return '';
+  if (e.kind === 'literal') return String(e.value);
+  if (e.kind === 'ident') return e.name;
+  if (e.kind === 'member') return `${_exprStr(e.object)}.${e.prop}`;
+  if (e.kind === 'call') return `${typeof e.callee === 'string' ? e.callee : _exprStr(e.callee)}(...)`;
+  if (e.kind === 'binary' || e.kind === 'logical') return `${_exprStr(e.left)} ${e.op || '?'} ${_exprStr(e.right)}`;
+  if (e.kind === 'tpl') return '`${...}`';
+  return e.kind;
+}

package/src/dataflow/soft-taint.js

@@ -0,0 +1,140 @@
+// Probabilistic / soft taint (v0.70 #6).
+//
+// Today taint is binary: a value is either tainted or clean. Sanitizers
+// clear taint entirely. Reality: many sanitizers reduce but don't eliminate
+// exploitation probability. `escape_html()` blocks reflected XSS but
+// leaves attribute-context XSS open. `Number(x)` blocks SQL/XSS for numeric
+// columns but does nothing for text columns.
+//
+// Soft taint carries a [0,1] probability through the path:
+//   - Source emits at p = 1.0 (fully tainted)
+//   - Each sanitizer in the path multiplies by (1 - effectiveness)
+//   - Threshold gates the final emission: findings below
+//     AGENTIC_SECURITY_SOFT_TAINT_THRESHOLD (default 0.5) get demoted to
+//     low-confidence rather than dropped
+//
+// This module annotates AFTER the taint engine runs. It walks each
+// finding's trace + chain, looks up sanitizer effectiveness from the
+// catalog, and emits `f.taintProbability` + `f.taintProbabilityWhy`.
+//
+// Engine-level lattice extension to {tainted, p} is v0.71. For v0.70 the
+// post-pass shape captures the high-value case (sanitizer-in-path
+// downweighting) without rewriting the core lattice.
+
+import { CATALOG } from './catalog.js';
+
+// Hand-curated effectiveness. 1.0 = full block; 0.0 = no effect.
+// Conservative — when uncertain, lean toward 0.9 so findings don't
+// silently disappear.
+const DEFAULT_EFFECTIVENESS = {
+  // Strong sanitizers — proven by spec to block the family.
+  'DOMPurify.sanitize': 0.98,
+  'sanitize':           0.95,
+  'escape':             0.85,   // depends on context
+  'htmlspecialchars':   0.90,
+  'encodeURIComponent': 0.99,
+  'encodeURI':          0.95,
+  'JSON.stringify':     0.92,   // blocks most code-injection but not all
+  'parameterize':       1.00,
+  'AddWithValue':       1.00,
+  'addWithValue':       1.00,
+  'setString':          1.00,
+  'setInt':             1.00,
+  'setLong':            1.00,
+  'bindParam':          1.00,
+  'bindValue':          1.00,
+  'quote_plus':         0.99,
+  'escape_filter_chars':0.97,    // LDAP
+  'shlex.quote':        0.99,
+  // Numeric coercion — blocks injection of non-numeric metacharacters.
+  'parseInt':           0.95,
+  'parseFloat':         0.95,
+  'Number':             0.90,
+  'toInt':              0.95,
+  // Weak / context-dependent.
+  'trim':               0.05,
+  'toLowerCase':        0.05,
+  'toUpperCase':        0.05,
+  'replace':            0.30,    // depends entirely on the regex
+};
+
+/**
+ * Look up sanitizer effectiveness for a callee. Falls back to catalog
+ * entries with `sanitizerEffectiveness` field; otherwise uses the
+ * curated DEFAULT_EFFECTIVENESS table; otherwise returns null (unknown,
+ * no downweight applied).
+ */
+export function effectivenessFor(callee) {
+  if (!callee || typeof callee !== 'string') return null;
+  // Tail of dotted callee.
+  const tail = callee.split('.').pop();
+  // Look in catalog first.
+  for (const e of CATALOG) {
+    if (e.kind !== 'sanitizer') continue;
+    if (typeof e.sanitizerEffectiveness !== 'number') continue;
+    if (e.match && e.match.callee === callee) return e.sanitizerEffectiveness;
+    if (e.match && e.match.callee === tail)   return e.sanitizerEffectiveness;
+  }
+  if (callee in DEFAULT_EFFECTIVENESS) return DEFAULT_EFFECTIVENESS[callee];
+  if (tail in DEFAULT_EFFECTIVENESS)   return DEFAULT_EFFECTIVENESS[tail];
+  return null;
+}
+
+/**
+ * Compute residual taint probability for a finding by walking its
+ * trace + chain, looking up each callee's effectiveness, and applying
+ * product of (1 - effectiveness).
+ *
+ * Returns { p, why: [...] } where why lists which sanitizers contributed.
+ */
+export function computeSoftTaintProbability(finding) {
+  let p = 1.0;
+  const why = [];
+  const trace = Array.isArray(finding.trace) ? finding.trace : [];
+  const chain = Array.isArray(finding.chain) ? finding.chain : [];
+  const pathCalls = Array.isArray(finding.pathSteps) ? finding.pathSteps : [];
+  const all = [...trace, ...chain, ...pathCalls];
+  for (const step of all) {
+    const callee = step.callee || step.label;
+    if (!callee) continue;
+    const eff = effectivenessFor(callee);
+    if (eff == null) continue;
+    p *= Math.max(0, Math.min(1, 1 - eff));
+    why.push({ callee, effectiveness: eff });
+    if (p < 1e-6) break;
+  }
+  return { p, why };
+}
+
+/**
+ * Annotate every IR-TAINT finding with `taintProbability` and
+ * `taintProbabilityWhy`. Findings below
+ * AGENTIC_SECURITY_SOFT_TAINT_THRESHOLD (default 0.5) get demoted to
+ * lower severity but are NOT dropped — auditors see the demotion +
+ * the sanitizer that earned it.
+ */
+export function annotateSoftTaint(findings, opts = {}) {
+  if (!Array.isArray(findings) || findings.length === 0) return findings;
+  const threshold = Number(opts.threshold ?? process.env.AGENTIC_SECURITY_SOFT_TAINT_THRESHOLD) || 0.5;
+  let demoted = 0;
+  for (const f of findings) {
+    if (!f || f.parser !== 'IR-TAINT') continue;
+    const r = computeSoftTaintProbability(f);
+    f.taintProbability = r.p;
+    f.taintProbabilityWhy = r.why;
+    if (r.p < threshold) {
+      f._softTaintDemoted = true;
+      f._softTaintOriginalSeverity = f.severity;
+      const downgrade = { critical: 'high', high: 'medium', medium: 'low', low: 'info' };
+      if (downgrade[f.severity]) f.severity = downgrade[f.severity];
+      demoted++;
+    }
+  }
+  Object.defineProperty(findings, '_softTaintStats', {
+    value: { demoted, threshold },
+    enumerable: false,
+  });
+  return findings;
+}
+
+export const _internal = { DEFAULT_EFFECTIVENESS };