@nahisaho/musubix-security 2.0.1 → 2.1.1

package/dist/analysis/interprocedural/taint-propagator.d.ts

@@ -0,0 +1,250 @@
+/**
+ * @fileoverview Taint Propagator - Track taint flow across function boundaries
+ * @module @nahisaho/musubix-security/analysis/interprocedural/taint-propagator
+ * @trace REQ-SEC-001 (EARS: WHEN tainted data flows through function calls, THE system SHALL track it)
+ */
+import type { CallGraph, CallGraphEdge } from './call-graph-builder.js';
+import type { TaintSinkCategory } from '../../types/taint.js';
+import type { SourceDefinition } from '../sources/types.js';
+import type { SinkDefinition } from '../sinks/types.js';
+import type { SanitizerDefinition } from '../sanitizers/types.js';
+/**
+ * Simplified source info for findings
+ */
+export interface TaintSourceInfo {
+    id: string;
+    name: string;
+    location: {
+        file: string;
+        line: number;
+        column: number;
+    };
+    type: string;
+    confidence: number;
+}
+/**
+ * Simplified sink info for findings
+ */
+export interface TaintSinkInfo {
+    id: string;
+    name: string;
+    location: {
+        file: string;
+        line: number;
+        column: number;
+    };
+    category: TaintSinkCategory;
+    confidence: number;
+}
+/**
+ * Taint state for a variable/parameter
+ */
+export interface TaintState {
+    /** Whether the value is tainted */
+    isTainted: boolean;
+    /** Source of taint (if tainted) */
+    source?: TaintSourceInfo;
+    /** Confidence level (0-1) */
+    confidence: number;
+    /** Sanitizers applied */
+    sanitizers: string[];
+    /** Categories this taint affects */
+    affectedCategories: TaintSinkCategory[];
+}
+/**
+ * Taint context within a function
+ */
+export interface FunctionTaintContext {
+    /** Node ID */
+    nodeId: string;
+    /** Parameter taint states (by index) */
+    parameterTaints: Map<number, TaintState>;
+    /** Local variable taint states */
+    localTaints: Map<string, TaintState>;
+    /** Return value taint state */
+    returnTaint?: TaintState;
+    /** Whether function has side effects */
+    hasSideEffects: boolean;
+}
+/**
+ * Taint flow edge - represents taint flowing from one location to another
+ */
+export interface TaintFlowEdge {
+    /** Unique ID */
+    id: string;
+    /** Source location */
+    from: TaintLocation;
+    /** Destination location */
+    to: TaintLocation;
+    /** Type of flow */
+    flowType: TaintFlowType;
+    /** Associated call edge (if interprocedural) */
+    callEdge?: CallGraphEdge;
+    /** Sanitizers in path */
+    sanitizersApplied: string[];
+    /** Confidence (0-1) */
+    confidence: number;
+}
+/**
+ * Location of taint
+ */
+export interface TaintLocation {
+    /** Function node ID */
+    nodeId: string;
+    /** Variable name or parameter index */
+    identifier: string;
+    /** Line number */
+    line: number;
+    /** Column number */
+    column: number;
+    /** File path */
+    filePath: string;
+}
+/**
+ * Type of taint flow
+ */
+export type TaintFlowType = 'assignment' | 'parameter' | 'return' | 'property-access' | 'method-call' | 'callback' | 'implicit';
+/**
+ * Taint finding - vulnerability detected
+ */
+export interface TaintFinding {
+    /** Unique ID */
+    id: string;
+    /** Severity level */
+    severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+    /** Vulnerability title */
+    title: string;
+    /** Description */
+    description: string;
+    /** CWE ID */
+    cwe?: string;
+    /** Source of taint */
+    source: TaintSourceInfo;
+    /** Sink where taint flows */
+    sink: TaintSinkInfo;
+    /** Complete taint flow path */
+    flowPath: TaintFlowEdge[];
+    /** Sanitizers in path (may be incomplete) */
+    sanitizersInPath: string[];
+    /** Whether sanitization is complete */
+    sanitizationComplete: boolean;
+    /** Confidence (0-1) */
+    confidence: number;
+    /** Suggested remediation */
+    remediation?: string;
+}
+/**
+ * Summary of taint analysis results
+ */
+export interface TaintSummary {
+    /** Node ID */
+    nodeId: string;
+    /** Parameters that propagate taint to return */
+    taintPropagatingParams: number[];
+    /** Whether function sanitizes input */
+    isSanitizer: boolean;
+    /** Categories sanitized */
+    sanitizesCategories: TaintSinkCategory[];
+    /** Whether function is a sink */
+    isSink: boolean;
+    /** Sink category if applicable */
+    sinkCategory?: TaintSinkCategory;
+    /** Whether function is a source */
+    isSource: boolean;
+    /** Source type if applicable */
+    sourceType?: string;
+}
+/**
+ * Options for taint propagation
+ */
+export interface TaintPropagatorOptions {
+    /** Maximum call depth to analyze */
+    maxDepth?: number;
+    /** Track implicit flows (control dependencies) */
+    trackImplicitFlows?: boolean;
+    /** Minimum confidence threshold */
+    minConfidence?: number;
+    /** Custom sources */
+    customSources?: SourceDefinition[];
+    /** Custom sinks */
+    customSinks?: SinkDefinition[];
+    /** Custom sanitizers */
+    customSanitizers?: SanitizerDefinition[];
+}
+/**
+ * Taint Propagator - Performs interprocedural taint analysis
+ * @trace REQ-SEC-001
+ */
+export declare class TaintPropagator {
+    private options;
+    private functionSummaries;
+    private sources;
+    private sinks;
+    private sanitizers;
+    constructor(sources: SourceDefinition[], sinks: SinkDefinition[], sanitizers: SanitizerDefinition[], options?: TaintPropagatorOptions);
+    /**
+     * Analyze a call graph for taint vulnerabilities
+     */
+    analyze(callGraph: CallGraph, sourceLocations: TaintLocation[], functionContexts?: Map<string, FunctionTaintContext>): TaintFinding[];
+    /**
+     * Build summaries of each function's taint behavior
+     */
+    private buildFunctionSummaries;
+    /**
+     * Analyze a single function's taint behavior
+     */
+    private analyzeFunctionTaint;
+    /**
+     * Trace taint flow from a source location
+     */
+    private traceTaintFlow;
+    /**
+     * Find if a tainted value is passed as an argument
+     */
+    private findTaintedArgument;
+    /**
+     * Check if a flow path represents a vulnerability
+     */
+    private checkForVulnerability;
+    /**
+     * Check if sanitization is complete for a category
+     */
+    private checkSanitizationComplete;
+    /**
+     * Calculate severity based on sink category and sanitization
+     */
+    private calculateSeverity;
+    /**
+     * Generate vulnerability description
+     */
+    private generateDescription;
+    /**
+     * Generate remediation suggestion
+     */
+    private generateRemediation;
+    /**
+     * Deduplicate findings with same source and sink
+     */
+    private deduplicateFindings;
+    /**
+     * Match function name against pattern
+     */
+    private matchesFunctionName;
+    /**
+     * Get function summary by node ID
+     */
+    getFunctionSummary(nodeId: string): TaintSummary | undefined;
+    /**
+     * Get all source functions
+     */
+    getSourceFunctions(): TaintSummary[];
+    /**
+     * Get all sink functions
+     */
+    getSinkFunctions(): TaintSummary[];
+    /**
+     * Get all sanitizer functions
+     */
+    getSanitizerFunctions(): TaintSummary[];
+}
+//# sourceMappingURL=taint-propagator.d.ts.map

package/dist/analysis/interprocedural/taint-propagator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-propagator.d.ts","sourceRoot":"","sources":["../../../src/analysis/interprocedural/taint-propagator.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,SAAS,EAET,aAAa,EACd,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAElE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,mCAAmC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,mCAAmC;IACnC,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,6BAA6B;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,oCAAoC;IACpC,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;CACzC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,cAAc;IACd,MAAM,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACzC,kCAAkC;IAClC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACrC,+BAA+B;IAC/B,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,wCAAwC;IACxC,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gBAAgB;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,sBAAsB;IACtB,IAAI,EAAE,aAAa,CAAC;IACpB,2BAA2B;IAC3B,EAAE,EAAE,aAAa,CAAC;IAClB,mBAAmB;IACnB,QAAQ,EAAE,aAAa,CAAC;IACxB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,aAAa,CAAC;IACzB,yBAAyB;IACzB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,uBAAuB;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,oBAAoB;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,GACrB,YAAY,GACZ,WAAW,GACX,QAAQ,GACR,iBAAiB,GACjB,aAAa,GACb,UAAU,GACV,UAAU,CAAC;AAEf;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,gBAAgB;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,qBAAqB;IACrB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC1D,0BAA0B;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,MAAM,EAAE,eAAe,CAAC;IACxB,6BAA6B;IAC7B,IAAI,EAAE,aAAa,CAAC;IACpB,+BAA+B;IAC/B,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,6CAA6C;IAC7C,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,uCAAuC;IACvC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,cAAc;IACd,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,2BAA2B;IAC3B,mBAAmB,EAAE,iBAAiB,EAAE,CAAC;IACzC,iCAAiC;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,kCAAkC;IAClC,YAAY,CAAC,EAAE,iBAAiB,CAAC;IACjC,mCAAmC;IACnC,QAAQ,EAAE,OAAO,CAAC;IAClB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mCAAmC;IACnC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qBAAqB;IACrB,aAAa,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACnC,mBAAmB;IACnB,WAAW,CAAC,EAAE,cAAc,EAAE,CAAC;IAC/B,wBAAwB;IACxB,gBAAgB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC1C;AAED;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAAmC;IAClD,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,KAAK,CAAmB;IAChC,OAAO,CAAC,UAAU,CAAwB;gBAGxC,OAAO,EAAE,gBAAgB,EAAE,EAC3B,KAAK,EAAE,cAAc,EAAE,EACvB,UAAU,EAAE,mBAAmB,EAAE,EACjC,OAAO,GAAE,sBAA2B;IAoBtC;;OAEG;IACH,OAAO,CACL,SAAS,EAAE,SAAS,EACpB,eAAe,EAAE,aAAa,EAAE,EAChC,gBAAgB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,GACnD,YAAY,EAAE;IA6BjB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAU9B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAoE5B;;OAEG;IACH,OAAO,CAAC,cAAc;IA8ItB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAa3B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkE7B;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAiBjC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IA+BzB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA+B3B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmB3B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAe3B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAY3B;;OAEG;IACH,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAI5D;;OAEG;IACH,kBAAkB,IAAI,YAAY,EAAE;IAIpC;;OAEG;IACH,gBAAgB,IAAI,YAAY,EAAE;IAIlC;;OAEG;IACH,qBAAqB,IAAI,YAAY,EAAE;CAGxC"}

package/dist/analysis/interprocedural/taint-propagator.js

@@ -0,0 +1,435 @@
+/**
+ * @fileoverview Taint Propagator - Track taint flow across function boundaries
+ * @module @nahisaho/musubix-security/analysis/interprocedural/taint-propagator
+ * @trace REQ-SEC-001 (EARS: WHEN tainted data flows through function calls, THE system SHALL track it)
+ */
+/**
+ * Taint Propagator - Performs interprocedural taint analysis
+ * @trace REQ-SEC-001
+ */
+export class TaintPropagator {
+    options;
+    functionSummaries = new Map();
+    sources;
+    sinks;
+    sanitizers;
+    constructor(sources, sinks, sanitizers, options = {}) {
+        this.sources = sources;
+        this.sinks = sinks;
+        this.sanitizers = sanitizers;
+        this.options = {
+            maxDepth: options.maxDepth ?? 10,
+            trackImplicitFlows: options.trackImplicitFlows ?? false,
+            minConfidence: options.minConfidence ?? 0.5,
+            customSources: options.customSources ?? [],
+            customSinks: options.customSinks ?? [],
+            customSanitizers: options.customSanitizers ?? [],
+        };
+        // Merge custom definitions
+        this.sources = [...this.sources, ...this.options.customSources];
+        this.sinks = [...this.sinks, ...this.options.customSinks];
+        this.sanitizers = [...this.sanitizers, ...this.options.customSanitizers];
+    }
+    /**
+     * Analyze a call graph for taint vulnerabilities
+     */
+    analyze(callGraph, sourceLocations, functionContexts) {
+        const findings = [];
+        // Build function summaries
+        this.buildFunctionSummaries(callGraph, functionContexts);
+        // For each source, trace taint flow to potential sinks
+        for (const sourceLocation of sourceLocations) {
+            const taintFlows = this.traceTaintFlow(callGraph, sourceLocation, new Set(), [], 1.0, 0);
+            // Check each flow for sink vulnerabilities
+            for (const flow of taintFlows) {
+                const finding = this.checkForVulnerability(flow, sourceLocation);
+                if (finding && finding.confidence >= this.options.minConfidence) {
+                    findings.push(finding);
+                }
+            }
+        }
+        return this.deduplicateFindings(findings);
+    }
+    /**
+     * Build summaries of each function's taint behavior
+     */
+    buildFunctionSummaries(callGraph, functionContexts) {
+        for (const [nodeId, node] of callGraph.nodes) {
+            const summary = this.analyzeFunctionTaint(node, callGraph, functionContexts?.get(nodeId));
+            this.functionSummaries.set(nodeId, summary);
+        }
+    }
+    /**
+     * Analyze a single function's taint behavior
+     */
+    analyzeFunctionTaint(node, _callGraph, context) {
+        const summary = {
+            nodeId: node.id,
+            taintPropagatingParams: [],
+            isSanitizer: false,
+            sanitizesCategories: [],
+            isSink: false,
+            isSource: false,
+        };
+        // Check if function is a known source
+        const matchedSource = this.sources.find((s) => this.matchesFunctionName(node.name, s.name));
+        if (matchedSource) {
+            summary.isSource = true;
+            summary.sourceType = matchedSource.id;
+        }
+        // Check if function is a known sink
+        for (const sink of this.sinks) {
+            for (const pattern of sink.patterns) {
+                const methods = pattern.method
+                    ? Array.isArray(pattern.method) ? pattern.method : [pattern.method]
+                    : [];
+                const properties = pattern.property
+                    ? Array.isArray(pattern.property) ? pattern.property : [pattern.property]
+                    : [];
+                const matchesMethod = methods.some((m) => this.matchesFunctionName(node.name, m));
+                const matchesProperty = properties.some((p) => this.matchesFunctionName(node.name, p));
+                if (matchesMethod || matchesProperty) {
+                    summary.isSink = true;
+                    summary.sinkCategory = sink.category;
+                    break;
+                }
+            }
+        }
+        // Check if function is a known sanitizer
+        const matchedSanitizer = this.sanitizers.find((s) => this.matchesFunctionName(node.name, s.name, s.aliases, s.namePattern));
+        if (matchedSanitizer) {
+            summary.isSanitizer = true;
+            summary.sanitizesCategories = matchedSanitizer.protects;
+        }
+        // If we have context, analyze parameter propagation
+        if (context) {
+            for (const [paramIdx, taintState] of context.parameterTaints) {
+                if (context.returnTaint?.isTainted && taintState.isTainted) {
+                    summary.taintPropagatingParams.push(paramIdx);
+                }
+            }
+        }
+        else {
+            // Without context, assume all parameters can propagate to return
+            summary.taintPropagatingParams = node.parameters.map((_, i) => i);
+        }
+        return summary;
+    }
+    /**
+     * Trace taint flow from a source location
+     */
+    traceTaintFlow(callGraph, currentLocation, visited, path, confidence, depth) {
+        if (depth >= this.options.maxDepth) {
+            return [path];
+        }
+        const visitKey = `${currentLocation.nodeId}:${currentLocation.identifier}`;
+        if (visited.has(visitKey)) {
+            return [path];
+        }
+        visited.add(visitKey);
+        const results = [];
+        const summary = this.functionSummaries.get(currentLocation.nodeId);
+        // If current location is a sink, record the path
+        if (summary?.isSink) {
+            results.push(path);
+        }
+        // Check outgoing calls from this function
+        const outgoingEdges = callGraph.outgoingEdges.get(currentLocation.nodeId) ?? [];
+        for (const edge of outgoingEdges) {
+            // Check if tainted value is passed as argument
+            const argIndex = this.findTaintedArgument(edge, currentLocation);
+            if (argIndex === -1)
+                continue;
+            const calleeNode = callGraph.nodes.get(edge.calleeId);
+            const calleeSummary = this.functionSummaries.get(edge.calleeId);
+            if (!calleeNode || !calleeSummary)
+                continue;
+            // Create flow edge for parameter passing
+            const paramFlowEdge = {
+                id: `flow_${path.length}`,
+                from: currentLocation,
+                to: {
+                    nodeId: edge.calleeId,
+                    identifier: `param_${argIndex}`,
+                    line: edge.line,
+                    column: edge.column,
+                    filePath: edge.filePath,
+                },
+                flowType: 'parameter',
+                callEdge: edge,
+                sanitizersApplied: [],
+                confidence: confidence * (edge.isConditional ? 0.8 : 1.0),
+            };
+            // Check for sanitization
+            if (calleeSummary.isSanitizer) {
+                paramFlowEdge.sanitizersApplied.push(calleeNode.name);
+            }
+            const newPath = [...path, paramFlowEdge];
+            // If callee is a sink, record finding
+            if (calleeSummary.isSink) {
+                results.push(newPath);
+            }
+            // If callee propagates taint to return, continue tracing
+            if (calleeSummary.taintPropagatingParams.includes(argIndex)) {
+                const returnLocation = {
+                    nodeId: edge.calleeId,
+                    identifier: 'return',
+                    line: edge.line,
+                    column: edge.column,
+                    filePath: edge.filePath,
+                };
+                const returnFlowEdge = {
+                    id: `flow_${newPath.length}`,
+                    from: paramFlowEdge.to,
+                    to: returnLocation,
+                    flowType: 'return',
+                    sanitizersApplied: calleeSummary.isSanitizer ? [calleeNode.name] : [],
+                    confidence: paramFlowEdge.confidence,
+                };
+                const recursiveFlows = this.traceTaintFlow(callGraph, returnLocation, new Set(visited), [...newPath, returnFlowEdge], returnFlowEdge.confidence, depth + 1);
+                results.push(...recursiveFlows);
+            }
+        }
+        // Also trace to callers if taint is in return value
+        if (currentLocation.identifier === 'return') {
+            const incomingEdges = callGraph.incomingEdges.get(currentLocation.nodeId) ?? [];
+            for (const edge of incomingEdges) {
+                const callerLocation = {
+                    nodeId: edge.callerId,
+                    identifier: `call_result_${edge.line}`,
+                    line: edge.line,
+                    column: edge.column,
+                    filePath: edge.filePath,
+                };
+                const callResultEdge = {
+                    id: `flow_${path.length}`,
+                    from: currentLocation,
+                    to: callerLocation,
+                    flowType: 'method-call',
+                    callEdge: edge,
+                    sanitizersApplied: [],
+                    confidence: confidence * 0.9,
+                };
+                const recursiveFlows = this.traceTaintFlow(callGraph, callerLocation, new Set(visited), [...path, callResultEdge], callResultEdge.confidence, depth + 1);
+                results.push(...recursiveFlows);
+            }
+        }
+        if (results.length === 0) {
+            results.push(path);
+        }
+        return results;
+    }
+    /**
+     * Find if a tainted value is passed as an argument
+     */
+    findTaintedArgument(edge, taintedLocation) {
+        // Simple heuristic: check if any argument matches the tainted identifier
+        for (let i = 0; i < edge.arguments.length; i++) {
+            if (edge.arguments[i].includes(taintedLocation.identifier)) {
+                return i;
+            }
+        }
+        return -1;
+    }
+    /**
+     * Check if a flow path represents a vulnerability
+     */
+    checkForVulnerability(flowPath, sourceLocation) {
+        if (flowPath.length === 0)
+            return null;
+        const lastEdge = flowPath[flowPath.length - 1];
+        const summary = this.functionSummaries.get(lastEdge.to.nodeId);
+        if (!summary?.isSink)
+            return null;
+        // Collect all sanitizers in path
+        const sanitizersInPath = [];
+        for (const edge of flowPath) {
+            sanitizersInPath.push(...edge.sanitizersApplied);
+        }
+        // Check if sanitization is complete for this sink category
+        const sinkCategory = summary.sinkCategory;
+        const sanitizationComplete = this.checkSanitizationComplete(sanitizersInPath, sinkCategory);
+        // Calculate overall confidence
+        const confidence = flowPath.reduce((conf, edge) => conf * edge.confidence, 1.0);
+        // Don't report if properly sanitized
+        if (sanitizationComplete && confidence < 0.3)
+            return null;
+        const node = this.functionSummaries.get(lastEdge.to.nodeId);
+        const sink = this.sinks.find((s) => s.category === sinkCategory);
+        return {
+            id: `finding_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+            severity: this.calculateSeverity(sinkCategory, sanitizationComplete, confidence),
+            title: `Potential ${sinkCategory} vulnerability`,
+            description: this.generateDescription(sinkCategory, flowPath, sanitizersInPath),
+            cwe: sink?.relatedCWE?.[0],
+            source: {
+                id: `src_${sourceLocation.nodeId}`,
+                name: sourceLocation.identifier,
+                location: {
+                    file: sourceLocation.filePath,
+                    line: sourceLocation.line,
+                    column: sourceLocation.column,
+                },
+                type: 'user-input',
+                confidence: 1.0,
+            },
+            sink: {
+                id: `sink_${lastEdge.to.nodeId}`,
+                name: node?.nodeId ?? 'unknown',
+                location: {
+                    file: lastEdge.to.filePath,
+                    line: lastEdge.to.line,
+                    column: lastEdge.to.column,
+                },
+                category: sinkCategory,
+                confidence,
+            },
+            flowPath,
+            sanitizersInPath,
+            sanitizationComplete,
+            confidence,
+            remediation: this.generateRemediation(sinkCategory),
+        };
+    }
+    /**
+     * Check if sanitization is complete for a category
+     */
+    checkSanitizationComplete(sanitizersApplied, sinkCategory) {
+        for (const sanitizerName of sanitizersApplied) {
+            const sanitizer = this.sanitizers.find((s) => s.name === sanitizerName ||
+                s.aliases?.includes(sanitizerName));
+            if (sanitizer?.protects.includes(sinkCategory) && sanitizer.completeness === 'complete') {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Calculate severity based on sink category and sanitization
+     */
+    calculateSeverity(category, sanitized, confidence) {
+        const baseSeverity = {
+            'sql-query': 5,
+            'nosql-query': 4,
+            'command-exec': 5,
+            'file-write': 4,
+            'file-read': 3,
+            'html-output': 3,
+            'redirect': 2,
+            'eval': 5,
+            'deserialization': 4,
+            'ldap-query': 4,
+            'xpath-query': 3,
+            'http-request': 3,
+        };
+        let score = baseSeverity[category] ?? 3;
+        if (sanitized)
+            score -= 2;
+        score = score * confidence;
+        if (score >= 4.5)
+            return 'critical';
+        if (score >= 3.5)
+            return 'high';
+        if (score >= 2.5)
+            return 'medium';
+        if (score >= 1.5)
+            return 'low';
+        return 'info';
+    }
+    /**
+     * Generate vulnerability description
+     */
+    generateDescription(category, flowPath, sanitizers) {
+        const descriptions = {
+            'sql-query': 'User-controlled data flows to SQL query without proper sanitization',
+            'nosql-query': 'User-controlled data flows to NoSQL query without proper sanitization',
+            'command-exec': 'User-controlled data flows to OS command execution',
+            'file-write': 'User-controlled data used in file path (potential path traversal)',
+            'file-read': 'User-controlled data used in file path for reading (path traversal)',
+            'html-output': 'User-controlled data rendered without escaping (XSS)',
+            'redirect': 'User-controlled data used in redirect URL (open redirect)',
+            'eval': 'User-controlled data flows to code evaluation (code injection)',
+            'deserialization': 'User-controlled data passed to deserializer (RCE risk)',
+            'ldap-query': 'User-controlled data flows to LDAP query (LDAP injection)',
+            'xpath-query': 'User-controlled data flows to XPath query (XPath injection)',
+            'http-request': 'User-controlled data used in outbound request URL (SSRF)',
+        };
+        let description = descriptions[category] ?? 'Potential security vulnerability detected';
+        if (sanitizers.length > 0) {
+            description += `. Partial sanitization applied: ${sanitizers.join(', ')}`;
+        }
+        description += `. Flow path length: ${flowPath.length} steps.`;
+        return description;
+    }
+    /**
+     * Generate remediation suggestion
+     */
+    generateRemediation(category) {
+        const remediations = {
+            'sql-query': 'Use parameterized queries or prepared statements instead of string concatenation',
+            'nosql-query': 'Use parameterized queries and validate input types',
+            'command-exec': 'Avoid shell commands with user input. If necessary, use allowlists and escape properly',
+            'file-write': 'Validate and sanitize file paths. Use path.resolve() and check against allowed base directory',
+            'file-read': 'Validate file paths against allowlist. Use path.basename() to prevent traversal',
+            'html-output': 'Escape HTML entities or use framework auto-escaping. Consider DOMPurify for rich content',
+            'redirect': 'Validate redirect URLs against allowlist of trusted domains',
+            'eval': 'Avoid eval/Function with user input. Use safer alternatives like JSON.parse()',
+            'deserialization': 'Avoid deserializing untrusted data. Use safe parsers and validate structure',
+            'ldap-query': 'Escape LDAP special characters and use parameterized queries',
+            'xpath-query': 'Escape XPath special characters or use parameterized queries',
+            'http-request': 'Validate URLs against allowlist. Block internal IPs and private networks',
+        };
+        return remediations[category] ?? 'Review and sanitize user input before use';
+    }
+    /**
+     * Deduplicate findings with same source and sink
+     */
+    deduplicateFindings(findings) {
+        const seen = new Map();
+        for (const finding of findings) {
+            const key = `${finding.source.location.file}:${finding.source.location.line}:${finding.sink.location.file}:${finding.sink.location.line}`;
+            const existing = seen.get(key);
+            if (!existing || finding.confidence > existing.confidence) {
+                seen.set(key, finding);
+            }
+        }
+        return Array.from(seen.values());
+    }
+    /**
+     * Match function name against pattern
+     */
+    matchesFunctionName(actual, expected, aliases, pattern) {
+        if (actual === expected)
+            return true;
+        if (aliases?.includes(actual))
+            return true;
+        if (pattern && new RegExp(pattern).test(actual))
+            return true;
+        return false;
+    }
+    /**
+     * Get function summary by node ID
+     */
+    getFunctionSummary(nodeId) {
+        return this.functionSummaries.get(nodeId);
+    }
+    /**
+     * Get all source functions
+     */
+    getSourceFunctions() {
+        return Array.from(this.functionSummaries.values()).filter((s) => s.isSource);
+    }
+    /**
+     * Get all sink functions
+     */
+    getSinkFunctions() {
+        return Array.from(this.functionSummaries.values()).filter((s) => s.isSink);
+    }
+    /**
+     * Get all sanitizer functions
+     */
+    getSanitizerFunctions() {
+        return Array.from(this.functionSummaries.values()).filter((s) => s.isSanitizer);
+    }
+}
+//# sourceMappingURL=taint-propagator.js.map