circle-ir-ai 1.1.0

package/dist/project/two-phase-analyzer.js

@@ -0,0 +1,646 @@
+/**
+ * Two-Phase Project Analyzer
+ *
+ * Phase 1: Per-file analysis (parallelizable)
+ *   - Static analysis (circle-ir)
+ *   - LLM enrichment (sources, sinks, roles)
+ *   - CFG/DFG extraction
+ *
+ * Phase 2: Cross-file LLM analysis
+ *   - Sees ALL enriched IRs
+ *   - Cross-file taint path detection
+ *   - Virtual dispatch resolution across files
+ *   - Final vulnerability verification
+ */
+import { analyze, initAnalyzer, isAnalyzerInitialized, createWithJdkTypes, SymbolTable, CrossFileResolver, } from 'circle-ir';
+import { buildTypeHierarchy } from './type-hierarchy.js';
+import { buildCrossFileCalls } from './call-graph.js';
+import { findTaintPaths } from './taint-paths.js';
+import { runSecurityAnalysis } from '../agents/security-agent.js';
+import { getAxLLMClient } from '../llm/ax-client.js';
+// ============================================================================
+// Phase 1: Per-File Analysis
+// ============================================================================
+async function analyzeFilePhase1(file, options) {
+    const startTime = Date.now();
+    // Detect language
+    const language = detectLanguage(file.path);
+    // Static analysis with circle-ir
+    const staticAnalysis = await analyze(file.content, file.path, language);
+    // Prepare result
+    const result = {
+        file: file.path,
+        staticAnalysis,
+        allSources: [...staticAnalysis.taint.sources],
+        allSinks: [...staticAnalysis.taint.sinks],
+        intraFileFlows: [],
+        analysisTimeMs: 0,
+    };
+    // LLM enrichment (if enabled)
+    if (options.enableEnrichment !== false) {
+        const enrichmentStart = Date.now();
+        // Reset circuit breaker per file so one file's LLM failures
+        // don't disable LLM for the rest of the project
+        try {
+            getAxLLMClient().resetCircuitBreaker();
+        }
+        catch { /* client not initialized */ }
+        try {
+            const securityOutput = await runSecurityAnalysis({
+                filePath: file.path,
+                sourceCode: file.content,
+                language,
+                options: {
+                    enableEnrichment: true,
+                    enableVerification: false, // Phase 2 handles verification
+                    confidenceThreshold: options.enrichmentConfidence ?? 0.7,
+                },
+            }, staticAnalysis.taint.sources, staticAnalysis.taint.sinks, staticAnalysis.types, staticAnalysis.imports.map(i => i.from_package || ''));
+            // Extract enrichment results
+            result.enrichment = {
+                role: securityOutput.context.enrichmentResult?.role,
+                additionalSources: securityOutput.context.enrichmentResult?.additionalSources ?? [],
+                additionalSinks: securityOutput.context.enrichmentResult?.additionalSinks ?? [],
+                framework: securityOutput.context.enrichmentResult?.framework,
+            };
+            // Merge enriched sources/sinks
+            const minConfidence = options.enrichmentConfidence ?? 0.7;
+            for (const src of result.enrichment.additionalSources) {
+                if (src.confidence >= minConfidence) {
+                    result.allSources.push({
+                        line: src.line,
+                        location: `${src.variable} in ${file.path}`,
+                        type: src.type,
+                        severity: 'medium', // Default severity for LLM-discovered sources
+                        confidence: src.confidence,
+                    });
+                }
+            }
+            for (const sink of result.enrichment.additionalSinks) {
+                if (sink.confidence >= minConfidence) {
+                    result.allSinks.push({
+                        line: sink.line,
+                        location: `${sink.method} in ${file.path}`,
+                        type: sink.type,
+                        cwe: sink.cwe,
+                        confidence: sink.confidence,
+                    });
+                }
+            }
+            result.enrichmentTimeMs = Date.now() - enrichmentStart;
+        }
+        catch (error) {
+            console.warn(`[Phase1] Enrichment failed for ${file.path}:`, error);
+        }
+    }
+    // Extract intra-file flows from static analysis
+    if (staticAnalysis.taint.flows) {
+        for (const flow of staticAnalysis.taint.flows) {
+            const sourceIndex = result.allSources.findIndex(s => s.line === flow.source_line);
+            const sinkIndex = result.allSinks.findIndex(s => s.line === flow.sink_line);
+            if (sourceIndex >= 0 && sinkIndex >= 0) {
+                result.intraFileFlows.push({
+                    sourceIndex,
+                    sinkIndex,
+                    confidence: flow.confidence,
+                    sanitized: flow.sanitized,
+                });
+            }
+        }
+    }
+    result.analysisTimeMs = Date.now() - startTime;
+    return result;
+}
+/**
+ * Run Phase 1 on all files (with optional parallelization)
+ */
+async function runPhase1(files, options) {
+    const results = [];
+    if (options.parallelPhase1 !== false) {
+        // Parallel execution
+        const maxConcurrency = options.maxConcurrency ?? 10;
+        const queue = [...files];
+        let index = 0;
+        const workers = [];
+        for (let i = 0; i < Math.min(maxConcurrency, files.length); i++) {
+            workers.push((async () => {
+                while (queue.length > 0) {
+                    const file = queue.shift();
+                    if (!file)
+                        break;
+                    const currentIndex = index++;
+                    options.onFileStart?.(file.path, currentIndex, files.length);
+                    const result = await analyzeFilePhase1(file, options);
+                    results[currentIndex] = result;
+                    options.onFileComplete?.(file.path, currentIndex, files.length);
+                }
+            })());
+        }
+        await Promise.all(workers);
+    }
+    else {
+        // Sequential execution
+        for (let i = 0; i < files.length; i++) {
+            const file = files[i];
+            options.onFileStart?.(file.path, i, files.length);
+            const result = await analyzeFilePhase1(file, options);
+            results.push(result);
+            options.onFileComplete?.(file.path, i, files.length);
+        }
+    }
+    return results;
+}
+// ============================================================================
+// Aggregation: Build Project Context
+// ============================================================================
+function buildProjectContext(files, typeHierarchy, crossFileCalls) {
+    // Collect all sources and sinks with file info
+    const allSources = [];
+    const allSinks = [];
+    let totalLoc = 0;
+    for (const fileAnalysis of files) {
+        totalLoc += fileAnalysis.staticAnalysis.meta.loc;
+        for (const source of fileAnalysis.allSources) {
+            allSources.push({ ...source, file: fileAnalysis.file });
+        }
+        for (const sink of fileAnalysis.allSinks) {
+            allSinks.push({ ...sink, file: fileAnalysis.file });
+        }
+    }
+    // Find candidate cross-file paths
+    const candidatePaths = [];
+    // Look for sources in one file that could reach sinks in another file
+    // via the cross-file call graph
+    for (const source of allSources) {
+        for (const sink of allSinks) {
+            if (source.file === sink.file)
+                continue; // Intra-file handled separately
+            // Check if there's a call path from source file to sink file
+            const pathExists = crossFileCalls.some(call => call.from.file === source.file && call.to.file === sink.file);
+            if (pathExists) {
+                candidatePaths.push({
+                    id: `candidate-${source.file}:${source.line}-${sink.file}:${sink.line}`,
+                    source: {
+                        file: source.file,
+                        line: source.line,
+                        type: source.type,
+                        code: source.location,
+                    },
+                    sink: {
+                        file: sink.file,
+                        line: sink.line,
+                        type: sink.type,
+                        cwe: sink.cwe || 'CWE-unknown',
+                        code: sink.location,
+                    },
+                    hops: [],
+                    path_exists: true,
+                    sanitizers_in_path: [],
+                    confidence: 0.5, // Will be updated by Phase 2
+                });
+            }
+        }
+    }
+    // Detect framework from enrichment results
+    let framework;
+    for (const fileAnalysis of files) {
+        const confidence = fileAnalysis.enrichment?.framework?.confidence;
+        if (confidence !== undefined && confidence > 0.8) {
+            framework = fileAnalysis.enrichment?.framework?.name;
+            break;
+        }
+    }
+    return {
+        files,
+        typeHierarchy,
+        crossFileCalls,
+        allSources,
+        allSinks,
+        candidatePaths,
+        meta: {
+            totalFiles: files.length,
+            totalLoc,
+            totalSources: allSources.length,
+            totalSinks: allSinks.length,
+            framework,
+        },
+    };
+}
+// ============================================================================
+// Phase 2: Cross-File LLM Analysis
+// ============================================================================
+/**
+ * Extract keywords from a symbol description for fuzzy matching.
+ * E.g., "request.getParameter(\"id\") in getUser" -> ["getParameter", "getUser", "id"]
+ */
+function extractKeywords(symbol) {
+    const keywords = [];
+    // Extract method names (e.g., getParameter, findById)
+    const methodMatches = symbol.match(/\b[a-z][a-zA-Z0-9]*\(/g);
+    if (methodMatches) {
+        keywords.push(...methodMatches.map(m => m.slice(0, -1))); // Remove trailing (
+    }
+    // Extract identifiers after "in" (e.g., "in getUser" -> "getUser")
+    const inMatch = symbol.match(/\bin\s+(\w+)/);
+    if (inMatch) {
+        keywords.push(inMatch[1]);
+    }
+    // Extract identifiers that look like variable/param names
+    const identifiers = symbol.match(/\b[a-z][a-zA-Z0-9]*\b/g);
+    if (identifiers) {
+        // Filter out common words
+        const commonWords = ['in', 'the', 'to', 'from', 'with', 'for', 'and', 'or', 'of'];
+        keywords.push(...identifiers.filter(id => !commonWords.includes(id) && id.length > 2));
+    }
+    // Remove duplicates and return
+    return [...new Set(keywords)];
+}
+async function runPhase2(context, files, options) {
+    if (options.enablePhase2 === false) {
+        return [];
+    }
+    if (context.candidatePaths.length === 0) {
+        return [];
+    }
+    const crossFileFlows = [];
+    try {
+        const client = getAxLLMClient();
+        // Group candidate paths by source-target file pairs
+        const filePairs = new Map();
+        for (const path of context.candidatePaths) {
+            const key = `${path.source.file}::${path.sink.file}`;
+            if (!filePairs.has(key)) {
+                filePairs.set(key, []);
+            }
+            filePairs.get(key).push(path);
+        }
+        // Call LLM for each file pair
+        for (const [pairKey, paths] of filePairs) {
+            const [sourceFilePath, targetFilePath] = pairKey.split('::');
+            const sourceFile = files.find(f => f.path === sourceFilePath);
+            const targetFile = files.find(f => f.path === targetFilePath);
+            if (!sourceFile || !targetFile)
+                continue;
+            // Extract exported taint from source file
+            const sourceAnalysis = context.files.find(f => f.file === sourceFilePath);
+            const exportedTaint = sourceAnalysis?.allSources.map(s => ({
+                symbol: s.location,
+                type: s.type,
+                line: s.line,
+            })) || [];
+            // Extract imported symbols in target file
+            const targetAnalysis = context.files.find(f => f.file === targetFilePath);
+            const importedSymbols = targetAnalysis?.staticAnalysis.imports
+                .map(i => i.imported_name) || [];
+            // Build code context around candidate source/sink locations for this file pair
+            const sourceLines = sourceFile.content.split('\n');
+            const targetLines = targetFile.content.split('\n');
+            const candidateContext = paths.slice(0, 10).map(p => {
+                const srcCtx = sourceLines.slice(Math.max(0, p.source.line - 5), p.source.line + 5).join('\n');
+                const sinkCtx = targetLines.slice(Math.max(0, p.sink.line - 5), p.sink.line + 5).join('\n');
+                return `Path: ${p.source.type}@${p.source.file}:${p.source.line} -> ${p.sink.type}@${p.sink.file}:${p.sink.line}\nSource context:\n${srcCtx}\nSink context:\n${sinkCtx}`;
+            }).join('\n---\n');
+            try {
+                const response = await client.analyzeCrossFileTaint({
+                    sourceFile: sourceFilePath,
+                    sourceCode: sourceFile.content,
+                    targetFile: targetFilePath,
+                    targetCode: targetFile.content,
+                    exportedTaint,
+                    importedSymbols,
+                    candidateContext,
+                });
+                // Process LLM response into CrossFileTaintFlow objects
+                for (const flow of response.taintFlows) {
+                    // Find matching candidate paths with fuzzy matching
+                    // Extract key parts from symbols (method names, variable names)
+                    const sourceKeywords = extractKeywords(flow.sourceSymbol);
+                    const targetKeywords = extractKeywords(flow.targetSymbol);
+                    const candidatePath = paths.find(p => {
+                        const sourceMatches = sourceKeywords.some(kw => p.source.code.toLowerCase().includes(kw.toLowerCase()));
+                        const sinkMatches = targetKeywords.some(kw => p.sink.code.toLowerCase().includes(kw.toLowerCase()));
+                        // Match if source keywords match source OR target keywords match sink
+                        return sourceMatches || sinkMatches;
+                    });
+                    if (candidatePath) {
+                        crossFileFlows.push({
+                            id: candidatePath.id,
+                            source: {
+                                file: candidatePath.source.file,
+                                line: candidatePath.source.line,
+                                type: candidatePath.source.type,
+                                code: candidatePath.source.code,
+                            },
+                            sink: {
+                                file: candidatePath.sink.file,
+                                line: candidatePath.sink.line,
+                                type: candidatePath.sink.type,
+                                cwe: candidatePath.sink.cwe,
+                                code: candidatePath.sink.code,
+                            },
+                            path: [{
+                                    file: targetFilePath,
+                                    line: 0,
+                                    variable: flow.targetSymbol,
+                                    operation: flow.flowType,
+                                }],
+                            verified: flow.confidence > (options.crossFileConfidence ?? 0.8),
+                            confidence: flow.confidence,
+                            exploitability: flow.confidence > 0.8 ? 'high' : flow.confidence > 0.5 ? 'medium' : 'low',
+                            reasoning: response.reasoning || 'Cross-file taint flow detected',
+                        });
+                    }
+                }
+            }
+            catch (pairError) {
+                console.warn(`[Phase2] Analysis failed for ${pairKey}:`, pairError);
+            }
+        }
+    }
+    catch (error) {
+        console.warn('[Phase2] Cross-file analysis failed:', error);
+    }
+    return crossFileFlows;
+}
+// ============================================================================
+// Main Entry Point
+// ============================================================================
+/**
+ * Analyze a project using two-phase LLM-enhanced analysis.
+ *
+ * Phase 1: Per-file static analysis + LLM enrichment (parallelizable)
+ * Phase 2: Cross-file LLM analysis with full project context
+ */
+export async function analyzeProjectTwoPhase(files, options = {}) {
+    const totalStartTime = Date.now();
+    // Ensure analyzer is initialized
+    if (!isAnalyzerInitialized()) {
+        await initAnalyzer();
+    }
+    // =========================================================================
+    // PHASE 1: Per-File Analysis
+    // =========================================================================
+    const phase1Start = Date.now();
+    const enrichedFiles = await runPhase1(files, options);
+    const phase1Time = Date.now() - phase1Start;
+    options.onPhase1Complete?.(enrichedFiles);
+    // Convert to FileAnalysis for compatibility
+    const fileAnalyses = enrichedFiles.map(ef => ({
+        file: ef.file,
+        analysis: ef.staticAnalysis,
+    }));
+    // =========================================================================
+    // AGGREGATION: Build Project Context
+    // =========================================================================
+    // Initialize cross-file resolution infrastructure
+    const typeResolver = createWithJdkTypes();
+    const symbolTable = new SymbolTable();
+    const crossFileResolver = new CrossFileResolver(symbolTable, typeResolver);
+    // Register files with resolver
+    for (const ef of enrichedFiles) {
+        crossFileResolver.addFile(ef.file, ef.staticAnalysis);
+    }
+    // Build type hierarchy
+    const typeHierarchy = buildTypeHierarchy(fileAnalyses);
+    // Merge type hierarchy from resolver
+    for (const type of typeResolver.getAllTypes()) {
+        if (type.kind === 'class' || type.kind === 'enum') {
+            if (!typeHierarchy.classes[type.fqn]) {
+                typeHierarchy.classes[type.fqn] = {
+                    file: type.file,
+                    extends: type.extends || null,
+                    implements: type.implements,
+                    subclasses: typeResolver.getDirectSubtypes(type.fqn),
+                };
+            }
+        }
+        else if (type.kind === 'interface') {
+            if (!typeHierarchy.interfaces[type.fqn]) {
+                typeHierarchy.interfaces[type.fqn] = {
+                    file: type.file,
+                    extends: type.extendsInterfaces,
+                    implementations: typeResolver.getDirectImplementations(type.fqn),
+                };
+            }
+        }
+    }
+    // Build cross-file call graph
+    const crossFileCalls = buildCrossFileCalls(fileAnalyses, typeHierarchy);
+    // Build project context for Phase 2
+    const projectContext = buildProjectContext(enrichedFiles, typeHierarchy, crossFileCalls);
+    // =========================================================================
+    // PHASE 2: Cross-File LLM Analysis
+    // =========================================================================
+    options.onPhase2Start?.();
+    const phase2Start = Date.now();
+    const crossFileFlows = await runPhase2(projectContext, files, options);
+    const phase2Time = Date.now() - phase2Start;
+    // =========================================================================
+    // Generate Final Results
+    // =========================================================================
+    // Find intra-file taint paths
+    let taintPaths = findTaintPaths(fileAnalyses, crossFileCalls);
+    // Add verified cross-file flows to taint paths
+    for (const flow of crossFileFlows) {
+        if (flow.verified) {
+            taintPaths.push({
+                id: flow.id,
+                source: {
+                    file: flow.source.file,
+                    line: flow.source.line,
+                    type: flow.source.type,
+                    code: flow.source.code,
+                },
+                sink: {
+                    file: flow.sink.file,
+                    line: flow.sink.line,
+                    type: flow.sink.type,
+                    cwe: flow.sink.cwe,
+                    code: flow.sink.code,
+                },
+                hops: flow.path.map(p => ({
+                    file: p.file,
+                    method: 'cross-file',
+                    line: p.line,
+                    code: p.operation,
+                    variable: p.variable,
+                })),
+                path_exists: true,
+                sanitizers_in_path: [],
+                confidence: flow.confidence,
+            });
+        }
+    }
+    // Aggregate findings
+    const findings = aggregateFindings(fileAnalyses, taintPaths, crossFileFlows);
+    // Build project metadata
+    const meta = {
+        name: options.name ?? extractProjectName(files),
+        root: options.root ?? extractRoot(files),
+        language: options.language ?? detectPrimaryLanguage(files),
+        framework: options.framework ?? projectContext.meta.framework,
+        framework_version: options.frameworkVersion,
+        total_files: files.length,
+        total_loc: projectContext.meta.totalLoc,
+        analyzed_at: new Date().toISOString(),
+    };
+    const totalTime = Date.now() - totalStartTime;
+    return {
+        meta,
+        files: fileAnalyses,
+        type_hierarchy: typeHierarchy,
+        cross_file_calls: crossFileCalls,
+        taint_paths: taintPaths,
+        findings,
+        // Two-phase specific additions
+        enrichedFiles,
+        crossFileFlows,
+        timing: {
+            phase1TotalMs: phase1Time,
+            phase2TotalMs: phase2Time,
+            totalMs: totalTime,
+        },
+    };
+}
+// ============================================================================
+// Helper Functions
+// ============================================================================
+function detectLanguage(filePath) {
+    if (filePath.endsWith('.java'))
+        return 'java';
+    if (filePath.endsWith('.c') || filePath.endsWith('.h'))
+        return 'c';
+    if (filePath.endsWith('.cpp') || filePath.endsWith('.cc') ||
+        filePath.endsWith('.cxx') || filePath.endsWith('.hpp'))
+        return 'cpp';
+    if (filePath.endsWith('.js') || filePath.endsWith('.jsx') ||
+        filePath.endsWith('.mjs') || filePath.endsWith('.cjs'))
+        return 'javascript';
+    if (filePath.endsWith('.ts') || filePath.endsWith('.tsx') ||
+        filePath.endsWith('.mts') || filePath.endsWith('.cts'))
+        return 'typescript';
+    if (filePath.endsWith('.py'))
+        return 'python';
+    return 'java';
+}
+function detectPrimaryLanguage(files) {
+    const counts = { java: 0, c: 0, cpp: 0, javascript: 0, typescript: 0, python: 0, rust: 0 };
+    for (const file of files) {
+        counts[detectLanguage(file.path)]++;
+    }
+    return Object.entries(counts).sort((a, b) => b[1] - a[1])[0][0];
+}
+function extractProjectName(files) {
+    if (files.length === 0)
+        return 'unknown';
+    const paths = files.map(f => f.path.split('/'));
+    let commonPrefix = [];
+    for (let i = 0; i < paths[0].length; i++) {
+        if (paths.every(p => p[i] === paths[0][i])) {
+            commonPrefix.push(paths[0][i]);
+        }
+        else
+            break;
+    }
+    return commonPrefix.length > 0 ? commonPrefix[commonPrefix.length - 1] : 'unknown';
+}
+function extractRoot(files) {
+    if (files.length === 0)
+        return '/';
+    const paths = files.map(f => f.path.split('/'));
+    const commonPrefix = [];
+    for (let i = 0; i < paths[0].length - 1; i++) {
+        if (paths.every(p => p[i] === paths[0][i])) {
+            commonPrefix.push(paths[0][i]);
+        }
+        else
+            break;
+    }
+    return commonPrefix.join('/') || '/';
+}
+function calculateSeverity(input) {
+    const criticalSinks = ['sql_injection', 'command_injection', 'code_injection', 'deserialization'];
+    const highSinks = ['xss', 'path_traversal', 'xxe', 'ssrf', 'ldap_injection'];
+    if (criticalSinks.some(s => input.sinkType.includes(s))) {
+        return input.pathExists ? 'critical' : 'high';
+    }
+    if (highSinks.some(s => input.sinkType.includes(s))) {
+        return input.pathExists ? 'high' : 'medium';
+    }
+    return input.pathExists ? 'medium' : 'low';
+}
+function getRemediation(sinkType) {
+    const remediations = {
+        sql_injection: 'Use parameterized queries or prepared statements',
+        command_injection: 'Avoid shell execution; use array-based APIs with validated input',
+        xss: 'Encode output using context-appropriate encoding (HTML, JavaScript, URL)',
+        path_traversal: 'Validate and canonicalize paths; use allowlists',
+        xxe: 'Disable external entity processing in XML parsers',
+        ssrf: 'Validate URLs against allowlist; block internal network access',
+        deserialization: 'Avoid deserializing untrusted data; use allowlists',
+        ldap_injection: 'Use parameterized LDAP queries; escape special characters',
+    };
+    for (const [key, value] of Object.entries(remediations)) {
+        if (sinkType.includes(key))
+            return value;
+    }
+    return 'Validate and sanitize all user input before use';
+}
+function aggregateFindings(fileAnalyses, taintPaths, crossFileFlows) {
+    const findings = [];
+    const seenIds = new Set();
+    // Generate findings from taint paths
+    for (const path of taintPaths) {
+        if (path.path_exists && path.sanitizers_in_path.length === 0) {
+            const id = `${path.source.file}:${path.source.line}-${path.sink.file}:${path.sink.line}`;
+            if (!seenIds.has(id)) {
+                seenIds.add(id);
+                const crossFileFlow = crossFileFlows.find(f => f.id === path.id);
+                findings.push({
+                    id,
+                    type: path.sink.type,
+                    cwe: path.sink.cwe,
+                    severity: calculateSeverity({
+                        sourceType: path.source.type,
+                        sinkType: path.sink.type,
+                        pathExists: path.path_exists,
+                        confidence: path.confidence,
+                    }),
+                    confidence: path.confidence,
+                    source: {
+                        file: path.source.file,
+                        line: path.source.line,
+                        code: path.source.code,
+                    },
+                    sink: {
+                        file: path.sink.file,
+                        line: path.sink.line,
+                        code: path.sink.code,
+                    },
+                    path: path.hops,
+                    exploitable: crossFileFlow?.exploitability === 'high' || (path.path_exists && path.confidence > 0.7),
+                    explanation: generateExplanation(path),
+                    remediation: getRemediation(path.sink.type),
+                    verification: {
+                        graph_path_exists: path.path_exists,
+                        llm_verified: crossFileFlow?.verified ?? false,
+                        llm_confidence: crossFileFlow?.confidence ?? 0,
+                    },
+                });
+            }
+        }
+    }
+    // Sort by severity
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+    return findings;
+}
+function generateExplanation(path) {
+    const sourceDesc = `User-controlled data from ${path.source.type} at ${path.source.file}:${path.source.line}`;
+    const sinkDesc = `reaches a ${path.sink.type} sink at ${path.sink.file}:${path.sink.line}`;
+    const hopDesc = path.hops.length > 0
+        ? ` through ${path.hops.length} intermediate step(s)`
+        : ' directly';
+    return `${sourceDesc}${hopDesc} and ${sinkDesc}. ${path.sink.cwe}`;
+}
+//# sourceMappingURL=two-phase-analyzer.js.map