circle-ir 3.1.0

package/dist/analysis/dfg-verifier.js

@@ -0,0 +1,399 @@
+/**
+ * DFG Verifier - Track 2 validation using def-use chains
+ *
+ * Verifies that taint actually flows from source to sink by following
+ * the data flow graph. This provides a more precise validation than
+ * pattern matching alone.
+ */
+/**
+ * DFGVerifier - Verifies taint flows using def-use chains
+ */
+export class DFGVerifier {
+    dfg;
+    calls;
+    sanitizers;
+    config;
+    // Lookup maps
+    defById = new Map();
+    defsByLine = new Map();
+    defsByVar = new Map();
+    usesByDefId = new Map();
+    usesByLine = new Map();
+    callsByLine = new Map();
+    sanitizerLines = new Set();
+    // Chain lookup for faster traversal
+    chainsByFromDef = new Map();
+    constructor(dfg, calls, sanitizers, config = {}) {
+        this.dfg = dfg;
+        this.calls = calls;
+        this.sanitizers = sanitizers;
+        this.config = {
+            maxDepth: config.maxDepth ?? 30,
+            requireDirectFlow: config.requireDirectFlow ?? false,
+            allowFieldFlows: config.allowFieldFlows ?? true,
+        };
+        this.buildLookupMaps();
+    }
+    /**
+     * Build lookup maps for efficient querying
+     */
+    buildLookupMaps() {
+        for (const def of this.dfg.defs) {
+            this.defById.set(def.id, def);
+            const byLine = this.defsByLine.get(def.line) ?? [];
+            byLine.push(def);
+            this.defsByLine.set(def.line, byLine);
+            const byVar = this.defsByVar.get(def.variable) ?? [];
+            byVar.push(def);
+            this.defsByVar.set(def.variable, byVar);
+        }
+        for (const use of this.dfg.uses) {
+            const byLine = this.usesByLine.get(use.line) ?? [];
+            byLine.push(use);
+            this.usesByLine.set(use.line, byLine);
+            if (use.def_id !== null) {
+                const byDefId = this.usesByDefId.get(use.def_id) ?? [];
+                byDefId.push(use);
+                this.usesByDefId.set(use.def_id, byDefId);
+            }
+        }
+        for (const call of this.calls) {
+            const byLine = this.callsByLine.get(call.location.line) ?? [];
+            byLine.push(call);
+            this.callsByLine.set(call.location.line, byLine);
+        }
+        for (const sanitizer of this.sanitizers) {
+            this.sanitizerLines.add(sanitizer.line);
+        }
+        // Build chain lookup
+        if (this.dfg.chains) {
+            for (const chain of this.dfg.chains) {
+                const byFromDef = this.chainsByFromDef.get(chain.from_def) ?? [];
+                byFromDef.push(chain);
+                this.chainsByFromDef.set(chain.from_def, byFromDef);
+            }
+        }
+    }
+    /**
+     * Verify if taint flows from source to sink
+     */
+    verify(source, sink) {
+        // Find definitions at the source line
+        const sourceDefs = this.defsByLine.get(source.line) ?? [];
+        if (sourceDefs.length === 0) {
+            return {
+                verified: false,
+                confidence: 0,
+                reason: `No variable definition found at source line ${source.line}`,
+            };
+        }
+        // Try to find a path from any source definition to the sink
+        const allPaths = [];
+        for (const sourceDef of sourceDefs) {
+            const path = this.findPath(sourceDef, sink);
+            if (path) {
+                allPaths.push(path);
+            }
+        }
+        if (allPaths.length === 0) {
+            return {
+                verified: false,
+                confidence: 0.2, // Some confidence since pattern matched
+                reason: `No def-use chain found from source (line ${source.line}) to sink (line ${sink.line})`,
+            };
+        }
+        // Find the best path (shortest, direct if possible)
+        const bestPath = this.selectBestPath(allPaths);
+        // Check for sanitizers in path
+        const sanitizerInPath = this.checkSanitizers(bestPath);
+        if (sanitizerInPath) {
+            return {
+                verified: false,
+                confidence: 0.1,
+                reason: `Flow sanitized at line ${sanitizerInPath.line} by ${sanitizerInPath.method}`,
+                path: bestPath,
+                alternativePaths: allPaths.length - 1,
+            };
+        }
+        // Calculate confidence based on path characteristics
+        const confidence = this.calculateConfidence(bestPath);
+        return {
+            verified: true,
+            confidence,
+            reason: `Verified: ${bestPath.length}-step flow from line ${source.line} to line ${sink.line}`,
+            path: bestPath,
+            alternativePaths: allPaths.length - 1,
+        };
+    }
+    /**
+     * Find a path from a definition to a sink using BFS
+     */
+    findPath(sourceDef, sink) {
+        const initialStep = {
+            defId: sourceDef.id,
+            variable: sourceDef.variable,
+            line: sourceDef.line,
+            kind: sourceDef.kind,
+            flowType: 'direct',
+        };
+        const queue = [{
+                def: sourceDef,
+                steps: [initialStep],
+                visited: new Set([sourceDef.id]),
+            }];
+        while (queue.length > 0) {
+            const state = queue.shift();
+            // Check depth limit
+            if (state.steps.length > this.config.maxDepth) {
+                continue;
+            }
+            // Check if current definition reaches the sink
+            if (this.reachesSink(state.def, sink)) {
+                return {
+                    steps: state.steps,
+                    length: state.steps.length,
+                    hasDirectFlow: state.steps.every(s => s.flowType === 'direct' || s.flowType === 'assignment'),
+                };
+            }
+            // Explore via def-use chains (if available)
+            const chains = this.chainsByFromDef.get(state.def.id) ?? [];
+            for (const chain of chains) {
+                const nextDef = this.defById.get(chain.to_def);
+                if (!nextDef || state.visited.has(nextDef.id))
+                    continue;
+                const step = {
+                    defId: nextDef.id,
+                    variable: nextDef.variable,
+                    line: nextDef.line,
+                    kind: nextDef.kind,
+                    flowType: 'assignment',
+                };
+                const newVisited = new Set(state.visited);
+                newVisited.add(nextDef.id);
+                queue.push({
+                    def: nextDef,
+                    steps: [...state.steps, step],
+                    visited: newVisited,
+                });
+            }
+            // Explore via uses of the current definition
+            const uses = this.usesByDefId.get(state.def.id) ?? [];
+            for (const use of uses) {
+                // Find definitions at the use line
+                const nextDefs = this.defsByLine.get(use.line) ?? [];
+                for (const nextDef of nextDefs) {
+                    if (state.visited.has(nextDef.id))
+                        continue;
+                    // Skip field flows if not allowed
+                    if (!this.config.allowFieldFlows && nextDef.kind === 'field') {
+                        continue;
+                    }
+                    const flowType = this.determineFlowType(state.def, nextDef, use.line);
+                    const step = {
+                        defId: nextDef.id,
+                        variable: nextDef.variable,
+                        line: nextDef.line,
+                        kind: nextDef.kind,
+                        flowType,
+                    };
+                    const newVisited = new Set(state.visited);
+                    newVisited.add(nextDef.id);
+                    queue.push({
+                        def: nextDef,
+                        steps: [...state.steps, step],
+                        visited: newVisited,
+                    });
+                }
+            }
+            // Explore same-variable definitions at later lines
+            const laterDefs = (this.defsByVar.get(state.def.variable) ?? [])
+                .filter(d => d.line > state.def.line && d.line <= sink.line && !state.visited.has(d.id))
+                .slice(0, 5); // Limit branching
+            for (const nextDef of laterDefs) {
+                const step = {
+                    defId: nextDef.id,
+                    variable: nextDef.variable,
+                    line: nextDef.line,
+                    kind: nextDef.kind,
+                    flowType: 'assignment',
+                };
+                const newVisited = new Set(state.visited);
+                newVisited.add(nextDef.id);
+                queue.push({
+                    def: nextDef,
+                    steps: [...state.steps, step],
+                    visited: newVisited,
+                });
+            }
+        }
+        return null;
+    }
+    /**
+     * Check if a definition reaches a sink
+     */
+    reachesSink(def, sink) {
+        // Check uses at sink line
+        const uses = this.usesByLine.get(sink.line) ?? [];
+        for (const use of uses) {
+            if (use.variable === def.variable || use.def_id === def.id) {
+                return true;
+            }
+        }
+        // Check call arguments at sink line
+        const calls = this.callsByLine.get(sink.line) ?? [];
+        for (const call of calls) {
+            for (const arg of call.arguments) {
+                if (arg.variable === def.variable) {
+                    return true;
+                }
+            }
+        }
+        // Check if definition is at or before sink line with same variable
+        if (def.line <= sink.line) {
+            const laterDefs = (this.defsByVar.get(def.variable) ?? [])
+                .filter(d => d.line > def.line && d.line <= sink.line);
+            // If no redefinition between def and sink, it reaches
+            if (laterDefs.length === 0) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Determine the type of flow between two definitions
+     */
+    determineFlowType(fromDef, toDef, useLine) {
+        // Check for call at the line
+        const calls = this.callsByLine.get(useLine) ?? [];
+        if (calls.length > 0) {
+            // If the variable changed, it's a return assignment
+            if (fromDef.variable !== toDef.variable) {
+                return 'return';
+            }
+            return 'call';
+        }
+        // Check for field access
+        if (toDef.kind === 'field') {
+            return 'field';
+        }
+        // Simple assignment
+        if (fromDef.variable === toDef.variable) {
+            return 'direct';
+        }
+        return 'assignment';
+    }
+    /**
+     * Select the best path from multiple candidates
+     */
+    selectBestPath(paths) {
+        // Prefer direct flows
+        const directPaths = paths.filter(p => p.hasDirectFlow);
+        if (directPaths.length > 0) {
+            return directPaths.reduce((a, b) => a.length <= b.length ? a : b);
+        }
+        // Otherwise, prefer shortest path
+        return paths.reduce((a, b) => a.length <= b.length ? a : b);
+    }
+    /**
+     * Check if any sanitizer is in the path
+     */
+    checkSanitizers(path) {
+        for (const step of path.steps) {
+            if (this.sanitizerLines.has(step.line)) {
+                return this.sanitizers.find(s => s.line === step.line) || null;
+            }
+        }
+        return null;
+    }
+    /**
+     * Calculate confidence based on path characteristics
+     */
+    calculateConfidence(path) {
+        let confidence = 0.9; // Base confidence for verified flow
+        // Bonus for direct flow
+        if (path.hasDirectFlow) {
+            confidence += 0.05;
+        }
+        // Penalty for long paths
+        if (path.length > 5) {
+            confidence -= 0.05;
+        }
+        if (path.length > 10) {
+            confidence -= 0.1;
+        }
+        // Penalty for field flows
+        const fieldSteps = path.steps.filter(s => s.flowType === 'field').length;
+        confidence -= fieldSteps * 0.05;
+        return Math.max(0.5, Math.min(1.0, confidence));
+    }
+    /**
+     * Batch verify multiple source-sink pairs
+     */
+    verifyAll(sources, sinks) {
+        const results = new Map();
+        for (const source of sources) {
+            for (const sink of sinks) {
+                const key = `${source.line}:${sink.line}`;
+                const result = this.verify(source, sink);
+                results.set(key, result);
+            }
+        }
+        return results;
+    }
+    /**
+     * Get verification statistics
+     */
+    getStats(results) {
+        let verified = 0;
+        let notVerified = 0;
+        let sanitized = 0;
+        let totalConfidence = 0;
+        for (const result of results.values()) {
+            if (result.verified) {
+                verified++;
+                totalConfidence += result.confidence;
+            }
+            else if (result.reason.includes('sanitized')) {
+                sanitized++;
+            }
+            else {
+                notVerified++;
+            }
+        }
+        return {
+            total: results.size,
+            verified,
+            notVerified,
+            sanitized,
+            avgConfidence: verified > 0 ? totalConfidence / verified : 0,
+        };
+    }
+}
+/**
+ * Convenience function to verify a single flow
+ */
+export function verifyTaintFlow(dfg, calls, source, sink, sanitizers = [], config = {}) {
+    const verifier = new DFGVerifier(dfg, calls, sanitizers, config);
+    return verifier.verify(source, sink);
+}
+/**
+ * Format verification result for display
+ */
+export function formatVerificationResult(result) {
+    const lines = [];
+    const status = result.verified ? '✓ VERIFIED' : '✗ NOT VERIFIED';
+    lines.push(`${status} (${Math.round(result.confidence * 100)}% confidence)`);
+    lines.push(`Reason: ${result.reason}`);
+    if (result.path) {
+        lines.push(`Path length: ${result.path.length} steps`);
+        lines.push('Steps:');
+        for (const step of result.path.steps) {
+            lines.push(`  - Line ${step.line}: ${step.variable} (${step.flowType})`);
+        }
+    }
+    if (result.alternativePaths && result.alternativePaths > 0) {
+        lines.push(`Alternative paths found: ${result.alternativePaths}`);
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=dfg-verifier.js.map

package/dist/analysis/dfg-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dfg-verifier.js","sourceRoot":"","sources":["../../src/analysis/dfg-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAqDH;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,GAAG,CAAM;IACT,KAAK,CAAa;IAClB,UAAU,CAAmB;IAC7B,MAAM,CAA2B;IAEzC,cAAc;IACN,OAAO,GAAwB,IAAI,GAAG,EAAE,CAAC;IACzC,UAAU,GAA0B,IAAI,GAAG,EAAE,CAAC;IAC9C,SAAS,GAA0B,IAAI,GAAG,EAAE,CAAC;IAC7C,WAAW,GAA0B,IAAI,GAAG,EAAE,CAAC;IAC/C,UAAU,GAA0B,IAAI,GAAG,EAAE,CAAC;IAC9C,WAAW,GAA4B,IAAI,GAAG,EAAE,CAAC;IACjD,cAAc,GAAgB,IAAI,GAAG,EAAE,CAAC;IAEhD,oCAAoC;IAC5B,eAAe,GAA4B,IAAI,GAAG,EAAE,CAAC;IAE7D,YACE,GAAQ,EACR,KAAiB,EACjB,UAA4B,EAC5B,SAAyB,EAAE;QAE3B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG;YACZ,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;YAC/B,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,KAAK;YACpD,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI;SAChD,CAAC;QAEF,IAAI,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,eAAe;QACrB,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YAChC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;YAE9B,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAEtC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACrD,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YAChC,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAEtC,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACvD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAClB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9D,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACnD,CAAC;QAED,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACxC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;QAED,qBAAqB;QACrB,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;gBACpC,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACjE,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACtB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,MAAmB,EAAE,IAAe;QACzC,sCAAsC;QACtC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAE1D,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,CAAC;gBACb,MAAM,EAAE,+CAA+C,MAAM,CAAC,IAAI,EAAE;aACrE,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,MAAM,QAAQ,GAAuB,EAAE,CAAC;QAExC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAC5C,IAAI,IAAI,EAAE,CAAC;gBACT,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,GAAG,EAAG,wCAAwC;gBAC1D,MAAM,EAAE,4CAA4C,MAAM,CAAC,IAAI,mBAAmB,IAAI,CAAC,IAAI,GAAG;aAC/F,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QAE/C,+BAA+B;QAC/B,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACvD,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,GAAG;gBACf,MAAM,EAAE,0BAA0B,eAAe,CAAC,IAAI,OAAO,eAAe,CAAC,MAAM,EAAE;gBACrF,IAAI,EAAE,QAAQ;gBACd,gBAAgB,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;aACtC,CAAC;QACJ,CAAC;QAED,qDAAqD;QACrD,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAEtD,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,UAAU;YACV,MAAM,EAAE,aAAa,QAAQ,CAAC,MAAM,wBAAwB,MAAM,CAAC,IAAI,YAAY,IAAI,CAAC,IAAI,EAAE;YAC9F,IAAI,EAAE,QAAQ;YACd,gBAAgB,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;SACtC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,QAAQ,CAAC,SAAiB,EAAE,IAAe;QAOjD,MAAM,WAAW,GAAqB;YACpC,KAAK,EAAE,SAAS,CAAC,EAAE;YACnB,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,QAAQ,EAAE,QAAQ;SACnB,CAAC;QAEF,MAAM,KAAK,GAAkB,CAAC;gBAC5B,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,CAAC,WAAW,CAAC;gBACpB,OAAO,EAAE,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;aACjC,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;YAE7B,oBAAoB;YACpB,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC9C,SAAS;YACX,CAAC;YAED,+CAA+C;YAC/C,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC;gBACtC,OAAO;oBACL,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM;oBAC1B,aAAa,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,YAAY,CAAC;iBAC9F,CAAC;YACJ,CAAC;YAED,4CAA4C;YAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;YAC5D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBAC/C,IAAI,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAExD,MAAM,IAAI,GAAqB;oBAC7B,KAAK,EAAE,OAAO,CAAC,EAAE;oBACjB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,QAAQ,EAAE,YAAY;iBACvB,CAAC;gBAEF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAC1C,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;gBAE3B,KAAK,CAAC,IAAI,CAAC;oBACT,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC;oBAC7B,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;YAED,6CAA6C;YAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;YACtD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,mCAAmC;gBACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAErD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;oBAC/B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;wBAAE,SAAS;oBAE5C,kCAAkC;oBAClC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;wBAC7D,SAAS;oBACX,CAAC;oBAED,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;oBAEtE,MAAM,IAAI,GAAqB;wBAC7B,KAAK,EAAE,OAAO,CAAC,EAAE;wBACjB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;wBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;wBAClB,QAAQ;qBACT,CAAC;oBAEF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBAC1C,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAE3B,KAAK,CAAC,IAAI,CAAC;wBACT,GAAG,EAAE,OAAO;wBACZ,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC;wBAC7B,OAAO,EAAE,UAAU;qBACpB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,mDAAmD;YACnD,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;iBAC7D,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;iBACvF,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,kBAAkB;YAEnC,KAAK,MAAM,OAAO,IAAI,SAAS,EAAE,CAAC;gBAChC,MAAM,IAAI,GAAqB;oBAC7B,KAAK,EAAE,OAAO,CAAC,EAAE;oBACjB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,QAAQ,EAAE,YAAY;iBACvB,CAAC;gBAEF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAC1C,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;gBAE3B,KAAK,CAAC,IAAI,CAAC;oBACT,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC;oBAC7B,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAW,EAAE,IAAe;QAC9C,0BAA0B;QAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAClD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,EAAE,EAAE,CAAC;gBAC3D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,EAAE,CAAC;oBAClC,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAC1B,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;iBACvD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC;YAEzD,sDAAsD;YACtD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,iBAAiB,CACvB,OAAe,EACf,KAAa,EACb,OAAe;QAEf,6BAA6B;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,oDAAoD;YACpD,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACxC,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,yBAAyB;QACzB,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,oBAAoB;QACpB,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,EAAE,CAAC;YACxC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,KAAyB;QAC9C,sBAAsB;QACtB,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,CAAC;QAED,kCAAkC;QAClC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,IAAsB;QAC5C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;YACjE,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,IAAsB;QAChD,IAAI,UAAU,GAAG,GAAG,CAAC,CAAE,oCAAoC;QAE3D,wBAAwB;QACxB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,UAAU,IAAI,IAAI,CAAC;QACrB,CAAC;QAED,yBAAyB;QACzB,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,UAAU,IAAI,IAAI,CAAC;QACrB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACrB,UAAU,IAAI,GAAG,CAAC;QACpB,CAAC;QAED,0BAA0B;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;QACzE,UAAU,IAAI,UAAU,GAAG,IAAI,CAAC;QAEhC,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,SAAS,CACP,OAAsB,EACtB,KAAkB;QAElB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8B,CAAC;QAEtD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAAwC;QAO/C,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,QAAQ,EAAE,CAAC;gBACX,eAAe,IAAI,MAAM,CAAC,UAAU,CAAC;YACvC,CAAC;iBAAM,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC/C,SAAS,EAAE,CAAC;YACd,CAAC;iBAAM,CAAC;gBACN,WAAW,EAAE,CAAC;YAChB,CAAC;QACH,CAAC;QAED,OAAO;YACL,KAAK,EAAE,OAAO,CAAC,IAAI;YACnB,QAAQ;YACR,WAAW;YACX,SAAS;YACT,aAAa,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,eAAe,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;SAC7D,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAQ,EACR,KAAiB,EACjB,MAAmB,EACnB,IAAe,EACf,aAA+B,EAAE,EACjC,SAAyB,EAAE;IAE3B,MAAM,QAAQ,GAAG,IAAI,WAAW,CAAC,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IACjE,OAAO,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAA0B;IACjE,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gBAAgB,CAAC;IACjE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC;IAC7E,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAEvC,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,IAAI,CAAC,MAAM,QAAQ,CAAC,CAAC;QACvD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,IAAI,MAAM,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3D,KAAK,CAAC,IAAI,CAAC,4BAA4B,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/analysis/findings.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Finding generator
+ *
+ * Combines taint sources, sinks, and data flow analysis to generate
+ * vulnerability findings with paths and remediation suggestions.
+ */
+import type { TaintSource, TaintSink, DFG, Finding } from '../types/index.js';
+/**
+ * Generate vulnerability findings from taint analysis results.
+ */
+export declare function generateFindings(sources: TaintSource[], sinks: TaintSink[], dfg: DFG, fileName: string): Finding[];

package/dist/analysis/findings.js

@@ -0,0 +1,228 @@
+/**
+ * Finding generator
+ *
+ * Combines taint sources, sinks, and data flow analysis to generate
+ * vulnerability findings with paths and remediation suggestions.
+ */
+import { calculateSeverity as calcSeverity, getRemediation, getSourceDescription, getSinkDescription, } from './rules.js';
+/**
+ * Generate vulnerability findings from taint analysis results.
+ */
+export function generateFindings(sources, sinks, dfg, fileName) {
+    const findings = [];
+    let findingId = 1;
+    // For each source, find potential paths to sinks
+    for (const source of sources) {
+        for (const sink of sinks) {
+            // Check if this source type can reach this sink type
+            if (!canSourceReachSink(source.type, sink.type)) {
+                continue;
+            }
+            // Try to find a path through the DFG
+            const pathResult = findTaintPath(source, sink, dfg);
+            if (pathResult.pathExists || isProximityVulnerability(source, sink)) {
+                const severity = calcSeverity({
+                    sourceType: source.type,
+                    sinkType: sink.type,
+                    pathExists: pathResult.pathExists,
+                });
+                const confidence = calculateConfidence(source, sink, pathResult);
+                findings.push({
+                    id: `vuln${findingId++}`,
+                    type: sink.type,
+                    cwe: sink.cwe,
+                    severity,
+                    confidence,
+                    source: {
+                        file: fileName,
+                        line: source.line,
+                        code: source.location,
+                    },
+                    sink: {
+                        file: fileName,
+                        line: sink.line,
+                        code: sink.location,
+                    },
+                    path: pathResult.hops.length > 0 ? pathResult.hops : undefined,
+                    exploitable: pathResult.pathExists && confidence > 0.7,
+                    explanation: generateExplanation(source, sink, pathResult),
+                    remediation: getRemediation(sink.type),
+                    verification: {
+                        graph_path_exists: pathResult.pathExists,
+                        llm_verified: false,
+                        llm_confidence: 0,
+                    },
+                });
+            }
+        }
+    }
+    // Sort by severity and confidence
+    findings.sort((a, b) => {
+        const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+        const severityDiff = severityOrder[a.severity] - severityOrder[b.severity];
+        if (severityDiff !== 0)
+            return severityDiff;
+        return b.confidence - a.confidence;
+    });
+    return findings;
+}
+/**
+ * Check if a source type can potentially reach a sink type.
+ */
+function canSourceReachSink(sourceType, sinkType) {
+    const sourceToSinkMapping = {
+        http_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf'],
+        http_body: ['sql_injection', 'command_injection', 'deserialization', 'xxe', 'xss', 'code_injection'],
+        http_header: ['sql_injection', 'xss', 'ssrf'],
+        http_cookie: ['sql_injection', 'xss'],
+        http_path: ['path_traversal', 'sql_injection', 'ssrf'],
+        http_query: ['sql_injection', 'command_injection', 'xss', 'ssrf'],
+        io_input: ['command_injection', 'path_traversal', 'deserialization', 'xxe', 'code_injection', 'xss'],
+        env_input: ['command_injection', 'path_traversal'],
+        db_input: ['xss', 'sql_injection'], // Second-order injection
+        file_input: ['deserialization', 'xxe', 'path_traversal', 'command_injection', 'code_injection'],
+        network_input: ['sql_injection', 'command_injection', 'xss', 'ssrf'],
+        config_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'ssrf'], // Servlet init params
+        interprocedural_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'xpath_injection', 'ldap_injection', 'ssrf', 'code_injection'], // Cross-method taint
+        plugin_param: ['sql_injection', 'command_injection', 'path_traversal', 'xss', 'code_injection'], // Plugin/config parameters
+    };
+    const validSinks = sourceToSinkMapping[sourceType];
+    return validSinks ? validSinks.includes(sinkType) : false;
+}
+/**
+ * Find a taint path from source to sink through the DFG.
+ */
+function findTaintPath(source, sink, dfg) {
+    const hops = [];
+    const variables = [];
+    // Find definitions near the source line
+    const sourceDefs = dfg.defs.filter(d => d.line >= source.line - 1 && d.line <= source.line + 1);
+    // Find uses near the sink line
+    const sinkUses = dfg.uses.filter(u => u.line >= sink.line - 1 && u.line <= sink.line + 1);
+    if (sourceDefs.length === 0 || sinkUses.length === 0) {
+        return { pathExists: false, hops: [], variables: [] };
+    }
+    // Use DFG chains to find path
+    const chains = dfg.chains ?? [];
+    // Try to find a path from any source def to any sink use
+    for (const sourceDef of sourceDefs) {
+        for (const sinkUse of sinkUses) {
+            const path = findPathThroughChains(sourceDef.id, sinkUse.def_id, chains, dfg);
+            if (path.length > 0) {
+                // Build hops from path
+                for (const defId of path) {
+                    const def = dfg.defs.find(d => d.id === defId);
+                    if (def) {
+                        hops.push({
+                            file: '', // Will be filled by caller
+                            method: '',
+                            line: def.line,
+                            code: `${def.variable} = ...`,
+                            variable: def.variable,
+                        });
+                        variables.push(def.variable);
+                    }
+                }
+                return { pathExists: true, hops, variables };
+            }
+        }
+    }
+    // Fallback: check for simple proximity-based path
+    // If source and sink are close, there might be a direct flow
+    if (Math.abs(source.line - sink.line) <= 10) {
+        // Look for common variables
+        const sourceVars = new Set(sourceDefs.map(d => d.variable));
+        const sinkVars = new Set(sinkUses.map(u => u.variable));
+        for (const v of sourceVars) {
+            if (sinkVars.has(v)) {
+                hops.push({
+                    file: '',
+                    method: '',
+                    line: source.line,
+                    code: `${v} = <source>`,
+                    variable: v,
+                });
+                hops.push({
+                    file: '',
+                    method: '',
+                    line: sink.line,
+                    code: `sink(${v})`,
+                    variable: v,
+                });
+                variables.push(v);
+                return { pathExists: true, hops, variables };
+            }
+        }
+    }
+    return { pathExists: false, hops: [], variables: [] };
+}
+/**
+ * Find a path through DFG chains from source def to target def.
+ */
+function findPathThroughChains(fromDefId, toDefId, chains, dfg, visited = new Set(), path = []) {
+    if (toDefId === null)
+        return [];
+    if (fromDefId === toDefId)
+        return [...path, fromDefId];
+    if (visited.has(fromDefId))
+        return [];
+    visited.add(fromDefId);
+    path.push(fromDefId);
+    // Find chains that start from this def
+    const outgoingChains = chains.filter(c => c.from_def === fromDefId);
+    for (const chain of outgoingChains) {
+        const result = findPathThroughChains(chain.to_def, toDefId, chains, dfg, visited, [...path]);
+        if (result.length > 0) {
+            return result;
+        }
+    }
+    return [];
+}
+/**
+ * Check if source and sink are close enough to suggest vulnerability.
+ */
+function isProximityVulnerability(source, sink) {
+    // Within same method (roughly 50 lines for complex functions)
+    return Math.abs(source.line - sink.line) <= 50;
+}
+/**
+ * Calculate confidence score.
+ */
+function calculateConfidence(source, sink, pathResult) {
+    let confidence = 0.5; // Base confidence
+    // Path exists: high confidence
+    if (pathResult.pathExists) {
+        confidence += 0.3;
+    }
+    // More hops = more confidence in the path
+    if (pathResult.hops.length > 0) {
+        confidence += Math.min(pathResult.hops.length * 0.05, 0.1);
+    }
+    // Source and sink confidence
+    confidence = confidence * source.confidence * sink.confidence;
+    // Proximity bonus
+    const lineDiff = Math.abs(source.line - sink.line);
+    if (lineDiff <= 5) {
+        confidence += 0.1;
+    }
+    else if (lineDiff <= 15) {
+        confidence += 0.05;
+    }
+    return Math.min(confidence, 1.0);
+}
+/**
+ * Generate explanation for the finding.
+ */
+function generateExplanation(source, sink, pathResult) {
+    const sourceDesc = getSourceDescription(source.type);
+    const sinkDesc = getSinkDescription(sink.type);
+    if (pathResult.pathExists && pathResult.variables.length > 0) {
+        const vars = pathResult.variables.join(' -> ');
+        return `${sourceDesc} flows through variables (${vars}) to ${sinkDesc} without proper sanitization.`;
+    }
+    if (pathResult.pathExists) {
+        return `${sourceDesc} flows to ${sinkDesc} without proper sanitization.`;
+    }
+    return `${sourceDesc} may reach ${sinkDesc}. Manual verification recommended.`;
+}
+//# sourceMappingURL=findings.js.map