circle-ir 3.1.0

package/dist/analysis/findings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/analysis/findings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EACL,iBAAiB,IAAI,YAAY,EACjC,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAsB,EACtB,KAAkB,EAClB,GAAQ,EACR,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,iDAAiD;IACjD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qDAAqD;YACrD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,UAAU,CAAC,UAAU,IAAI,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;gBACpE,MAAM,QAAQ,GAAG,YAAY,CAAC;oBAC5B,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,UAAU,EAAE,UAAU,CAAC,UAAU;iBAClC,CAAC,CAAC;gBACH,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,SAAS,EAAE,EAAE;oBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ;oBACR,UAAU;oBACV,MAAM,EAAE;wBACN,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,IAAI,EAAE,MAAM,CAAC,QAAQ;qBACtB;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,IAAI,CAAC,QAAQ;qBACpB;oBACD,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;oBAC9D,WAAW,EAAE,UAAU,CAAC,UAAU,IAAI,UAAU,GAAG,GAAG;oBACtD,WAAW,EAAE,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC;oBAC1D,WAAW,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,YAAY,EAAE;wBACZ,iBAAiB,EAAE,UAAU,CAAC,UAAU;wBACxC,YAAY,EAAE,KAAK;wBACnB,cAAc,EAAE,CAAC;qBAClB;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACrB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,UAAkB,EAAE,QAAkB;IAChE,MAAM,mBAAmB,GAA+B;QACtD,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACxH,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,CAAC;QACpG,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,MAAM,CAAC;QAC7C,WAAW,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC;QACrC,SAAS,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,CAAC;QACtD,UAAU,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACjE,QAAQ,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,CAAC;QACpG,SAAS,EAAE,CAAC,mBAAmB,EAAE,gBAAgB,CAAC;QAClD,QAAQ,EAAE,CAAC,KAAK,EAAE,eAAe,CAAC,EAAE,yBAAyB;QAC7D,UAAU,EAAE,CAAC,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;QAC/F,aAAa,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC;QACpE,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,sBAAsB;QAC7G,qBAAqB,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,qBAAqB;QAC5K,YAAY,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,CAAC,EAAE,2BAA2B;KAC7H,CAAC;IAEF,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5D,CAAC;AAQD;;GAEG;AACH,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAe,EAAE,GAAQ;IACnE,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,CACvD,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,CACnD,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAEhC,yDAAyD;IACzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,uBAAuB;gBACvB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;oBAC/C,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,IAAI,CAAC;4BACR,IAAI,EAAE,EAAE,EAAE,2BAA2B;4BACrC,MAAM,EAAE,EAAE;4BACV,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,GAAG,CAAC,QAAQ,QAAQ;4BAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;yBACvB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,6DAA6D;IAC7D,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5C,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,GAAG,CAAC,aAAa;oBACvB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC;oBACR,IAAI,EAAE,EAAE;oBACR,MAAM,EAAE,EAAE;oBACV,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,QAAQ,CAAC,GAAG;oBAClB,QAAQ,EAAE,CAAC;iBACZ,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,OAAsB,EACtB,MAAkB,EAClB,GAAQ,EACR,UAAuB,IAAI,GAAG,EAAE,EAChC,OAAiB,EAAE;IAEnB,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,SAAS,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,uCAAuC;IACvC,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,MAAmB,EAAE,IAAe;IACpE,8DAA8D;IAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AACjD,CAAC;AAGD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,+BAA+B;IAC/B,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,6BAA6B;IAC7B,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAE9D,kBAAkB;IAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAClB,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;SAAM,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC1B,UAAU,IAAI,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAmB,EAAE,IAAe,EAAE,UAAsB;IACvF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,GAAG,UAAU,6BAA6B,IAAI,QAAQ,QAAQ,+BAA+B,CAAC;IACvG,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1B,OAAO,GAAG,UAAU,aAAa,QAAQ,+BAA+B,CAAC;IAC3E,CAAC;IAED,OAAO,GAAG,UAAU,cAAc,QAAQ,oCAAoC,CAAC;AACjF,CAAC"}

package/dist/analysis/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Analysis module index
+ */
+export { parseConfig, loadSourceConfigs, loadSinkConfigs, createTaintConfig, getDefaultConfig, DEFAULT_SOURCES, DEFAULT_SINKS, DEFAULT_SANITIZERS, } from './config-loader.js';
+export { analyzeTaint, isInDangerousPosition, } from './taint-matcher.js';
+export { detectUnresolved, } from './unresolved.js';
+export { generateFindings, } from './findings.js';
+export { propagateTaint, type TaintPropagationResult, type TaintedVariable, type TaintFlow, } from './taint-propagation.js';
+export { analyzeInterprocedural, getInterproceduralSummary, findTaintBridges, getMethodTaintPaths, hasMethod, getMethod, isMethodTainted, type InterproceduralResult, type MethodNode, type CallEdge, } from './interprocedural.js';
+export { analyzeConstantPropagation, isFalsePositive, isCorrelatedPredicateFP, ConstantPropagator, isKnown, createUnknown, createConstant, getNodeText, getNodeLine, type ConstantValue, type ConstantType, type ConstantPropagatorResult, type ConstantPropagationOptions, } from './constant-propagation.js';
+export { PathFinder, findTaintPaths, formatTaintPath, type TaintHop, type TaintPath, type PathFinderResult, type PathFinderConfig, } from './path-finder.js';
+export { DFGVerifier, verifyTaintFlow, formatVerificationResult, type VerificationResult, type VerificationPath, type VerificationStep, type VerifierConfig, } from './dfg-verifier.js';
+export { loadBundledAdvisories, parseAdvisoryJson, categoryToSeverity, getAdvisoriesForCrate, findAdvisoryByCve, getVulnerableCrates, type AdvisoryVulnerability, type AdvisoryDatabase, } from './advisory-db.js';
+export { parseCargoLock, parseCargoToml, filterRegistryDeps, type CargoLock, type CargoLockDependency, type CargoToml, type CargoTomlDependency, } from './cargo-parser.js';
+export { scanCargoLock, checkCrateVulnerability, formatFinding, formatScanReport, type DependencyFinding, type ScanOptions, type ScanResult, } from './dependency-scanner.js';
+export { parseVersion, compareVersions, semverSatisfies, isVersionVulnerable, type ParsedVersion, } from './semver.js';

package/dist/analysis/index.js

@@ -0,0 +1,18 @@
+/**
+ * Analysis module index
+ */
+export { parseConfig, loadSourceConfigs, loadSinkConfigs, createTaintConfig, getDefaultConfig, DEFAULT_SOURCES, DEFAULT_SINKS, DEFAULT_SANITIZERS, } from './config-loader.js';
+export { analyzeTaint, isInDangerousPosition, } from './taint-matcher.js';
+export { detectUnresolved, } from './unresolved.js';
+export { generateFindings, } from './findings.js';
+export { propagateTaint, } from './taint-propagation.js';
+export { analyzeInterprocedural, getInterproceduralSummary, findTaintBridges, getMethodTaintPaths, hasMethod, getMethod, isMethodTainted, } from './interprocedural.js';
+export { analyzeConstantPropagation, isFalsePositive, isCorrelatedPredicateFP, ConstantPropagator, isKnown, createUnknown, createConstant, getNodeText, getNodeLine, } from './constant-propagation.js';
+export { PathFinder, findTaintPaths, formatTaintPath, } from './path-finder.js';
+export { DFGVerifier, verifyTaintFlow, formatVerificationResult, } from './dfg-verifier.js';
+// RustSec Advisory Database
+export { loadBundledAdvisories, parseAdvisoryJson, categoryToSeverity, getAdvisoriesForCrate, findAdvisoryByCve, getVulnerableCrates, } from './advisory-db.js';
+export { parseCargoLock, parseCargoToml, filterRegistryDeps, } from './cargo-parser.js';
+export { scanCargoLock, checkCrateVulnerability, formatFinding, formatScanReport, } from './dependency-scanner.js';
+export { parseVersion, compareVersions, semverSatisfies, isVersionVulnerable, } from './semver.js';
+//# sourceMappingURL=index.js.map

package/dist/analysis/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analysis/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,YAAY,EACZ,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,cAAc,GAIf,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,gBAAgB,EAChB,mBAAmB,EACnB,SAAS,EACT,SAAS,EACT,eAAe,GAIhB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,0BAA0B,EAC1B,eAAe,EACf,uBAAuB,EACvB,kBAAkB,EAClB,OAAO,EACP,aAAa,EACb,cAAc,EACd,WAAW,EACX,WAAW,GAKZ,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,UAAU,EACV,cAAc,EACd,eAAe,GAKhB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,WAAW,EACX,eAAe,EACf,wBAAwB,GAKzB,MAAM,mBAAmB,CAAC;AAE3B,4BAA4B;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,GAGpB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,cAAc,EACd,cAAc,EACd,kBAAkB,GAKnB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,aAAa,EACb,uBAAuB,EACvB,aAAa,EACb,gBAAgB,GAIjB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,eAAe,EACf,mBAAmB,GAEpB,MAAM,aAAa,CAAC"}

package/dist/analysis/interprocedural.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Inter-procedural Taint Analysis
+ *
+ * Tracks taint flow through method calls within the same file.
+ * - Propagates taint from arguments to parameters
+ * - Tracks taint through return values
+ * - Handles method call chains
+ */
+import type { CallInfo, TypeInfo, DFG, TaintSource, TaintSink, TaintSanitizer } from '../types/index.js';
+/**
+ * Represents a method in the call graph.
+ */
+export interface MethodNode {
+    /** Simple method name */
+    name: string;
+    /** Fully qualified name: ClassName.methodName */
+    fqn: string;
+    /** Class/type this method belongs to */
+    className: string | null;
+    /** Package name if available */
+    packageName: string | null;
+    parameters: ParameterTaint[];
+    returnsTainted: boolean;
+    returnTaintType: string | null;
+    /** Which parameter positions flow to the return value (null = all potentially taint) */
+    returnTaintedFromParams: number[] | null;
+    startLine: number;
+    endLine: number;
+}
+/**
+ * Parameter taint information.
+ */
+export interface ParameterTaint {
+    name: string;
+    position: number;
+    isTainted: boolean;
+    taintType: string | null;
+    sourceLine: number | null;
+}
+/**
+ * A call edge in the call graph.
+ */
+export interface CallEdge {
+    callerMethod: string;
+    calleeMethod: string;
+    callLine: number;
+    taintedArgs: number[];
+}
+/**
+ * Result of inter-procedural analysis.
+ */
+export interface InterproceduralResult {
+    methodNodes: Map<string, MethodNode>;
+    callEdges: CallEdge[];
+    taintedMethods: Set<string>;
+    taintedReturns: Map<string, string>;
+    propagatedSinks: TaintSink[];
+}
+/**
+ * Options for interprocedural analysis.
+ */
+export interface InterproceduralOptions {
+    /** Variables marked as tainted by constant propagation (e.g., collections with tainted elements) */
+    taintedVariables?: Set<string>;
+}
+/**
+ * Perform inter-procedural taint analysis.
+ */
+export declare function analyzeInterprocedural(types: TypeInfo[], calls: CallInfo[], dfg: DFG, sources: TaintSource[], sinks: TaintSink[], sanitizers: TaintSanitizer[], options?: InterproceduralOptions): InterproceduralResult;
+/**
+ * Get summary of inter-procedural analysis.
+ */
+export declare function getInterproceduralSummary(result: InterproceduralResult): {
+    totalMethods: number;
+    taintedMethods: number;
+    callEdges: number;
+    methodsReturningTaint: number;
+};
+/**
+ * Check if a method exists in the interprocedural result.
+ * Accepts either simple name or FQN.
+ */
+export declare function hasMethod(result: InterproceduralResult, nameOrFqn: string): boolean;
+/**
+ * Get a method node by simple name or FQN.
+ */
+export declare function getMethod(result: InterproceduralResult, nameOrFqn: string): MethodNode | undefined;
+/**
+ * Check if a method is tainted (by simple name or FQN).
+ */
+export declare function isMethodTainted(result: InterproceduralResult, nameOrFqn: string): boolean;
+/**
+ * Find methods that act as "taint bridges" - receiving taint and passing it on.
+ */
+export declare function findTaintBridges(result: InterproceduralResult): string[];
+/**
+ * Get taint flow paths through methods.
+ */
+export declare function getMethodTaintPaths(result: InterproceduralResult, maxDepth?: number): string[][];

package/dist/analysis/interprocedural.js

@@ -0,0 +1,526 @@
+/**
+ * Inter-procedural Taint Analysis
+ *
+ * Tracks taint flow through method calls within the same file.
+ * - Propagates taint from arguments to parameters
+ * - Tracks taint through return values
+ * - Handles method call chains
+ */
+/**
+ * Perform inter-procedural taint analysis.
+ */
+export function analyzeInterprocedural(types, calls, dfg, sources, sinks, sanitizers, options = {}) {
+    // Build method nodes from type information
+    const methodNodes = buildMethodNodes(types);
+    // Build call graph edges with receiver type resolution
+    const callEdges = buildCallEdges(calls, methodNodes, types);
+    // Identify initially tainted parameters (from sources)
+    const taintedMethods = new Set();
+    const taintedReturns = new Map();
+    // Mark methods containing sources as tainted (using FQN)
+    for (const source of sources) {
+        const methodInfo = findMethodAtLine(types, source.line);
+        if (methodInfo) {
+            const fqn = buildMethodFQN(methodInfo.packageName, methodInfo.className, methodInfo.methodName);
+            taintedMethods.add(fqn);
+        }
+    }
+    // Build taint map from DFG
+    const taintedDefIds = buildTaintedDefIds(dfg, sources);
+    // Get tainted variables from constant propagation (tracks collections with tainted elements)
+    const taintedVarsFromCP = options.taintedVariables ?? new Set();
+    // Analyze each call to propagate taint
+    const propagatedSinks = [];
+    // Track which method names are collection methods (should not create external escape sinks)
+    const collectionMethods = new Set([
+        'add', 'addLast', 'addFirst', 'addAll', 'put', 'putAll', 'set', 'push', 'offer',
+        'get', 'getLast', 'getFirst', 'peek', 'poll', 'pop', 'remove', 'removeFirst', 'removeLast',
+        'iterator', 'listIterator', 'next', 'hasNext', 'size', 'isEmpty', 'contains', 'containsKey',
+        'toString', 'valueOf', 'hashCode', 'equals', 'clone', 'clear',
+    ]);
+    // Build set of sanitizer method names (methods that clean tainted data)
+    // Sanitizer methods may be in formats like "encode" or "URLEncoder.encode()"
+    const sanitizerMethods = new Set();
+    for (const san of sanitizers) {
+        sanitizerMethods.add(san.method);
+        // Also extract just the method name if formatted as "Class.method()"
+        const match = san.method.match(/\.(\w+)\(\)$/);
+        if (match) {
+            sanitizerMethods.add(match[1]);
+        }
+    }
+    for (const call of calls) {
+        // Check if any arguments are tainted
+        const taintedArgPositions = [];
+        const taintedArgVars = [];
+        for (const arg of call.arguments) {
+            if (arg.variable) {
+                // Check 1: DFG-based taint tracking
+                const use = findUseAtLine(dfg, arg.variable, call.location.line);
+                const isTaintedByDFG = use && use.def_id !== null && taintedDefIds.has(use.def_id);
+                // Check 2: Constant propagation taint tracking (for collections with tainted elements)
+                const isTaintedByCP = taintedVarsFromCP.has(arg.variable);
+                if (isTaintedByDFG || isTaintedByCP) {
+                    taintedArgPositions.push(arg.position);
+                    taintedArgVars.push(arg.variable);
+                }
+            }
+        }
+        // Check if this is an internal method call (resolve using FQN or simple name)
+        const targetMethod = getMethodNode(methodNodes, call.method_name);
+        if (!targetMethod) {
+            // External method call - check if tainted data is escaping
+            // Skip collection methods (data manipulation) and sanitizer methods (data cleaning)
+            if (taintedArgPositions.length > 0 &&
+                !collectionMethods.has(call.method_name) &&
+                !sanitizerMethods.has(call.method_name)) {
+                // Create an "external_taint_escape" sink for this call
+                // This represents tainted data being passed to code we can't analyze
+                const sink = {
+                    type: 'external_taint_escape',
+                    cwe: 'CWE-668', // Exposure of Resource to Wrong Sphere
+                    location: `Tainted data (${taintedArgVars.join(', ')}) passed to external method ${call.receiver ? call.receiver + '.' : ''}${call.method_name}()`,
+                    line: call.location.line,
+                    confidence: 0.7, // Lower confidence since we can't verify the external method is dangerous
+                    method: call.method_name,
+                    argPositions: taintedArgPositions,
+                };
+                // Only add if not already present
+                if (!propagatedSinks.some(s => s.line === sink.line && s.type === sink.type)) {
+                    propagatedSinks.push(sink);
+                }
+            }
+            continue;
+        }
+        if (taintedArgPositions.length > 0) {
+            // Mark corresponding parameters as tainted
+            for (const pos of taintedArgPositions) {
+                if (pos < targetMethod.parameters.length) {
+                    targetMethod.parameters[pos].isTainted = true;
+                    targetMethod.parameters[pos].sourceLine = call.location.line;
+                }
+            }
+            taintedMethods.add(targetMethod.fqn);
+            // Check if target method has sinks
+            const methodSinks = sinks.filter(s => s.line >= targetMethod.startLine && s.line <= targetMethod.endLine);
+            // These sinks are now reachable via inter-procedural flow
+            for (const sink of methodSinks) {
+                // Check if not already in the list
+                if (!propagatedSinks.some(s => s.line === sink.line)) {
+                    propagatedSinks.push({
+                        ...sink,
+                        confidence: sink.confidence * 0.85, // Slightly lower confidence for inter-proc
+                    });
+                }
+            }
+        }
+    }
+    // Propagate taint through return values
+    propagateReturnTaint(types, dfg, taintedDefIds, taintedReturns, taintedMethods, methodNodes);
+    // Iteratively propagate taint through call chains
+    propagateThroughCallChains(callEdges, methodNodes, taintedMethods, taintedReturns, dfg, taintedDefIds);
+    return {
+        methodNodes: methodNodes.byFqn,
+        callEdges,
+        taintedMethods,
+        taintedReturns,
+        propagatedSinks,
+    };
+}
+/**
+ * Build a fully qualified name for a method.
+ * Format: [package.]ClassName.methodName
+ */
+function buildMethodFQN(packageName, className, methodName) {
+    if (packageName) {
+        return `${packageName}.${className}.${methodName}`;
+    }
+    return `${className}.${methodName}`;
+}
+/**
+ * Build method nodes from type information.
+ * Uses fully qualified names (FQN) as keys for precise method resolution.
+ */
+function buildMethodNodes(types) {
+    const byFqn = new Map();
+    const byName = new Map();
+    for (const type of types) {
+        for (const method of type.methods) {
+            const fqn = buildMethodFQN(type.package, type.name, method.name);
+            const node = {
+                name: method.name,
+                fqn,
+                className: type.name,
+                packageName: type.package,
+                parameters: method.parameters.map((p, i) => ({
+                    name: p.name,
+                    position: i,
+                    isTainted: false,
+                    taintType: null,
+                    sourceLine: null,
+                })),
+                returnsTainted: false,
+                returnTaintType: null,
+                returnTaintedFromParams: null, // Will be computed during analysis
+                startLine: method.start_line,
+                endLine: method.end_line,
+            };
+            // Store with FQN as primary key
+            byFqn.set(fqn, node);
+            // Store with simple name for fallback (first occurrence wins)
+            if (!byName.has(method.name)) {
+                byName.set(method.name, node);
+            }
+        }
+    }
+    return { byFqn, byName };
+}
+/**
+ * Get a method node by FQN or simple name.
+ */
+function getMethodNode(maps, key) {
+    return maps.byFqn.get(key) ?? maps.byName.get(key);
+}
+/**
+ * Resolve a method call to its target node, considering receiver type.
+ * Returns the FQN of the resolved method, or null if not found.
+ */
+function resolveMethodCall(call, methodNodes, types) {
+    const methodName = call.method_name;
+    // If receiver type is known, try FQN resolution first
+    if (call.receiver_type) {
+        // Try exact FQN match
+        const fqn = `${call.receiver_type}.${methodName}`;
+        if (methodNodes.byFqn.has(fqn)) {
+            return fqn;
+        }
+        // Try with common package prefixes
+        for (const type of types) {
+            if (type.name === call.receiver_type && type.package) {
+                const fullFqn = `${type.package}.${type.name}.${methodName}`;
+                if (methodNodes.byFqn.has(fullFqn)) {
+                    return fullFqn;
+                }
+            }
+        }
+    }
+    // If receiver is known, try ClassName.methodName
+    if (call.receiver) {
+        // Receiver might be a variable - try to infer its type from types
+        for (const type of types) {
+            const fqn = type.package
+                ? `${type.package}.${type.name}.${methodName}`
+                : `${type.name}.${methodName}`;
+            if (methodNodes.byFqn.has(fqn)) {
+                const node = methodNodes.byFqn.get(fqn);
+                // Check if this could be a match (same method name, right class)
+                if (node.name === methodName) {
+                    return fqn;
+                }
+            }
+        }
+    }
+    // Fallback: simple method name
+    if (methodNodes.byName.has(methodName)) {
+        const node = methodNodes.byName.get(methodName);
+        return node.fqn;
+    }
+    return null;
+}
+/**
+ * Build call edges from call information.
+ * Uses receiver type information for precise method resolution.
+ */
+function buildCallEdges(calls, methodNodes, types) {
+    const edges = [];
+    for (const call of calls) {
+        // Resolve the call target using receiver type
+        const resolvedFqn = resolveMethodCall(call, methodNodes, types);
+        if (!resolvedFqn)
+            continue;
+        // Find the caller method
+        const callerMethod = call.in_method;
+        if (!callerMethod)
+            continue;
+        edges.push({
+            callerMethod,
+            calleeMethod: resolvedFqn,
+            callLine: call.location.line,
+            taintedArgs: [],
+        });
+    }
+    return edges;
+}
+/**
+ * Build set of tainted definition IDs from sources.
+ */
+function buildTaintedDefIds(dfg, sources) {
+    const taintedDefIds = new Set();
+    // Find definitions on source lines
+    // Only mark defs on the EXACT source line as tainted
+    // (The previous +1 heuristic incorrectly marked unrelated defs as tainted)
+    for (const source of sources) {
+        for (const def of dfg.defs) {
+            if (def.line === source.line) {
+                taintedDefIds.add(def.id);
+            }
+        }
+    }
+    // Propagate through chains
+    if (dfg.chains) {
+        let changed = true;
+        while (changed) {
+            changed = false;
+            for (const chain of dfg.chains) {
+                if (taintedDefIds.has(chain.from_def) && !taintedDefIds.has(chain.to_def)) {
+                    taintedDefIds.add(chain.to_def);
+                    changed = true;
+                }
+            }
+        }
+    }
+    return taintedDefIds;
+}
+/**
+ * Find a use at a specific line.
+ */
+function findUseAtLine(dfg, variable, line) {
+    for (const use of dfg.uses) {
+        if (use.variable === variable && use.line === line) {
+            return use;
+        }
+    }
+    return null;
+}
+/**
+ * Find the method containing a specific line.
+ * Returns method info along with class and package context.
+ */
+function findMethodAtLine(types, line) {
+    for (const type of types) {
+        for (const method of type.methods) {
+            if (line >= method.start_line && line <= method.end_line) {
+                return {
+                    method,
+                    methodName: method.name,
+                    className: type.name,
+                    packageName: type.package,
+                };
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Propagate taint through return values.
+ * Tracks which parameters flow to the return value for precise taint mapping.
+ */
+function propagateReturnTaint(types, dfg, taintedDefIds, taintedReturns, taintedMethods, methodNodes) {
+    // Find return statements that return tainted values
+    const returnDefs = dfg.defs.filter(d => d.kind === 'return');
+    for (const returnDef of returnDefs) {
+        // Find the method this return is in
+        const methodCtx = findMethodAtLine(types, returnDef.line);
+        if (!methodCtx)
+            continue;
+        const fqn = buildMethodFQN(methodCtx.packageName, methodCtx.className, methodCtx.methodName);
+        // Find uses on the same line (the returned value)
+        const usesOnLine = dfg.uses.filter(u => u.line === returnDef.line);
+        for (const use of usesOnLine) {
+            if (use.def_id !== null && taintedDefIds.has(use.def_id)) {
+                // This method returns a tainted value
+                taintedReturns.set(fqn, 'tainted');
+                taintedMethods.add(fqn);
+                // Track which parameter this return value came from
+                const methodNode = methodNodes.byFqn.get(fqn);
+                if (methodNode) {
+                    // Check if the returned variable matches a parameter name
+                    const paramIndex = methodNode.parameters.findIndex(p => p.name === use.variable);
+                    if (paramIndex >= 0) {
+                        // This return value comes from this parameter
+                        if (methodNode.returnTaintedFromParams === null) {
+                            methodNode.returnTaintedFromParams = [paramIndex];
+                        }
+                        else if (!methodNode.returnTaintedFromParams.includes(paramIndex)) {
+                            methodNode.returnTaintedFromParams.push(paramIndex);
+                        }
+                    }
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Propagate taint through call chains iteratively.
+ */
+function propagateThroughCallChains(callEdges, methodNodes, taintedMethods, taintedReturns, dfg, taintedDefIds) {
+    // Build reverse call graph (callee -> callers)
+    const callersOf = new Map();
+    for (const edge of callEdges) {
+        const existing = callersOf.get(edge.calleeMethod) ?? [];
+        existing.push(edge);
+        callersOf.set(edge.calleeMethod, existing);
+    }
+    // Iteratively propagate until fixed point
+    let changed = true;
+    let iterations = 0;
+    const maxIterations = 10; // Prevent infinite loops
+    while (changed && iterations < maxIterations) {
+        changed = false;
+        iterations++;
+        // For each method that returns tainted data
+        for (const [methodName, taintType] of taintedReturns) {
+            // Find all callers of this method
+            const callers = callersOf.get(methodName) ?? [];
+            for (const edge of callers) {
+                // The call site now produces tainted data
+                // Find definitions at the call line (the variable receiving the return value)
+                for (const def of dfg.defs) {
+                    if (def.line === edge.callLine && !taintedDefIds.has(def.id)) {
+                        taintedDefIds.add(def.id);
+                        changed = true;
+                        // Mark the caller method as tainted
+                        if (!taintedMethods.has(edge.callerMethod)) {
+                            taintedMethods.add(edge.callerMethod);
+                        }
+                    }
+                }
+            }
+        }
+        // Propagate through chains again
+        if (dfg.chains) {
+            for (const chain of dfg.chains) {
+                if (taintedDefIds.has(chain.from_def) && !taintedDefIds.has(chain.to_def)) {
+                    taintedDefIds.add(chain.to_def);
+                    changed = true;
+                }
+            }
+        }
+    }
+}
+/**
+ * Get summary of inter-procedural analysis.
+ */
+export function getInterproceduralSummary(result) {
+    return {
+        totalMethods: result.methodNodes.size,
+        taintedMethods: result.taintedMethods.size,
+        callEdges: result.callEdges.length,
+        methodsReturningTaint: result.taintedReturns.size,
+    };
+}
+/**
+ * Check if a method exists in the interprocedural result.
+ * Accepts either simple name or FQN.
+ */
+export function hasMethod(result, nameOrFqn) {
+    // Try exact match first (FQN)
+    if (result.methodNodes.has(nameOrFqn)) {
+        return true;
+    }
+    // Try matching by simple name
+    for (const [fqn, node] of result.methodNodes) {
+        if (node.name === nameOrFqn) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Get a method node by simple name or FQN.
+ */
+export function getMethod(result, nameOrFqn) {
+    // Try exact match first (FQN)
+    if (result.methodNodes.has(nameOrFqn)) {
+        return result.methodNodes.get(nameOrFqn);
+    }
+    // Try matching by simple name
+    for (const [fqn, node] of result.methodNodes) {
+        if (node.name === nameOrFqn) {
+            return node;
+        }
+    }
+    return undefined;
+}
+/**
+ * Check if a method is tainted (by simple name or FQN).
+ */
+export function isMethodTainted(result, nameOrFqn) {
+    // Try exact match first (FQN)
+    if (result.taintedMethods.has(nameOrFqn)) {
+        return true;
+    }
+    // Try matching by simple name - check if any tainted method has this name
+    for (const fqn of result.taintedMethods) {
+        const node = result.methodNodes.get(fqn);
+        if (node && node.name === nameOrFqn) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Find methods that act as "taint bridges" - receiving taint and passing it on.
+ */
+export function findTaintBridges(result) {
+    const bridges = [];
+    for (const [name, node] of result.methodNodes) {
+        const hasTaintedParams = node.parameters.some(p => p.isTainted);
+        const returnsTainted = result.taintedReturns.has(name);
+        if (hasTaintedParams && returnsTainted) {
+            bridges.push(name);
+        }
+    }
+    return bridges;
+}
+/**
+ * Get taint flow paths through methods.
+ */
+export function getMethodTaintPaths(result, maxDepth = 5) {
+    const paths = [];
+    // Find entry points (methods with tainted parameters from external sources)
+    const entryMethods = Array.from(result.methodNodes.entries())
+        .filter(([_, node]) => node.parameters.some(p => p.isTainted && p.sourceLine !== null))
+        .map(([name]) => name);
+    // Build call graph adjacency
+    const callsTo = new Map();
+    for (const edge of result.callEdges) {
+        const existing = callsTo.get(edge.callerMethod) ?? [];
+        if (!existing.includes(edge.calleeMethod)) {
+            existing.push(edge.calleeMethod);
+        }
+        callsTo.set(edge.callerMethod, existing);
+    }
+    // DFS to find paths
+    function dfs(current, path, visited) {
+        if (path.length > maxDepth)
+            return;
+        if (visited.has(current))
+            return;
+        visited.add(current);
+        path.push(current);
+        // If this method returns taint and has callees, continue
+        const callees = callsTo.get(current) ?? [];
+        if (callees.length === 0 || !result.taintedMethods.has(current)) {
+            // End of path
+            if (path.length > 1) {
+                paths.push([...path]);
+            }
+        }
+        else {
+            for (const callee of callees) {
+                if (result.taintedMethods.has(callee)) {
+                    dfs(callee, path, visited);
+                }
+            }
+        }
+        path.pop();
+        visited.delete(current);
+    }
+    for (const entry of entryMethods) {
+        dfs(entry, [], new Set());
+    }
+    return paths;
+}
+//# sourceMappingURL=interprocedural.js.map