npm - circle-ir - Versions diffs - 3.1.0 - Mend

circle-ir 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (194) hide show

package/LICENSE +15 -0
package/README.md +200 -0
package/configs/sinks/code_injection.yaml +672 -0
package/configs/sinks/command.yaml +917 -0
package/configs/sinks/deserialization.yaml +105 -0
package/configs/sinks/ldap.yaml +136 -0
package/configs/sinks/nodejs.json +629 -0
package/configs/sinks/path.yaml +715 -0
package/configs/sinks/python.json +501 -0
package/configs/sinks/rust.json +339 -0
package/configs/sinks/sql.yaml +233 -0
package/configs/sinks/ssrf.yaml +160 -0
package/configs/sinks/xpath.yaml +121 -0
package/configs/sinks/xss.yaml +727 -0
package/configs/sources/db_sources.yaml +90 -0
package/configs/sources/env_sources.yaml +94 -0
package/configs/sources/express.json +197 -0
package/configs/sources/file_sources.yaml +164 -0
package/configs/sources/http_sources.yaml +379 -0
package/configs/sources/io_sources.yaml +519 -0
package/configs/sources/network_sources.yaml +99 -0
package/configs/sources/python.json +230 -0
package/configs/sources/rust.json +286 -0
package/configs/sources/spring.yaml +70 -0
package/dist/analysis/advisory-db.d.ts +86 -0
package/dist/analysis/advisory-db.js +104 -0
package/dist/analysis/advisory-db.js.map +1 -0
package/dist/analysis/cargo-parser.d.ts +42 -0
package/dist/analysis/cargo-parser.js +102 -0
package/dist/analysis/cargo-parser.js.map +1 -0
package/dist/analysis/config-loader.d.ts +37 -0
package/dist/analysis/config-loader.js +1561 -0
package/dist/analysis/config-loader.js.map +1 -0
package/dist/analysis/constant-propagation/ast-utils.d.ts +25 -0
package/dist/analysis/constant-propagation/ast-utils.js +34 -0
package/dist/analysis/constant-propagation/ast-utils.js.map +1 -0
package/dist/analysis/constant-propagation/evaluator.d.ts +32 -0
package/dist/analysis/constant-propagation/evaluator.js +296 -0
package/dist/analysis/constant-propagation/evaluator.js.map +1 -0
package/dist/analysis/constant-propagation/index.d.ts +62 -0
package/dist/analysis/constant-propagation/index.js +152 -0
package/dist/analysis/constant-propagation/index.js.map +1 -0
package/dist/analysis/constant-propagation/patterns.d.ts +8 -0
package/dist/analysis/constant-propagation/patterns.js +126 -0
package/dist/analysis/constant-propagation/patterns.js.map +1 -0
package/dist/analysis/constant-propagation/propagator.d.ts +180 -0
package/dist/analysis/constant-propagation/propagator.js +1985 -0
package/dist/analysis/constant-propagation/propagator.js.map +1 -0
package/dist/analysis/constant-propagation/types.d.ts +63 -0
package/dist/analysis/constant-propagation/types.js +5 -0
package/dist/analysis/constant-propagation/types.js.map +1 -0
package/dist/analysis/constant-propagation.d.ts +9 -0
package/dist/analysis/constant-propagation.js +18 -0
package/dist/analysis/constant-propagation.js.map +1 -0
package/dist/analysis/dependency-scanner.d.ts +79 -0
package/dist/analysis/dependency-scanner.js +122 -0
package/dist/analysis/dependency-scanner.js.map +1 -0
package/dist/analysis/dfg-verifier.d.ts +116 -0
package/dist/analysis/dfg-verifier.js +399 -0
package/dist/analysis/dfg-verifier.js.map +1 -0
package/dist/analysis/findings.d.ts +11 -0
package/dist/analysis/findings.js +228 -0
package/dist/analysis/findings.js.map +1 -0
package/dist/analysis/index.d.ts +16 -0
package/dist/analysis/index.js +18 -0
package/dist/analysis/index.js.map +1 -0
package/dist/analysis/interprocedural.d.ts +99 -0
package/dist/analysis/interprocedural.js +526 -0
package/dist/analysis/interprocedural.js.map +1 -0
package/dist/analysis/path-finder.d.ts +133 -0
package/dist/analysis/path-finder.js +354 -0
package/dist/analysis/path-finder.js.map +1 -0
package/dist/analysis/rules.d.ts +75 -0
package/dist/analysis/rules.js +332 -0
package/dist/analysis/rules.js.map +1 -0
package/dist/analysis/semver.d.ts +27 -0
package/dist/analysis/semver.js +127 -0
package/dist/analysis/semver.js.map +1 -0
package/dist/analysis/taint-matcher.d.ts +15 -0
package/dist/analysis/taint-matcher.js +634 -0
package/dist/analysis/taint-matcher.js.map +1 -0
package/dist/analysis/taint-propagation.d.ts +67 -0
package/dist/analysis/taint-propagation.js +298 -0
package/dist/analysis/taint-propagation.js.map +1 -0
package/dist/analysis/unresolved.d.ts +14 -0
package/dist/analysis/unresolved.js +202 -0
package/dist/analysis/unresolved.js.map +1 -0
package/dist/analyzer.d.ts +43 -0
package/dist/analyzer.js +1010 -0
package/dist/analyzer.js.map +1 -0
package/dist/browser/circle-ir.js +16576 -0
package/dist/browser.d.ts +38 -0
package/dist/browser.js +38 -0
package/dist/browser.js.map +1 -0
package/dist/core/circle-ir-core.cjs +13626 -0
package/dist/core/circle-ir-core.d.ts +59 -0
package/dist/core/circle-ir-core.js +13591 -0
package/dist/core/extractors/calls.d.ts +13 -0
package/dist/core/extractors/calls.js +1429 -0
package/dist/core/extractors/calls.js.map +1 -0
package/dist/core/extractors/cfg.d.ts +9 -0
package/dist/core/extractors/cfg.js +519 -0
package/dist/core/extractors/cfg.js.map +1 -0
package/dist/core/extractors/dfg.d.ts +12 -0
package/dist/core/extractors/dfg.js +1081 -0
package/dist/core/extractors/dfg.js.map +1 -0
package/dist/core/extractors/exports.d.ts +14 -0
package/dist/core/extractors/exports.js +80 -0
package/dist/core/extractors/exports.js.map +1 -0
package/dist/core/extractors/imports.d.ts +9 -0
package/dist/core/extractors/imports.js +739 -0
package/dist/core/extractors/imports.js.map +1 -0
package/dist/core/extractors/index.d.ts +10 -0
package/dist/core/extractors/index.js +11 -0
package/dist/core/extractors/index.js.map +1 -0
package/dist/core/extractors/meta.d.ts +10 -0
package/dist/core/extractors/meta.js +109 -0
package/dist/core/extractors/meta.js.map +1 -0
package/dist/core/extractors/types.d.ts +10 -0
package/dist/core/extractors/types.js +1479 -0
package/dist/core/extractors/types.js.map +1 -0
package/dist/core/index.d.ts +5 -0
package/dist/core/index.js +8 -0
package/dist/core/index.js.map +1 -0
package/dist/core/parser.d.ts +84 -0
package/dist/core/parser.js +250 -0
package/dist/core/parser.js.map +1 -0
package/dist/core-lib.d.ts +59 -0
package/dist/core-lib.js +62 -0
package/dist/core-lib.js.map +1 -0
package/dist/index.d.ts +15 -0
package/dist/index.js +20 -0
package/dist/index.js.map +1 -0
package/dist/languages/index.d.ts +11 -0
package/dist/languages/index.js +14 -0
package/dist/languages/index.js.map +1 -0
package/dist/languages/plugins/base.d.ts +44 -0
package/dist/languages/plugins/base.js +82 -0
package/dist/languages/plugins/base.js.map +1 -0
package/dist/languages/plugins/index.d.ts +14 -0
package/dist/languages/plugins/index.js +25 -0
package/dist/languages/plugins/index.js.map +1 -0
package/dist/languages/plugins/java.d.ts +49 -0
package/dist/languages/plugins/java.js +402 -0
package/dist/languages/plugins/java.js.map +1 -0
package/dist/languages/plugins/javascript.d.ts +48 -0
package/dist/languages/plugins/javascript.js +445 -0
package/dist/languages/plugins/javascript.js.map +1 -0
package/dist/languages/plugins/python.d.ts +47 -0
package/dist/languages/plugins/python.js +480 -0
package/dist/languages/plugins/python.js.map +1 -0
package/dist/languages/plugins/rust.d.ts +47 -0
package/dist/languages/plugins/rust.js +405 -0
package/dist/languages/plugins/rust.js.map +1 -0
package/dist/languages/registry.d.ts +30 -0
package/dist/languages/registry.js +80 -0
package/dist/languages/registry.js.map +1 -0
package/dist/languages/types.d.ts +184 -0
package/dist/languages/types.js +8 -0
package/dist/languages/types.js.map +1 -0
package/dist/resolution/cross-file.d.ts +146 -0
package/dist/resolution/cross-file.js +439 -0
package/dist/resolution/cross-file.js.map +1 -0
package/dist/resolution/index.d.ts +12 -0
package/dist/resolution/index.js +10 -0
package/dist/resolution/index.js.map +1 -0
package/dist/resolution/symbol-table.d.ts +136 -0
package/dist/resolution/symbol-table.js +336 -0
package/dist/resolution/symbol-table.js.map +1 -0
package/dist/resolution/type-hierarchy.d.ts +124 -0
package/dist/resolution/type-hierarchy.js +515 -0
package/dist/resolution/type-hierarchy.js.map +1 -0
package/dist/types/config.d.ts +45 -0
package/dist/types/config.js +5 -0
package/dist/types/config.js.map +1 -0
package/dist/types/index.d.ts +392 -0
package/dist/types/index.js +7 -0
package/dist/types/index.js.map +1 -0
package/dist/utils/logger.d.ts +85 -0
package/dist/utils/logger.js +198 -0
package/dist/utils/logger.js.map +1 -0
package/dist/wasm/tree-sitter-java.wasm +0 -0
package/dist/wasm/tree-sitter-javascript.wasm +0 -0
package/dist/wasm/tree-sitter-python.wasm +0 -0
package/dist/wasm/tree-sitter-rust.wasm +0 -0
package/dist/wasm/web-tree-sitter.wasm +0 -0
package/docs/SPEC.md +1021 -0
package/examples/browser-example.html +610 -0
package/examples/node-example.ts +215 -0
package/package.json +107 -0
package/wasm/tree-sitter-java.wasm +0 -0
package/wasm/tree-sitter-javascript.wasm +0 -0
package/wasm/tree-sitter-python.wasm +0 -0
package/wasm/tree-sitter-rust.wasm +0 -0

package/dist/analysis/rules.js ADDED Viewed

@@ -0,0 +1,332 @@
+/**
+ * Centralized Security Rule Definitions
+ *
+ * Single source of truth for vulnerability types, severity levels,
+ * descriptions, and remediation advice used across the codebase.
+ */
+// =============================================================================
+// Sink Categories
+// =============================================================================
+/** Sinks that warrant critical severity when exploitable. */
+export const CRITICAL_SINKS = [
+    'sql_injection',
+    'command_injection',
+    'deserialization',
+    'code_injection',
+];
+/** Sinks that warrant high severity. */
+export const HIGH_SINKS = [
+    'xss',
+    'path_traversal',
+    'xxe',
+    'ssrf',
+    'ldap_injection',
+    'xpath_injection',
+];
+/** Source types that represent direct HTTP user input. */
+export const HIGH_SEVERITY_SOURCES = [
+    'http_param',
+    'http_body',
+    'http_header',
+];
+/**
+ * Complete rule definitions for all supported vulnerability types.
+ */
+export const RULE_DEFINITIONS = {
+    sql_injection: {
+        name: 'SQL Injection',
+        shortDescription: 'User input used in SQL query without sanitization',
+        fullDescription: 'The application constructs SQL queries using user-controlled input without proper sanitization or parameterization, allowing attackers to manipulate database queries.',
+        remediation: 'Use parameterized queries or prepared statements. Never concatenate user input directly into SQL strings.',
+        cvssScore: '9.8',
+        severityLevel: 'critical',
+        cwe: 'CWE-89',
+    },
+    nosql_injection: {
+        name: 'NoSQL Injection',
+        shortDescription: 'User input used in NoSQL query without sanitization',
+        fullDescription: 'The application constructs NoSQL queries using user-controlled input, allowing attackers to manipulate database queries in MongoDB, CouchDB, or similar databases.',
+        remediation: 'Validate and sanitize user input. Use parameterized queries. Avoid using $where with user input.',
+        cvssScore: '9.8',
+        severityLevel: 'critical',
+        cwe: 'CWE-943',
+    },
+    command_injection: {
+        name: 'Command Injection',
+        shortDescription: 'User input used in system command without sanitization',
+        fullDescription: 'The application executes system commands using user-controlled input, allowing attackers to execute arbitrary commands on the server.',
+        remediation: 'Avoid executing system commands with user input. If necessary, use strict input validation and avoid shell interpreters.',
+        cvssScore: '9.8',
+        severityLevel: 'critical',
+        cwe: 'CWE-78',
+    },
+    xss: {
+        name: 'Cross-Site Scripting (XSS)',
+        shortDescription: 'User input rendered in HTML without encoding',
+        fullDescription: 'The application includes user-controlled input in HTML output without proper encoding, allowing attackers to inject malicious scripts.',
+        remediation: 'Encode all user input before rendering in HTML. Use context-appropriate encoding (HTML, JavaScript, URL, CSS).',
+        cvssScore: '6.1',
+        severityLevel: 'medium',
+        cwe: 'CWE-79',
+    },
+    path_traversal: {
+        name: 'Path Traversal',
+        shortDescription: 'User input used in file path without validation',
+        fullDescription: 'The application uses user-controlled input to construct file paths, allowing attackers to access files outside the intended directory.',
+        remediation: 'Validate and sanitize file paths. Use allowlists for permitted directories. Resolve and verify canonical paths.',
+        cvssScore: '7.5',
+        severityLevel: 'high',
+        cwe: 'CWE-22',
+    },
+    deserialization: {
+        name: 'Unsafe Deserialization',
+        shortDescription: 'Untrusted data deserialized without validation',
+        fullDescription: 'The application deserializes data from untrusted sources, potentially allowing attackers to execute arbitrary code.',
+        remediation: 'Avoid deserializing untrusted data. Use safe serialization formats like JSON. Implement integrity checks.',
+        cvssScore: '9.8',
+        severityLevel: 'critical',
+        cwe: 'CWE-502',
+    },
+    xxe: {
+        name: 'XML External Entity (XXE)',
+        shortDescription: 'XML parser processes external entities from untrusted input',
+        fullDescription: 'The application parses XML with external entity processing enabled, allowing attackers to read local files or make server-side requests.',
+        remediation: 'Disable external entity processing in XML parsers. Use less complex data formats when possible.',
+        cvssScore: '7.5',
+        severityLevel: 'high',
+        cwe: 'CWE-611',
+    },
+    ldap_injection: {
+        name: 'LDAP Injection',
+        shortDescription: 'User input used in LDAP query without sanitization',
+        fullDescription: 'The application constructs LDAP queries using user-controlled input without proper sanitization.',
+        remediation: 'Use parameterized LDAP queries. Escape special characters in user input.',
+        cvssScore: '8.1',
+        severityLevel: 'high',
+        cwe: 'CWE-90',
+    },
+    xpath_injection: {
+        name: 'XPath Injection',
+        shortDescription: 'User input used in XPath query without sanitization',
+        fullDescription: 'The application constructs XPath queries using user-controlled input without proper sanitization.',
+        remediation: 'Use parameterized XPath queries. Compile expressions with variables instead of concatenation.',
+        cvssScore: '7.5',
+        severityLevel: 'high',
+        cwe: 'CWE-643',
+    },
+    ssrf: {
+        name: 'Server-Side Request Forgery (SSRF)',
+        shortDescription: 'User input used in server-side URL request',
+        fullDescription: 'The application makes HTTP requests to URLs controlled by user input, allowing attackers to access internal services.',
+        remediation: 'Validate and allowlist URLs. Block private IP ranges and internal hostnames.',
+        cvssScore: '8.6',
+        severityLevel: 'high',
+        cwe: 'CWE-918',
+    },
+    open_redirect: {
+        name: 'Open Redirect',
+        shortDescription: 'User input used in redirect URL',
+        fullDescription: 'The application redirects to URLs controlled by user input, allowing attackers to redirect users to malicious sites.',
+        remediation: 'Validate redirect URLs against an allowlist. Use relative URLs or validate the host component.',
+        cvssScore: '6.1',
+        severityLevel: 'medium',
+        cwe: 'CWE-601',
+    },
+    log_injection: {
+        name: 'Log Injection',
+        shortDescription: 'User input written to logs without sanitization',
+        fullDescription: 'The application writes user-controlled input directly to logs without sanitization, allowing attackers to forge log entries or inject malicious content.',
+        remediation: 'Sanitize log messages by removing or escaping newlines and control characters.',
+        cvssScore: '5.3',
+        severityLevel: 'low',
+        cwe: 'CWE-117',
+    },
+    code_injection: {
+        name: 'Code Injection',
+        shortDescription: 'User input executed as code',
+        fullDescription: 'The application evaluates user-controlled input as code, allowing attackers to execute arbitrary code.',
+        remediation: 'Avoid dynamic code evaluation. If necessary, use strict sandboxing and input validation.',
+        cvssScore: '9.8',
+        severityLevel: 'critical',
+        cwe: 'CWE-94',
+    },
+    weak_random: {
+        name: 'Weak Random Number Generator',
+        shortDescription: 'Cryptographically weak random number generator used',
+        fullDescription: 'The application uses a weak random number generator for security-sensitive operations.',
+        remediation: 'Use java.security.SecureRandom instead of java.util.Random for security-sensitive operations.',
+        cvssScore: '5.3',
+        severityLevel: 'medium',
+        cwe: 'CWE-330',
+    },
+    weak_hash: {
+        name: 'Weak Hash Algorithm',
+        shortDescription: 'Cryptographically weak hash algorithm used',
+        fullDescription: 'The application uses a weak hash algorithm (MD5, SHA-1) for security-sensitive operations.',
+        remediation: 'Use strong hash algorithms like SHA-256 or SHA-3. Avoid MD5 and SHA-1.',
+        cvssScore: '5.3',
+        severityLevel: 'medium',
+        cwe: 'CWE-328',
+    },
+    weak_crypto: {
+        name: 'Weak Cipher Algorithm',
+        shortDescription: 'Cryptographically weak encryption algorithm used',
+        fullDescription: 'The application uses a weak encryption algorithm that may be vulnerable to attacks.',
+        remediation: 'Use strong encryption algorithms like AES. Avoid DES, 3DES, RC4, and Blowfish.',
+        cvssScore: '5.3',
+        severityLevel: 'medium',
+        cwe: 'CWE-327',
+    },
+    insecure_cookie: {
+        name: 'Insecure Cookie',
+        shortDescription: 'Cookie set without security flags',
+        fullDescription: 'The application sets cookies without Secure, HttpOnly, or SameSite flags.',
+        remediation: 'Set Secure and HttpOnly flags on cookies. Use SameSite attribute.',
+        cvssScore: '4.3',
+        severityLevel: 'low',
+        cwe: 'CWE-614',
+    },
+    trust_boundary: {
+        name: 'Trust Boundary Violation',
+        shortDescription: 'Untrusted data crosses trust boundary',
+        fullDescription: 'The application stores untrusted user input in a trusted context (e.g., session).',
+        remediation: 'Validate and sanitize data before storing in session. Do not trust user input.',
+        cvssScore: '5.3',
+        severityLevel: 'medium',
+        cwe: 'CWE-501',
+    },
+    external_taint_escape: {
+        name: 'Tainted Data Passed to External Method',
+        shortDescription: 'User-controlled data passed to external method call',
+        fullDescription: 'The application passes user-controlled data to an external method that cannot be analyzed. This may result in security vulnerabilities if the external method does not properly sanitize the data.',
+        remediation: 'Sanitize user input before passing to external methods. Review external method documentation for security requirements.',
+        cvssScore: '5.0',
+        severityLevel: 'medium',
+        cwe: 'CWE-668',
+    },
+};
+// =============================================================================
+// Lookup Functions
+// =============================================================================
+/**
+ * Get complete rule information for a sink type.
+ */
+export function getRuleInfo(sinkType) {
+    const rule = RULE_DEFINITIONS[sinkType];
+    if (rule) {
+        return rule;
+    }
+    // Fallback for unknown types
+    return {
+        name: sinkType,
+        shortDescription: `Potential security issue: ${sinkType}`,
+        fullDescription: `The application may be vulnerable to ${sinkType} attacks.`,
+        remediation: 'Review and sanitize user input before use.',
+        cvssScore: '5.0',
+        severityLevel: 'medium',
+        cwe: 'CWE-20',
+    };
+}
+/**
+ * Get remediation advice for a sink type.
+ */
+export function getRemediation(sinkType) {
+    return getRuleInfo(sinkType).remediation;
+}
+/**
+ * Get severity level for a sink type.
+ */
+export function getSeverityLevel(sinkType) {
+    return getRuleInfo(sinkType).severityLevel;
+}
+/**
+ * Get CWE identifier for a sink type.
+ */
+export function getCwe(sinkType) {
+    return getRuleInfo(sinkType).cwe;
+}
+/**
+ * Check if a sink type is critical severity.
+ */
+export function isCriticalSink(sinkType) {
+    return CRITICAL_SINKS.includes(sinkType);
+}
+/**
+ * Check if a sink type is high severity.
+ */
+export function isHighSink(sinkType) {
+    return HIGH_SINKS.includes(sinkType);
+}
+// =============================================================================
+// Source Descriptions
+// =============================================================================
+const SOURCE_DESCRIPTIONS = {
+    http_param: 'User-controlled HTTP parameter',
+    http_body: 'User-controlled request body',
+    http_header: 'User-controlled HTTP header',
+    http_cookie: 'User-controlled cookie value',
+    http_path: 'User-controlled URL path',
+    http_query: 'User-controlled query string',
+    io_input: 'External file/console input',
+    env_input: 'Environment variable',
+    db_input: 'Database-sourced data',
+    file_input: 'File content',
+    network_input: 'Network input',
+    config_param: 'Servlet configuration parameter',
+};
+/**
+ * Get human-readable description for a source type.
+ */
+export function getSourceDescription(sourceType) {
+    return SOURCE_DESCRIPTIONS[sourceType] ?? 'Tainted data';
+}
+/**
+ * Get human-readable description for a sink type.
+ */
+export function getSinkDescription(sinkType) {
+    const rule = RULE_DEFINITIONS[sinkType];
+    if (rule) {
+        // Convert name to lowercase description
+        return rule.name.toLowerCase();
+    }
+    return 'dangerous operation';
+}
+/**
+ * Calculate severity based on source, sink, and path information.
+ */
+export function calculateSeverity(context) {
+    const { sourceType, sinkType, pathExists, confidence = 0.5 } = context;
+    const isCritical = isCriticalSink(sinkType);
+    const isHigh = isHighSink(sinkType);
+    const isHttpSource = sourceType ? HIGH_SEVERITY_SOURCES.includes(sourceType) : false;
+    // Critical: Direct path from HTTP to critical sink
+    if (pathExists && isCritical && isHttpSource) {
+        return 'critical';
+    }
+    // Critical: High confidence path to critical sink
+    if (pathExists && isCritical && confidence > 0.8) {
+        return 'critical';
+    }
+    // High: HTTP source to critical sink (even without confirmed path)
+    if (isHttpSource && isCritical) {
+        return 'high';
+    }
+    // High: Confirmed path to critical sink
+    if (pathExists && isCritical) {
+        return 'high';
+    }
+    // High: High confidence path to high-severity sink
+    if (pathExists && isHigh && confidence > 0.8) {
+        return 'high';
+    }
+    // Medium: Path exists but not critical
+    if (pathExists) {
+        return 'medium';
+    }
+    // Medium: Proximity to critical/high sink
+    if (isCritical || isHigh) {
+        return 'medium';
+    }
+    return 'low';
+}
+//# sourceMappingURL=rules.js.map

package/dist/analysis/rules.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rules.js","sourceRoot":"","sources":["../../src/analysis/rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF,6DAA6D;AAC7D,MAAM,CAAC,MAAM,cAAc,GAAe;IACxC,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,gBAAgB;CACjB,CAAC;AAEF,wCAAwC;AACxC,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,KAAK;IACL,gBAAgB;IAChB,KAAK;IACL,MAAM;IACN,gBAAgB;IAChB,iBAAiB;CAClB,CAAC;AAEF,0DAA0D;AAC1D,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,YAAY;IACZ,WAAW;IACX,aAAa;CACd,CAAC;AAuBF;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA+B;IAC1D,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,mDAAmD;QACrE,eAAe,EAAE,wKAAwK;QACzL,WAAW,EAAE,2GAA2G;QACxH,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,oKAAoK;QACrL,WAAW,EAAE,kGAAkG;QAC/G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,SAAS;KACf;IACD,iBAAiB,EAAE;QACjB,IAAI,EAAE,mBAAmB;QACzB,gBAAgB,EAAE,wDAAwD;QAC1E,eAAe,EAAE,uIAAuI;QACxJ,WAAW,EAAE,0HAA0H;QACvI,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,GAAG,EAAE;QACH,IAAI,EAAE,4BAA4B;QAClC,gBAAgB,EAAE,8CAA8C;QAChE,eAAe,EAAE,wIAAwI;QACzJ,WAAW,EAAE,gHAAgH;QAC7H,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,iDAAiD;QACnE,eAAe,EAAE,wIAAwI;QACzJ,WAAW,EAAE,iHAAiH;QAC9H,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,wBAAwB;QAC9B,gBAAgB,EAAE,gDAAgD;QAClE,eAAe,EAAE,qHAAqH;QACtI,WAAW,EAAE,2GAA2G;QACxH,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,SAAS;KACf;IACD,GAAG,EAAE;QACH,IAAI,EAAE,2BAA2B;QACjC,gBAAgB,EAAE,6DAA6D;QAC/E,eAAe,EAAE,0IAA0I;QAC3J,WAAW,EAAE,iGAAiG;QAC9G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,oDAAoD;QACtE,eAAe,EAAE,kGAAkG;QACnH,WAAW,EAAE,0EAA0E;QACvF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,mGAAmG;QACpH,WAAW,EAAE,+FAA+F;QAC5G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,IAAI,EAAE;QACJ,IAAI,EAAE,oCAAoC;QAC1C,gBAAgB,EAAE,4CAA4C;QAC9D,eAAe,EAAE,uHAAuH;QACxI,WAAW,EAAE,8EAA8E;QAC3F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,iCAAiC;QACnD,eAAe,EAAE,sHAAsH;QACvI,WAAW,EAAE,gGAAgG;QAC7G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,iDAAiD;QACnE,eAAe,EAAE,0JAA0J;QAC3K,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,KAAK;QACpB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,6BAA6B;QAC/C,eAAe,EAAE,wGAAwG;QACzH,WAAW,EAAE,0FAA0F;QACvG,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,WAAW,EAAE;QACX,IAAI,EAAE,8BAA8B;QACpC,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,wFAAwF;QACzG,WAAW,EAAE,+FAA+F;QAC5G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,SAAS,EAAE;QACT,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,4CAA4C;QAC9D,eAAe,EAAE,4FAA4F;QAC7G,WAAW,EAAE,wEAAwE;QACrF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,WAAW,EAAE;QACX,IAAI,EAAE,uBAAuB;QAC7B,gBAAgB,EAAE,kDAAkD;QACpE,eAAe,EAAE,qFAAqF;QACtG,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,mCAAmC;QACrD,eAAe,EAAE,2EAA2E;QAC5F,WAAW,EAAE,mEAAmE;QAChF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,KAAK;QACpB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,0BAA0B;QAChC,gBAAgB,EAAE,uCAAuC;QACzD,eAAe,EAAE,mFAAmF;QACpG,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,qBAAqB,EAAE;QACrB,IAAI,EAAE,wCAAwC;QAC9C,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,oMAAoM;QACrN,WAAW,EAAE,yHAAyH;QACtI,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;CACF,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,QAA2B;IACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAoB,CAAC,CAAC;IACpD,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6BAA6B;IAC7B,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,gBAAgB,EAAE,6BAA6B,QAAQ,EAAE;QACzD,eAAe,EAAE,wCAAwC,QAAQ,WAAW;QAC5E,WAAW,EAAE,4CAA4C;QACzD,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAA2B;IAC1D,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,aAAa,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,QAA2B;IAChD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,cAAc,CAAC,QAAQ,CAAC,QAAoB,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,QAA2B;IACpD,OAAO,UAAU,CAAC,QAAQ,CAAC,QAAoB,CAAC,CAAC;AACnD,CAAC;AAED,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAM,mBAAmB,GAA2B;IAClD,UAAU,EAAE,gCAAgC;IAC5C,SAAS,EAAE,8BAA8B;IACzC,WAAW,EAAE,6BAA6B;IAC1C,WAAW,EAAE,8BAA8B;IAC3C,SAAS,EAAE,0BAA0B;IACrC,UAAU,EAAE,8BAA8B;IAC1C,QAAQ,EAAE,6BAA6B;IACvC,SAAS,EAAE,sBAAsB;IACjC,QAAQ,EAAE,uBAAuB;IACjC,UAAU,EAAE,cAAc;IAC1B,aAAa,EAAE,eAAe;IAC9B,YAAY,EAAE,iCAAiC;CAChD,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IACrD,OAAO,mBAAmB,CAAC,UAAU,CAAC,IAAI,cAAc,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA2B;IAC5D,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAoB,CAAC,CAAC;IACpD,IAAI,IAAI,EAAE,CAAC;QACT,wCAAwC;QACxC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAaD;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAwB;IACxD,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC;IAEvE,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,YAAY,GAAG,UAAU,CAAC,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAErF,mDAAmD;IACnD,IAAI,UAAU,IAAI,UAAU,IAAI,YAAY,EAAE,CAAC;QAC7C,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,kDAAkD;IAClD,IAAI,UAAU,IAAI,UAAU,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QACjD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,mEAAmE;IACnE,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wCAAwC;IACxC,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;QAC7B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mDAAmD;IACnD,IAAI,UAAU,IAAI,MAAM,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QAC7C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,uCAAuC;IACvC,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,IAAI,MAAM,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/analysis/semver.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * Semver version matching for RustSec advisory version constraints
+ * Supports: "1.0.0", "^1.0.0", ">=1.0.0", "<2.0.0", etc.
+ */
+export interface ParsedVersion {
+    major: number;
+    minor: number;
+    patch: number;
+    prerelease?: string;
+}
+/**
+ * Parse a version string into components
+ */
+export declare function parseVersion(version: string): ParsedVersion;
+/**
+ * Compare two versions
+ * Returns: -1 if a < b, 0 if a == b, 1 if a > b
+ */
+export declare function compareVersions(a: string, b: string): number;
+/**
+ * Check if a version satisfies a semver specification
+ */
+export declare function semverSatisfies(version: string, spec: string): boolean;
+/**
+ * Check if a version is in a vulnerable range based on patched/unaffected specs
+ */
+export declare function isVersionVulnerable(version: string, patched?: string[], unaffected?: string[]): boolean;

package/dist/analysis/semver.js ADDED Viewed

@@ -0,0 +1,127 @@
+/**
+ * Semver version matching for RustSec advisory version constraints
+ * Supports: "1.0.0", "^1.0.0", ">=1.0.0", "<2.0.0", etc.
+ */
+/**
+ * Parse a version string into components
+ */
+export function parseVersion(version) {
+    // Remove leading 'v' if present
+    const v = version.replace(/^v/, '').trim();
+    // Handle prerelease versions
+    const [mainPart, prerelease] = v.split('-');
+    const parts = mainPart.split('.');
+    return {
+        major: parseInt(parts[0] ?? '0', 10) || 0,
+        minor: parseInt(parts[1] ?? '0', 10) || 0,
+        patch: parseInt(parts[2] ?? '0', 10) || 0,
+        prerelease,
+    };
+}
+/**
+ * Compare two versions
+ * Returns: -1 if a < b, 0 if a == b, 1 if a > b
+ */
+export function compareVersions(a, b) {
+    const va = parseVersion(a);
+    const vb = parseVersion(b);
+    if (va.major !== vb.major)
+        return va.major < vb.major ? -1 : 1;
+    if (va.minor !== vb.minor)
+        return va.minor < vb.minor ? -1 : 1;
+    if (va.patch !== vb.patch)
+        return va.patch < vb.patch ? -1 : 1;
+    // Prerelease versions are lower than release
+    if (va.prerelease && !vb.prerelease)
+        return -1;
+    if (!va.prerelease && vb.prerelease)
+        return 1;
+    if (va.prerelease && vb.prerelease) {
+        return va.prerelease.localeCompare(vb.prerelease);
+    }
+    return 0;
+}
+/**
+ * Check if a version satisfies a semver specification
+ */
+export function semverSatisfies(version, spec) {
+    const trimmedSpec = spec.trim();
+    // Handle caret range: ^1.2.3 means >=1.2.3 and <2.0.0
+    if (trimmedSpec.startsWith('^')) {
+        const specParts = parseVersion(trimmedSpec.slice(1));
+        const vParts = parseVersion(version);
+        // Major must match (or be higher minor/patch)
+        if (vParts.major !== specParts.major)
+            return false;
+        if (vParts.minor < specParts.minor)
+            return false;
+        if (vParts.minor === specParts.minor && vParts.patch < specParts.patch)
+            return false;
+        return true;
+    }
+    // Handle tilde range: ~1.2.3 means >=1.2.3 and <1.3.0
+    if (trimmedSpec.startsWith('~')) {
+        const specParts = parseVersion(trimmedSpec.slice(1));
+        const vParts = parseVersion(version);
+        if (vParts.major !== specParts.major)
+            return false;
+        if (vParts.minor !== specParts.minor)
+            return false;
+        return vParts.patch >= specParts.patch;
+    }
+    // Handle >= comparison
+    if (trimmedSpec.startsWith('>=')) {
+        return compareVersions(version, trimmedSpec.slice(2).trim()) >= 0;
+    }
+    // Handle > comparison
+    if (trimmedSpec.startsWith('>') && !trimmedSpec.startsWith('>=')) {
+        return compareVersions(version, trimmedSpec.slice(1).trim()) > 0;
+    }
+    // Handle <= comparison
+    if (trimmedSpec.startsWith('<=')) {
+        return compareVersions(version, trimmedSpec.slice(2).trim()) <= 0;
+    }
+    // Handle < comparison
+    if (trimmedSpec.startsWith('<') && !trimmedSpec.startsWith('<=')) {
+        return compareVersions(version, trimmedSpec.slice(1).trim()) < 0;
+    }
+    // Handle = comparison (explicit)
+    if (trimmedSpec.startsWith('=')) {
+        return compareVersions(version, trimmedSpec.slice(1).trim()) === 0;
+    }
+    // Handle range: "1.0.0 - 2.0.0"
+    if (trimmedSpec.includes(' - ')) {
+        const [min, max] = trimmedSpec.split(' - ').map((s) => s.trim());
+        return (compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0);
+    }
+    // Handle wildcard: "*" or "x"
+    if (trimmedSpec === '*' || trimmedSpec === 'x') {
+        return true;
+    }
+    // Exact match
+    return compareVersions(version, trimmedSpec) === 0;
+}
+/**
+ * Check if a version is in a vulnerable range based on patched/unaffected specs
+ */
+export function isVersionVulnerable(version, patched, unaffected) {
+    // Check if version is unaffected
+    if (unaffected) {
+        for (const spec of unaffected) {
+            if (semverSatisfies(version, spec)) {
+                return false; // Not vulnerable - in unaffected range
+            }
+        }
+    }
+    // Check if version is patched
+    if (patched) {
+        for (const spec of patched) {
+            if (semverSatisfies(version, spec)) {
+                return false; // Not vulnerable - patched version
+            }
+        }
+    }
+    // If not in unaffected or patched ranges, it's vulnerable
+    return true;
+}
+//# sourceMappingURL=semver.js.map

package/dist/analysis/semver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"semver.js","sourceRoot":"","sources":["../../src/analysis/semver.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,gCAAgC;IAChC,MAAM,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAE3C,6BAA6B;IAC7B,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAElC,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC;QACzC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC;QACzC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC;QACzC,UAAU;KACX,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,CAAS,EAAE,CAAS;IAClD,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAE3B,IAAI,EAAE,CAAC,KAAK,KAAK,EAAE,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,IAAI,EAAE,CAAC,KAAK,KAAK,EAAE,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,IAAI,EAAE,CAAC,KAAK,KAAK,EAAE,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE/D,6CAA6C;IAC7C,IAAI,EAAE,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC,UAAU;QAAE,OAAO,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,UAAU;QAAE,OAAO,CAAC,CAAC;IAC9C,IAAI,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;QACnC,OAAO,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC;IACpD,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,IAAY;IAC3D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAEhC,sDAAsD;IACtD,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAErC,8CAA8C;QAC9C,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACnD,IAAI,MAAM,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACjD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK;YACpE,OAAO,KAAK,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sDAAsD;IACtD,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAErC,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACnD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACnD,OAAO,MAAM,CAAC,KAAK,IAAI,SAAS,CAAC,KAAK,CAAC;IACzC,CAAC;IAED,uBAAuB;IACvB,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACjC,OAAO,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC;IACpE,CAAC;IAED,sBAAsB;IACtB,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACjE,OAAO,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,uBAAuB;IACvB,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACjC,OAAO,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC;IACpE,CAAC;IAED,sBAAsB;IACtB,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACjE,OAAO,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,iCAAiC;IACjC,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC;IACrE,CAAC;IAED,gCAAgC;IAChC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACjE,OAAO,CACL,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,CACzE,CAAC;IACJ,CAAC;IAED,8BAA8B;IAC9B,IAAI,WAAW,KAAK,GAAG,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,cAAc;IACd,OAAO,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAe,EACf,OAAkB,EAClB,UAAqB;IAErB,iCAAiC;IACjC,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;gBACnC,OAAO,KAAK,CAAC,CAAC,uCAAuC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;gBACnC,OAAO,KAAK,CAAC,CAAC,mCAAmC;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/analysis/taint-matcher.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Taint source/sink matcher
+ *
+ * Matches method calls and annotations against taint configurations.
+ */
+import type { CallInfo, TypeInfo, Taint } from '../types/index.js';
+import type { TaintConfig, SinkPattern } from '../types/config.js';
+/**
+ * Analyze code for taint sources, sinks, and sanitizers.
+ */
+export declare function analyzeTaint(calls: CallInfo[], types: TypeInfo[], config?: TaintConfig): Taint;
+/**
+ * Check if a variable at a given position flows to a dangerous sink argument.
+ */
+export declare function isInDangerousPosition(argPosition: number, pattern: SinkPattern): boolean;