npm - circle-ir - Versions diffs - 3.1.0 - Mend

circle-ir 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (194) hide show

package/LICENSE +15 -0
package/README.md +200 -0
package/configs/sinks/code_injection.yaml +672 -0
package/configs/sinks/command.yaml +917 -0
package/configs/sinks/deserialization.yaml +105 -0
package/configs/sinks/ldap.yaml +136 -0
package/configs/sinks/nodejs.json +629 -0
package/configs/sinks/path.yaml +715 -0
package/configs/sinks/python.json +501 -0
package/configs/sinks/rust.json +339 -0
package/configs/sinks/sql.yaml +233 -0
package/configs/sinks/ssrf.yaml +160 -0
package/configs/sinks/xpath.yaml +121 -0
package/configs/sinks/xss.yaml +727 -0
package/configs/sources/db_sources.yaml +90 -0
package/configs/sources/env_sources.yaml +94 -0
package/configs/sources/express.json +197 -0
package/configs/sources/file_sources.yaml +164 -0
package/configs/sources/http_sources.yaml +379 -0
package/configs/sources/io_sources.yaml +519 -0
package/configs/sources/network_sources.yaml +99 -0
package/configs/sources/python.json +230 -0
package/configs/sources/rust.json +286 -0
package/configs/sources/spring.yaml +70 -0
package/dist/analysis/advisory-db.d.ts +86 -0
package/dist/analysis/advisory-db.js +104 -0
package/dist/analysis/advisory-db.js.map +1 -0
package/dist/analysis/cargo-parser.d.ts +42 -0
package/dist/analysis/cargo-parser.js +102 -0
package/dist/analysis/cargo-parser.js.map +1 -0
package/dist/analysis/config-loader.d.ts +37 -0
package/dist/analysis/config-loader.js +1561 -0
package/dist/analysis/config-loader.js.map +1 -0
package/dist/analysis/constant-propagation/ast-utils.d.ts +25 -0
package/dist/analysis/constant-propagation/ast-utils.js +34 -0
package/dist/analysis/constant-propagation/ast-utils.js.map +1 -0
package/dist/analysis/constant-propagation/evaluator.d.ts +32 -0
package/dist/analysis/constant-propagation/evaluator.js +296 -0
package/dist/analysis/constant-propagation/evaluator.js.map +1 -0
package/dist/analysis/constant-propagation/index.d.ts +62 -0
package/dist/analysis/constant-propagation/index.js +152 -0
package/dist/analysis/constant-propagation/index.js.map +1 -0
package/dist/analysis/constant-propagation/patterns.d.ts +8 -0
package/dist/analysis/constant-propagation/patterns.js +126 -0
package/dist/analysis/constant-propagation/patterns.js.map +1 -0
package/dist/analysis/constant-propagation/propagator.d.ts +180 -0
package/dist/analysis/constant-propagation/propagator.js +1985 -0
package/dist/analysis/constant-propagation/propagator.js.map +1 -0
package/dist/analysis/constant-propagation/types.d.ts +63 -0
package/dist/analysis/constant-propagation/types.js +5 -0
package/dist/analysis/constant-propagation/types.js.map +1 -0
package/dist/analysis/constant-propagation.d.ts +9 -0
package/dist/analysis/constant-propagation.js +18 -0
package/dist/analysis/constant-propagation.js.map +1 -0
package/dist/analysis/dependency-scanner.d.ts +79 -0
package/dist/analysis/dependency-scanner.js +122 -0
package/dist/analysis/dependency-scanner.js.map +1 -0
package/dist/analysis/dfg-verifier.d.ts +116 -0
package/dist/analysis/dfg-verifier.js +399 -0
package/dist/analysis/dfg-verifier.js.map +1 -0
package/dist/analysis/findings.d.ts +11 -0
package/dist/analysis/findings.js +228 -0
package/dist/analysis/findings.js.map +1 -0
package/dist/analysis/index.d.ts +16 -0
package/dist/analysis/index.js +18 -0
package/dist/analysis/index.js.map +1 -0
package/dist/analysis/interprocedural.d.ts +99 -0
package/dist/analysis/interprocedural.js +526 -0
package/dist/analysis/interprocedural.js.map +1 -0
package/dist/analysis/path-finder.d.ts +133 -0
package/dist/analysis/path-finder.js +354 -0
package/dist/analysis/path-finder.js.map +1 -0
package/dist/analysis/rules.d.ts +75 -0
package/dist/analysis/rules.js +332 -0
package/dist/analysis/rules.js.map +1 -0
package/dist/analysis/semver.d.ts +27 -0
package/dist/analysis/semver.js +127 -0
package/dist/analysis/semver.js.map +1 -0
package/dist/analysis/taint-matcher.d.ts +15 -0
package/dist/analysis/taint-matcher.js +634 -0
package/dist/analysis/taint-matcher.js.map +1 -0
package/dist/analysis/taint-propagation.d.ts +67 -0
package/dist/analysis/taint-propagation.js +298 -0
package/dist/analysis/taint-propagation.js.map +1 -0
package/dist/analysis/unresolved.d.ts +14 -0
package/dist/analysis/unresolved.js +202 -0
package/dist/analysis/unresolved.js.map +1 -0
package/dist/analyzer.d.ts +43 -0
package/dist/analyzer.js +1010 -0
package/dist/analyzer.js.map +1 -0
package/dist/browser/circle-ir.js +16576 -0
package/dist/browser.d.ts +38 -0
package/dist/browser.js +38 -0
package/dist/browser.js.map +1 -0
package/dist/core/circle-ir-core.cjs +13626 -0
package/dist/core/circle-ir-core.d.ts +59 -0
package/dist/core/circle-ir-core.js +13591 -0
package/dist/core/extractors/calls.d.ts +13 -0
package/dist/core/extractors/calls.js +1429 -0
package/dist/core/extractors/calls.js.map +1 -0
package/dist/core/extractors/cfg.d.ts +9 -0
package/dist/core/extractors/cfg.js +519 -0
package/dist/core/extractors/cfg.js.map +1 -0
package/dist/core/extractors/dfg.d.ts +12 -0
package/dist/core/extractors/dfg.js +1081 -0
package/dist/core/extractors/dfg.js.map +1 -0
package/dist/core/extractors/exports.d.ts +14 -0
package/dist/core/extractors/exports.js +80 -0
package/dist/core/extractors/exports.js.map +1 -0
package/dist/core/extractors/imports.d.ts +9 -0
package/dist/core/extractors/imports.js +739 -0
package/dist/core/extractors/imports.js.map +1 -0
package/dist/core/extractors/index.d.ts +10 -0
package/dist/core/extractors/index.js +11 -0
package/dist/core/extractors/index.js.map +1 -0
package/dist/core/extractors/meta.d.ts +10 -0
package/dist/core/extractors/meta.js +109 -0
package/dist/core/extractors/meta.js.map +1 -0
package/dist/core/extractors/types.d.ts +10 -0
package/dist/core/extractors/types.js +1479 -0
package/dist/core/extractors/types.js.map +1 -0
package/dist/core/index.d.ts +5 -0
package/dist/core/index.js +8 -0
package/dist/core/index.js.map +1 -0
package/dist/core/parser.d.ts +84 -0
package/dist/core/parser.js +250 -0
package/dist/core/parser.js.map +1 -0
package/dist/core-lib.d.ts +59 -0
package/dist/core-lib.js +62 -0
package/dist/core-lib.js.map +1 -0
package/dist/index.d.ts +15 -0
package/dist/index.js +20 -0
package/dist/index.js.map +1 -0
package/dist/languages/index.d.ts +11 -0
package/dist/languages/index.js +14 -0
package/dist/languages/index.js.map +1 -0
package/dist/languages/plugins/base.d.ts +44 -0
package/dist/languages/plugins/base.js +82 -0
package/dist/languages/plugins/base.js.map +1 -0
package/dist/languages/plugins/index.d.ts +14 -0
package/dist/languages/plugins/index.js +25 -0
package/dist/languages/plugins/index.js.map +1 -0
package/dist/languages/plugins/java.d.ts +49 -0
package/dist/languages/plugins/java.js +402 -0
package/dist/languages/plugins/java.js.map +1 -0
package/dist/languages/plugins/javascript.d.ts +48 -0
package/dist/languages/plugins/javascript.js +445 -0
package/dist/languages/plugins/javascript.js.map +1 -0
package/dist/languages/plugins/python.d.ts +47 -0
package/dist/languages/plugins/python.js +480 -0
package/dist/languages/plugins/python.js.map +1 -0
package/dist/languages/plugins/rust.d.ts +47 -0
package/dist/languages/plugins/rust.js +405 -0
package/dist/languages/plugins/rust.js.map +1 -0
package/dist/languages/registry.d.ts +30 -0
package/dist/languages/registry.js +80 -0
package/dist/languages/registry.js.map +1 -0
package/dist/languages/types.d.ts +184 -0
package/dist/languages/types.js +8 -0
package/dist/languages/types.js.map +1 -0
package/dist/resolution/cross-file.d.ts +146 -0
package/dist/resolution/cross-file.js +439 -0
package/dist/resolution/cross-file.js.map +1 -0
package/dist/resolution/index.d.ts +12 -0
package/dist/resolution/index.js +10 -0
package/dist/resolution/index.js.map +1 -0
package/dist/resolution/symbol-table.d.ts +136 -0
package/dist/resolution/symbol-table.js +336 -0
package/dist/resolution/symbol-table.js.map +1 -0
package/dist/resolution/type-hierarchy.d.ts +124 -0
package/dist/resolution/type-hierarchy.js +515 -0
package/dist/resolution/type-hierarchy.js.map +1 -0
package/dist/types/config.d.ts +45 -0
package/dist/types/config.js +5 -0
package/dist/types/config.js.map +1 -0
package/dist/types/index.d.ts +392 -0
package/dist/types/index.js +7 -0
package/dist/types/index.js.map +1 -0
package/dist/utils/logger.d.ts +85 -0
package/dist/utils/logger.js +198 -0
package/dist/utils/logger.js.map +1 -0
package/dist/wasm/tree-sitter-java.wasm +0 -0
package/dist/wasm/tree-sitter-javascript.wasm +0 -0
package/dist/wasm/tree-sitter-python.wasm +0 -0
package/dist/wasm/tree-sitter-rust.wasm +0 -0
package/dist/wasm/web-tree-sitter.wasm +0 -0
package/docs/SPEC.md +1021 -0
package/examples/browser-example.html +610 -0
package/examples/node-example.ts +215 -0
package/package.json +107 -0
package/wasm/tree-sitter-java.wasm +0 -0
package/wasm/tree-sitter-javascript.wasm +0 -0
package/wasm/tree-sitter-python.wasm +0 -0
package/wasm/tree-sitter-rust.wasm +0 -0

package/configs/sinks/command.yaml ADDED Viewed

@@ -0,0 +1,917 @@
+{
+  "sinks": [
+    {
+      "method": "fromXML",
+      "class": "XStream",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "XStream deserialization RCE"
+    },
+    {
+      "method": "unmarshal",
+      "class": "XStream",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ]
+    },
+    {
+      "method": "realClass",
+      "class": "Mapper",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "XStream class resolution - can load arbitrary classes"
+    },
+    {
+      "method": "realClass",
+      "class": "CachingMapper",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "XStream cached class resolution"
+    },
+    {
+      "method": "realClass",
+      "class": "MapperWrapper",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "XStream mapper class resolution"
+    },
+    {
+      "method": "fromString",
+      "class": "FileConverter",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "XStream File converter - creates File from untrusted input"
+    },
+    {
+      "method": "fromString",
+      "class": "AbstractSingleValueConverter",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "XStream value converter - converts untrusted input"
+    },
+    {
+      "method": "fromString",
+      "class": "FileConverter",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "XStream File converter - creates File from untrusted string"
+    },
+    {
+      "method": "flushCache",
+      "class": "CachingMapper",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "XStream cache flush - may be triggered by deserialization"
+    },
+    {
+      "method": "readObject",
+      "class": "ObjectInputStream",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Java deserialization RCE"
+    },
+    {
+      "method": "readUnshared",
+      "class": "ObjectInputStream",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical"
+    },
+    {
+      "method": "File",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [
+        0
+      ],
+      "note": "File constructor in deserialization can lead to path traversal + RCE"
+    },
+    {
+      "method": "exec",
+      "class": "Runtime",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Especially dangerous with shell invocation (sh -c, cmd /c)"
+    },
+    {
+      "method": "exec",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Generic exec() call - likely Runtime.getRuntime().exec()"
+    },
+    {
+      "method": "exit",
+      "class": "System",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Controlled System.exit() can cause DoS or command execution"
+    },
+    {
+      "method": "getRuntime",
+      "class": "Runtime",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Check if followed by exec"
+    },
+    {
+      "method": "ProcessBuilder",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Constructor with command array"
+    },
+    {
+      "method": "command",
+      "class": "ProcessBuilder",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ]
+    },
+    {
+      "method": "start",
+      "class": "ProcessBuilder",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Executes the command"
+    },
+    {
+      "method": "Process",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high"
+    },
+    {
+      "method": "execute",
+      "class": "Executor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ]
+    },
+    {
+      "method": "execute",
+      "class": "DefaultExecutor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ]
+    },
+    {
+      "method": "CommandLine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [
+        0
+      ],
+      "note": "Command line construction"
+    },
+    {
+      "method": "eval",
+      "class": "ScriptEngine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ]
+    },
+    {
+      "method": "GroovyShell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical"
+    },
+    {
+      "method": "evaluate",
+      "class": "GroovyShell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ]
+    },
+    {
+      "method": "parse",
+      "class": "GroovyShell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Groovy script parsing"
+    },
+    {
+      "method": "doCheckScript",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins script validation bypass"
+    },
+    {
+      "class": "ScriptApproval",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins script approval mechanism"
+    },
+    {
+      "method": "sandbox",
+      "class": "GroovySandbox",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox"
+    },
+    {
+      "method": "evaluate",
+      "class": "CpsScript",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins Pipeline CPS script evaluation"
+    },
+    {
+      "method": "sh",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline shell command"
+    },
+    {
+      "method": "bat",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline Windows batch command"
+    },
+    {
+      "method": "powershell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline PowerShell command"
+    },
+    {
+      "method": "pwsh",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline PowerShell Core command"
+    },
+    {
+      "method": "node",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline node step - may execute shell"
+    },
+    {
+      "method": "library",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins shared library loading with arbitrary code execution"
+    },
+    {
+      "method": "load",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline load step - loads and executes Groovy scripts"
+    },
+    {
+      "method": "tool",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline tool step - may execute installers"
+    },
+    {
+      "method": "withEnv",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [
+        0
+      ],
+      "note": "Jenkins pipeline withEnv - environment manipulation"
+    },
+    {
+      "method": "Exec",
+      "class": "org.apache.tools.ant.taskdefs",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical"
+    },
+    {
+      "method": "setCommand",
+      "class": "Exec",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ]
+    },
+    {
+      "method": "File",
+      "class": "constructor",
+      "type": "command_injection",
+      "cwe": "CWE-78",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Auto-mined from CVE analysis"
+    },
+    {
+      "method": "println",
+      "class": "PrintWriter",
+      "type": "command_injection",
+      "cwe": "CWE-78",
+      "severity": "critical",
+      "arg_positions": [
+        0
+      ],
+      "note": "Auto-mined from CVE analysis"
+    },
+    {
+      "method": "create",
+      "class": "CpsScmFlowDefinition",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins Pipeline SCM script loading"
+    },
+    {
+      "method": "getLibrary",
+      "class": "LibraryAdder",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins shared library loading"
+    },
+    {
+      "method": "checkout",
+      "class": "SCMCheckout",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins SCM checkout - may execute hooks"
+    },
+    {
+      "method": "imageName",
+      "class": "DockerRegistryEndpoint",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins Docker image name injection"
+    },
+    {
+      "method": "getShellArgs",
+      "class": "BourneShell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Shell argument construction"
+    },
+    {
+      "method": "getRawCommandLine",
+      "class": "Shell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Shell command line construction"
+    },
+    {
+      "method": "createProcess",
+      "class": "DefaultExecuteAsyncHandler",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0]
+    },
+    {
+      "method": "processControlCommand",
+      "class": "TransportConnection",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "ActiveMQ control command processing"
+    },
+    {
+      "method": "run",
+      "class": "GroovyScript",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Groovy script execution"
+    },
+    {
+      "method": "parseClass",
+      "class": "GroovyClassLoader",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Groovy class parsing with code execution"
+    },
+    {
+      "method": "newScript",
+      "class": "GroovyShell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Groovy script creation"
+    },
+    {
+      "method": "execute",
+      "class": "CommandLine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Apache Commons Exec command execution"
+    },
+    {
+      "method": "addArgument",
+      "class": "CommandLine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Adding potentially tainted argument to command"
+    },
+    {
+      "method": "addArguments",
+      "class": "CommandLine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Adding potentially tainted arguments to command"
+    },
+    {
+      "method": "CpsFlowDefinition",
+      "class": "constructor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins CPS Flow Definition - executes Pipeline scripts"
+    },
+    {
+      "method": "CpsFlowExecution",
+      "class": "constructor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins CPS Flow Execution - executes Pipeline scripts"
+    },
+    {
+      "method": "FlowExecution",
+      "class": "constructor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins Flow Execution - executes Pipeline scripts"
+    },
+    {
+      "method": "FlowDefinition",
+      "class": "constructor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins Flow Definition - executes Pipeline scripts"
+    },
+    {
+      "method": "parseScript",
+      "class": "CpsGroovyShell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins CPS Groovy script parsing"
+    },
+    {
+      "method": "loadScript",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Script loading with execution"
+    },
+    {
+      "method": "readTrusted",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins trusted script reading"
+    },
+    {
+      "method": "retrieve",
+      "class": "LibraryAdder",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins shared library retrieval - CVE-2022-25174"
+    },
+    {
+      "method": "findResources",
+      "class": "LibraryAdder",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins shared library resource finding"
+    },
+    {
+      "method": "parse",
+      "class": "LibraryAdder",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins shared library parsing"
+    },
+    {
+      "method": "forGroup",
+      "class": "FolderLibraries",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins folder libraries - CVE-2022-25174"
+    },
+    {
+      "method": "BourneShell",
+      "class": "constructor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Bourne shell constructor"
+    },
+    {
+      "method": "setQuotedArgumentsEnabled",
+      "class": "Shell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Shell quoting configuration"
+    },
+    {
+      "method": "getExecutionPreamble",
+      "class": "Shell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Shell preamble construction"
+    },
+    {
+      "method": "getEscapeChars",
+      "class": "Shell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Shell escape character handling"
+    },
+    {
+      "method": "quoteWorkingDirectoryAndExecutable",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Shell path quoting"
+    },
+    {
+      "method": "escapeArgument",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Shell argument escaping"
+    },
+    {
+      "method": "createExpression",
+      "class": "JexlEngine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache JEXL expression creation - can execute arbitrary code"
+    },
+    {
+      "method": "createScript",
+      "class": "JexlEngine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache JEXL script creation - can execute arbitrary code"
+    },
+    {
+      "method": "evaluate",
+      "class": "JexlExpression",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Apache JEXL expression evaluation"
+    },
+    {
+      "method": "execute",
+      "class": "JexlScript",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Apache JEXL script execution"
+    },
+    {
+      "method": "getValue",
+      "class": "ExpressionFactory",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "EL expression evaluation - may lead to RCE"
+    },
+    {
+      "method": "createValueExpression",
+      "class": "ExpressionFactory",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [1],
+      "note": "EL expression creation"
+    },
+    {
+      "method": "createMethodExpression",
+      "class": "ExpressionFactory",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [1],
+      "note": "EL method expression creation"
+    },
+    {
+      "method": "parseExpression",
+      "class": "SpelExpressionParser",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Spring SpEL expression parsing - CVE-2022-22963, CVE-2022-22947"
+    },
+    {
+      "method": "getValue",
+      "class": "SpelExpression",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Spring SpEL expression evaluation"
+    },
+    {
+      "method": "setValue",
+      "class": "SpelExpression",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Spring SpEL expression assignment"
+    },
+    {
+      "method": "getValue",
+      "class": "OgnlContext",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "OGNL expression evaluation - CVE-2022-26134 (Confluence)"
+    },
+    {
+      "method": "parseExpression",
+      "class": "Ognl",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "OGNL expression parsing"
+    },
+    {
+      "method": "compileExpression",
+      "class": "Ognl",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "OGNL expression compilation"
+    },
+    {
+      "method": "evaluate",
+      "class": "Velocity",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [1],
+      "note": "Apache Velocity template evaluation"
+    },
+    {
+      "method": "mergeTemplate",
+      "class": "VelocityEngine",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0, 2],
+      "note": "Apache Velocity template merging"
+    },
+    {
+      "method": "evaluate",
+      "class": "MvelEvaluator",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "MVEL expression evaluation"
+    },
+    {
+      "method": "eval",
+      "class": "MVEL",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "MVEL expression evaluation"
+    },
+    {
+      "method": "compileExpression",
+      "class": "MVEL",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "MVEL expression compilation"
+    },
+    {
+      "method": "executeScript",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Generic script execution"
+    },
+    {
+      "method": "runScript",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Generic script execution"
+    },
+    {
+      "method": "executeCommand",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Generic command execution"
+    },
+    {
+      "method": "runCommand",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Generic command execution"
+    },
+    {
+      "method": "system",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "System command execution"
+    },
+    {
+      "method": "shell",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Shell command execution"
+    }
+  ],
+  "sanitizers": [
+    {
+      "method": "matches",
+      "class": "String",
+      "removes": [
+        "command_injection"
+      ],
+      "note": "Regex validation - check pattern is restrictive"
+    },
+    {
+      "method": "quote",
+      "class": "Pattern",
+      "removes": [
+        "command_injection"
+      ],
+      "note": "Shell escape - still risky"
+    }
+  ],
+  "dangerous_patterns": [
+    {
+      "pattern": "sh -c",
+      "risk": "critical",
+      "note": "Shell execution with command string"
+    },
+    {
+      "pattern": "bash -c",
+      "risk": "critical",
+      "note": "Bash execution with command string"
+    },
+    {
+      "pattern": "cmd /c",
+      "risk": "critical",
+      "note": "Windows command execution"
+    },
+    {
+      "pattern": "/bin/sh",
+      "risk": "critical"
+    },
+    {
+      "pattern": "/bin/bash",
+      "risk": "critical"
+    }
+  ]
+}