circle-ir 3.1.1 → 3.3.0

package/README.md

@@ -6,7 +6,7 @@ A high-performance Static Application Security Testing (SAST) library for detect
 
 - **Taint Analysis**: Track data flow from sources (user input) to sinks (dangerous operations)
 - **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust
-- **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 98.1% TPR on SecuriBench Micro
+- **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 97.7% TPR on SecuriBench Micro
 - **Universal**: Works in Node.js, browsers, and Cloudflare Workers
 - **Zero External Dependencies**: Core analysis runs without network calls or external services
 - **Browser Compatible**: Tree-sitter WASM for universal parsing
@@ -187,7 +187,7 @@ sources:
 |-----------|-------|---------|
 | **OWASP Benchmark** | +100% | TPR 100%, FPR 0% (1415 test cases) |
 | **Juliet Test Suite** | +100% | 156/156 test cases, 9 CWEs |
-| **SecuriBench Micro** | 98.1% TPR | 106/108 vulns detected, 6.7% FPR |
+| **SecuriBench Micro** | 97.7% TPR | 105/108 vulns detected, 6.7% FPR |
 | **CWE-Bench-Java** | 65.5% | 509/777 real-world CVEs |
 
 ## Documentation

package/configs/sinks/code_injection.yaml

@@ -621,6 +621,142 @@
       "severity": "critical",
       "arg_positions": [0],
       "note": "Groovy class compilation from string"
+    },
+    {
+      "method": "interpolate",
+      "class": "StringSubstitutor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache Commons Text interpolation - CVE-2022-42889 (script:, dns:, url: lookups)"
+    },
+    {
+      "method": "replace",
+      "class": "StringSubstitutor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache Commons Text substitution with lookup"
+    },
+    {
+      "method": "interpolate",
+      "class": "StringLookupFactory",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache Commons Text lookup interpolation"
+    },
+    {
+      "method": "getConnection",
+      "class": "DriverManager",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "JDBC URL injection - can trigger JNDI/RCE via malicious JDBC URLs"
+    },
+    {
+      "method": "createConnection",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Database connection creation with attacker-controlled URL"
+    },
+    {
+      "method": "invoke",
+      "class": "RpcInvocation",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Dubbo RPC invocation - may execute arbitrary code"
+    },
+    {
+      "method": "decode",
+      "class": "DecodeableRpcInvocation",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Dubbo RPC deserialization"
+    },
+    {
+      "method": "refer",
+      "class": "RegistryProtocol",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "note": "Dubbo registry protocol reference"
+    },
+    {
+      "method": "executeScript",
+      "class": "ScriptingComponentHelper",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache NiFi script execution"
+    },
+    {
+      "method": "onTrigger",
+      "class": "ExecuteScript",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Apache NiFi ExecuteScript processor"
+    },
+    {
+      "method": "parse",
+      "class": "CronDefinition",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Cron expression parsing - potential injection"
+    },
+    {
+      "method": "parse",
+      "class": "CronParser",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Cron expression parsing"
+    },
+    {
+      "method": "check",
+      "class": "PermitAllPermissionEvaluator",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "note": "Spring Security expression evaluation bypass"
+    },
+    {
+      "method": "evaluate",
+      "class": "SpelExpressionParser",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "SpEL direct evaluation"
+    },
+    {
+      "method": "setPropertyValues",
+      "class": "DataBinder",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "note": "Spring DataBinder property binding - Spring4Shell"
+    },
+    {
+      "method": "bind",
+      "class": "DataBinder",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "high",
+      "note": "Spring DataBinder bind - Spring4Shell"
     }
   ],
   "sanitizers": [

package/configs/sinks/command.yaml

@@ -869,6 +869,115 @@
       "severity": "critical",
       "arg_positions": [0],
       "note": "Shell command execution"
+    },
+    {
+      "method": "cmds",
+      "class": "ProcStarter",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins Launcher.ProcStarter command list"
+    },
+    {
+      "method": "launch",
+      "class": "Launcher",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins Launcher.launch() - process execution"
+    },
+    {
+      "method": "launch",
+      "class": "ProcStarter",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins ProcStarter.launch() - process execution"
+    },
+    {
+      "method": "start",
+      "class": "ProcStarter",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "note": "Jenkins ProcStarter.start() - process execution"
+    },
+    {
+      "method": "launchChannel",
+      "class": "Launcher",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins Launcher channel creation with command"
+    },
+    {
+      "method": "subcommand",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Git CLI subcommand construction"
+    },
+    {
+      "method": "launchCommandIn",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Jenkins Git plugin command launch"
+    },
+    {
+      "method": "fetch",
+      "class": "CliGitAPIImpl",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Jenkins Git plugin fetch - may inject via refspec"
+    },
+    {
+      "method": "checkout",
+      "class": "CliGitAPIImpl",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Jenkins Git plugin checkout - may inject via branch name"
+    },
+    {
+      "method": "submoduleUpdate",
+      "class": "CliGitAPIImpl",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "note": "Jenkins Git plugin submodule update - CVE injection vector"
+    },
+    {
+      "method": "interpolate",
+      "class": "StringSubstitutor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache Commons Text string interpolation - CVE-2022-42889"
+    },
+    {
+      "method": "replace",
+      "class": "StringSubstitutor",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "critical",
+      "arg_positions": [0],
+      "note": "Apache Commons Text string substitution"
+    },
+    {
+      "method": "getConnection",
+      "class": "DriverManager",
+      "type": "command_injection",
+      "cwe": "CWE-078",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "JDBC connection with attacker-controlled URL can lead to RCE"
     }
   ],
   "sanitizers": [

package/configs/sinks/path.yaml

@@ -684,6 +684,119 @@
       "cwe": "CWE-022",
       "severity": "high",
       "note": "Jenkins FilePath recursive delete"
+    },
+    {
+      "method": "createRelative",
+      "class": "Resource",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Spring Resource.createRelative() - path traversal via relative path"
+    },
+    {
+      "method": "createRelative",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Resource createRelative without class qualifier"
+    },
+    {
+      "method": "sendFile",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Vert.x/HTTP file sending - path traversal"
+    },
+    {
+      "method": "sendStatic",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Static file serving - path traversal"
+    },
+    {
+      "method": "handle",
+      "class": "StaticHandler",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "note": "Vert.x static file handler"
+    },
+    {
+      "method": "handle",
+      "class": "StaticHandlerImpl",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "note": "Vert.x static file handler implementation"
+    },
+    {
+      "method": "getFile",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Generic getFile with user input"
+    },
+    {
+      "method": "extractEntry",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Archive entry extraction - zip slip"
+    },
+    {
+      "method": "extractAll",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Archive extraction - zip slip"
+    },
+    {
+      "method": "unzip",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "arg_positions": [0],
+      "note": "Unzip operation - zip slip"
+    },
+    {
+      "method": "getPath",
+      "class": "ZipEntry",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "note": "Zip entry path - may contain ../"
+    },
+    {
+      "method": "getName",
+      "class": "ZipEntry",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "note": "Zip entry name - may contain ../"
+    },
+    {
+      "method": "getEnvironment",
+      "class": "ConfigServicePropertySourceLocator",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "note": "Spring Cloud Config path traversal"
+    },
+    {
+      "method": "findOne",
+      "class": "GenericResourceRepository",
+      "type": "path_traversal",
+      "cwe": "CWE-022",
+      "severity": "high",
+      "note": "Spring Cloud Config resource repository"
     }
   ],
   "sanitizers": [

package/configs/sources/http_sources.yaml

@@ -374,6 +374,157 @@
       "severity": "high",
       "return_tainted": true,
       "note": "Model object getter - may contain HTTP request data"
+    },
+    {
+      "method": "getParameter",
+      "class": "StaplerRequest",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Jenkins StaplerRequest parameter - attacker-controlled"
+    },
+    {
+      "method": "getSubmittedForm",
+      "class": "StaplerRequest",
+      "type": "http_body",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Jenkins StaplerRequest form submission"
+    },
+    {
+      "method": "bindJSON",
+      "class": "StaplerRequest",
+      "type": "http_body",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Jenkins StaplerRequest JSON binding"
+    },
+    {
+      "method": "getRequestURI",
+      "class": "StaplerRequest",
+      "type": "http_path",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Jenkins StaplerRequest URI"
+    },
+    {
+      "method": "getRestOfPath",
+      "class": "StaplerRequest",
+      "type": "http_path",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Jenkins StaplerRequest rest of path"
+    },
+    {
+      "method": "getPathParameter",
+      "class": "HandlerRequest",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Apache Flink HandlerRequest path parameter"
+    },
+    {
+      "method": "getQueryParameter",
+      "class": "HandlerRequest",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Apache Flink HandlerRequest query parameter"
+    },
+    {
+      "method": "getRequestBody",
+      "class": "HandlerRequest",
+      "type": "http_body",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Apache Flink HandlerRequest body"
+    },
+    {
+      "method": "path",
+      "class": "HttpServerRequest",
+      "type": "http_path",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x HTTP request path"
+    },
+    {
+      "method": "getParam",
+      "class": "HttpServerRequest",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x HTTP request parameter"
+    },
+    {
+      "method": "getHeader",
+      "class": "HttpServerRequest",
+      "type": "http_header",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x HTTP request header"
+    },
+    {
+      "method": "request",
+      "class": "RoutingContext",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x RoutingContext request access"
+    },
+    {
+      "method": "pathParam",
+      "class": "RoutingContext",
+      "type": "http_path",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x RoutingContext path parameter"
+    },
+    {
+      "method": "queryParam",
+      "class": "RoutingContext",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x RoutingContext query parameter"
+    },
+    {
+      "method": "getBodyAsString",
+      "class": "RoutingContext",
+      "type": "http_body",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x RoutingContext body"
+    },
+    {
+      "method": "normalisedPath",
+      "class": "RoutingContext",
+      "type": "http_path",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Vert.x RoutingContext normalized path"
+    },
+    {
+      "method": "getRemoteEnvironment",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Spring Cloud Config remote environment fetch"
+    },
+    {
+      "method": "getHeader",
+      "class": "ServerWebExchange",
+      "type": "http_header",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Spring WebFlux exchange header"
+    },
+    {
+      "method": "getExchange",
+      "class": "GatewayFilter",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "note": "Spring Cloud Gateway exchange"
     }
   ]
 }

package/dist/analysis/index.d.ts

@@ -2,15 +2,12 @@
  * Analysis module index
  */
 export { parseConfig, loadSourceConfigs, loadSinkConfigs, createTaintConfig, getDefaultConfig, DEFAULT_SOURCES, DEFAULT_SINKS, DEFAULT_SANITIZERS, } from './config-loader.js';
-export { analyzeTaint, isInDangerousPosition, } from './taint-matcher.js';
+export { analyzeTaint, } from './taint-matcher.js';
 export { detectUnresolved, } from './unresolved.js';
 export { generateFindings, } from './findings.js';
 export { propagateTaint, type TaintPropagationResult, type TaintedVariable, type TaintFlow, } from './taint-propagation.js';
 export { analyzeInterprocedural, getInterproceduralSummary, findTaintBridges, getMethodTaintPaths, hasMethod, getMethod, isMethodTainted, type InterproceduralResult, type MethodNode, type CallEdge, } from './interprocedural.js';
 export { analyzeConstantPropagation, isFalsePositive, isCorrelatedPredicateFP, ConstantPropagator, isKnown, createUnknown, createConstant, getNodeText, getNodeLine, type ConstantValue, type ConstantType, type ConstantPropagatorResult, type ConstantPropagationOptions, } from './constant-propagation.js';
 export { PathFinder, findTaintPaths, formatTaintPath, type TaintHop, type TaintPath, type PathFinderResult, type PathFinderConfig, } from './path-finder.js';
-export { DFGVerifier, verifyTaintFlow, formatVerificationResult, type VerificationResult, type VerificationPath, type VerificationStep, type VerifierConfig, } from './dfg-verifier.js';
-export { loadBundledAdvisories, parseAdvisoryJson, categoryToSeverity, getAdvisoriesForCrate, findAdvisoryByCve, getVulnerableCrates, type AdvisoryVulnerability, type AdvisoryDatabase, } from './advisory-db.js';
-export { parseCargoLock, parseCargoToml, filterRegistryDeps, type CargoLock, type CargoLockDependency, type CargoToml, type CargoTomlDependency, } from './cargo-parser.js';
-export { scanCargoLock, checkCrateVulnerability, formatFinding, formatScanReport, type DependencyFinding, type ScanOptions, type ScanResult, } from './dependency-scanner.js';
+export { DFGVerifier, verifyTaintFlow, type VerificationResult, type VerificationPath, type VerificationStep, type VerifierConfig, } from './dfg-verifier.js';
 export { parseVersion, compareVersions, semverSatisfies, isVersionVulnerable, type ParsedVersion, } from './semver.js';

package/dist/analysis/index.js

@@ -2,17 +2,13 @@
  * Analysis module index
  */
 export { parseConfig, loadSourceConfigs, loadSinkConfigs, createTaintConfig, getDefaultConfig, DEFAULT_SOURCES, DEFAULT_SINKS, DEFAULT_SANITIZERS, } from './config-loader.js';
-export { analyzeTaint, isInDangerousPosition, } from './taint-matcher.js';
+export { analyzeTaint, } from './taint-matcher.js';
 export { detectUnresolved, } from './unresolved.js';
 export { generateFindings, } from './findings.js';
 export { propagateTaint, } from './taint-propagation.js';
 export { analyzeInterprocedural, getInterproceduralSummary, findTaintBridges, getMethodTaintPaths, hasMethod, getMethod, isMethodTainted, } from './interprocedural.js';
 export { analyzeConstantPropagation, isFalsePositive, isCorrelatedPredicateFP, ConstantPropagator, isKnown, createUnknown, createConstant, getNodeText, getNodeLine, } from './constant-propagation.js';
 export { PathFinder, findTaintPaths, formatTaintPath, } from './path-finder.js';
-export { DFGVerifier, verifyTaintFlow, formatVerificationResult, } from './dfg-verifier.js';
-// RustSec Advisory Database
-export { loadBundledAdvisories, parseAdvisoryJson, categoryToSeverity, getAdvisoriesForCrate, findAdvisoryByCve, getVulnerableCrates, } from './advisory-db.js';
-export { parseCargoLock, parseCargoToml, filterRegistryDeps, } from './cargo-parser.js';
-export { scanCargoLock, checkCrateVulnerability, formatFinding, formatScanReport, } from './dependency-scanner.js';
+export { DFGVerifier, verifyTaintFlow, } from './dfg-verifier.js';
 export { parseVersion, compareVersions, semverSatisfies, isVersionVulnerable, } from './semver.js';
 //# sourceMappingURL=index.js.map

package/dist/analysis/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analysis/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,YAAY,EACZ,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,cAAc,GAIf,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,gBAAgB,EAChB,mBAAmB,EACnB,SAAS,EACT,SAAS,EACT,eAAe,GAIhB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,0BAA0B,EAC1B,eAAe,EACf,uBAAuB,EACvB,kBAAkB,EAClB,OAAO,EACP,aAAa,EACb,cAAc,EACd,WAAW,EACX,WAAW,GAKZ,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,UAAU,EACV,cAAc,EACd,eAAe,GAKhB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,WAAW,EACX,eAAe,EACf,wBAAwB,GAKzB,MAAM,mBAAmB,CAAC;AAE3B,4BAA4B;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,GAGpB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,cAAc,EACd,cAAc,EACd,kBAAkB,GAKnB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,aAAa,EACb,uBAAuB,EACvB,aAAa,EACb,gBAAgB,GAIjB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,eAAe,EACf,mBAAmB,GAEpB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analysis/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,YAAY,GACb,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,cAAc,GAIf,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,gBAAgB,EAChB,mBAAmB,EACnB,SAAS,EACT,SAAS,EACT,eAAe,GAIhB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,0BAA0B,EAC1B,eAAe,EACf,uBAAuB,EACvB,kBAAkB,EAClB,OAAO,EACP,aAAa,EACb,cAAc,EACd,WAAW,EACX,WAAW,GAKZ,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,UAAU,EACV,cAAc,EACd,eAAe,GAKhB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,WAAW,EACX,eAAe,GAKhB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,YAAY,EACZ,eAAe,EACf,eAAe,EACf,mBAAmB,GAEpB,MAAM,aAAa,CAAC"}

package/dist/analysis/taint-matcher.js

@@ -62,7 +62,7 @@ function findSources(calls, types, patterns) {
             if (method.modifiers.includes('private'))
                 continue;
             // Skip standard methods that are unlikely to receive tainted data
-            const skipMethods = ['toString', 'hashCode', 'equals', 'compareTo', 'getDescription', 'getVulnerabilityCount'];
+            const skipMethods = ['toString', 'hashCode', 'equals', 'compareTo'];
             if (skipMethods.includes(method.name))
                 continue;
             for (const param of method.parameters) {
@@ -179,6 +179,38 @@ function isInterproceduralTaintableType(typeName) {
     }
     return false;
 }
+/**
+ * Check if a SQL query call uses parameterized query pattern.
+ * Parameterized queries (e.g., db.query("SELECT ? ...", [param])) are safe
+ * because user input is passed as bound parameters, not concatenated into the query.
+ *
+ * Recognized patterns:
+ * - db.query(sql, [params], callback)  — Node.js mysql/pg
+ * - db.query(sql, [params])            — Node.js mysql2
+ * - knex.raw(sql, [params])            — Knex.js
+ */
+function isParameterizedQueryCall(call, pattern) {
+    // Only applies to SQL injection sinks
+    if (pattern.type !== 'sql_injection')
+        return false;
+    // Parameterized queries have at least 2 arguments:
+    // arg[0] = query string (with ? or $N placeholders)
+    // arg[1] = params array
+    if (call.arguments.length < 2)
+        return false;
+    // Check if the second argument looks like a params array
+    const secondArg = call.arguments.find(a => a.position === 1);
+    if (!secondArg)
+        return false;
+    // Check for array literal: [id], [id, name], etc.
+    if (secondArg.expression) {
+        const expr = secondArg.expression.trim();
+        if (expr.startsWith('[')) {
+            return true;
+        }
+    }
+    return false;
+}
 /**
  * Find taint sinks in method calls.
  * Deduplicates sinks at the same location+line+cwe, keeping highest confidence.
@@ -189,6 +221,10 @@ function findSinks(calls, patterns) {
     for (const call of calls) {
         for (const pattern of patterns) {
             if (matchesSinkPattern(call, pattern)) {
+                // Skip parameterized queries (safe pattern for SQL injection)
+                if (isParameterizedQueryCall(call, pattern)) {
+                    continue;
+                }
                 const location = formatCallLocation(call);
                 const key = `${location}:${call.location.line}:${pattern.cwe}`;
                 const confidence = calculateSinkConfidence(call, pattern);