circle-ir 3.20.0 → 3.22.0

package/dist/browser/circle-ir.js

@@ -4297,6 +4297,9 @@ function extractTypes(tree, cache, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoTypes(tree, cache);
+  }
   if (isRust) {
     return extractRustTypes(tree, cache);
   }
@@ -5432,6 +5435,143 @@ function extractRustDerives(node) {
   }
   return derives;
 }
+function extractGoTypes(tree, cache) {
+  const types = [];
+  const root = tree.rootNode;
+  const typeDecls = getNodesFromCache(root, "type_declaration", cache);
+  for (const decl of typeDecls) {
+    for (let i2 = 0; i2 < decl.childCount; i2++) {
+      const spec = decl.child(i2);
+      if (!spec || spec.type !== "type_spec") continue;
+      const nameNode = spec.childForFieldName("name");
+      const typeNode = spec.childForFieldName("type");
+      if (!nameNode || !typeNode) continue;
+      const name2 = getNodeText(nameNode);
+      const isInterface = typeNode.type === "interface_type";
+      const isStruct = typeNode.type === "struct_type";
+      if (!isStruct && !isInterface) continue;
+      const fields = [];
+      const methods = [];
+      if (isStruct) {
+        const fieldList = findChildByType(typeNode, "field_declaration_list");
+        if (fieldList) {
+          for (let j = 0; j < fieldList.childCount; j++) {
+            const field = fieldList.child(j);
+            if (!field || field.type !== "field_declaration") continue;
+            const fieldName = field.childForFieldName("name");
+            const fieldType = field.childForFieldName("type");
+            if (fieldName) {
+              fields.push({
+                name: getNodeText(fieldName),
+                type: fieldType ? getNodeText(fieldType) : null,
+                modifiers: [],
+                annotations: []
+              });
+            }
+          }
+        }
+      }
+      const methodDecls = getNodesFromCache(root, "method_declaration", cache);
+      for (const md of methodDecls) {
+        const receiver = md.childForFieldName("receiver");
+        if (!receiver) continue;
+        const receiverText = getNodeText(receiver);
+        if (receiverText.includes(name2)) {
+          const methodNameNode = md.childForFieldName("name");
+          const params = md.childForFieldName("parameters");
+          const result = md.childForFieldName("result");
+          if (methodNameNode) {
+            methods.push({
+              name: getNodeText(methodNameNode),
+              return_type: result ? getNodeText(result) : null,
+              parameters: params ? extractGoParameters(params) : [],
+              annotations: [],
+              modifiers: [],
+              start_line: md.startPosition.row + 1,
+              end_line: md.endPosition.row + 1
+            });
+          }
+        }
+      }
+      let pkg = null;
+      const pkgClause = findChildByType(root, "package_clause");
+      if (pkgClause) {
+        for (let j = 0; j < pkgClause.childCount; j++) {
+          const child = pkgClause.child(j);
+          if (child && child.type === "package_identifier") {
+            pkg = getNodeText(child);
+            break;
+          }
+        }
+      }
+      types.push({
+        name: name2,
+        kind: isInterface ? "interface" : "class",
+        package: pkg,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods,
+        fields,
+        start_line: decl.startPosition.row + 1,
+        end_line: decl.endPosition.row + 1
+      });
+    }
+  }
+  const functions = getNodesFromCache(root, "function_declaration", cache);
+  if (functions.length > 0) {
+    const moduleFunctions = [];
+    for (const func2 of functions) {
+      const nameNode = func2.childForFieldName("name");
+      const params = func2.childForFieldName("parameters");
+      const result = func2.childForFieldName("result");
+      if (nameNode) {
+        moduleFunctions.push({
+          name: getNodeText(nameNode),
+          return_type: result ? getNodeText(result) : null,
+          parameters: params ? extractGoParameters(params) : [],
+          annotations: [],
+          modifiers: [],
+          start_line: func2.startPosition.row + 1,
+          end_line: func2.endPosition.row + 1
+        });
+      }
+    }
+    if (moduleFunctions.length > 0) {
+      types.push({
+        name: "<module>",
+        kind: "class",
+        package: null,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods: moduleFunctions,
+        fields: [],
+        start_line: 1,
+        end_line: root.endPosition.row + 1
+      });
+    }
+  }
+  return types;
+}
+function extractGoParameters(params) {
+  const parameters = [];
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const child = params.child(i2);
+    if (!child || child.type !== "parameter_declaration") continue;
+    const nameNode = child.childForFieldName("name");
+    const typeNode = child.childForFieldName("type");
+    if (nameNode) {
+      parameters.push({
+        name: getNodeText(nameNode),
+        type: typeNode ? getNodeText(typeNode) : null,
+        annotations: [],
+        line: child.startPosition.row + 1
+      });
+    }
+  }
+  return parameters;
+}
 function findChildByType(node, type) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
@@ -5479,6 +5619,9 @@ function extractCalls(tree, cache, language) {
   const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
+  if (detectedLanguage === "go") {
+    return extractGoCalls(tree, cache);
+  }
   if (detectedLanguage === "bash") {
     return extractBashCalls(tree, cache);
   }
@@ -6761,6 +6904,104 @@ function resolveRustCall(methodName, receiver, context) {
     status: "external_method"
   };
 }
+function extractGoCalls(tree, cache) {
+  const calls = [];
+  const callExpressions = getNodesFromCache(tree.rootNode, "call_expression", cache);
+  for (const call of callExpressions) {
+    const callInfo = extractGoCallInfo(call);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  return calls;
+}
+function extractGoCallInfo(node) {
+  const funcNode = node.childForFieldName("function");
+  if (!funcNode) return null;
+  let methodName;
+  let receiver = null;
+  if (funcNode.type === "selector_expression") {
+    const operand = funcNode.childForFieldName("operand");
+    const field = funcNode.childForFieldName("field");
+    receiver = operand ? getNodeText(operand) : null;
+    methodName = field ? getNodeText(field) : getNodeText(funcNode);
+  } else if (funcNode.type === "identifier") {
+    methodName = getNodeText(funcNode);
+  } else {
+    methodName = getNodeText(funcNode);
+  }
+  const argsNode = node.childForFieldName("arguments");
+  const args2 = argsNode ? extractGoArguments(argsNode) : [];
+  const inMethod = findGoEnclosingFunction(node);
+  return {
+    method_name: methodName,
+    receiver,
+    arguments: args2,
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: inMethod,
+    resolved: false,
+    resolution: { status: "external_method" }
+  };
+}
+function extractGoArguments(argsNode) {
+  const args2 = [];
+  let position = 0;
+  for (let i2 = 0; i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child) continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",") continue;
+    const expression = getNodeText(child);
+    const variable = child.type === "identifier" ? expression : null;
+    const literal = isGoLiteral(child) ? extractGoLiteralValue(child) : null;
+    args2.push({
+      position: position++,
+      expression,
+      variable,
+      literal
+    });
+  }
+  return args2;
+}
+function isGoLiteral(node) {
+  const literalTypes = /* @__PURE__ */ new Set([
+    "interpreted_string_literal",
+    "raw_string_literal",
+    "int_literal",
+    "float_literal",
+    "true",
+    "false",
+    "nil"
+  ]);
+  return literalTypes.has(node.type);
+}
+function extractGoLiteralValue(node) {
+  const text = getNodeText(node);
+  if (node.type === "interpreted_string_literal") {
+    return text.slice(1, -1);
+  }
+  if (node.type === "raw_string_literal") {
+    return text.slice(1, -1);
+  }
+  return text;
+}
+function findGoEnclosingFunction(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "function_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    if (current.type === "method_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    current = current.parent;
+  }
+  return null;
+}
 
 // src/core/extractors/imports.ts
 function detectLanguage2(tree) {
@@ -6815,6 +7056,9 @@ function extractImports(tree, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoImports(tree);
+  }
   if (isRust) {
     return extractRustImports(tree);
   }
@@ -7362,6 +7606,61 @@ function extractRustScopedUseList(node, lineNumber) {
   }
   return imports;
 }
+function extractGoImports(tree) {
+  const imports = [];
+  const importDecls = findNodes(tree.rootNode, "import_declaration");
+  for (const decl of importDecls) {
+    const singleSpec = findGoChildByType(decl, "import_spec");
+    if (singleSpec) {
+      const parsed = parseGoImportSpec(singleSpec);
+      if (parsed) imports.push(parsed);
+      continue;
+    }
+    const specList = findGoChildByType(decl, "import_spec_list");
+    if (specList) {
+      for (let i2 = 0; i2 < specList.childCount; i2++) {
+        const spec = specList.child(i2);
+        if (!spec || spec.type !== "import_spec") continue;
+        const parsed = parseGoImportSpec(spec);
+        if (parsed) imports.push(parsed);
+      }
+    }
+  }
+  return imports;
+}
+function parseGoImportSpec(spec) {
+  let alias = null;
+  let path;
+  for (let i2 = 0; i2 < spec.childCount; i2++) {
+    const child = spec.child(i2);
+    if (!child) continue;
+    if (child.type === "package_identifier" || child.type === "blank_identifier" || child.type === "dot") {
+      alias = getNodeText(child);
+    }
+    if (child.type === "interpreted_string_literal") {
+      const text = getNodeText(child);
+      path = text.slice(1, -1);
+    }
+  }
+  if (!path) return null;
+  const shortName = alias || path.split("/").pop() || path;
+  return {
+    imported_name: shortName,
+    from_package: path,
+    alias,
+    is_wildcard: alias === ".",
+    line_number: spec.startPosition.row + 1
+  };
+}
+function findGoChildByType(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) {
+      return child;
+    }
+  }
+  return null;
+}
 
 // src/core/extractors/exports.ts
 function extractExports(types) {
@@ -7453,6 +7752,9 @@ function buildCFG(tree, language) {
   if (effectiveLanguage === "bash") {
     return buildBashCFG(tree, blockIdCounter);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoCFG(tree, blockIdCounter);
+  }
   if (isJavaScript) {
     const functions = [
       ...findNodes(tree.rootNode, "function_declaration"),
@@ -7929,6 +8231,58 @@ function isStatement(node, isJavaScript) {
   ]);
   return isJavaScript ? jsStatementTypes.has(node.type) : javaStatementTypes.has(node.type);
 }
+function buildGoCFG(tree, blockIdCounter) {
+  const allBlocks = [];
+  const allEdges = [];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    const body2 = func2.childForFieldName("body");
+    if (!body2 || body2.type !== "block") continue;
+    const { blocks, edges, nextId } = buildMethodCFG(body2, blockIdCounter, false);
+    allBlocks.push(...blocks);
+    allEdges.push(...edges);
+    blockIdCounter = nextId;
+  }
+  const hasTopLevelDecls = tree.rootNode.children.some(
+    (c) => c !== null && isGoStatement(c)
+  );
+  if (hasTopLevelDecls) {
+    const block = {
+      id: blockIdCounter++,
+      type: "normal",
+      start_line: 1,
+      end_line: tree.rootNode.endPosition.row + 1
+    };
+    allBlocks.push(block);
+  }
+  return { blocks: allBlocks, edges: allEdges };
+}
+function isGoStatement(node) {
+  const goStatementTypes = /* @__PURE__ */ new Set([
+    "short_var_declaration",
+    "var_declaration",
+    "assignment_statement",
+    "expression_statement",
+    "if_statement",
+    "for_statement",
+    "switch_statement",
+    "type_switch_statement",
+    "select_statement",
+    "return_statement",
+    "go_statement",
+    "defer_statement",
+    "send_statement",
+    "inc_statement",
+    "dec_statement",
+    "block",
+    "type_declaration",
+    "const_declaration"
+  ]);
+  return goStatementTypes.has(node.type);
+}
 
 // src/core/extractors/dfg.ts
 function detectLanguage4(tree) {
@@ -7976,6 +8330,9 @@ function buildDFG(tree, cache, language) {
   if (effectiveLanguage === "bash") {
     return buildBashDFG(tree);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoDFG(tree);
+  }
   return buildJavaDFG(tree, cache);
 }
 function buildJavaDFG(tree, cache) {
@@ -8708,6 +9065,17 @@ function buildBashDFG(tree) {
   let defIdCounter = 1;
   let useIdCounter = 1;
   const scopeStack = [/* @__PURE__ */ new Map()];
+  const positionalParams = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "*"];
+  for (const p of positionalParams) {
+    const def = {
+      id: defIdCounter++,
+      variable: p,
+      line: 0,
+      kind: "param"
+    };
+    defs.push(def);
+    currentScope(scopeStack).set(p, def.id);
+  }
   walkTree(tree.rootNode, (node) => {
     if (node.type === "variable_assignment") {
       const nameNode = node.childForFieldName("name");
@@ -8721,11 +9089,6 @@ function buildBashDFG(tree) {
         };
         defs.push(def);
         currentScope(scopeStack).set(varName, def.id);
-        const valueNode = node.childForFieldName("value");
-        if (valueNode) {
-          extractBashUses(valueNode, uses, useIdCounter, scopeStack);
-          useIdCounter = uses.length + 1;
-        }
       }
     } else if (node.type === "command") {
       const nameNode = node.childForFieldName("name");
@@ -8791,37 +9154,6 @@ function buildBashDFG(tree) {
   const chains = computeChains(defs, uses);
   return { defs, uses, chains };
 }
-function extractBashUses(node, uses, _startId, scopeStack) {
-  walkTree(node, (child) => {
-    if (child.type === "simple_expansion") {
-      const varNameNode = child.namedChildCount > 0 ? child.namedChild(0) : null;
-      if (varNameNode) {
-        const varName = getNodeText(varNameNode);
-        if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
-          const reachingDef = findReachingDef(varName, scopeStack);
-          uses.push({
-            id: uses.length + 1,
-            variable: varName,
-            line: child.startPosition.row + 1,
-            def_id: reachingDef
-          });
-        }
-      }
-    } else if (child.type === "expansion") {
-      const varNameNode = child.namedChildCount > 0 ? child.namedChild(0) : null;
-      if (varNameNode && varNameNode.type === "variable_name") {
-        const varName = getNodeText(varNameNode);
-        const reachingDef = findReachingDef(varName, scopeStack);
-        uses.push({
-          id: uses.length + 1,
-          variable: varName,
-          line: child.startPosition.row + 1,
-          def_id: reachingDef
-        });
-      }
-    }
-  });
-}
 function buildRustDFG(tree, cache) {
   const defs = [];
   const uses = [];
@@ -8984,41 +9316,294 @@ function isRustKeyword(name2) {
   ]);
   return keywords.has(name2);
 }
-
-// src/analysis/config-loader.ts
-var DEFAULT_SOURCES = [
-  // HTTP Sources (Servlet API)
-  { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterValues", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterMap", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterNames", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getHeader", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getHeaders", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getHeaderNames", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getQueryString", class: "HttpServletRequest", type: "http_query", severity: "high", return_tainted: true },
-  { method: "getCookies", class: "HttpServletRequest", type: "http_cookie", severity: "high", return_tainted: true },
-  { method: "getInputStream", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
-  { method: "getReader", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
-  { method: "getPathInfo", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getRequestURI", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getRequestURL", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getServletPath", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
-  { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  // Additional HTTP request methods that can be attacker-controlled
-  { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getAuthType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getRemoteUser", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getMethod", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
-  { method: "getContentType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getCharacterEncoding", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
-  // Enumeration/Iterator sources (from request.getHeaders(), etc.)
-  { method: "nextElement", class: "Enumeration", type: "http_header", severity: "high", return_tainted: true },
-  { method: "nextElement", type: "http_header", severity: "high", return_tainted: true },
-  // Cookie sources
-  { method: "getValue", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
+var GO_KEYWORDS = /* @__PURE__ */ new Set([
+  "break",
+  "case",
+  "chan",
+  "const",
+  "continue",
+  "default",
+  "defer",
+  "else",
+  "fallthrough",
+  "for",
+  "func",
+  "go",
+  "goto",
+  "if",
+  "import",
+  "interface",
+  "map",
+  "package",
+  "range",
+  "return",
+  "select",
+  "struct",
+  "switch",
+  "type",
+  "var",
+  "true",
+  "false",
+  "nil",
+  "iota",
+  "append",
+  "cap",
+  "close",
+  "complex",
+  "copy",
+  "delete",
+  "imag",
+  "len",
+  "make",
+  "new",
+  "panic",
+  "print",
+  "println",
+  "real",
+  "recover",
+  "string",
+  "int",
+  "int8",
+  "int16",
+  "int32",
+  "int64",
+  "uint",
+  "uint8",
+  "uint16",
+  "uint32",
+  "uint64",
+  "float32",
+  "float64",
+  "complex64",
+  "complex128",
+  "byte",
+  "rune",
+  "bool",
+  "error",
+  "any"
+]);
+function buildGoDFG(tree) {
+  const defs = [];
+  const uses = [];
+  let defIdCounter = 1;
+  let useIdCounter = 1;
+  const scopeStack = [/* @__PURE__ */ new Map()];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    scopeStack.push(/* @__PURE__ */ new Map());
+    const params = func2.childForFieldName("parameters");
+    if (params) {
+      extractGoParamDefs(params, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const receiver = func2.childForFieldName("receiver");
+    if (receiver) {
+      extractGoParamDefs(receiver, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const body2 = func2.childForFieldName("body");
+    if (body2) {
+      processGoBlock(body2, defs, uses, scopeStack, { defId: defIdCounter, useId: useIdCounter });
+      defIdCounter = defs.length + 1;
+      useIdCounter = uses.length + 1;
+    }
+    scopeStack.pop();
+  }
+  for (let i2 = 0; i2 < tree.rootNode.childCount; i2++) {
+    const child = tree.rootNode.child(i2);
+    if (!child) continue;
+    if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, { defId: defIdCounter });
+      defIdCounter = defs.length + 1;
+    }
+  }
+  const chains = computeChains(defs, uses);
+  return { defs, uses, chains };
+}
+function extractGoParamDefs(params, defs, _startId, scopeStack) {
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const param = params.child(i2);
+    if (!param || param.type !== "parameter_declaration") continue;
+    const typeNode = param.childForFieldName("type");
+    for (let j = 0; j < param.childCount; j++) {
+      const nameNode = param.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      if (nameNode === typeNode) continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "param",
+        line: param.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function processGoBlock(node, defs, uses, scopeStack, counters) {
+  walkTree(node, (child) => {
+    if (child.type === "short_var_declaration") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, counters);
+    } else if (child.type === "assignment_statement") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "for_statement") {
+      const rangeClause = findChildByTypeGo(child, "range_clause");
+      if (rangeClause) {
+        const left = rangeClause.childForFieldName("left");
+        if (left) {
+          extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+        }
+      }
+    } else if (child.type === "call_expression") {
+      extractGoUses(child, uses, scopeStack);
+    } else if (child.type === "return_statement") {
+      for (let i2 = 0; i2 < child.childCount; i2++) {
+        const expr = child.child(i2);
+        if (expr && expr.type !== "return") {
+          extractGoUses(expr, uses, scopeStack);
+        }
+      }
+    }
+  });
+}
+function processGoVarDecl(node, defs, scopeStack, _counters) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const spec = node.child(i2);
+    if (!spec || spec.type !== "var_spec") continue;
+    for (let j = 0; j < spec.childCount; j++) {
+      const nameNode = spec.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "local",
+        line: spec.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function extractGoLhsDefs(left, defs, scopeStack, line) {
+  if (left.type === "identifier") {
+    const varName = getNodeText(left);
+    if (varName === "_") return;
+    const def = {
+      id: defs.length + 1,
+      variable: varName,
+      kind: "local",
+      line
+    };
+    defs.push(def);
+    currentScope(scopeStack).set(varName, def.id);
+  } else if (left.type === "expression_list") {
+    for (let i2 = 0; i2 < left.childCount; i2++) {
+      const item = left.child(i2);
+      if (item && item.type === "identifier") {
+        const varName = getNodeText(item);
+        if (varName === "_") continue;
+        const def = {
+          id: defs.length + 1,
+          variable: varName,
+          kind: "local",
+          line
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    }
+  }
+}
+function extractGoUses(node, uses, scopeStack) {
+  walkTree(node, (child) => {
+    if (child.type === "identifier") {
+      const varName = getNodeText(child);
+      if (varName === "_" || GO_KEYWORDS.has(varName)) return;
+      const parent = child.parent;
+      if (parent?.type === "selector_expression" && parent.childForFieldName("field") === child) {
+        return;
+      }
+      if (parent?.type === "parameter_declaration" && parent.childForFieldName("type") === child) {
+        return;
+      }
+      if (parent?.type === "type_identifier") {
+        return;
+      }
+      const defId = findReachingDef(varName, scopeStack);
+      uses.push({
+        id: uses.length + 1,
+        variable: varName,
+        line: child.startPosition.row + 1,
+        def_id: defId
+      });
+    }
+  });
+}
+function findChildByTypeGo(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) return child;
+  }
+  return null;
+}
+
+// src/analysis/config-loader.ts
+var DEFAULT_SOURCES = [
+  // HTTP Sources (Servlet API)
+  { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterNames", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getHeaders", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getHeaderNames", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getQueryString", class: "HttpServletRequest", type: "http_query", severity: "high", return_tainted: true },
+  { method: "getCookies", class: "HttpServletRequest", type: "http_cookie", severity: "high", return_tainted: true },
+  { method: "getInputStream", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
+  { method: "getReader", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
+  { method: "getPathInfo", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestURI", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestURL", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getServletPath", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
+  { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  // Additional HTTP request methods that can be attacker-controlled
+  { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getAuthType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getRemoteUser", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getMethod", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
+  { method: "getContentType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getCharacterEncoding", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
+  // Enumeration/Iterator sources (from request.getHeaders(), etc.)
+  { method: "nextElement", class: "Enumeration", type: "http_header", severity: "high", return_tainted: true },
+  { method: "nextElement", type: "http_header", severity: "high", return_tainted: true },
+  // Cookie sources
+  { method: "getValue", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
   { method: "getName", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
   // I/O Sources (Scanner, BufferedReader, etc.)
   { method: "readLine", class: "BufferedReader", type: "io_input", severity: "high", return_tainted: true },
@@ -17937,185 +18522,758 @@ var BashPlugin = class extends BaseLanguagePlugin {
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [1]
+      },
+      {
+        method: "sqlite3",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // Path traversal via file operations (first arg is path)
+      {
+        method: "cat",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "rm",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "cp",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "mv",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "chmod",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      {
+        method: "chown",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      // SSRF — curl/wget with externally-controlled URL
+      {
+        method: "curl",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "wget",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      }
+    ];
+  }
+  /**
+   * Shell has no OOP receiver types.
+   */
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  /**
+   * Bash string literals: quoted strings and raw ($'...') strings.
+   */
+  isStringLiteral(node) {
+    return node.type === "string" || node.type === "raw_string" || node.type === "ansi_c_string";
+  }
+  /**
+   * Extract string value from bash string literal, stripping quotes.
+   */
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (node.type === "raw_string") {
+      return text.slice(1, -1);
+    }
+    if (node.type === "ansi_c_string") {
+      return text.slice(2, -1);
+    }
+    const match = text.match(/^"(.*)"$/s);
+    if (match) return match[1];
+    return text;
+  }
+  // Extraction methods — delegate to base extractors via generic walker
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+
+// src/languages/plugins/html.ts
+var HtmlPlugin = class extends BaseLanguagePlugin {
+  id = "html";
+  name = "HTML";
+  extensions = [".html", ".htm", ".xhtml"];
+  wasmPath = "tree-sitter-html.wasm";
+  nodeTypes = {
+    // HTML has no OOP constructs
+    classDeclaration: [],
+    interfaceDeclaration: [],
+    enumDeclaration: [],
+    functionDeclaration: [],
+    methodDeclaration: [],
+    // No expressions in HTML
+    methodCall: [],
+    functionCall: [],
+    assignment: [],
+    variableDeclaration: [],
+    // No parameters
+    parameter: [],
+    argument: [],
+    // No annotations
+    annotation: [],
+    decorator: [],
+    // No imports
+    importStatement: [],
+    // No control flow
+    ifStatement: [],
+    forStatement: [],
+    whileStatement: [],
+    tryStatement: [],
+    returnStatement: []
+  };
+  detectFramework(_context) {
+    return void 0;
+  }
+  getBuiltinSources() {
+    return [];
+  }
+  getBuiltinSinks() {
+    return [];
+  }
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  isStringLiteral(node) {
+    return node.type === "attribute_value" || node.type === "quoted_attribute_value";
+  }
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
+      return text.slice(1, -1);
+    }
+    return text;
+  }
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+
+// src/languages/plugins/go.ts
+var GoPlugin = class extends BaseLanguagePlugin {
+  id = "go";
+  name = "Go";
+  extensions = [".go"];
+  wasmPath = "tree-sitter-go.wasm";
+  nodeTypes = {
+    // Type declarations
+    classDeclaration: ["type_declaration"],
+    interfaceDeclaration: ["type_declaration"],
+    enumDeclaration: [],
+    // Go has no enums (uses iota constants)
+    functionDeclaration: ["function_declaration"],
+    methodDeclaration: ["method_declaration"],
+    // Expressions
+    methodCall: ["call_expression"],
+    functionCall: ["call_expression"],
+    assignment: ["short_var_declaration", "assignment_statement", "var_declaration"],
+    variableDeclaration: ["short_var_declaration", "var_declaration"],
+    // Parameters and arguments
+    parameter: ["parameter_declaration"],
+    argument: ["argument_list"],
+    // Annotations/decorators
+    annotation: [],
+    // Go has no annotations
+    decorator: [],
+    // Go has no decorators
+    // Imports
+    importStatement: ["import_declaration"],
+    // Control flow
+    ifStatement: ["if_statement"],
+    forStatement: ["for_statement"],
+    whileStatement: [],
+    // Go uses for with condition
+    tryStatement: [],
+    // Go uses defer/recover
+    returnStatement: ["return_statement"]
+  };
+  /**
+   * Detect Go web frameworks from imports.
+   */
+  detectFramework(context) {
+    const indicators = [];
+    let framework;
+    let confidence = 0;
+    for (const imp of context.imports) {
+      const path = imp.from_package || imp.imported_name;
+      if (path.includes("gin-gonic/gin")) {
+        framework = "gin";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("labstack/echo")) {
+        framework = "echo";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("gofiber/fiber")) {
+        framework = "fiber";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("go-chi/chi")) {
+        framework = "chi";
+        confidence = Math.max(confidence, 0.9);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("gorm.io/gorm")) {
+        indicators.push(`import: ${path}`);
+      }
+      if (path === "net/http") {
+        framework = framework || "net/http";
+        confidence = Math.max(confidence, 0.8);
+        indicators.push(`import: ${path}`);
+      }
+    }
+    if (framework) {
+      return { name: framework, confidence, indicators };
+    }
+    return void 0;
+  }
+  /**
+   * Go taint source patterns.
+   */
+  getBuiltinSources() {
+    return [
+      // net/http request methods
+      {
+        method: "FormValue",
+        class: "Request",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "PostFormValue",
+        class: "Request",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Query",
+        class: "URL",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Get",
+        class: "Header",
+        type: "http_header",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      {
+        method: "Cookie",
+        class: "Request",
+        type: "http_cookie",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      // Gin framework
+      {
+        method: "Query",
+        class: "Context",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Param",
+        class: "Context",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "PostForm",
+        class: "Context",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "GetRawData",
+        class: "Context",
+        type: "http_body",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      // Standard library I/O
+      {
+        method: "Getenv",
+        class: "os",
+        type: "env_var",
+        severity: "medium",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "ReadAll",
+        class: "io",
+        type: "io_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      },
+      {
+        method: "ReadFile",
+        class: "os",
+        type: "file_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      },
+      {
+        method: "Text",
+        class: "Scanner",
+        type: "io_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      }
+    ];
+  }
+  /**
+   * Go taint sink patterns.
+   */
+  getBuiltinSinks() {
+    return [
+      // SQL Injection
+      {
+        method: "Query",
+        class: "DB",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [0]
+      },
+      {
+        method: "QueryRow",
+        class: "DB",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [0]
+      },
+      {
+        method: "Exec",
+        class: "DB",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [0]
       },
       {
-        method: "sqlite3",
+        method: "Query",
+        class: "Tx",
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
-      // Path traversal via file operations (first arg is path)
+      // Command Injection
       {
-        method: "cat",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "high",
+        method: "Command",
+        class: "exec",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
         argPositions: [0]
       },
       {
-        method: "rm",
+        method: "CommandContext",
+        class: "exec",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // Path Traversal
+      {
+        method: "Open",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "cp",
+        method: "ReadFile",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "mv",
+        method: "WriteFile",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
+      // XSS (writing to http.ResponseWriter without escaping)
       {
-        method: "chmod",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "medium",
+        method: "Fprintf",
+        class: "fmt",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
         argPositions: [1]
       },
       {
-        method: "chown",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "medium",
-        argPositions: [1]
+        method: "Write",
+        class: "ResponseWriter",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
+        argPositions: [0]
       },
-      // SSRF — curl/wget with externally-controlled URL
+      // SSRF
       {
-        method: "curl",
+        method: "Get",
+        class: "http",
         type: "ssrf",
         cwe: "CWE-918",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "wget",
+        method: "Post",
+        class: "http",
         type: "ssrf",
         cwe: "CWE-918",
         severity: "high",
+        argPositions: [0, 2]
+      },
+      // Deserialization
+      {
+        method: "Unmarshal",
+        class: "json",
+        type: "deserialization",
+        cwe: "CWE-502",
+        severity: "medium",
+        argPositions: [0]
+      },
+      {
+        method: "Decode",
+        class: "Decoder",
+        type: "deserialization",
+        cwe: "CWE-502",
+        severity: "medium",
         argPositions: [0]
       }
     ];
   }
   /**
-   * Shell has no OOP receiver types.
+   * Get receiver type from a Go call expression.
    */
-  getReceiverType(_node, _context) {
+  getReceiverType(node, _context) {
+    if (node.type !== "call_expression") return void 0;
+    const func2 = node.childForFieldName("function");
+    if (!func2) return void 0;
+    if (func2.type === "selector_expression") {
+      const operand = func2.childForFieldName("operand");
+      if (operand) {
+        return operand.text;
+      }
+    }
     return void 0;
   }
   /**
-   * Bash string literals: quoted strings and raw ($'...') strings.
+   * Check if node is a Go string literal.
    */
   isStringLiteral(node) {
-    return node.type === "string" || node.type === "raw_string" || node.type === "ansi_c_string";
+    return node.type === "interpreted_string_literal" || node.type === "raw_string_literal";
   }
   /**
-   * Extract string value from bash string literal, stripping quotes.
+   * Get string value from Go string literal.
    */
   getStringValue(node) {
     if (!this.isStringLiteral(node)) return void 0;
     const text = node.text;
-    if (node.type === "raw_string") {
+    if (text.startsWith("`") && text.endsWith("`")) {
       return text.slice(1, -1);
     }
-    if (node.type === "ansi_c_string") {
-      return text.slice(2, -1);
+    if (text.startsWith('"') && text.endsWith('"')) {
+      return text.slice(1, -1);
     }
-    const match = text.match(/^"(.*)"$/s);
-    if (match) return match[1];
     return text;
   }
-  // Extraction methods — delegate to base extractors via generic walker
-  extractTypes(_context) {
-    return [];
-  }
-  extractCalls(_context) {
-    return [];
-  }
-  extractImports(_context) {
-    return [];
-  }
-  extractPackage(_context) {
-    return void 0;
-  }
-};
-
-// src/languages/plugins/html.ts
-var HtmlPlugin = class extends BaseLanguagePlugin {
-  id = "html";
-  name = "HTML";
-  extensions = [".html", ".htm", ".xhtml"];
-  wasmPath = "tree-sitter-html.wasm";
-  nodeTypes = {
-    // HTML has no OOP constructs
-    classDeclaration: [],
-    interfaceDeclaration: [],
-    enumDeclaration: [],
-    functionDeclaration: [],
-    methodDeclaration: [],
-    // No expressions in HTML
-    methodCall: [],
-    functionCall: [],
-    assignment: [],
-    variableDeclaration: [],
-    // No parameters
-    parameter: [],
-    argument: [],
-    // No annotations
-    annotation: [],
-    decorator: [],
-    // No imports
-    importStatement: [],
-    // No control flow
-    ifStatement: [],
-    forStatement: [],
-    whileStatement: [],
-    tryStatement: [],
-    returnStatement: []
-  };
-  detectFramework(_context) {
-    return void 0;
+  /**
+   * Extract type information from Go source.
+   */
+  extractTypes(context) {
+    const types = [];
+    const root = context.tree.rootNode;
+    const typeDecls = this.findNodes(root, "type_declaration");
+    for (const decl of typeDecls) {
+      for (let i2 = 0; i2 < decl.childCount; i2++) {
+        const spec = decl.child(i2);
+        if (!spec || spec.type !== "type_spec") continue;
+        const nameNode = spec.childForFieldName("name");
+        const typeNode = spec.childForFieldName("type");
+        if (!nameNode || !typeNode) continue;
+        const name2 = nameNode.text;
+        const isInterface = typeNode.type === "interface_type";
+        const isStruct = typeNode.type === "struct_type";
+        if (isStruct || isInterface) {
+          const fields = [];
+          const methods = [];
+          if (isStruct) {
+            const fieldList = typeNode.childForFieldName("fields") ?? this.findChildByType(typeNode, "field_declaration_list");
+            if (fieldList) {
+              for (let j = 0; j < fieldList.childCount; j++) {
+                const field = fieldList.child(j);
+                if (!field || field.type !== "field_declaration") continue;
+                const fieldName = field.childForFieldName("name");
+                const fieldType = field.childForFieldName("type");
+                if (fieldName) {
+                  fields.push({
+                    name: fieldName.text,
+                    type: fieldType?.text || null,
+                    modifiers: [],
+                    annotations: []
+                  });
+                }
+              }
+            }
+          }
+          const methodDecls = this.findNodes(root, "method_declaration");
+          for (const md of methodDecls) {
+            const receiver = md.childForFieldName("receiver");
+            if (!receiver) continue;
+            const receiverText = receiver.text;
+            if (receiverText.includes(name2)) {
+              const methodName = md.childForFieldName("name");
+              const params = md.childForFieldName("parameters");
+              const result = md.childForFieldName("result");
+              if (methodName) {
+                methods.push({
+                  name: methodName.text,
+                  return_type: result?.text || null,
+                  parameters: params ? this.extractGoParams(params) : [],
+                  annotations: [],
+                  modifiers: [],
+                  start_line: md.startPosition.row + 1,
+                  end_line: md.endPosition.row + 1
+                });
+              }
+            }
+          }
+          types.push({
+            name: name2,
+            kind: isInterface ? "interface" : "class",
+            package: context.package || null,
+            extends: null,
+            implements: [],
+            annotations: [],
+            methods,
+            fields,
+            start_line: decl.startPosition.row + 1,
+            end_line: decl.endPosition.row + 1
+          });
+        }
+      }
+    }
+    return types;
   }
-  getBuiltinSources() {
-    return [];
+  /**
+   * Extract call information from Go source.
+   */
+  extractCalls(context) {
+    const calls = [];
+    const root = context.tree.rootNode;
+    const callExprs = this.findNodes(root, "call_expression");
+    for (const call of callExprs) {
+      const func2 = call.childForFieldName("function");
+      if (!func2) continue;
+      let methodName;
+      let receiver = null;
+      if (func2.type === "selector_expression") {
+        const operand = func2.childForFieldName("operand");
+        const field = func2.childForFieldName("field");
+        receiver = operand?.text || null;
+        methodName = field?.text || func2.text;
+      } else {
+        methodName = func2.text;
+      }
+      const args2 = call.childForFieldName("arguments");
+      const argInfos = [];
+      let argPos = 0;
+      if (args2) {
+        for (let i2 = 0; i2 < args2.childCount; i2++) {
+          const arg = args2.child(i2);
+          if (arg && arg.type !== "(" && arg.type !== ")" && arg.type !== ",") {
+            argInfos.push({
+              position: argPos++,
+              expression: arg.text,
+              variable: arg.type === "identifier" ? arg.text : null,
+              literal: arg.type === "interpreted_string_literal" || arg.type === "int_literal" ? arg.text : null
+            });
+          }
+        }
+      }
+      calls.push({
+        method_name: methodName,
+        receiver,
+        arguments: argInfos,
+        location: {
+          line: call.startPosition.row + 1,
+          column: call.startPosition.column
+        }
+      });
+    }
+    return calls;
   }
-  getBuiltinSinks() {
-    return [];
+  /**
+   * Extract import information from Go source.
+   */
+  extractImports(context) {
+    const imports = [];
+    const root = context.tree.rootNode;
+    const importDecls = this.findNodes(root, "import_declaration");
+    for (const decl of importDecls) {
+      const singleSpec = this.findChildByType(decl, "import_spec");
+      if (singleSpec) {
+        const parsed = this.parseImportSpec(singleSpec);
+        if (parsed) imports.push(parsed);
+        continue;
+      }
+      const specList = this.findChildByType(decl, "import_spec_list");
+      if (specList) {
+        for (let i2 = 0; i2 < specList.childCount; i2++) {
+          const spec = specList.child(i2);
+          if (!spec || spec.type !== "import_spec") continue;
+          const parsed = this.parseImportSpec(spec);
+          if (parsed) imports.push(parsed);
+        }
+      }
+    }
+    return imports;
   }
-  getReceiverType(_node, _context) {
+  /**
+   * Extract package name from Go source.
+   */
+  extractPackage(context) {
+    const root = context.tree.rootNode;
+    const pkgClause = this.findChildByType(root, "package_clause");
+    if (!pkgClause) return void 0;
+    for (let i2 = 0; i2 < pkgClause.childCount; i2++) {
+      const child = pkgClause.child(i2);
+      if (child && child.type === "package_identifier") {
+        return child.text;
+      }
+    }
     return void 0;
   }
-  isStringLiteral(node) {
-    return node.type === "attribute_value" || node.type === "quoted_attribute_value";
-  }
-  getStringValue(node) {
-    if (!this.isStringLiteral(node)) return void 0;
-    const text = node.text;
-    if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
-      return text.slice(1, -1);
+  // ── Private helpers ─────────────────────────────────────────────────────
+  parseImportSpec(spec) {
+    let alias = null;
+    let path;
+    for (let i2 = 0; i2 < spec.childCount; i2++) {
+      const child = spec.child(i2);
+      if (!child) continue;
+      if (child.type === "package_identifier" || child.type === "blank_identifier" || child.type === "dot") {
+        alias = child.text;
+      }
+      if (child.type === "interpreted_string_literal") {
+        path = child.text.slice(1, -1);
+      }
     }
-    return text;
-  }
-  extractTypes(_context) {
-    return [];
-  }
-  extractCalls(_context) {
-    return [];
-  }
-  extractImports(_context) {
-    return [];
+    if (!path) return null;
+    const shortName = alias || path.split("/").pop() || path;
+    return {
+      imported_name: shortName,
+      from_package: path,
+      alias,
+      is_wildcard: alias === ".",
+      line_number: spec.startPosition.row + 1
+    };
   }
-  extractPackage(_context) {
-    return void 0;
+  extractGoParams(params) {
+    const result = [];
+    for (let i2 = 0; i2 < params.childCount; i2++) {
+      const param = params.child(i2);
+      if (!param || param.type !== "parameter_declaration") continue;
+      const nameNode = param.childForFieldName("name");
+      const typeNode = param.childForFieldName("type");
+      if (nameNode) {
+        result.push({
+          name: nameNode.text,
+          type: typeNode?.text || null,
+          annotations: []
+        });
+      }
+    }
+    return result;
   }
 };
 
@@ -18127,6 +19285,7 @@ function registerBuiltinPlugins() {
   registerLanguage(new RustPlugin());
   registerLanguage(new BashPlugin());
   registerLanguage(new HtmlPlugin());
+  registerLanguage(new GoPlugin());
 }
 
 // src/utils/logger.ts
@@ -18908,6 +20067,7 @@ var LanguageSourcesPass = class {
     }
     const jsTaintedVars = buildJavaScriptTaintedVars(code, language);
     if (language === "bash") {
+      additionalSources.push(...findBashTaintSources(code, graph.ir.dfg));
       const bashFindings = findBashPatternFindings(code, graph.ir.meta.file);
       for (const finding of bashFindings) {
         ctx.addFinding(finding);
@@ -19215,6 +20375,91 @@ function buildJavaScriptTaintedVars(sourceCode, language) {
   }
   return tainted;
 }
+var BASH_UNTRUSTED_ENV_PATTERNS = [
+  /^USER_INPUT$/i,
+  /^QUERY_STRING$/i,
+  /^REQUEST_/i,
+  /^HTTP_/i,
+  /^REMOTE_/i,
+  /^CONTENT_TYPE$/i,
+  /^CONTENT_LENGTH$/i,
+  /^PATH_INFO$/i,
+  /^SCRIPT_NAME$/i,
+  /^SERVER_NAME$/i
+];
+var BASH_NETWORK_COMMANDS = /* @__PURE__ */ new Set(["curl", "wget", "nc", "ncat"]);
+var BASH_FILE_COMMANDS = /* @__PURE__ */ new Set(["cat", "head", "tail", "less", "more", "awk", "sed", "cut", "grep"]);
+function findBashTaintSources(sourceCode, dfg) {
+  const sources = [];
+  const lines = sourceCode.split("\n");
+  const definedVars = new Set(dfg.defs.filter((d) => d.kind === "local").map((d) => d.variable));
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const line = lines[i2];
+    const trimmed = line.trim();
+    const lineNumber = i2 + 1;
+    if (trimmed.startsWith("#")) continue;
+    const positionalRe = /\$([1-9@*])|\$\{([1-9@*])\}/g;
+    let m;
+    while ((m = positionalRe.exec(line)) !== null) {
+      const param = m[1] ?? m[2];
+      const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === param);
+      if (!alreadyExists) {
+        sources.push({
+          type: "io_input",
+          location: `positional parameter $${param}`,
+          severity: "high",
+          line: lineNumber,
+          confidence: 1,
+          variable: param
+        });
+      }
+    }
+    const cmdSubAssign = trimmed.match(/^(\w+)=\$\((\w+)\s/);
+    const cmdSubBacktick = trimmed.match(/^(\w+)=`(\w+)\s/);
+    const csMatch = cmdSubAssign ?? cmdSubBacktick;
+    if (csMatch) {
+      const [, varName, cmd] = csMatch;
+      if (BASH_NETWORK_COMMANDS.has(cmd)) {
+        sources.push({
+          type: "network_input",
+          location: `${varName}=$(${cmd} ...) \u2014 network command output`,
+          severity: "high",
+          line: lineNumber,
+          confidence: 0.9,
+          variable: varName
+        });
+      } else if (BASH_FILE_COMMANDS.has(cmd)) {
+        sources.push({
+          type: "file_input",
+          location: `${varName}=$(${cmd} ...) \u2014 file command output`,
+          severity: "medium",
+          line: lineNumber,
+          confidence: 0.7,
+          variable: varName
+        });
+      }
+    }
+    const envRe = /\$([A-Z][A-Z0-9_]{2,})|\$\{([A-Z][A-Z0-9_]{2,})\}/g;
+    let em;
+    while ((em = envRe.exec(line)) !== null) {
+      const envVar = em[1] ?? em[2];
+      if (!definedVars.has(envVar) && BASH_UNTRUSTED_ENV_PATTERNS.some((p) => p.test(envVar))) {
+        const alreadyExists = sources.some((s) => s.line === lineNumber && s.variable === envVar);
+        if (!alreadyExists) {
+          sources.push({
+            type: "env_input",
+            location: `environment variable $${envVar}`,
+            severity: "medium",
+            line: lineNumber,
+            confidence: 0.8,
+            variable: envVar
+          });
+        }
+      }
+    }
+  }
+  return sources;
+}
 var BASH_CREDENTIAL_PATTERN = /^(.*?)(password|passwd|secret|api_?key|token|auth_token|private_key|access_key)\s*=\s*["']?([^"'\s$][^"'\s]*)["']?\s*$/i;
 function findBashPatternFindings(sourceCode, file) {
   const findings = [];
@@ -24266,6 +25511,26 @@ function getNodeTypesForLanguage(language) {
         "self_closing_tag",
         "text"
       ]);
+    case "go":
+      return /* @__PURE__ */ new Set([
+        "call_expression",
+        "function_declaration",
+        "method_declaration",
+        "package_clause",
+        "import_declaration",
+        "import_spec",
+        "var_declaration",
+        "short_var_declaration",
+        "assignment_statement",
+        "type_declaration",
+        "if_statement",
+        "for_statement",
+        "return_statement",
+        "defer_statement",
+        "go_statement",
+        "selector_expression",
+        "identifier"
+      ]);
     default:
       return /* @__PURE__ */ new Set([
         "method_invocation",