circle-ir 3.21.0 → 3.22.1

package/dist/browser/circle-ir.js

@@ -4297,6 +4297,9 @@ function extractTypes(tree, cache, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoTypes(tree, cache);
+  }
   if (isRust) {
     return extractRustTypes(tree, cache);
   }
@@ -5432,6 +5435,143 @@ function extractRustDerives(node) {
   }
   return derives;
 }
+function extractGoTypes(tree, cache) {
+  const types = [];
+  const root = tree.rootNode;
+  const typeDecls = getNodesFromCache(root, "type_declaration", cache);
+  for (const decl of typeDecls) {
+    for (let i2 = 0; i2 < decl.childCount; i2++) {
+      const spec = decl.child(i2);
+      if (!spec || spec.type !== "type_spec") continue;
+      const nameNode = spec.childForFieldName("name");
+      const typeNode = spec.childForFieldName("type");
+      if (!nameNode || !typeNode) continue;
+      const name2 = getNodeText(nameNode);
+      const isInterface = typeNode.type === "interface_type";
+      const isStruct = typeNode.type === "struct_type";
+      if (!isStruct && !isInterface) continue;
+      const fields = [];
+      const methods = [];
+      if (isStruct) {
+        const fieldList = findChildByType(typeNode, "field_declaration_list");
+        if (fieldList) {
+          for (let j = 0; j < fieldList.childCount; j++) {
+            const field = fieldList.child(j);
+            if (!field || field.type !== "field_declaration") continue;
+            const fieldName = field.childForFieldName("name");
+            const fieldType = field.childForFieldName("type");
+            if (fieldName) {
+              fields.push({
+                name: getNodeText(fieldName),
+                type: fieldType ? getNodeText(fieldType) : null,
+                modifiers: [],
+                annotations: []
+              });
+            }
+          }
+        }
+      }
+      const methodDecls = getNodesFromCache(root, "method_declaration", cache);
+      for (const md of methodDecls) {
+        const receiver = md.childForFieldName("receiver");
+        if (!receiver) continue;
+        const receiverText = getNodeText(receiver);
+        if (receiverText.includes(name2)) {
+          const methodNameNode = md.childForFieldName("name");
+          const params = md.childForFieldName("parameters");
+          const result = md.childForFieldName("result");
+          if (methodNameNode) {
+            methods.push({
+              name: getNodeText(methodNameNode),
+              return_type: result ? getNodeText(result) : null,
+              parameters: params ? extractGoParameters(params) : [],
+              annotations: [],
+              modifiers: [],
+              start_line: md.startPosition.row + 1,
+              end_line: md.endPosition.row + 1
+            });
+          }
+        }
+      }
+      let pkg = null;
+      const pkgClause = findChildByType(root, "package_clause");
+      if (pkgClause) {
+        for (let j = 0; j < pkgClause.childCount; j++) {
+          const child = pkgClause.child(j);
+          if (child && child.type === "package_identifier") {
+            pkg = getNodeText(child);
+            break;
+          }
+        }
+      }
+      types.push({
+        name: name2,
+        kind: isInterface ? "interface" : "class",
+        package: pkg,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods,
+        fields,
+        start_line: decl.startPosition.row + 1,
+        end_line: decl.endPosition.row + 1
+      });
+    }
+  }
+  const functions = getNodesFromCache(root, "function_declaration", cache);
+  if (functions.length > 0) {
+    const moduleFunctions = [];
+    for (const func2 of functions) {
+      const nameNode = func2.childForFieldName("name");
+      const params = func2.childForFieldName("parameters");
+      const result = func2.childForFieldName("result");
+      if (nameNode) {
+        moduleFunctions.push({
+          name: getNodeText(nameNode),
+          return_type: result ? getNodeText(result) : null,
+          parameters: params ? extractGoParameters(params) : [],
+          annotations: [],
+          modifiers: [],
+          start_line: func2.startPosition.row + 1,
+          end_line: func2.endPosition.row + 1
+        });
+      }
+    }
+    if (moduleFunctions.length > 0) {
+      types.push({
+        name: "<module>",
+        kind: "class",
+        package: null,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods: moduleFunctions,
+        fields: [],
+        start_line: 1,
+        end_line: root.endPosition.row + 1
+      });
+    }
+  }
+  return types;
+}
+function extractGoParameters(params) {
+  const parameters = [];
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const child = params.child(i2);
+    if (!child || child.type !== "parameter_declaration") continue;
+    const nameNode = child.childForFieldName("name");
+    const typeNode = child.childForFieldName("type");
+    if (nameNode) {
+      parameters.push({
+        name: getNodeText(nameNode),
+        type: typeNode ? getNodeText(typeNode) : null,
+        annotations: [],
+        line: child.startPosition.row + 1
+      });
+    }
+  }
+  return parameters;
+}
 function findChildByType(node, type) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
@@ -5479,6 +5619,9 @@ function extractCalls(tree, cache, language) {
   const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
+  if (detectedLanguage === "go") {
+    return extractGoCalls(tree, cache);
+  }
   if (detectedLanguage === "bash") {
     return extractBashCalls(tree, cache);
   }
@@ -6205,7 +6348,7 @@ function extractBashCommandInfo(node) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
     if (!child) continue;
-    if (child === nameNode) continue;
+    if (child === nameNode || child.id === nameNode.id) continue;
     if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
       continue;
     }
@@ -6761,6 +6904,104 @@ function resolveRustCall(methodName, receiver, context) {
     status: "external_method"
   };
 }
+function extractGoCalls(tree, cache) {
+  const calls = [];
+  const callExpressions = getNodesFromCache(tree.rootNode, "call_expression", cache);
+  for (const call of callExpressions) {
+    const callInfo = extractGoCallInfo(call);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  return calls;
+}
+function extractGoCallInfo(node) {
+  const funcNode = node.childForFieldName("function");
+  if (!funcNode) return null;
+  let methodName;
+  let receiver = null;
+  if (funcNode.type === "selector_expression") {
+    const operand = funcNode.childForFieldName("operand");
+    const field = funcNode.childForFieldName("field");
+    receiver = operand ? getNodeText(operand) : null;
+    methodName = field ? getNodeText(field) : getNodeText(funcNode);
+  } else if (funcNode.type === "identifier") {
+    methodName = getNodeText(funcNode);
+  } else {
+    methodName = getNodeText(funcNode);
+  }
+  const argsNode = node.childForFieldName("arguments");
+  const args2 = argsNode ? extractGoArguments(argsNode) : [];
+  const inMethod = findGoEnclosingFunction(node);
+  return {
+    method_name: methodName,
+    receiver,
+    arguments: args2,
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: inMethod,
+    resolved: false,
+    resolution: { status: "external_method" }
+  };
+}
+function extractGoArguments(argsNode) {
+  const args2 = [];
+  let position = 0;
+  for (let i2 = 0; i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child) continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",") continue;
+    const expression = getNodeText(child);
+    const variable = child.type === "identifier" ? expression : null;
+    const literal = isGoLiteral(child) ? extractGoLiteralValue(child) : null;
+    args2.push({
+      position: position++,
+      expression,
+      variable,
+      literal
+    });
+  }
+  return args2;
+}
+function isGoLiteral(node) {
+  const literalTypes = /* @__PURE__ */ new Set([
+    "interpreted_string_literal",
+    "raw_string_literal",
+    "int_literal",
+    "float_literal",
+    "true",
+    "false",
+    "nil"
+  ]);
+  return literalTypes.has(node.type);
+}
+function extractGoLiteralValue(node) {
+  const text = getNodeText(node);
+  if (node.type === "interpreted_string_literal") {
+    return text.slice(1, -1);
+  }
+  if (node.type === "raw_string_literal") {
+    return text.slice(1, -1);
+  }
+  return text;
+}
+function findGoEnclosingFunction(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "function_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    if (current.type === "method_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    current = current.parent;
+  }
+  return null;
+}
 
 // src/core/extractors/imports.ts
 function detectLanguage2(tree) {
@@ -6815,6 +7056,9 @@ function extractImports(tree, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoImports(tree);
+  }
   if (isRust) {
     return extractRustImports(tree);
   }
@@ -7362,6 +7606,61 @@ function extractRustScopedUseList(node, lineNumber) {
   }
   return imports;
 }
+function extractGoImports(tree) {
+  const imports = [];
+  const importDecls = findNodes(tree.rootNode, "import_declaration");
+  for (const decl of importDecls) {
+    const singleSpec = findGoChildByType(decl, "import_spec");
+    if (singleSpec) {
+      const parsed = parseGoImportSpec(singleSpec);
+      if (parsed) imports.push(parsed);
+      continue;
+    }
+    const specList = findGoChildByType(decl, "import_spec_list");
+    if (specList) {
+      for (let i2 = 0; i2 < specList.childCount; i2++) {
+        const spec = specList.child(i2);
+        if (!spec || spec.type !== "import_spec") continue;
+        const parsed = parseGoImportSpec(spec);
+        if (parsed) imports.push(parsed);
+      }
+    }
+  }
+  return imports;
+}
+function parseGoImportSpec(spec) {
+  let alias = null;
+  let path;
+  for (let i2 = 0; i2 < spec.childCount; i2++) {
+    const child = spec.child(i2);
+    if (!child) continue;
+    if (child.type === "package_identifier" || child.type === "blank_identifier" || child.type === "dot") {
+      alias = getNodeText(child);
+    }
+    if (child.type === "interpreted_string_literal") {
+      const text = getNodeText(child);
+      path = text.slice(1, -1);
+    }
+  }
+  if (!path) return null;
+  const shortName = alias || path.split("/").pop() || path;
+  return {
+    imported_name: shortName,
+    from_package: path,
+    alias,
+    is_wildcard: alias === ".",
+    line_number: spec.startPosition.row + 1
+  };
+}
+function findGoChildByType(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) {
+      return child;
+    }
+  }
+  return null;
+}
 
 // src/core/extractors/exports.ts
 function extractExports(types) {
@@ -7453,6 +7752,9 @@ function buildCFG(tree, language) {
   if (effectiveLanguage === "bash") {
     return buildBashCFG(tree, blockIdCounter);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoCFG(tree, blockIdCounter);
+  }
   if (isJavaScript) {
     const functions = [
       ...findNodes(tree.rootNode, "function_declaration"),
@@ -7929,6 +8231,58 @@ function isStatement(node, isJavaScript) {
   ]);
   return isJavaScript ? jsStatementTypes.has(node.type) : javaStatementTypes.has(node.type);
 }
+function buildGoCFG(tree, blockIdCounter) {
+  const allBlocks = [];
+  const allEdges = [];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    const body2 = func2.childForFieldName("body");
+    if (!body2 || body2.type !== "block") continue;
+    const { blocks, edges, nextId } = buildMethodCFG(body2, blockIdCounter, false);
+    allBlocks.push(...blocks);
+    allEdges.push(...edges);
+    blockIdCounter = nextId;
+  }
+  const hasTopLevelDecls = tree.rootNode.children.some(
+    (c) => c !== null && isGoStatement(c)
+  );
+  if (hasTopLevelDecls) {
+    const block = {
+      id: blockIdCounter++,
+      type: "normal",
+      start_line: 1,
+      end_line: tree.rootNode.endPosition.row + 1
+    };
+    allBlocks.push(block);
+  }
+  return { blocks: allBlocks, edges: allEdges };
+}
+function isGoStatement(node) {
+  const goStatementTypes = /* @__PURE__ */ new Set([
+    "short_var_declaration",
+    "var_declaration",
+    "assignment_statement",
+    "expression_statement",
+    "if_statement",
+    "for_statement",
+    "switch_statement",
+    "type_switch_statement",
+    "select_statement",
+    "return_statement",
+    "go_statement",
+    "defer_statement",
+    "send_statement",
+    "inc_statement",
+    "dec_statement",
+    "block",
+    "type_declaration",
+    "const_declaration"
+  ]);
+  return goStatementTypes.has(node.type);
+}
 
 // src/core/extractors/dfg.ts
 function detectLanguage4(tree) {
@@ -7976,6 +8330,9 @@ function buildDFG(tree, cache, language) {
   if (effectiveLanguage === "bash") {
     return buildBashDFG(tree);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoDFG(tree);
+  }
   return buildJavaDFG(tree, cache);
 }
 function buildJavaDFG(tree, cache) {
@@ -8959,68 +9316,321 @@ function isRustKeyword(name2) {
   ]);
   return keywords.has(name2);
 }
-
-// src/analysis/config-loader.ts
-var DEFAULT_SOURCES = [
-  // HTTP Sources (Servlet API)
-  { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterValues", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterMap", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterNames", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getHeader", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getHeaders", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getHeaderNames", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getQueryString", class: "HttpServletRequest", type: "http_query", severity: "high", return_tainted: true },
-  { method: "getCookies", class: "HttpServletRequest", type: "http_cookie", severity: "high", return_tainted: true },
-  { method: "getInputStream", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
-  { method: "getReader", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
-  { method: "getPathInfo", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getRequestURI", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getRequestURL", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getServletPath", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
-  { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  // Additional HTTP request methods that can be attacker-controlled
-  { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getAuthType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getRemoteUser", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getMethod", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
-  { method: "getContentType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getCharacterEncoding", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
-  // Enumeration/Iterator sources (from request.getHeaders(), etc.)
-  { method: "nextElement", class: "Enumeration", type: "http_header", severity: "high", return_tainted: true },
-  { method: "nextElement", type: "http_header", severity: "high", return_tainted: true },
-  // Cookie sources
-  { method: "getValue", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
-  { method: "getName", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
-  // I/O Sources (Scanner, BufferedReader, etc.)
-  { method: "readLine", class: "BufferedReader", type: "io_input", severity: "high", return_tainted: true },
-  { method: "readLine", type: "io_input", severity: "high", return_tainted: true },
-  { method: "nextLine", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
-  { method: "next", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
-  { method: "nextInt", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
-  // Database result sources
-  { method: "getString", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
-  { method: "getObject", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
-  { method: "getInt", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
-  // Spring annotations
-  { annotation: "RequestParam", type: "http_param", severity: "high", param_tainted: true },
-  { annotation: "RequestBody", type: "http_body", severity: "high", param_tainted: true },
-  { annotation: "PathVariable", type: "http_path", severity: "medium", param_tainted: true },
-  { annotation: "RequestHeader", type: "http_header", severity: "high", param_tainted: true },
-  { annotation: "CookieValue", type: "http_cookie", severity: "high", param_tainted: true },
-  // JAX-RS annotations
-  { annotation: "QueryParam", type: "http_param", severity: "high", param_tainted: true },
-  { annotation: "FormParam", type: "http_param", severity: "high", param_tainted: true },
-  { annotation: "PathParam", type: "http_path", severity: "medium", param_tainted: true },
-  { annotation: "HeaderParam", type: "http_header", severity: "high", param_tainted: true },
-  // Environment
-  { method: "getenv", class: "System", type: "env_input", severity: "medium", return_tainted: true },
-  { method: "getProperty", class: "System", type: "env_input", severity: "medium", return_tainted: true },
-  // Note: Properties.getProperty is NOT included by default as it causes many false positives
-  // in OWASP Benchmark. Include it via custom config if needed for specific analyses.
+var GO_KEYWORDS = /* @__PURE__ */ new Set([
+  "break",
+  "case",
+  "chan",
+  "const",
+  "continue",
+  "default",
+  "defer",
+  "else",
+  "fallthrough",
+  "for",
+  "func",
+  "go",
+  "goto",
+  "if",
+  "import",
+  "interface",
+  "map",
+  "package",
+  "range",
+  "return",
+  "select",
+  "struct",
+  "switch",
+  "type",
+  "var",
+  "true",
+  "false",
+  "nil",
+  "iota",
+  "append",
+  "cap",
+  "close",
+  "complex",
+  "copy",
+  "delete",
+  "imag",
+  "len",
+  "make",
+  "new",
+  "panic",
+  "print",
+  "println",
+  "real",
+  "recover",
+  "string",
+  "int",
+  "int8",
+  "int16",
+  "int32",
+  "int64",
+  "uint",
+  "uint8",
+  "uint16",
+  "uint32",
+  "uint64",
+  "float32",
+  "float64",
+  "complex64",
+  "complex128",
+  "byte",
+  "rune",
+  "bool",
+  "error",
+  "any"
+]);
+function buildGoDFG(tree) {
+  const defs = [];
+  const uses = [];
+  let defIdCounter = 1;
+  let useIdCounter = 1;
+  const scopeStack = [/* @__PURE__ */ new Map()];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    scopeStack.push(/* @__PURE__ */ new Map());
+    const params = func2.childForFieldName("parameters");
+    if (params) {
+      extractGoParamDefs(params, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const receiver = func2.childForFieldName("receiver");
+    if (receiver) {
+      extractGoParamDefs(receiver, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const body2 = func2.childForFieldName("body");
+    if (body2) {
+      processGoBlock(body2, defs, uses, scopeStack, { defId: defIdCounter, useId: useIdCounter });
+      defIdCounter = defs.length + 1;
+      useIdCounter = uses.length + 1;
+    }
+    scopeStack.pop();
+  }
+  for (let i2 = 0; i2 < tree.rootNode.childCount; i2++) {
+    const child = tree.rootNode.child(i2);
+    if (!child) continue;
+    if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, { defId: defIdCounter });
+      defIdCounter = defs.length + 1;
+    }
+  }
+  const chains = computeChains(defs, uses);
+  return { defs, uses, chains };
+}
+function extractGoParamDefs(params, defs, _startId, scopeStack) {
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const param = params.child(i2);
+    if (!param || param.type !== "parameter_declaration") continue;
+    const typeNode = param.childForFieldName("type");
+    for (let j = 0; j < param.childCount; j++) {
+      const nameNode = param.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      if (nameNode === typeNode) continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "param",
+        line: param.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function processGoBlock(node, defs, uses, scopeStack, counters) {
+  walkTree(node, (child) => {
+    if (child.type === "short_var_declaration") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, counters);
+    } else if (child.type === "assignment_statement") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "for_statement") {
+      const rangeClause = findChildByTypeGo(child, "range_clause");
+      if (rangeClause) {
+        const left = rangeClause.childForFieldName("left");
+        if (left) {
+          extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+        }
+      }
+    } else if (child.type === "call_expression") {
+      extractGoUses(child, uses, scopeStack);
+    } else if (child.type === "return_statement") {
+      for (let i2 = 0; i2 < child.childCount; i2++) {
+        const expr = child.child(i2);
+        if (expr && expr.type !== "return") {
+          extractGoUses(expr, uses, scopeStack);
+        }
+      }
+    }
+  });
+}
+function processGoVarDecl(node, defs, scopeStack, _counters) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const spec = node.child(i2);
+    if (!spec || spec.type !== "var_spec") continue;
+    for (let j = 0; j < spec.childCount; j++) {
+      const nameNode = spec.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "local",
+        line: spec.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function extractGoLhsDefs(left, defs, scopeStack, line) {
+  if (left.type === "identifier") {
+    const varName = getNodeText(left);
+    if (varName === "_") return;
+    const def = {
+      id: defs.length + 1,
+      variable: varName,
+      kind: "local",
+      line
+    };
+    defs.push(def);
+    currentScope(scopeStack).set(varName, def.id);
+  } else if (left.type === "expression_list") {
+    for (let i2 = 0; i2 < left.childCount; i2++) {
+      const item = left.child(i2);
+      if (item && item.type === "identifier") {
+        const varName = getNodeText(item);
+        if (varName === "_") continue;
+        const def = {
+          id: defs.length + 1,
+          variable: varName,
+          kind: "local",
+          line
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    }
+  }
+}
+function extractGoUses(node, uses, scopeStack) {
+  walkTree(node, (child) => {
+    if (child.type === "identifier") {
+      const varName = getNodeText(child);
+      if (varName === "_" || GO_KEYWORDS.has(varName)) return;
+      const parent = child.parent;
+      if (parent?.type === "selector_expression" && parent.childForFieldName("field") === child) {
+        return;
+      }
+      if (parent?.type === "parameter_declaration" && parent.childForFieldName("type") === child) {
+        return;
+      }
+      if (parent?.type === "type_identifier") {
+        return;
+      }
+      const defId = findReachingDef(varName, scopeStack);
+      uses.push({
+        id: uses.length + 1,
+        variable: varName,
+        line: child.startPosition.row + 1,
+        def_id: defId
+      });
+    }
+  });
+}
+function findChildByTypeGo(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) return child;
+  }
+  return null;
+}
+
+// src/analysis/config-loader.ts
+var DEFAULT_SOURCES = [
+  // HTTP Sources (Servlet API)
+  { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterNames", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getHeaders", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getHeaderNames", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getQueryString", class: "HttpServletRequest", type: "http_query", severity: "high", return_tainted: true },
+  { method: "getCookies", class: "HttpServletRequest", type: "http_cookie", severity: "high", return_tainted: true },
+  { method: "getInputStream", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
+  { method: "getReader", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
+  { method: "getPathInfo", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestURI", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestURL", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getServletPath", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
+  { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  // Additional HTTP request methods that can be attacker-controlled
+  { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getAuthType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getRemoteUser", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getMethod", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
+  { method: "getContentType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getCharacterEncoding", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
+  // Enumeration/Iterator sources (from request.getHeaders(), etc.)
+  { method: "nextElement", class: "Enumeration", type: "http_header", severity: "high", return_tainted: true },
+  { method: "nextElement", type: "http_header", severity: "high", return_tainted: true },
+  // Cookie sources
+  { method: "getValue", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
+  { method: "getName", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
+  // I/O Sources (Scanner, BufferedReader, etc.)
+  { method: "readLine", class: "BufferedReader", type: "io_input", severity: "high", return_tainted: true },
+  { method: "readLine", type: "io_input", severity: "high", return_tainted: true },
+  { method: "nextLine", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
+  { method: "next", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
+  { method: "nextInt", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
+  // Database result sources
+  { method: "getString", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
+  { method: "getObject", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
+  { method: "getInt", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
+  // Spring annotations
+  { annotation: "RequestParam", type: "http_param", severity: "high", param_tainted: true },
+  { annotation: "RequestBody", type: "http_body", severity: "high", param_tainted: true },
+  { annotation: "PathVariable", type: "http_path", severity: "medium", param_tainted: true },
+  { annotation: "RequestHeader", type: "http_header", severity: "high", param_tainted: true },
+  { annotation: "CookieValue", type: "http_cookie", severity: "high", param_tainted: true },
+  // JAX-RS annotations
+  { annotation: "QueryParam", type: "http_param", severity: "high", param_tainted: true },
+  { annotation: "FormParam", type: "http_param", severity: "high", param_tainted: true },
+  { annotation: "PathParam", type: "http_path", severity: "medium", param_tainted: true },
+  { annotation: "HeaderParam", type: "http_header", severity: "high", param_tainted: true },
+  // Environment
+  { method: "getenv", class: "System", type: "env_input", severity: "medium", return_tainted: true },
+  { method: "getProperty", class: "System", type: "env_input", severity: "medium", return_tainted: true },
+  // Note: Properties.getProperty is NOT included by default as it causes many false positives
+  // in OWASP Benchmark. Include it via custom config if needed for specific analyses.
   // Servlet Configuration Parameters (can be attacker-influenced in some deployments)
   { method: "getInitParameter", class: "ServletConfig", type: "http_param", severity: "medium", return_tainted: true },
   { method: "getInitParameter", class: "ServletContext", type: "http_param", severity: "medium", return_tainted: true },
@@ -9373,9 +9983,8 @@ var DEFAULT_SINKS = [
   { method: "FlowExecution", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // ActiveMQ control commands
   { method: "processControlCommand", class: "TransportConnection", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // XStream deserialization (leads to RCE via gadget chains)
-  { method: "fromXML", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "unmarshal", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+  // The deserialization sink entries at lines ~1059 handle this correctly.
   { method: "fromString", class: "FileConverter", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Plexus command line
   { method: "getPosition", class: "Commandline", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10059,7 +10668,8 @@ var DEFAULT_SINKS = [
   { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   // Browser DOM XSS sinks
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -10256,8 +10866,8 @@ var DEFAULT_SINKS = [
   { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  // sqlx::query macro
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // sqlx::query macro — use class-specific pattern
+  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   // rusqlite specific
   { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -10859,15 +11469,24 @@ function isInterproceduralTaintableType(typeName) {
 }
 function isParameterizedQueryCall(call, pattern) {
   if (pattern.type !== "sql_injection") return false;
-  if (call.arguments.length < 2) return false;
-  const secondArg = call.arguments.find((a) => a.position === 1);
-  if (!secondArg) return false;
-  if (secondArg.expression) {
-    const expr = secondArg.expression.trim();
-    if (expr.startsWith("[")) {
+  const queryArg = call.arguments.find((a) => a.position === 0);
+  if (queryArg) {
+    const queryText = queryArg.literal ?? queryArg.expression ?? "";
+    const hasPlaceholders = /(\?(?:\s|,|$|\))|\$\d+|:\w+|%s)/.test(queryText);
+    const hasConcatenation = /\+\s*[^+]/.test(queryText) || queryText.includes("${");
+    if (hasPlaceholders && !hasConcatenation && call.arguments.length >= 2) {
       return true;
     }
   }
+  if (call.arguments.length >= 2) {
+    const secondArg = call.arguments.find((a) => a.position === 1);
+    if (secondArg?.expression) {
+      const expr = secondArg.expression.trim();
+      if (expr.startsWith("[")) {
+        return true;
+      }
+    }
+  }
   return false;
 }
 function findSinks(calls, patterns, typeHierarchy) {
@@ -10993,9 +11612,130 @@ var SAFE_RECEIVERS_BY_METHOD = {
     "stmt",
     "statement",
     "cursor"
+  ]),
+  // query() is only a SQL sink when receiver is a database handle — not URL builders,
+  // DOM selectors, GraphQL clients, DNS resolvers, etc.
+  query: /* @__PURE__ */ new Set([
+    "uri",
+    "url",
+    "builder",
+    "uribuilder",
+    "uricomponents",
+    "uricomponentsbuilder",
+    "servleturicomponentsbuilder",
+    "httpurl",
+    "urlbuilder",
+    "webclient",
+    "request",
+    "req",
+    "router",
+    "route",
+    "app",
+    "express",
+    "parser",
+    "selector",
+    "jquery",
+    "dom",
+    "document",
+    "element",
+    "xmlpath",
+    "xpath",
+    "dns",
+    "resolver",
+    "graphql",
+    "apollo",
+    "querybuilder",
+    "criteria"
+  ]),
+  // authenticate() — safe on auth framework objects (token verification, not code exec)
+  authenticate: /* @__PURE__ */ new Set([
+    "auth",
+    "authenticator",
+    "authmanager",
+    "authprovider",
+    "authenticationmanager",
+    "authservice",
+    "oauth",
+    "token",
+    "jwt",
+    "passport",
+    "session",
+    "security",
+    "credentials",
+    "identityprovider",
+    "ldap",
+    "saml",
+    "oidc"
+  ]),
+  // add() is extremely generic — safe on collections, UI containers, builders, etc.
+  add: /* @__PURE__ */ new Set([
+    "list",
+    "set",
+    "map",
+    "collection",
+    "array",
+    "queue",
+    "deque",
+    "stack",
+    "vector",
+    "builder",
+    "panel",
+    "container",
+    "group",
+    "layout",
+    "menu",
+    "toolbar",
+    "model",
+    "registry",
+    "context",
+    "config",
+    "options",
+    "params",
+    "headers",
+    "attributes",
+    "listeners",
+    "handlers",
+    "filters",
+    "interceptors",
+    "validators",
+    "extensions",
+    "plugins",
+    "modules",
+    "components",
+    "children",
+    "items",
+    "elements",
+    "entries",
+    "rows",
+    "columns",
+    "fields",
+    "properties",
+    "descriptors",
+    "nodes",
+    "actions",
+    "results",
+    "errors",
+    "warnings",
+    "messages",
+    "notifications",
+    "events",
+    "subscribers",
+    "observers",
+    "providers",
+    "services",
+    "beans",
+    "tasks",
+    "jobs",
+    "workers",
+    "threads",
+    "schedulers"
   ])
 };
-function isKnownSafeReceiverForMethod(receiver, method, _sinkType) {
+function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
+  const lowerMethod = method.toLowerCase();
+  if ((lowerMethod === "fromxml" || lowerMethod === "unmarshal") && sinkType === "command_injection") {
+    return true;
+  }
   const safeReceivers = SAFE_RECEIVERS_BY_METHOD[method];
   if (!safeReceivers) return false;
   const lowerReceiver = receiver.toLowerCase();
@@ -11101,11 +11841,23 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerClass.includes(lowerReceiver)) {
-    return true;
+  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+    if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
+      return true;
+    }
   }
-  if (lowerClass.startsWith(lowerReceiver.substring(0, 3))) {
-    return true;
+  if (lowerReceiver.length >= 2) {
+    if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
+      return true;
+    }
+  }
+  if (lowerReceiver.length >= 3) {
+    const words = className.replace(/([a-z])([A-Z])/g, "$1\0$2").toLowerCase().split("\0");
+    for (const word of words) {
+      if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
+        return true;
+      }
+    }
   }
   const commonMappings = {
     // HTTP/Servlet
@@ -11126,8 +11878,10 @@ function receiverMightBeClass(receiver, className) {
     // Process/Runtime
     runtime: ["Runtime"],
     pb: ["ProcessBuilder"],
-    // Scripting
+    // Scripting / Expression evaluation
     engine: ["ScriptEngine"],
+    ev: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
+    evaluator: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
     // LDAP
     ctx: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
     context: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
@@ -11217,12 +11971,25 @@ function receiverMightBeClass(receiver, className) {
     knex: ["knex"],
     prisma: ["prisma"],
     axios: ["axios"],
-    fetch: ["fetch"]
+    fetch: ["fetch"],
+    // Go idioms (single-letter receivers)
+    r: ["Request"],
+    w: ["ResponseWriter"]
   };
   const mappings = commonMappings[lowerReceiver];
   if (mappings && Array.isArray(mappings) && mappings.includes(className)) {
     return true;
   }
+  const strippedReceiver = lowerReceiver.replace(/\d+$/, "");
+  if (strippedReceiver !== lowerReceiver && strippedReceiver.length >= 2) {
+    const strippedMappings = commonMappings[strippedReceiver];
+    if (strippedMappings && Array.isArray(strippedMappings) && strippedMappings.includes(className)) {
+      return true;
+    }
+    if (lowerClass.startsWith(strippedReceiver) || strippedReceiver.startsWith(lowerClass)) {
+      return true;
+    }
+  }
   return false;
 }
 function formatCallLocation(call) {
@@ -17886,211 +18653,784 @@ var BashPlugin = class extends BaseLanguagePlugin {
         argPositions: [1]
       },
       {
-        method: "zsh",
-        type: "command_injection",
-        cwe: "CWE-78",
-        severity: "critical",
-        argPositions: [1]
+        method: "zsh",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "ksh",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // SQL injection via DB CLI clients (first arg is query/expression)
+      {
+        method: "mysql",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "psql",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "sqlite3",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // Path traversal via file operations (first arg is path)
+      {
+        method: "cat",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "rm",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "cp",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "mv",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "chmod",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      {
+        method: "chown",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      // SSRF — curl/wget with externally-controlled URL
+      {
+        method: "curl",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "wget",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      }
+    ];
+  }
+  /**
+   * Shell has no OOP receiver types.
+   */
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  /**
+   * Bash string literals: quoted strings and raw ($'...') strings.
+   */
+  isStringLiteral(node) {
+    return node.type === "string" || node.type === "raw_string" || node.type === "ansi_c_string";
+  }
+  /**
+   * Extract string value from bash string literal, stripping quotes.
+   */
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (node.type === "raw_string") {
+      return text.slice(1, -1);
+    }
+    if (node.type === "ansi_c_string") {
+      return text.slice(2, -1);
+    }
+    const match = text.match(/^"(.*)"$/s);
+    if (match) return match[1];
+    return text;
+  }
+  // Extraction methods — delegate to base extractors via generic walker
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+
+// src/languages/plugins/html.ts
+var HtmlPlugin = class extends BaseLanguagePlugin {
+  id = "html";
+  name = "HTML";
+  extensions = [".html", ".htm", ".xhtml"];
+  wasmPath = "tree-sitter-html.wasm";
+  nodeTypes = {
+    // HTML has no OOP constructs
+    classDeclaration: [],
+    interfaceDeclaration: [],
+    enumDeclaration: [],
+    functionDeclaration: [],
+    methodDeclaration: [],
+    // No expressions in HTML
+    methodCall: [],
+    functionCall: [],
+    assignment: [],
+    variableDeclaration: [],
+    // No parameters
+    parameter: [],
+    argument: [],
+    // No annotations
+    annotation: [],
+    decorator: [],
+    // No imports
+    importStatement: [],
+    // No control flow
+    ifStatement: [],
+    forStatement: [],
+    whileStatement: [],
+    tryStatement: [],
+    returnStatement: []
+  };
+  detectFramework(_context) {
+    return void 0;
+  }
+  getBuiltinSources() {
+    return [];
+  }
+  getBuiltinSinks() {
+    return [];
+  }
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  isStringLiteral(node) {
+    return node.type === "attribute_value" || node.type === "quoted_attribute_value";
+  }
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
+      return text.slice(1, -1);
+    }
+    return text;
+  }
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+
+// src/languages/plugins/go.ts
+var GoPlugin = class extends BaseLanguagePlugin {
+  id = "go";
+  name = "Go";
+  extensions = [".go"];
+  wasmPath = "tree-sitter-go.wasm";
+  nodeTypes = {
+    // Type declarations
+    classDeclaration: ["type_declaration"],
+    interfaceDeclaration: ["type_declaration"],
+    enumDeclaration: [],
+    // Go has no enums (uses iota constants)
+    functionDeclaration: ["function_declaration"],
+    methodDeclaration: ["method_declaration"],
+    // Expressions
+    methodCall: ["call_expression"],
+    functionCall: ["call_expression"],
+    assignment: ["short_var_declaration", "assignment_statement", "var_declaration"],
+    variableDeclaration: ["short_var_declaration", "var_declaration"],
+    // Parameters and arguments
+    parameter: ["parameter_declaration"],
+    argument: ["argument_list"],
+    // Annotations/decorators
+    annotation: [],
+    // Go has no annotations
+    decorator: [],
+    // Go has no decorators
+    // Imports
+    importStatement: ["import_declaration"],
+    // Control flow
+    ifStatement: ["if_statement"],
+    forStatement: ["for_statement"],
+    whileStatement: [],
+    // Go uses for with condition
+    tryStatement: [],
+    // Go uses defer/recover
+    returnStatement: ["return_statement"]
+  };
+  /**
+   * Detect Go web frameworks from imports.
+   */
+  detectFramework(context) {
+    const indicators = [];
+    let framework;
+    let confidence = 0;
+    for (const imp of context.imports) {
+      const path = imp.from_package || imp.imported_name;
+      if (path.includes("gin-gonic/gin")) {
+        framework = "gin";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("labstack/echo")) {
+        framework = "echo";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("gofiber/fiber")) {
+        framework = "fiber";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("go-chi/chi")) {
+        framework = "chi";
+        confidence = Math.max(confidence, 0.9);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("gorm.io/gorm")) {
+        indicators.push(`import: ${path}`);
+      }
+      if (path === "net/http") {
+        framework = framework || "net/http";
+        confidence = Math.max(confidence, 0.8);
+        indicators.push(`import: ${path}`);
+      }
+    }
+    if (framework) {
+      return { name: framework, confidence, indicators };
+    }
+    return void 0;
+  }
+  /**
+   * Go taint source patterns.
+   */
+  getBuiltinSources() {
+    return [
+      // net/http request methods
+      {
+        method: "FormValue",
+        class: "Request",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "PostFormValue",
+        class: "Request",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Query",
+        class: "URL",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Get",
+        class: "Header",
+        type: "http_header",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      {
+        method: "Cookie",
+        class: "Request",
+        type: "http_cookie",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      // Gin framework
+      {
+        method: "Query",
+        class: "Context",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Param",
+        class: "Context",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "PostForm",
+        class: "Context",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "GetRawData",
+        class: "Context",
+        type: "http_body",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      // Standard library I/O
+      {
+        method: "Getenv",
+        class: "os",
+        type: "env_var",
+        severity: "medium",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "ReadAll",
+        class: "io",
+        type: "io_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      },
+      {
+        method: "ReadFile",
+        class: "os",
+        type: "file_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
       },
       {
-        method: "ksh",
-        type: "command_injection",
-        cwe: "CWE-78",
+        method: "Text",
+        class: "Scanner",
+        type: "io_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      }
+    ];
+  }
+  /**
+   * Go taint sink patterns.
+   */
+  getBuiltinSinks() {
+    return [
+      // SQL Injection
+      {
+        method: "Query",
+        class: "DB",
+        type: "sql_injection",
+        cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
-      // SQL injection via DB CLI clients (first arg is query/expression)
       {
-        method: "mysql",
+        method: "QueryRow",
+        class: "DB",
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
       {
-        method: "psql",
+        method: "Exec",
+        class: "DB",
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
       {
-        method: "sqlite3",
+        method: "Query",
+        class: "Tx",
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
-      // Path traversal via file operations (first arg is path)
+      // Command Injection
       {
-        method: "cat",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "high",
+        method: "Command",
+        class: "exec",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
         argPositions: [0]
       },
       {
-        method: "rm",
+        method: "CommandContext",
+        class: "exec",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // Path Traversal
+      {
+        method: "Open",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "cp",
+        method: "ReadFile",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "mv",
+        method: "WriteFile",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
+      // XSS (writing to http.ResponseWriter without escaping)
       {
-        method: "chmod",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "medium",
+        method: "Fprintf",
+        class: "fmt",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
         argPositions: [1]
       },
       {
-        method: "chown",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "medium",
-        argPositions: [1]
+        method: "Write",
+        class: "ResponseWriter",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
+        argPositions: [0]
       },
-      // SSRF — curl/wget with externally-controlled URL
+      // SSRF
       {
-        method: "curl",
+        method: "Get",
+        class: "http",
         type: "ssrf",
         cwe: "CWE-918",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "wget",
+        method: "Post",
+        class: "http",
         type: "ssrf",
         cwe: "CWE-918",
         severity: "high",
+        argPositions: [0, 2]
+      },
+      // Deserialization
+      {
+        method: "Unmarshal",
+        class: "json",
+        type: "deserialization",
+        cwe: "CWE-502",
+        severity: "medium",
+        argPositions: [0]
+      },
+      {
+        method: "Decode",
+        class: "Decoder",
+        type: "deserialization",
+        cwe: "CWE-502",
+        severity: "medium",
         argPositions: [0]
       }
     ];
   }
   /**
-   * Shell has no OOP receiver types.
+   * Get receiver type from a Go call expression.
    */
-  getReceiverType(_node, _context) {
+  getReceiverType(node, _context) {
+    if (node.type !== "call_expression") return void 0;
+    const func2 = node.childForFieldName("function");
+    if (!func2) return void 0;
+    if (func2.type === "selector_expression") {
+      const operand = func2.childForFieldName("operand");
+      if (operand) {
+        return operand.text;
+      }
+    }
     return void 0;
   }
   /**
-   * Bash string literals: quoted strings and raw ($'...') strings.
+   * Check if node is a Go string literal.
    */
   isStringLiteral(node) {
-    return node.type === "string" || node.type === "raw_string" || node.type === "ansi_c_string";
+    return node.type === "interpreted_string_literal" || node.type === "raw_string_literal";
   }
   /**
-   * Extract string value from bash string literal, stripping quotes.
+   * Get string value from Go string literal.
    */
   getStringValue(node) {
     if (!this.isStringLiteral(node)) return void 0;
     const text = node.text;
-    if (node.type === "raw_string") {
+    if (text.startsWith("`") && text.endsWith("`")) {
       return text.slice(1, -1);
     }
-    if (node.type === "ansi_c_string") {
-      return text.slice(2, -1);
+    if (text.startsWith('"') && text.endsWith('"')) {
+      return text.slice(1, -1);
     }
-    const match = text.match(/^"(.*)"$/s);
-    if (match) return match[1];
     return text;
   }
-  // Extraction methods — delegate to base extractors via generic walker
-  extractTypes(_context) {
-    return [];
-  }
-  extractCalls(_context) {
-    return [];
-  }
-  extractImports(_context) {
-    return [];
-  }
-  extractPackage(_context) {
-    return void 0;
-  }
-};
-
-// src/languages/plugins/html.ts
-var HtmlPlugin = class extends BaseLanguagePlugin {
-  id = "html";
-  name = "HTML";
-  extensions = [".html", ".htm", ".xhtml"];
-  wasmPath = "tree-sitter-html.wasm";
-  nodeTypes = {
-    // HTML has no OOP constructs
-    classDeclaration: [],
-    interfaceDeclaration: [],
-    enumDeclaration: [],
-    functionDeclaration: [],
-    methodDeclaration: [],
-    // No expressions in HTML
-    methodCall: [],
-    functionCall: [],
-    assignment: [],
-    variableDeclaration: [],
-    // No parameters
-    parameter: [],
-    argument: [],
-    // No annotations
-    annotation: [],
-    decorator: [],
-    // No imports
-    importStatement: [],
-    // No control flow
-    ifStatement: [],
-    forStatement: [],
-    whileStatement: [],
-    tryStatement: [],
-    returnStatement: []
-  };
-  detectFramework(_context) {
-    return void 0;
+  /**
+   * Extract type information from Go source.
+   */
+  extractTypes(context) {
+    const types = [];
+    const root = context.tree.rootNode;
+    const typeDecls = this.findNodes(root, "type_declaration");
+    for (const decl of typeDecls) {
+      for (let i2 = 0; i2 < decl.childCount; i2++) {
+        const spec = decl.child(i2);
+        if (!spec || spec.type !== "type_spec") continue;
+        const nameNode = spec.childForFieldName("name");
+        const typeNode = spec.childForFieldName("type");
+        if (!nameNode || !typeNode) continue;
+        const name2 = nameNode.text;
+        const isInterface = typeNode.type === "interface_type";
+        const isStruct = typeNode.type === "struct_type";
+        if (isStruct || isInterface) {
+          const fields = [];
+          const methods = [];
+          if (isStruct) {
+            const fieldList = typeNode.childForFieldName("fields") ?? this.findChildByType(typeNode, "field_declaration_list");
+            if (fieldList) {
+              for (let j = 0; j < fieldList.childCount; j++) {
+                const field = fieldList.child(j);
+                if (!field || field.type !== "field_declaration") continue;
+                const fieldName = field.childForFieldName("name");
+                const fieldType = field.childForFieldName("type");
+                if (fieldName) {
+                  fields.push({
+                    name: fieldName.text,
+                    type: fieldType?.text || null,
+                    modifiers: [],
+                    annotations: []
+                  });
+                }
+              }
+            }
+          }
+          const methodDecls = this.findNodes(root, "method_declaration");
+          for (const md of methodDecls) {
+            const receiver = md.childForFieldName("receiver");
+            if (!receiver) continue;
+            const receiverText = receiver.text;
+            if (receiverText.includes(name2)) {
+              const methodName = md.childForFieldName("name");
+              const params = md.childForFieldName("parameters");
+              const result = md.childForFieldName("result");
+              if (methodName) {
+                methods.push({
+                  name: methodName.text,
+                  return_type: result?.text || null,
+                  parameters: params ? this.extractGoParams(params) : [],
+                  annotations: [],
+                  modifiers: [],
+                  start_line: md.startPosition.row + 1,
+                  end_line: md.endPosition.row + 1
+                });
+              }
+            }
+          }
+          types.push({
+            name: name2,
+            kind: isInterface ? "interface" : "class",
+            package: context.package || null,
+            extends: null,
+            implements: [],
+            annotations: [],
+            methods,
+            fields,
+            start_line: decl.startPosition.row + 1,
+            end_line: decl.endPosition.row + 1
+          });
+        }
+      }
+    }
+    return types;
   }
-  getBuiltinSources() {
-    return [];
+  /**
+   * Extract call information from Go source.
+   */
+  extractCalls(context) {
+    const calls = [];
+    const root = context.tree.rootNode;
+    const callExprs = this.findNodes(root, "call_expression");
+    for (const call of callExprs) {
+      const func2 = call.childForFieldName("function");
+      if (!func2) continue;
+      let methodName;
+      let receiver = null;
+      if (func2.type === "selector_expression") {
+        const operand = func2.childForFieldName("operand");
+        const field = func2.childForFieldName("field");
+        receiver = operand?.text || null;
+        methodName = field?.text || func2.text;
+      } else {
+        methodName = func2.text;
+      }
+      const args2 = call.childForFieldName("arguments");
+      const argInfos = [];
+      let argPos = 0;
+      if (args2) {
+        for (let i2 = 0; i2 < args2.childCount; i2++) {
+          const arg = args2.child(i2);
+          if (arg && arg.type !== "(" && arg.type !== ")" && arg.type !== ",") {
+            argInfos.push({
+              position: argPos++,
+              expression: arg.text,
+              variable: arg.type === "identifier" ? arg.text : null,
+              literal: arg.type === "interpreted_string_literal" || arg.type === "int_literal" ? arg.text : null
+            });
+          }
+        }
+      }
+      calls.push({
+        method_name: methodName,
+        receiver,
+        arguments: argInfos,
+        location: {
+          line: call.startPosition.row + 1,
+          column: call.startPosition.column
+        }
+      });
+    }
+    return calls;
   }
-  getBuiltinSinks() {
-    return [];
+  /**
+   * Extract import information from Go source.
+   */
+  extractImports(context) {
+    const imports = [];
+    const root = context.tree.rootNode;
+    const importDecls = this.findNodes(root, "import_declaration");
+    for (const decl of importDecls) {
+      const singleSpec = this.findChildByType(decl, "import_spec");
+      if (singleSpec) {
+        const parsed = this.parseImportSpec(singleSpec);
+        if (parsed) imports.push(parsed);
+        continue;
+      }
+      const specList = this.findChildByType(decl, "import_spec_list");
+      if (specList) {
+        for (let i2 = 0; i2 < specList.childCount; i2++) {
+          const spec = specList.child(i2);
+          if (!spec || spec.type !== "import_spec") continue;
+          const parsed = this.parseImportSpec(spec);
+          if (parsed) imports.push(parsed);
+        }
+      }
+    }
+    return imports;
   }
-  getReceiverType(_node, _context) {
+  /**
+   * Extract package name from Go source.
+   */
+  extractPackage(context) {
+    const root = context.tree.rootNode;
+    const pkgClause = this.findChildByType(root, "package_clause");
+    if (!pkgClause) return void 0;
+    for (let i2 = 0; i2 < pkgClause.childCount; i2++) {
+      const child = pkgClause.child(i2);
+      if (child && child.type === "package_identifier") {
+        return child.text;
+      }
+    }
     return void 0;
   }
-  isStringLiteral(node) {
-    return node.type === "attribute_value" || node.type === "quoted_attribute_value";
-  }
-  getStringValue(node) {
-    if (!this.isStringLiteral(node)) return void 0;
-    const text = node.text;
-    if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
-      return text.slice(1, -1);
+  // ── Private helpers ─────────────────────────────────────────────────────
+  parseImportSpec(spec) {
+    let alias = null;
+    let path;
+    for (let i2 = 0; i2 < spec.childCount; i2++) {
+      const child = spec.child(i2);
+      if (!child) continue;
+      if (child.type === "package_identifier" || child.type === "blank_identifier" || child.type === "dot") {
+        alias = child.text;
+      }
+      if (child.type === "interpreted_string_literal") {
+        path = child.text.slice(1, -1);
+      }
     }
-    return text;
-  }
-  extractTypes(_context) {
-    return [];
-  }
-  extractCalls(_context) {
-    return [];
-  }
-  extractImports(_context) {
-    return [];
+    if (!path) return null;
+    const shortName = alias || path.split("/").pop() || path;
+    return {
+      imported_name: shortName,
+      from_package: path,
+      alias,
+      is_wildcard: alias === ".",
+      line_number: spec.startPosition.row + 1
+    };
   }
-  extractPackage(_context) {
-    return void 0;
+  extractGoParams(params) {
+    const result = [];
+    for (let i2 = 0; i2 < params.childCount; i2++) {
+      const param = params.child(i2);
+      if (!param || param.type !== "parameter_declaration") continue;
+      const nameNode = param.childForFieldName("name");
+      const typeNode = param.childForFieldName("type");
+      if (nameNode) {
+        result.push({
+          name: nameNode.text,
+          type: typeNode?.text || null,
+          annotations: []
+        });
+      }
+    }
+    return result;
   }
 };
 
@@ -18102,6 +19442,7 @@ function registerBuiltinPlugins() {
   registerLanguage(new RustPlugin());
   registerLanguage(new BashPlugin());
   registerLanguage(new HtmlPlugin());
+  registerLanguage(new GoPlugin());
 }
 
 // src/utils/logger.ts
@@ -24327,6 +25668,26 @@ function getNodeTypesForLanguage(language) {
         "self_closing_tag",
         "text"
       ]);
+    case "go":
+      return /* @__PURE__ */ new Set([
+        "call_expression",
+        "function_declaration",
+        "method_declaration",
+        "package_clause",
+        "import_declaration",
+        "import_spec",
+        "var_declaration",
+        "short_var_declaration",
+        "assignment_statement",
+        "type_declaration",
+        "if_statement",
+        "for_statement",
+        "return_statement",
+        "defer_statement",
+        "go_statement",
+        "selector_expression",
+        "identifier"
+      ]);
     default:
       return /* @__PURE__ */ new Set([
         "method_invocation",