circle-ir 3.21.0 → 3.22.1

package/dist/core/circle-ir-core.cjs

@@ -4373,6 +4373,9 @@ function extractTypes(tree, cache, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoTypes(tree, cache);
+  }
   if (isRust) {
     return extractRustTypes(tree, cache);
   }
@@ -5508,6 +5511,143 @@ function extractRustDerives(node) {
   }
   return derives;
 }
+function extractGoTypes(tree, cache) {
+  const types = [];
+  const root = tree.rootNode;
+  const typeDecls = getNodesFromCache(root, "type_declaration", cache);
+  for (const decl of typeDecls) {
+    for (let i2 = 0; i2 < decl.childCount; i2++) {
+      const spec = decl.child(i2);
+      if (!spec || spec.type !== "type_spec") continue;
+      const nameNode = spec.childForFieldName("name");
+      const typeNode = spec.childForFieldName("type");
+      if (!nameNode || !typeNode) continue;
+      const name2 = getNodeText(nameNode);
+      const isInterface = typeNode.type === "interface_type";
+      const isStruct = typeNode.type === "struct_type";
+      if (!isStruct && !isInterface) continue;
+      const fields = [];
+      const methods = [];
+      if (isStruct) {
+        const fieldList = findChildByType(typeNode, "field_declaration_list");
+        if (fieldList) {
+          for (let j = 0; j < fieldList.childCount; j++) {
+            const field = fieldList.child(j);
+            if (!field || field.type !== "field_declaration") continue;
+            const fieldName = field.childForFieldName("name");
+            const fieldType = field.childForFieldName("type");
+            if (fieldName) {
+              fields.push({
+                name: getNodeText(fieldName),
+                type: fieldType ? getNodeText(fieldType) : null,
+                modifiers: [],
+                annotations: []
+              });
+            }
+          }
+        }
+      }
+      const methodDecls = getNodesFromCache(root, "method_declaration", cache);
+      for (const md of methodDecls) {
+        const receiver = md.childForFieldName("receiver");
+        if (!receiver) continue;
+        const receiverText = getNodeText(receiver);
+        if (receiverText.includes(name2)) {
+          const methodNameNode = md.childForFieldName("name");
+          const params = md.childForFieldName("parameters");
+          const result = md.childForFieldName("result");
+          if (methodNameNode) {
+            methods.push({
+              name: getNodeText(methodNameNode),
+              return_type: result ? getNodeText(result) : null,
+              parameters: params ? extractGoParameters(params) : [],
+              annotations: [],
+              modifiers: [],
+              start_line: md.startPosition.row + 1,
+              end_line: md.endPosition.row + 1
+            });
+          }
+        }
+      }
+      let pkg = null;
+      const pkgClause = findChildByType(root, "package_clause");
+      if (pkgClause) {
+        for (let j = 0; j < pkgClause.childCount; j++) {
+          const child = pkgClause.child(j);
+          if (child && child.type === "package_identifier") {
+            pkg = getNodeText(child);
+            break;
+          }
+        }
+      }
+      types.push({
+        name: name2,
+        kind: isInterface ? "interface" : "class",
+        package: pkg,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods,
+        fields,
+        start_line: decl.startPosition.row + 1,
+        end_line: decl.endPosition.row + 1
+      });
+    }
+  }
+  const functions = getNodesFromCache(root, "function_declaration", cache);
+  if (functions.length > 0) {
+    const moduleFunctions = [];
+    for (const func2 of functions) {
+      const nameNode = func2.childForFieldName("name");
+      const params = func2.childForFieldName("parameters");
+      const result = func2.childForFieldName("result");
+      if (nameNode) {
+        moduleFunctions.push({
+          name: getNodeText(nameNode),
+          return_type: result ? getNodeText(result) : null,
+          parameters: params ? extractGoParameters(params) : [],
+          annotations: [],
+          modifiers: [],
+          start_line: func2.startPosition.row + 1,
+          end_line: func2.endPosition.row + 1
+        });
+      }
+    }
+    if (moduleFunctions.length > 0) {
+      types.push({
+        name: "<module>",
+        kind: "class",
+        package: null,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods: moduleFunctions,
+        fields: [],
+        start_line: 1,
+        end_line: root.endPosition.row + 1
+      });
+    }
+  }
+  return types;
+}
+function extractGoParameters(params) {
+  const parameters = [];
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const child = params.child(i2);
+    if (!child || child.type !== "parameter_declaration") continue;
+    const nameNode = child.childForFieldName("name");
+    const typeNode = child.childForFieldName("type");
+    if (nameNode) {
+      parameters.push({
+        name: getNodeText(nameNode),
+        type: typeNode ? getNodeText(typeNode) : null,
+        annotations: [],
+        line: child.startPosition.row + 1
+      });
+    }
+  }
+  return parameters;
+}
 function findChildByType(node, type) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
@@ -5555,6 +5695,9 @@ function extractCalls(tree, cache, language) {
   const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
+  if (detectedLanguage === "go") {
+    return extractGoCalls(tree, cache);
+  }
   if (detectedLanguage === "bash") {
     return extractBashCalls(tree, cache);
   }
@@ -6281,7 +6424,7 @@ function extractBashCommandInfo(node) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
     if (!child) continue;
-    if (child === nameNode) continue;
+    if (child === nameNode || child.id === nameNode.id) continue;
     if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
       continue;
     }
@@ -6837,6 +6980,104 @@ function resolveRustCall(methodName, receiver, context) {
     status: "external_method"
   };
 }
+function extractGoCalls(tree, cache) {
+  const calls = [];
+  const callExpressions = getNodesFromCache(tree.rootNode, "call_expression", cache);
+  for (const call of callExpressions) {
+    const callInfo = extractGoCallInfo(call);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  return calls;
+}
+function extractGoCallInfo(node) {
+  const funcNode = node.childForFieldName("function");
+  if (!funcNode) return null;
+  let methodName;
+  let receiver = null;
+  if (funcNode.type === "selector_expression") {
+    const operand = funcNode.childForFieldName("operand");
+    const field = funcNode.childForFieldName("field");
+    receiver = operand ? getNodeText(operand) : null;
+    methodName = field ? getNodeText(field) : getNodeText(funcNode);
+  } else if (funcNode.type === "identifier") {
+    methodName = getNodeText(funcNode);
+  } else {
+    methodName = getNodeText(funcNode);
+  }
+  const argsNode = node.childForFieldName("arguments");
+  const args2 = argsNode ? extractGoArguments(argsNode) : [];
+  const inMethod = findGoEnclosingFunction(node);
+  return {
+    method_name: methodName,
+    receiver,
+    arguments: args2,
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: inMethod,
+    resolved: false,
+    resolution: { status: "external_method" }
+  };
+}
+function extractGoArguments(argsNode) {
+  const args2 = [];
+  let position = 0;
+  for (let i2 = 0; i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child) continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",") continue;
+    const expression = getNodeText(child);
+    const variable = child.type === "identifier" ? expression : null;
+    const literal = isGoLiteral(child) ? extractGoLiteralValue(child) : null;
+    args2.push({
+      position: position++,
+      expression,
+      variable,
+      literal
+    });
+  }
+  return args2;
+}
+function isGoLiteral(node) {
+  const literalTypes = /* @__PURE__ */ new Set([
+    "interpreted_string_literal",
+    "raw_string_literal",
+    "int_literal",
+    "float_literal",
+    "true",
+    "false",
+    "nil"
+  ]);
+  return literalTypes.has(node.type);
+}
+function extractGoLiteralValue(node) {
+  const text = getNodeText(node);
+  if (node.type === "interpreted_string_literal") {
+    return text.slice(1, -1);
+  }
+  if (node.type === "raw_string_literal") {
+    return text.slice(1, -1);
+  }
+  return text;
+}
+function findGoEnclosingFunction(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "function_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    if (current.type === "method_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    current = current.parent;
+  }
+  return null;
+}
 
 // src/core/extractors/imports.ts
 function detectLanguage2(tree) {
@@ -6891,6 +7132,9 @@ function extractImports(tree, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoImports(tree);
+  }
   if (isRust) {
     return extractRustImports(tree);
   }
@@ -7438,6 +7682,61 @@ function extractRustScopedUseList(node, lineNumber) {
   }
   return imports;
 }
+function extractGoImports(tree) {
+  const imports = [];
+  const importDecls = findNodes(tree.rootNode, "import_declaration");
+  for (const decl of importDecls) {
+    const singleSpec = findGoChildByType(decl, "import_spec");
+    if (singleSpec) {
+      const parsed = parseGoImportSpec(singleSpec);
+      if (parsed) imports.push(parsed);
+      continue;
+    }
+    const specList = findGoChildByType(decl, "import_spec_list");
+    if (specList) {
+      for (let i2 = 0; i2 < specList.childCount; i2++) {
+        const spec = specList.child(i2);
+        if (!spec || spec.type !== "import_spec") continue;
+        const parsed = parseGoImportSpec(spec);
+        if (parsed) imports.push(parsed);
+      }
+    }
+  }
+  return imports;
+}
+function parseGoImportSpec(spec) {
+  let alias = null;
+  let path;
+  for (let i2 = 0; i2 < spec.childCount; i2++) {
+    const child = spec.child(i2);
+    if (!child) continue;
+    if (child.type === "package_identifier" || child.type === "blank_identifier" || child.type === "dot") {
+      alias = getNodeText(child);
+    }
+    if (child.type === "interpreted_string_literal") {
+      const text = getNodeText(child);
+      path = text.slice(1, -1);
+    }
+  }
+  if (!path) return null;
+  const shortName = alias || path.split("/").pop() || path;
+  return {
+    imported_name: shortName,
+    from_package: path,
+    alias,
+    is_wildcard: alias === ".",
+    line_number: spec.startPosition.row + 1
+  };
+}
+function findGoChildByType(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) {
+      return child;
+    }
+  }
+  return null;
+}
 
 // src/core/extractors/exports.ts
 function extractExports(types) {
@@ -7529,6 +7828,9 @@ function buildCFG(tree, language) {
   if (effectiveLanguage === "bash") {
     return buildBashCFG(tree, blockIdCounter);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoCFG(tree, blockIdCounter);
+  }
   if (isJavaScript) {
     const functions = [
       ...findNodes(tree.rootNode, "function_declaration"),
@@ -8005,6 +8307,58 @@ function isStatement(node, isJavaScript) {
   ]);
   return isJavaScript ? jsStatementTypes.has(node.type) : javaStatementTypes.has(node.type);
 }
+function buildGoCFG(tree, blockIdCounter) {
+  const allBlocks = [];
+  const allEdges = [];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    const body2 = func2.childForFieldName("body");
+    if (!body2 || body2.type !== "block") continue;
+    const { blocks, edges, nextId } = buildMethodCFG(body2, blockIdCounter, false);
+    allBlocks.push(...blocks);
+    allEdges.push(...edges);
+    blockIdCounter = nextId;
+  }
+  const hasTopLevelDecls = tree.rootNode.children.some(
+    (c) => c !== null && isGoStatement(c)
+  );
+  if (hasTopLevelDecls) {
+    const block = {
+      id: blockIdCounter++,
+      type: "normal",
+      start_line: 1,
+      end_line: tree.rootNode.endPosition.row + 1
+    };
+    allBlocks.push(block);
+  }
+  return { blocks: allBlocks, edges: allEdges };
+}
+function isGoStatement(node) {
+  const goStatementTypes = /* @__PURE__ */ new Set([
+    "short_var_declaration",
+    "var_declaration",
+    "assignment_statement",
+    "expression_statement",
+    "if_statement",
+    "for_statement",
+    "switch_statement",
+    "type_switch_statement",
+    "select_statement",
+    "return_statement",
+    "go_statement",
+    "defer_statement",
+    "send_statement",
+    "inc_statement",
+    "dec_statement",
+    "block",
+    "type_declaration",
+    "const_declaration"
+  ]);
+  return goStatementTypes.has(node.type);
+}
 
 // src/core/extractors/dfg.ts
 function detectLanguage4(tree) {
@@ -8052,6 +8406,9 @@ function buildDFG(tree, cache, language) {
   if (effectiveLanguage === "bash") {
     return buildBashDFG(tree);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoDFG(tree);
+  }
   return buildJavaDFG(tree, cache);
 }
 function buildJavaDFG(tree, cache) {
@@ -9035,6 +9392,259 @@ function isRustKeyword(name2) {
   ]);
   return keywords.has(name2);
 }
+var GO_KEYWORDS = /* @__PURE__ */ new Set([
+  "break",
+  "case",
+  "chan",
+  "const",
+  "continue",
+  "default",
+  "defer",
+  "else",
+  "fallthrough",
+  "for",
+  "func",
+  "go",
+  "goto",
+  "if",
+  "import",
+  "interface",
+  "map",
+  "package",
+  "range",
+  "return",
+  "select",
+  "struct",
+  "switch",
+  "type",
+  "var",
+  "true",
+  "false",
+  "nil",
+  "iota",
+  "append",
+  "cap",
+  "close",
+  "complex",
+  "copy",
+  "delete",
+  "imag",
+  "len",
+  "make",
+  "new",
+  "panic",
+  "print",
+  "println",
+  "real",
+  "recover",
+  "string",
+  "int",
+  "int8",
+  "int16",
+  "int32",
+  "int64",
+  "uint",
+  "uint8",
+  "uint16",
+  "uint32",
+  "uint64",
+  "float32",
+  "float64",
+  "complex64",
+  "complex128",
+  "byte",
+  "rune",
+  "bool",
+  "error",
+  "any"
+]);
+function buildGoDFG(tree) {
+  const defs = [];
+  const uses = [];
+  let defIdCounter = 1;
+  let useIdCounter = 1;
+  const scopeStack = [/* @__PURE__ */ new Map()];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    scopeStack.push(/* @__PURE__ */ new Map());
+    const params = func2.childForFieldName("parameters");
+    if (params) {
+      extractGoParamDefs(params, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const receiver = func2.childForFieldName("receiver");
+    if (receiver) {
+      extractGoParamDefs(receiver, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const body2 = func2.childForFieldName("body");
+    if (body2) {
+      processGoBlock(body2, defs, uses, scopeStack, { defId: defIdCounter, useId: useIdCounter });
+      defIdCounter = defs.length + 1;
+      useIdCounter = uses.length + 1;
+    }
+    scopeStack.pop();
+  }
+  for (let i2 = 0; i2 < tree.rootNode.childCount; i2++) {
+    const child = tree.rootNode.child(i2);
+    if (!child) continue;
+    if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, { defId: defIdCounter });
+      defIdCounter = defs.length + 1;
+    }
+  }
+  const chains = computeChains(defs, uses);
+  return { defs, uses, chains };
+}
+function extractGoParamDefs(params, defs, _startId, scopeStack) {
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const param = params.child(i2);
+    if (!param || param.type !== "parameter_declaration") continue;
+    const typeNode = param.childForFieldName("type");
+    for (let j = 0; j < param.childCount; j++) {
+      const nameNode = param.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      if (nameNode === typeNode) continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "param",
+        line: param.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function processGoBlock(node, defs, uses, scopeStack, counters) {
+  walkTree(node, (child) => {
+    if (child.type === "short_var_declaration") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, counters);
+    } else if (child.type === "assignment_statement") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "for_statement") {
+      const rangeClause = findChildByTypeGo(child, "range_clause");
+      if (rangeClause) {
+        const left = rangeClause.childForFieldName("left");
+        if (left) {
+          extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+        }
+      }
+    } else if (child.type === "call_expression") {
+      extractGoUses(child, uses, scopeStack);
+    } else if (child.type === "return_statement") {
+      for (let i2 = 0; i2 < child.childCount; i2++) {
+        const expr = child.child(i2);
+        if (expr && expr.type !== "return") {
+          extractGoUses(expr, uses, scopeStack);
+        }
+      }
+    }
+  });
+}
+function processGoVarDecl(node, defs, scopeStack, _counters) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const spec = node.child(i2);
+    if (!spec || spec.type !== "var_spec") continue;
+    for (let j = 0; j < spec.childCount; j++) {
+      const nameNode = spec.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "local",
+        line: spec.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function extractGoLhsDefs(left, defs, scopeStack, line) {
+  if (left.type === "identifier") {
+    const varName = getNodeText(left);
+    if (varName === "_") return;
+    const def = {
+      id: defs.length + 1,
+      variable: varName,
+      kind: "local",
+      line
+    };
+    defs.push(def);
+    currentScope(scopeStack).set(varName, def.id);
+  } else if (left.type === "expression_list") {
+    for (let i2 = 0; i2 < left.childCount; i2++) {
+      const item = left.child(i2);
+      if (item && item.type === "identifier") {
+        const varName = getNodeText(item);
+        if (varName === "_") continue;
+        const def = {
+          id: defs.length + 1,
+          variable: varName,
+          kind: "local",
+          line
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    }
+  }
+}
+function extractGoUses(node, uses, scopeStack) {
+  walkTree(node, (child) => {
+    if (child.type === "identifier") {
+      const varName = getNodeText(child);
+      if (varName === "_" || GO_KEYWORDS.has(varName)) return;
+      const parent = child.parent;
+      if (parent?.type === "selector_expression" && parent.childForFieldName("field") === child) {
+        return;
+      }
+      if (parent?.type === "parameter_declaration" && parent.childForFieldName("type") === child) {
+        return;
+      }
+      if (parent?.type === "type_identifier") {
+        return;
+      }
+      const defId = findReachingDef(varName, scopeStack);
+      uses.push({
+        id: uses.length + 1,
+        variable: varName,
+        line: child.startPosition.row + 1,
+        def_id: defId
+      });
+    }
+  });
+}
+function findChildByTypeGo(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) return child;
+  }
+  return null;
+}
 
 // src/analysis/config-loader.ts
 function parseConfig(content) {
@@ -9486,9 +10096,8 @@ var DEFAULT_SINKS = [
   { method: "FlowExecution", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // ActiveMQ control commands
   { method: "processControlCommand", class: "TransportConnection", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // XStream deserialization (leads to RCE via gadget chains)
-  { method: "fromXML", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "unmarshal", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+  // The deserialization sink entries at lines ~1059 handle this correctly.
   { method: "fromString", class: "FileConverter", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Plexus command line
   { method: "getPosition", class: "Commandline", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10172,7 +10781,8 @@ var DEFAULT_SINKS = [
   { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   // Browser DOM XSS sinks
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -10369,8 +10979,8 @@ var DEFAULT_SINKS = [
   { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  // sqlx::query macro
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // sqlx::query macro — use class-specific pattern
+  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   // rusqlite specific
   { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -10885,15 +11495,24 @@ function isInterproceduralTaintableType(typeName) {
 }
 function isParameterizedQueryCall(call, pattern) {
   if (pattern.type !== "sql_injection") return false;
-  if (call.arguments.length < 2) return false;
-  const secondArg = call.arguments.find((a) => a.position === 1);
-  if (!secondArg) return false;
-  if (secondArg.expression) {
-    const expr = secondArg.expression.trim();
-    if (expr.startsWith("[")) {
+  const queryArg = call.arguments.find((a) => a.position === 0);
+  if (queryArg) {
+    const queryText = queryArg.literal ?? queryArg.expression ?? "";
+    const hasPlaceholders = /(\?(?:\s|,|$|\))|\$\d+|:\w+|%s)/.test(queryText);
+    const hasConcatenation = /\+\s*[^+]/.test(queryText) || queryText.includes("${");
+    if (hasPlaceholders && !hasConcatenation && call.arguments.length >= 2) {
       return true;
     }
   }
+  if (call.arguments.length >= 2) {
+    const secondArg = call.arguments.find((a) => a.position === 1);
+    if (secondArg?.expression) {
+      const expr = secondArg.expression.trim();
+      if (expr.startsWith("[")) {
+        return true;
+      }
+    }
+  }
   return false;
 }
 function findSinks(calls, patterns, typeHierarchy) {
@@ -11019,9 +11638,130 @@ var SAFE_RECEIVERS_BY_METHOD = {
     "stmt",
     "statement",
     "cursor"
+  ]),
+  // query() is only a SQL sink when receiver is a database handle — not URL builders,
+  // DOM selectors, GraphQL clients, DNS resolvers, etc.
+  query: /* @__PURE__ */ new Set([
+    "uri",
+    "url",
+    "builder",
+    "uribuilder",
+    "uricomponents",
+    "uricomponentsbuilder",
+    "servleturicomponentsbuilder",
+    "httpurl",
+    "urlbuilder",
+    "webclient",
+    "request",
+    "req",
+    "router",
+    "route",
+    "app",
+    "express",
+    "parser",
+    "selector",
+    "jquery",
+    "dom",
+    "document",
+    "element",
+    "xmlpath",
+    "xpath",
+    "dns",
+    "resolver",
+    "graphql",
+    "apollo",
+    "querybuilder",
+    "criteria"
+  ]),
+  // authenticate() — safe on auth framework objects (token verification, not code exec)
+  authenticate: /* @__PURE__ */ new Set([
+    "auth",
+    "authenticator",
+    "authmanager",
+    "authprovider",
+    "authenticationmanager",
+    "authservice",
+    "oauth",
+    "token",
+    "jwt",
+    "passport",
+    "session",
+    "security",
+    "credentials",
+    "identityprovider",
+    "ldap",
+    "saml",
+    "oidc"
+  ]),
+  // add() is extremely generic — safe on collections, UI containers, builders, etc.
+  add: /* @__PURE__ */ new Set([
+    "list",
+    "set",
+    "map",
+    "collection",
+    "array",
+    "queue",
+    "deque",
+    "stack",
+    "vector",
+    "builder",
+    "panel",
+    "container",
+    "group",
+    "layout",
+    "menu",
+    "toolbar",
+    "model",
+    "registry",
+    "context",
+    "config",
+    "options",
+    "params",
+    "headers",
+    "attributes",
+    "listeners",
+    "handlers",
+    "filters",
+    "interceptors",
+    "validators",
+    "extensions",
+    "plugins",
+    "modules",
+    "components",
+    "children",
+    "items",
+    "elements",
+    "entries",
+    "rows",
+    "columns",
+    "fields",
+    "properties",
+    "descriptors",
+    "nodes",
+    "actions",
+    "results",
+    "errors",
+    "warnings",
+    "messages",
+    "notifications",
+    "events",
+    "subscribers",
+    "observers",
+    "providers",
+    "services",
+    "beans",
+    "tasks",
+    "jobs",
+    "workers",
+    "threads",
+    "schedulers"
   ])
 };
-function isKnownSafeReceiverForMethod(receiver, method, _sinkType) {
+function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
+  const lowerMethod = method.toLowerCase();
+  if ((lowerMethod === "fromxml" || lowerMethod === "unmarshal") && sinkType === "command_injection") {
+    return true;
+  }
   const safeReceivers = SAFE_RECEIVERS_BY_METHOD[method];
   if (!safeReceivers) return false;
   const lowerReceiver = receiver.toLowerCase();
@@ -11127,11 +11867,23 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerClass.includes(lowerReceiver)) {
-    return true;
+  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+    if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
+      return true;
+    }
   }
-  if (lowerClass.startsWith(lowerReceiver.substring(0, 3))) {
-    return true;
+  if (lowerReceiver.length >= 2) {
+    if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
+      return true;
+    }
+  }
+  if (lowerReceiver.length >= 3) {
+    const words = className.replace(/([a-z])([A-Z])/g, "$1\0$2").toLowerCase().split("\0");
+    for (const word of words) {
+      if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
+        return true;
+      }
+    }
   }
   const commonMappings = {
     // HTTP/Servlet
@@ -11152,8 +11904,10 @@ function receiverMightBeClass(receiver, className) {
     // Process/Runtime
     runtime: ["Runtime"],
     pb: ["ProcessBuilder"],
-    // Scripting
+    // Scripting / Expression evaluation
     engine: ["ScriptEngine"],
+    ev: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
+    evaluator: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
     // LDAP
     ctx: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
     context: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
@@ -11243,12 +11997,25 @@ function receiverMightBeClass(receiver, className) {
     knex: ["knex"],
     prisma: ["prisma"],
     axios: ["axios"],
-    fetch: ["fetch"]
+    fetch: ["fetch"],
+    // Go idioms (single-letter receivers)
+    r: ["Request"],
+    w: ["ResponseWriter"]
   };
   const mappings = commonMappings[lowerReceiver];
   if (mappings && Array.isArray(mappings) && mappings.includes(className)) {
     return true;
   }
+  const strippedReceiver = lowerReceiver.replace(/\d+$/, "");
+  if (strippedReceiver !== lowerReceiver && strippedReceiver.length >= 2) {
+    const strippedMappings = commonMappings[strippedReceiver];
+    if (strippedMappings && Array.isArray(strippedMappings) && strippedMappings.includes(className)) {
+      return true;
+    }
+    if (lowerClass.startsWith(strippedReceiver) || strippedReceiver.startsWith(lowerClass)) {
+      return true;
+    }
+  }
   return false;
 }
 function formatCallLocation(call) {