circle-ir 3.22.0 → 3.22.2

package/dist/browser/circle-ir.js

@@ -6348,7 +6348,7 @@ function extractBashCommandInfo(node) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
     if (!child) continue;
-    if (child === nameNode) continue;
+    if (child === nameNode || child.id === nameNode.id) continue;
     if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
       continue;
     }
@@ -9983,9 +9983,8 @@ var DEFAULT_SINKS = [
   { method: "FlowExecution", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // ActiveMQ control commands
   { method: "processControlCommand", class: "TransportConnection", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // XStream deserialization (leads to RCE via gadget chains)
-  { method: "fromXML", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "unmarshal", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+  // The deserialization sink entries at lines ~1059 handle this correctly.
   { method: "fromString", class: "FileConverter", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Plexus command line
   { method: "getPosition", class: "Commandline", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10669,7 +10668,8 @@ var DEFAULT_SINKS = [
   { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   // Browser DOM XSS sinks
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -10866,8 +10866,8 @@ var DEFAULT_SINKS = [
   { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  // sqlx::query macro
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // sqlx::query macro — use class-specific pattern
+  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   // rusqlite specific
   { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -11469,15 +11469,24 @@ function isInterproceduralTaintableType(typeName) {
 }
 function isParameterizedQueryCall(call, pattern) {
   if (pattern.type !== "sql_injection") return false;
-  if (call.arguments.length < 2) return false;
-  const secondArg = call.arguments.find((a) => a.position === 1);
-  if (!secondArg) return false;
-  if (secondArg.expression) {
-    const expr = secondArg.expression.trim();
-    if (expr.startsWith("[")) {
+  const queryArg = call.arguments.find((a) => a.position === 0);
+  if (queryArg) {
+    const queryText = queryArg.literal ?? queryArg.expression ?? "";
+    const hasPlaceholders = /(\?(?:\s|,|$|\))|\$\d+|:\w+|%s)/.test(queryText);
+    const hasConcatenation = /\+\s*[^+]/.test(queryText) || queryText.includes("${");
+    if (hasPlaceholders && !hasConcatenation && call.arguments.length >= 2) {
       return true;
     }
   }
+  if (call.arguments.length >= 2) {
+    const secondArg = call.arguments.find((a) => a.position === 1);
+    if (secondArg?.expression) {
+      const expr = secondArg.expression.trim();
+      if (expr.startsWith("[")) {
+        return true;
+      }
+    }
+  }
   return false;
 }
 function findSinks(calls, patterns, typeHierarchy) {
@@ -11603,9 +11612,130 @@ var SAFE_RECEIVERS_BY_METHOD = {
     "stmt",
     "statement",
     "cursor"
+  ]),
+  // query() is only a SQL sink when receiver is a database handle — not URL builders,
+  // DOM selectors, GraphQL clients, DNS resolvers, etc.
+  query: /* @__PURE__ */ new Set([
+    "uri",
+    "url",
+    "builder",
+    "uribuilder",
+    "uricomponents",
+    "uricomponentsbuilder",
+    "servleturicomponentsbuilder",
+    "httpurl",
+    "urlbuilder",
+    "webclient",
+    "request",
+    "req",
+    "router",
+    "route",
+    "app",
+    "express",
+    "parser",
+    "selector",
+    "jquery",
+    "dom",
+    "document",
+    "element",
+    "xmlpath",
+    "xpath",
+    "dns",
+    "resolver",
+    "graphql",
+    "apollo",
+    "querybuilder",
+    "criteria"
+  ]),
+  // authenticate() — safe on auth framework objects (token verification, not code exec)
+  authenticate: /* @__PURE__ */ new Set([
+    "auth",
+    "authenticator",
+    "authmanager",
+    "authprovider",
+    "authenticationmanager",
+    "authservice",
+    "oauth",
+    "token",
+    "jwt",
+    "passport",
+    "session",
+    "security",
+    "credentials",
+    "identityprovider",
+    "ldap",
+    "saml",
+    "oidc"
+  ]),
+  // add() is extremely generic — safe on collections, UI containers, builders, etc.
+  add: /* @__PURE__ */ new Set([
+    "list",
+    "set",
+    "map",
+    "collection",
+    "array",
+    "queue",
+    "deque",
+    "stack",
+    "vector",
+    "builder",
+    "panel",
+    "container",
+    "group",
+    "layout",
+    "menu",
+    "toolbar",
+    "model",
+    "registry",
+    "context",
+    "config",
+    "options",
+    "params",
+    "headers",
+    "attributes",
+    "listeners",
+    "handlers",
+    "filters",
+    "interceptors",
+    "validators",
+    "extensions",
+    "plugins",
+    "modules",
+    "components",
+    "children",
+    "items",
+    "elements",
+    "entries",
+    "rows",
+    "columns",
+    "fields",
+    "properties",
+    "descriptors",
+    "nodes",
+    "actions",
+    "results",
+    "errors",
+    "warnings",
+    "messages",
+    "notifications",
+    "events",
+    "subscribers",
+    "observers",
+    "providers",
+    "services",
+    "beans",
+    "tasks",
+    "jobs",
+    "workers",
+    "threads",
+    "schedulers"
   ])
 };
-function isKnownSafeReceiverForMethod(receiver, method, _sinkType) {
+function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
+  const lowerMethod = method.toLowerCase();
+  if ((lowerMethod === "fromxml" || lowerMethod === "unmarshal") && sinkType === "command_injection") {
+    return true;
+  }
   const safeReceivers = SAFE_RECEIVERS_BY_METHOD[method];
   if (!safeReceivers) return false;
   const lowerReceiver = receiver.toLowerCase();
@@ -11661,6 +11791,15 @@ function receiverMightBeClass(receiver, className) {
   if (receiver === className) {
     return true;
   }
+  if (receiver.includes("::")) {
+    const scopePrefix = receiver.match(/^(\w+)::/);
+    if (scopePrefix) {
+      const typeName = scopePrefix[1];
+      if (typeName === className || typeName.toLowerCase() === className.toLowerCase()) {
+        return true;
+      }
+    }
+  }
   const lowerReceiver = receiver.toLowerCase();
   const lowerClass = className.toLowerCase();
   if (lowerReceiver.endsWith(lowerClass) || lowerReceiver.endsWith("." + lowerClass)) {
@@ -11711,11 +11850,23 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerClass.includes(lowerReceiver)) {
-    return true;
+  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+    if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
+      return true;
+    }
   }
-  if (lowerClass.startsWith(lowerReceiver.substring(0, 3))) {
-    return true;
+  if (lowerReceiver.length >= 2) {
+    if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
+      return true;
+    }
+  }
+  if (lowerReceiver.length >= 3) {
+    const words = className.replace(/([a-z])([A-Z])/g, "$1\0$2").toLowerCase().split("\0");
+    for (const word of words) {
+      if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
+        return true;
+      }
+    }
   }
   const commonMappings = {
     // HTTP/Servlet
@@ -11736,8 +11887,10 @@ function receiverMightBeClass(receiver, className) {
     // Process/Runtime
     runtime: ["Runtime"],
     pb: ["ProcessBuilder"],
-    // Scripting
+    // Scripting / Expression evaluation
     engine: ["ScriptEngine"],
+    ev: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
+    evaluator: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
     // LDAP
     ctx: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
     context: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
@@ -11827,12 +11980,25 @@ function receiverMightBeClass(receiver, className) {
     knex: ["knex"],
     prisma: ["prisma"],
     axios: ["axios"],
-    fetch: ["fetch"]
+    fetch: ["fetch"],
+    // Go idioms (single-letter receivers)
+    r: ["Request"],
+    w: ["ResponseWriter"]
   };
   const mappings = commonMappings[lowerReceiver];
   if (mappings && Array.isArray(mappings) && mappings.includes(className)) {
     return true;
   }
+  const strippedReceiver = lowerReceiver.replace(/\d+$/, "");
+  if (strippedReceiver !== lowerReceiver && strippedReceiver.length >= 2) {
+    const strippedMappings = commonMappings[strippedReceiver];
+    if (strippedMappings && Array.isArray(strippedMappings) && strippedMappings.includes(className)) {
+      return true;
+    }
+    if (lowerClass.startsWith(strippedReceiver) || strippedReceiver.startsWith(lowerClass)) {
+      return true;
+    }
+  }
   return false;
 }
 function formatCallLocation(call) {
@@ -22605,6 +22771,18 @@ var ITERATOR_LOOP_PATTERNS = [
   /\bfor\s*\([^)]+\s*:\s*[^)]+\)/
   // Java: for (Type x : collection)
 ];
+var BOUNDED_LOOP_PATTERNS = [
+  /\bfor\s*\([^;]*;\s*\w+\s*[<>!=]+\s*[^;]*\.length\b/,
+  // for (i=0; i < arr.length; i++)
+  /\bfor\s*\([^;]*;\s*\w+\s*<\s*\w+\s*;/,
+  // for (i=0; i < N; i++)
+  /\bfor\s*\([^;]*;\s*\w+\s*>\s*\d+\s*;/,
+  // for (i=N; i > 0; i--)
+  /\bfor\s*\([^;]*;\s*\w+\s*<=\s*\w+\s*;/,
+  // for (i=0; i <= N; i++)
+  /\bfor\s*\([^;]*;\s*\w+\s*>=\s*\d+\s*;/
+  // for (i=N; i >= 0; i--)
+];
 var InfiniteLoopPass = class {
   name = "infinite-loop";
   category = "reliability";
@@ -22672,6 +22850,8 @@ var InfiniteLoopPass = class {
       const headerLine = codeLines[header.start_line - 1] ?? "";
       const isIteratorLoop = ITERATOR_LOOP_PATTERNS.some((pattern) => pattern.test(headerLine));
       if (isIteratorLoop) continue;
+      const isBoundedLoop = BOUNDED_LOOP_PATTERNS.some((pattern) => pattern.test(headerLine));
+      if (isBoundedLoop) continue;
       reportedHeaders.add(headerId);
       potentialInfiniteLoops.push({ headerLine: header.start_line, bodyEndLine: bodyEnd });
       const loc = bodyStart === bodyEnd ? `line ${bodyStart}` : `lines ${bodyStart}\u2013${bodyEnd}`;
@@ -23187,6 +23367,19 @@ var SwallowedExceptionPass = class {
           break;
         }
       }
+      if (!hasAction) {
+        const catchVarMatch = (codeLines[catchLine - 1] ?? "").match(/catch\s*\(\s*(\w+)/);
+        if (catchVarMatch) {
+          const catchVar = catchVarMatch[1];
+          const forwardRe = new RegExp(`\\w+\\s*\\([^)]*\\b${catchVar}\\b`);
+          for (let ln = catchLine + 1; ln <= catchBodyEnd && ln <= codeLines.length; ln++) {
+            if (forwardRe.test(codeLines[ln - 1] ?? "")) {
+              hasAction = true;
+              break;
+            }
+          }
+        }
+      }
       if (!hasAction) {
         reported.add(catchLine);
         swallowed.push({ line: catchLine });
@@ -23287,6 +23480,19 @@ var BroadCatchPass = class {
 // src/analysis/passes/unhandled-exception-pass.ts
 var JS_THROW_RE = /^\s*throw\s+/;
 var PYTHON_RAISE_RE = /^\s*raise\b/;
+function isValidationThrow(lines, throwLine) {
+  const throwText = lines[throwLine - 1] ?? "";
+  if (!/\bthrow\s+new\s+(TypeError|RangeError|ArgumentError|ERR_\w+)\b/.test(throwText)) {
+    return false;
+  }
+  for (let i2 = 1; i2 <= 3 && throwLine - i2 >= 1; i2++) {
+    const prev = lines[throwLine - i2 - 1] ?? "";
+    if (/\bif\s*\(/.test(prev) && /typeof|===\s*['"]undefined['"]|===\s*null|!|\.length|<\s*\d|>\s*\d/.test(prev)) {
+      return true;
+    }
+  }
+  return false;
+}
 var JS_TRY_RE = /^\s*try\s*\{/;
 var JS_CATCH_RE = /^\s*\}\s*catch\b/;
 var PY_TRY_RE = /^\s*try\s*:/;
@@ -23408,6 +23614,7 @@ var UnhandledExceptionPass = class {
       const methodInfo = graph.methodAtLine(ln);
       const methodKey = methodInfo ? `${methodInfo.method.start_line}-${methodInfo.method.end_line}` : `global-${ln}`;
       if (reportedMethods.has(methodKey)) continue;
+      if (isValidationThrow(codeLines, ln)) continue;
       reportedMethods.add(methodKey);
       const methodName = methodInfo?.method.name ?? "<anonymous>";
       unhandled.push({ line: ln, method: methodName });

package/dist/core/circle-ir-core.cjs

@@ -6424,7 +6424,7 @@ function extractBashCommandInfo(node) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
     if (!child) continue;
-    if (child === nameNode) continue;
+    if (child === nameNode || child.id === nameNode.id) continue;
     if (child.type.includes("redirect") || child.type === "heredoc_body" || child.type === "file_descriptor") {
       continue;
     }
@@ -10096,9 +10096,8 @@ var DEFAULT_SINKS = [
   { method: "FlowExecution", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // ActiveMQ control commands
   { method: "processControlCommand", class: "TransportConnection", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // XStream deserialization (leads to RCE via gadget chains)
-  { method: "fromXML", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "unmarshal", class: "XStream", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+  // The deserialization sink entries at lines ~1059 handle this correctly.
   { method: "fromString", class: "FileConverter", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Plexus command line
   { method: "getPosition", class: "Commandline", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10782,7 +10781,8 @@ var DEFAULT_SINKS = [
   { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+  // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   // Browser DOM XSS sinks
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
@@ -10979,8 +10979,8 @@ var DEFAULT_SINKS = [
   { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  // sqlx::query macro
-  { method: "query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // sqlx::query macro — use class-specific pattern
+  { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   // rusqlite specific
   { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
@@ -11495,15 +11495,24 @@ function isInterproceduralTaintableType(typeName) {
 }
 function isParameterizedQueryCall(call, pattern) {
   if (pattern.type !== "sql_injection") return false;
-  if (call.arguments.length < 2) return false;
-  const secondArg = call.arguments.find((a) => a.position === 1);
-  if (!secondArg) return false;
-  if (secondArg.expression) {
-    const expr = secondArg.expression.trim();
-    if (expr.startsWith("[")) {
+  const queryArg = call.arguments.find((a) => a.position === 0);
+  if (queryArg) {
+    const queryText = queryArg.literal ?? queryArg.expression ?? "";
+    const hasPlaceholders = /(\?(?:\s|,|$|\))|\$\d+|:\w+|%s)/.test(queryText);
+    const hasConcatenation = /\+\s*[^+]/.test(queryText) || queryText.includes("${");
+    if (hasPlaceholders && !hasConcatenation && call.arguments.length >= 2) {
       return true;
     }
   }
+  if (call.arguments.length >= 2) {
+    const secondArg = call.arguments.find((a) => a.position === 1);
+    if (secondArg?.expression) {
+      const expr = secondArg.expression.trim();
+      if (expr.startsWith("[")) {
+        return true;
+      }
+    }
+  }
   return false;
 }
 function findSinks(calls, patterns, typeHierarchy) {
@@ -11629,9 +11638,130 @@ var SAFE_RECEIVERS_BY_METHOD = {
     "stmt",
     "statement",
     "cursor"
+  ]),
+  // query() is only a SQL sink when receiver is a database handle — not URL builders,
+  // DOM selectors, GraphQL clients, DNS resolvers, etc.
+  query: /* @__PURE__ */ new Set([
+    "uri",
+    "url",
+    "builder",
+    "uribuilder",
+    "uricomponents",
+    "uricomponentsbuilder",
+    "servleturicomponentsbuilder",
+    "httpurl",
+    "urlbuilder",
+    "webclient",
+    "request",
+    "req",
+    "router",
+    "route",
+    "app",
+    "express",
+    "parser",
+    "selector",
+    "jquery",
+    "dom",
+    "document",
+    "element",
+    "xmlpath",
+    "xpath",
+    "dns",
+    "resolver",
+    "graphql",
+    "apollo",
+    "querybuilder",
+    "criteria"
+  ]),
+  // authenticate() — safe on auth framework objects (token verification, not code exec)
+  authenticate: /* @__PURE__ */ new Set([
+    "auth",
+    "authenticator",
+    "authmanager",
+    "authprovider",
+    "authenticationmanager",
+    "authservice",
+    "oauth",
+    "token",
+    "jwt",
+    "passport",
+    "session",
+    "security",
+    "credentials",
+    "identityprovider",
+    "ldap",
+    "saml",
+    "oidc"
+  ]),
+  // add() is extremely generic — safe on collections, UI containers, builders, etc.
+  add: /* @__PURE__ */ new Set([
+    "list",
+    "set",
+    "map",
+    "collection",
+    "array",
+    "queue",
+    "deque",
+    "stack",
+    "vector",
+    "builder",
+    "panel",
+    "container",
+    "group",
+    "layout",
+    "menu",
+    "toolbar",
+    "model",
+    "registry",
+    "context",
+    "config",
+    "options",
+    "params",
+    "headers",
+    "attributes",
+    "listeners",
+    "handlers",
+    "filters",
+    "interceptors",
+    "validators",
+    "extensions",
+    "plugins",
+    "modules",
+    "components",
+    "children",
+    "items",
+    "elements",
+    "entries",
+    "rows",
+    "columns",
+    "fields",
+    "properties",
+    "descriptors",
+    "nodes",
+    "actions",
+    "results",
+    "errors",
+    "warnings",
+    "messages",
+    "notifications",
+    "events",
+    "subscribers",
+    "observers",
+    "providers",
+    "services",
+    "beans",
+    "tasks",
+    "jobs",
+    "workers",
+    "threads",
+    "schedulers"
   ])
 };
-function isKnownSafeReceiverForMethod(receiver, method, _sinkType) {
+function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
+  const lowerMethod = method.toLowerCase();
+  if ((lowerMethod === "fromxml" || lowerMethod === "unmarshal") && sinkType === "command_injection") {
+    return true;
+  }
   const safeReceivers = SAFE_RECEIVERS_BY_METHOD[method];
   if (!safeReceivers) return false;
   const lowerReceiver = receiver.toLowerCase();
@@ -11687,6 +11817,15 @@ function receiverMightBeClass(receiver, className) {
   if (receiver === className) {
     return true;
   }
+  if (receiver.includes("::")) {
+    const scopePrefix = receiver.match(/^(\w+)::/);
+    if (scopePrefix) {
+      const typeName = scopePrefix[1];
+      if (typeName === className || typeName.toLowerCase() === className.toLowerCase()) {
+        return true;
+      }
+    }
+  }
   const lowerReceiver = receiver.toLowerCase();
   const lowerClass = className.toLowerCase();
   if (lowerReceiver.endsWith(lowerClass) || lowerReceiver.endsWith("." + lowerClass)) {
@@ -11737,11 +11876,23 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerClass.includes(lowerReceiver)) {
-    return true;
+  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+    if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
+      return true;
+    }
   }
-  if (lowerClass.startsWith(lowerReceiver.substring(0, 3))) {
-    return true;
+  if (lowerReceiver.length >= 2) {
+    if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
+      return true;
+    }
+  }
+  if (lowerReceiver.length >= 3) {
+    const words = className.replace(/([a-z])([A-Z])/g, "$1\0$2").toLowerCase().split("\0");
+    for (const word of words) {
+      if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
+        return true;
+      }
+    }
   }
   const commonMappings = {
     // HTTP/Servlet
@@ -11762,8 +11913,10 @@ function receiverMightBeClass(receiver, className) {
     // Process/Runtime
     runtime: ["Runtime"],
     pb: ["ProcessBuilder"],
-    // Scripting
+    // Scripting / Expression evaluation
     engine: ["ScriptEngine"],
+    ev: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
+    evaluator: ["ExpressionEvaluator", "ScriptEvaluator", "ClassBodyEvaluator"],
     // LDAP
     ctx: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
     context: ["Context", "InitialContext", "DirContext", "InitialDirContext", "LdapContext"],
@@ -11853,12 +12006,25 @@ function receiverMightBeClass(receiver, className) {
     knex: ["knex"],
     prisma: ["prisma"],
     axios: ["axios"],
-    fetch: ["fetch"]
+    fetch: ["fetch"],
+    // Go idioms (single-letter receivers)
+    r: ["Request"],
+    w: ["ResponseWriter"]
   };
   const mappings = commonMappings[lowerReceiver];
   if (mappings && Array.isArray(mappings) && mappings.includes(className)) {
     return true;
   }
+  const strippedReceiver = lowerReceiver.replace(/\d+$/, "");
+  if (strippedReceiver !== lowerReceiver && strippedReceiver.length >= 2) {
+    const strippedMappings = commonMappings[strippedReceiver];
+    if (strippedMappings && Array.isArray(strippedMappings) && strippedMappings.includes(className)) {
+      return true;
+    }
+    if (lowerClass.startsWith(strippedReceiver) || strippedReceiver.startsWith(lowerClass)) {
+      return true;
+    }
+  }
   return false;
 }
 function formatCallLocation(call) {