circle-ir 3.28.0 → 3.29.0

package/dist/browser/circle-ir.js

@@ -9998,7 +9998,9 @@ var DEFAULT_SINKS = [
   { method: "ProcessBuilder", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Commons Exec
-  { method: "execute", class: "Executor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Note: bare class 'Executor' removed — it collided with java.util.concurrent.Executor
+  // (Executor.execute(Runnable) is not command injection). Apache Commons Exec users
+  // typically declare DefaultExecutor explicitly, so we match that instead. See issue #14.
   { method: "execute", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "CommandLine", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10066,8 +10068,8 @@ var DEFAULT_SINKS = [
   { method: "popen", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "system", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Apache Commons Exec
-  { method: "execute", class: "Executor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "setCommandline", class: "Executor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  // Note: bare class 'Executor' removed (see comment above) — DefaultExecutor matched explicitly.
+  { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Process-related utilities
@@ -10076,7 +10078,10 @@ var DEFAULT_SINKS = [
   { method: "redirectOutput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
   { method: "redirectInput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
   // Path Traversal (CWE-22)
-  { method: "File", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  // File: covers both File(String pathname) and File(parent, child). The 2-arg
+  // overload's child argument carries CVE-2018-8041 (Camel mail Content-Disposition
+  // filename written to disk).
+  { method: "File", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
   { method: "FileInputStream", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileOutputStream", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileReader", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -10689,11 +10694,14 @@ var DEFAULT_SINKS = [
   { method: "spawn", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawnSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Also match without receiver (destructured imports: const { exec } = require('child_process'))
+  // `exec` is intentionally classless: catches Node.js child_process.exec AND
+  // Java Runtime.exec (via `r.exec()` where heuristic can't resolve r → Runtime).
   { method: "exec", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "execSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "spawnSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "execFile", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  // `execSync`/`spawn`/`spawnSync`/`execFile` are Node-specific — language-scope them.
+  { method: "execSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "spawnSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "execFile", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   // Node.js File System (path traversal)
   { method: "readFile", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "readFileSync", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
@@ -10706,12 +10714,15 @@ var DEFAULT_SINKS = [
   { method: "createReadStream", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "createWriteStream", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   // Node.js SQL (mysql, pg, sqlite, etc.)
-  { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // Language-scoped: generic class names `Pool`/`Connection`/`Client` substring-match
+  // unrelated Java identifiers like `cachedThreadPool`, `dbConnection`. See issue #14.
+  { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
   // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
-  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Note: `raw` is shared with Python (Django ORM) — scoped to JS+TS to avoid leaking.
+  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   // Browser DOM XSS sinks
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
   // Express.js XSS (response methods)
@@ -10721,7 +10732,7 @@ var DEFAULT_SINKS = [
   { method: "html", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "render", class: "Response", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [1] },
   // Node.js Code Injection (eval, vm, etc.)
-  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "Function", class: "constructor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInNewContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -10737,7 +10748,7 @@ var DEFAULT_SINKS = [
   { method: "get", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
-  { method: "fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "request", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "get", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -10766,10 +10777,12 @@ var DEFAULT_SINKS = [
   { method: "check_call", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "Popen", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Python Code Injection
-  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
-  { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  // Language-scoped: classless `exec`/`eval`/`compile` collide with Java/JS builtins
+  // and Java util.concurrent (e.g. Executor.execute / future.compile).
+  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python Deserialization
   { method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "load", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
@@ -10777,36 +10790,39 @@ var DEFAULT_SINKS = [
   { method: "load", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loads", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   // Python SQL Injection
-  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "executemany", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "extra", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  // Language-scoped: classless `execute`/`raw` collide with Java util.concurrent
+  // (Executor.execute, ThreadPool.execute) and other languages. See issue #14.
+  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "executemany", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "extra", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python Path Traversal
-  { method: "open", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  // Language-scoped: classless `open` collides with Java I/O / JS DOM.
+  { method: "open", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "remove", class: "os", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "unlink", class: "os", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "rmdir", class: "os", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "rmtree", class: "shutil", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
-  { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python XSS / SSTI
-  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
-  { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
-  { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   // Python SSRF
   { method: "get", class: "requests", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "requests", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "urlopen", class: "urllib.request", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   // Python Open Redirect
-  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0] },
+  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["python"] },
   // Python XPath Injection
-  { method: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
+  { method: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "find", class: "etree", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "findall", class: "etree", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "iterfind", class: "etree", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "XPath", class: "lxml", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   // elementpath library (XPath 2.0/3.0)
   { method: "select", class: "elementpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [1] },
-  { method: "select", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
+  { method: "select", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "iter_select", class: "elementpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [1] },
   { method: "Selector", class: "elementpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   // Python XXE
@@ -10898,36 +10914,42 @@ var DEFAULT_SINKS = [
   { method: "arg", class: "Command", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "args", class: "Command", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   // Rust SQL Injection (sqlx, diesel, rusqlite, tokio-postgres)
-  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "sql_query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "raw_sql", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // Language-scoped: generic class names `Pool`/`Connection`/`Client` substring-match
+  // unrelated Java identifiers (cachedThreadPool, dbConnection). See issue #14.
+  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "sql_query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "raw_sql", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
   // sqlx::query macro — use class-specific pattern
   { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
   // rusqlite specific
-  { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query_map", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  // Language-scoped: classless `execute`/`prepare`/`query_map` collide with
+  // Java util.concurrent (Executor.execute, ExecutorService) and other languages.
+  { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "query_map", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
   // Rust Path Traversal
   { method: "open", class: "File", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "create", class: "File", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "read_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "remove_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "remove_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "remove_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
-  { method: "copy", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
-  { method: "rename", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
-  { method: "write", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "read_to_string", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "create_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "create_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
-  { method: "symlink_metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
+  // Language-scoped: classless std::fs helpers collide with Java/JS method names
+  // (write, copy, rename, metadata, etc.) See issue #14.
+  { method: "read_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "remove_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "remove_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "remove_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "copy", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1], languages: ["rust"] },
+  { method: "rename", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1], languages: ["rust"] },
+  { method: "write", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "read_to_string", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "create_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "create_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0], languages: ["rust"] },
+  { method: "symlink_metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0], languages: ["rust"] },
   // Tokio async fs
   { method: "read_to_string", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "write", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11292,9 +11314,9 @@ var PYTHON_TAINTED_PATTERNS = [
   { pattern: /\brequest\.query_params\b/, sourceType: "http_param" },
   { pattern: /\brequest\.path_params\b/, sourceType: "http_param" }
 ];
-function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy) {
+function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language) {
   const sources = findSources(calls, types, config.sources);
-  const sinks = findSinks(calls, config.sinks, typeHierarchy);
+  const sinks = findSinks(calls, config.sinks, typeHierarchy, language);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
 }
@@ -11548,11 +11570,11 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
-function findSinks(calls, patterns, typeHierarchy) {
+function findSinks(calls, patterns, typeHierarchy, language) {
   const sinkMap = /* @__PURE__ */ new Map();
   for (const call of calls) {
     for (const pattern of patterns) {
-      if (matchesSinkPattern(call, pattern, typeHierarchy)) {
+      if (matchesSinkPattern(call, pattern, typeHierarchy, language)) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
@@ -11805,7 +11827,12 @@ function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
   }
   return false;
 }
-function matchesSinkPattern(call, pattern, typeHierarchy) {
+function matchesSinkPattern(call, pattern, typeHierarchy, language) {
+  if (pattern.languages && pattern.languages.length > 0 && language !== void 0) {
+    if (!pattern.languages.includes(language)) {
+      return false;
+    }
+  }
   const callMethodName = call.method_name;
   const patternMethod = pattern.method;
   let methodMatches = callMethodName === patternMethod;
@@ -11909,17 +11936,29 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+  const ambiguousIdentifiers = /* @__PURE__ */ new Set([
+    "executor",
+    "pool",
+    "connection",
+    "manager",
+    "handler",
+    "controller",
+    "task",
+    "thread",
+    "job"
+  ]);
+  const isAmbiguous = ambiguousIdentifiers.has(lowerReceiver);
+  if (!isAmbiguous && lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
     if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
       return true;
     }
   }
-  if (lowerReceiver.length >= 2) {
+  if (!isAmbiguous && lowerReceiver.length >= 2) {
     if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
       return true;
     }
   }
-  if (lowerReceiver.length >= 3) {
+  if (!isAmbiguous && lowerReceiver.length >= 3) {
     const words = className.replace(/([a-z])([A-Z])/g, "$1\0$2").toLowerCase().split("\0");
     for (const word of words) {
       if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
@@ -20124,7 +20163,7 @@ var TaintMatcherPass = class {
     }
     const hierarchy = createWithJdkTypes();
     hierarchy.addFromIR(graph.ir, graph.ir.meta.file);
-    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy);
+    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy, language);
     const sanitizerMethods = [];
     for (const type of types) {
       for (const method of type.methods) {
@@ -26286,7 +26325,7 @@ async function analyzeForAPI(code, filePath, language, options = {}) {
     const calls = extractCalls(tree, nodeCache, language);
     const constPropResult = analyzeConstantPropagation(tree, code);
     const config = options.taintConfig ?? getDefaultConfig();
-    const taint = analyzeTaint(calls, types, config);
+    const taint = analyzeTaint(calls, types, config, void 0, language);
     let filteredSinks = taint.sinks.filter((sink) => !constPropResult.unreachableLines.has(sink.line));
     filteredSinks = filterCleanVariableSinks(
       filteredSinks,