circle-ir 3.53.0 → 3.55.0

package/dist/analysis/passes/mass-assignment-pass.js

@@ -0,0 +1,124 @@
+/**
+ * Pass: mass-assignment (CWE-915, category: security)
+ *
+ * Pattern pass — flags code paths that splat an HTTP request bag (form /
+ * body / query / json) directly into a domain-object constructor or update
+ * helper without an allow-list. This complements the taint-based
+ * `mass_assignment` SinkType which catches `Object.assign(user, req.body)`
+ * via the regular sink matcher; this pass catches the *syntactic spread /
+ * kwargs* forms that aren't a discrete call argument.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `Model(**request.form)`
+ *     - `Model(**request.json)` / `**request.get_json()`
+ *     - `Model(**request.args)` / `**request.values`
+ *     - `Model.objects.create(**request.X)` (Django ORM)
+ *     - `Model.objects.update(**request.X)`
+ *   JavaScript / TypeScript:
+ *     - `{ ...req.body }`, `{ ...req.query }`, `{ ...req.params }`
+ *     - `{ ...request.body }`, `{ ...ctx.request.body }` (Koa)
+ *     - `await Model.create({ ...req.body })`
+ *     - `await user.update({ ...req.body })`
+ *
+ * Severity: high (direct privilege escalation vector).
+ * Issue: #86, Sprint 6.
+ */
+// Python: `**<httpSource>` where httpSource is one of the known
+// request bags. We intentionally allow trailing dots / call-syntax
+// (`request.get_json()`).
+const PY_KWARGS_SPLAT_RE = /\*\*\s*(?:request|self\.request|flask\.request|ctx|self)\s*\.\s*(?:form|args|values|json|get_json\s*\(\s*\)|files|data)/;
+// JS object-spread of an HTTP source. We match `{...<source>}` where the
+// source begins with `req|request|ctx|context` and continues into `body`,
+// `query`, `params`, `request.body`, etc.
+const JS_OBJECT_SPREAD_RE = /\{\s*\.\.\.\s*(?:req|request|ctx|context)(?:\.request)?\s*\.\s*(?:body|query|params|form)\b/;
+export class MassAssignmentPass {
+    name = 'mass-assignment';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        const code = ctx.code ?? '';
+        if (!code)
+            return { findings };
+        const lines = code.split('\n');
+        if (language === 'python') {
+            for (let i = 0; i < lines.length; i++) {
+                const text = lines[i] ?? '';
+                const m = PY_KWARGS_SPLAT_RE.exec(text);
+                if (!m)
+                    continue;
+                const line = i + 1;
+                const det = {
+                    pattern: '**request.<bag>',
+                    match: m[0],
+                };
+                findings.push({
+                    line,
+                    language,
+                    pattern: det.pattern,
+                    snippet: text.trim().slice(0, 200),
+                });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-915',
+                    severity: 'high',
+                    level: 'error',
+                    message: `HTTP request bag splatted into constructor / ORM helper via ` +
+                        `\`${det.match}\`. Every form field becomes a settable attribute ` +
+                        'on the domain object, including ones the endpoint did not ' +
+                        'intend to expose (e.g. `is_admin`, `role`, `owner_id`).',
+                    file,
+                    line,
+                    fix: 'Replace the `**` splat with an explicit allow-list: ' +
+                        "`Model(name=request.form['name'], email=request.form['email'])`. " +
+                        'For Django, use a `ModelForm` / serializer with `fields = [...]`.',
+                    evidence: { pattern: det.pattern, match: det.match, language },
+                });
+            }
+            return { findings };
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            for (let i = 0; i < lines.length; i++) {
+                const text = lines[i] ?? '';
+                const m = JS_OBJECT_SPREAD_RE.exec(text);
+                if (!m)
+                    continue;
+                const line = i + 1;
+                findings.push({
+                    line,
+                    language,
+                    pattern: '{...req.<bag>}',
+                    snippet: text.trim().slice(0, 200),
+                });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-915',
+                    severity: 'high',
+                    level: 'error',
+                    message: `HTTP request bag spread into object literal via \`${m[0]}\`. ` +
+                        'Every body field becomes a settable property on the resulting ' +
+                        'object, including ones the endpoint did not intend to expose ' +
+                        '(e.g. `isAdmin`, `role`, `ownerId`).',
+                    file,
+                    line,
+                    fix: 'Replace the spread with an explicit pick: ' +
+                        '`const { name, email } = req.body; const user = { name, email };`. ' +
+                        'For ORMs, use a DTO / Zod schema with `.pick(...)` or ' +
+                        'allow-list serializers.',
+                    evidence: { pattern: '{...req.<bag>}', match: m[0], language },
+                });
+            }
+            return { findings };
+        }
+        return { findings };
+    }
+}
+//# sourceMappingURL=mass-assignment-pass.js.map

package/dist/analysis/passes/mass-assignment-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mass-assignment-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/mass-assignment-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,gEAAgE;AAChE,mEAAmE;AACnE,0BAA0B;AAC1B,MAAM,kBAAkB,GACtB,yHAAyH,CAAC;AAE5H,yEAAyE;AACzE,0EAA0E;AAC1E,0CAA0C;AAC1C,MAAM,mBAAmB,GACvB,6FAA6F,CAAC;AAoBhG,MAAM,OAAO,kBAAkB;IAGpB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAqC,EAAE,CAAC;QACtD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;QAE/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5B,MAAM,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACxC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBACjB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBACnB,MAAM,GAAG,GAAgB;oBACvB,OAAO,EAAE,iBAAiB;oBAC1B,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;iBACZ,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,QAAQ;oBACR,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBACnC,CAAC,CAAC;gBACH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,8DAA8D;wBAC9D,KAAK,GAAG,CAAC,KAAK,oDAAoD;wBAClE,4DAA4D;wBAC5D,yDAAyD;oBAC3D,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,sDAAsD;wBACtD,mEAAmE;wBACnE,mEAAmE;oBACrE,QAAQ,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE;iBAC/D,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5B,MAAM,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBACjB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,QAAQ;oBACR,OAAO,EAAE,gBAAgB;oBACzB,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBACnC,CAAC,CAAC;gBACH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,qDAAqD,CAAC,CAAC,CAAC,CAAC,MAAM;wBAC/D,gEAAgE;wBAChE,+DAA+D;wBAC/D,sCAAsC;oBACxC,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,4CAA4C;wBAC5C,qEAAqE;wBACrE,wDAAwD;wBACxD,yBAAyB;oBAC3B,QAAQ,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE;iBAC/D,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;CACF"}

package/dist/analysis/passes/xml-entity-expansion-pass.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Pass: xml-entity-expansion (CWE-776 / CWE-611, category: security)
+ *
+ * Pattern pass — flags XML parser instantiation that does *not* disable
+ * DTD / external-entity processing in the same file. This covers:
+ *   - Billion-laughs / quadratic blow-up DoS (CWE-776)
+ *   - External-entity disclosure (CWE-611) [already partially covered by
+ *     existing xxe taint sinks; this pass adds the config-level signal]
+ *
+ * Detection (Java):
+ *   Factory instantiation:
+ *     - `SAXParserFactory.newInstance()`
+ *     - `DocumentBuilderFactory.newInstance()`
+ *     - `XMLInputFactory.newInstance()` (StAX)
+ *     - `SchemaFactory.newInstance(...)`
+ *     - `TransformerFactory.newInstance()`
+ *   Safe-feature setters (any of these in the same file silences the
+ *   finding for that factory class):
+ *     - `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`
+ *     - `setFeature("http://xml.org/sax/features/external-general-entities", false)`
+ *     - `setFeature("http://xml.org/sax/features/external-parameter-entities", false)`
+ *     - `setProperty(XMLInputFactory.SUPPORT_DTD, false)`
+ *     - `setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`
+ *
+ * Detection (Python):
+ *   - `xml.etree.ElementTree.parse` / `fromstring` — defxml advises
+ *     `defusedxml.ElementTree` instead.
+ *   - `lxml.etree.parse(...)` without `XMLParser(resolve_entities=False)`
+ *     argument. We only fire if `resolve_entities=False` does NOT appear
+ *     in the file.
+ *
+ * Note: the existing `xxe` taint sinks (`SAXParser.parse`, `XMLReader.parse`,
+ * etc.) already fire when *tainted* XML reaches the parser. This pass is
+ * the orthogonal *configuration* signal — fire even on hard-coded inputs
+ * because billion-laughs is exploitable via any attacker-supplied entity
+ * file even when the parse() argument itself is trusted.
+ *
+ * Issue: #86, Sprint 6.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface XmlEntityExpansionResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        pattern: string;
+        api: string;
+    }>;
+}
+export declare class XmlEntityExpansionPass implements AnalysisPass<XmlEntityExpansionResult> {
+    readonly name = "xml-entity-expansion";
+    readonly category: "security";
+    run(ctx: PassContext): XmlEntityExpansionResult;
+    private detectJavaCall;
+    private detectPythonCall;
+    private fixForJava;
+    private fixForPython;
+}
+//# sourceMappingURL=xml-entity-expansion-pass.d.ts.map

package/dist/analysis/passes/xml-entity-expansion-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xml-entity-expansion-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/xml-entity-expansion-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAyB9E,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,sBACX,YAAW,YAAY,CAAC,wBAAwB,CAAC;IAEjD,QAAQ,CAAC,IAAI,0BAA0B;IACvC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,wBAAwB;IA0E/C,OAAO,CAAC,cAAc;IAiBtB,OAAO,CAAC,gBAAgB;IAyBxB,OAAO,CAAC,UAAU;IA6BlB,OAAO,CAAC,YAAY;CAarB"}

package/dist/analysis/passes/xml-entity-expansion-pass.js

@@ -0,0 +1,196 @@
+/**
+ * Pass: xml-entity-expansion (CWE-776 / CWE-611, category: security)
+ *
+ * Pattern pass — flags XML parser instantiation that does *not* disable
+ * DTD / external-entity processing in the same file. This covers:
+ *   - Billion-laughs / quadratic blow-up DoS (CWE-776)
+ *   - External-entity disclosure (CWE-611) [already partially covered by
+ *     existing xxe taint sinks; this pass adds the config-level signal]
+ *
+ * Detection (Java):
+ *   Factory instantiation:
+ *     - `SAXParserFactory.newInstance()`
+ *     - `DocumentBuilderFactory.newInstance()`
+ *     - `XMLInputFactory.newInstance()` (StAX)
+ *     - `SchemaFactory.newInstance(...)`
+ *     - `TransformerFactory.newInstance()`
+ *   Safe-feature setters (any of these in the same file silences the
+ *   finding for that factory class):
+ *     - `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`
+ *     - `setFeature("http://xml.org/sax/features/external-general-entities", false)`
+ *     - `setFeature("http://xml.org/sax/features/external-parameter-entities", false)`
+ *     - `setProperty(XMLInputFactory.SUPPORT_DTD, false)`
+ *     - `setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`
+ *
+ * Detection (Python):
+ *   - `xml.etree.ElementTree.parse` / `fromstring` — defxml advises
+ *     `defusedxml.ElementTree` instead.
+ *   - `lxml.etree.parse(...)` without `XMLParser(resolve_entities=False)`
+ *     argument. We only fire if `resolve_entities=False` does NOT appear
+ *     in the file.
+ *
+ * Note: the existing `xxe` taint sinks (`SAXParser.parse`, `XMLReader.parse`,
+ * etc.) already fire when *tainted* XML reaches the parser. This pass is
+ * the orthogonal *configuration* signal — fire even on hard-coded inputs
+ * because billion-laughs is exploitable via any attacker-supplied entity
+ * file even when the parse() argument itself is trusted.
+ *
+ * Issue: #86, Sprint 6.
+ */
+const JAVA_FACTORIES = new Set([
+    'SAXParserFactory',
+    'DocumentBuilderFactory',
+    'XMLInputFactory',
+    'SchemaFactory',
+    'TransformerFactory',
+]);
+// "Disallow DTD" / safe-feature evidence — any one of these in the file
+// suppresses the warning. Conservative on purpose: a missed feature still
+// fires; FPs only on cross-file configuration.
+const JAVA_SAFE_EVIDENCE_RE = /(disallow-doctype-decl|external-general-entities|external-parameter-entities|SUPPORT_DTD|ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_SCHEMA|setXIncludeAware\s*\(\s*false\s*\)|setExpandEntityReferences\s*\(\s*false\s*\))/;
+const PY_LXML_PARSER_INSECURE_DEFAULT_RE = /\bresolve_entities\s*=\s*False\b/;
+export class XmlEntityExpansionPass {
+    name = 'xml-entity-expansion';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        const code = ctx.code ?? '';
+        if (language === 'java') {
+            const safeInFile = JAVA_SAFE_EVIDENCE_RE.test(code);
+            if (safeInFile)
+                return { findings };
+            for (const call of graph.ir.calls) {
+                const det = this.detectJavaCall(call);
+                if (!det)
+                    continue;
+                const line = call.location.line;
+                findings.push({ line, language, ...det });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}-${det.api}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: det.cwe,
+                    severity: 'high',
+                    level: 'error',
+                    message: `${det.api} created without disabling DTD / external-entity ` +
+                        'processing. Vulnerable to billion-laughs / quadratic ' +
+                        'blow-up DoS (CWE-776) and external-entity disclosure ' +
+                        '(CWE-611). Add `setFeature("http://apache.org/xml/features/' +
+                        'disallow-doctype-decl", true)` (or the equivalent) before ' +
+                        'parsing.',
+                    file,
+                    line,
+                    fix: this.fixForJava(det.api),
+                    evidence: { ...det, language, safeFeatureInFile: false },
+                });
+            }
+            return { findings };
+        }
+        if (language === 'python') {
+            const safeInFile = PY_LXML_PARSER_INSECURE_DEFAULT_RE.test(code) ||
+                /\bdefusedxml\b/.test(code);
+            if (safeInFile)
+                return { findings };
+            for (const call of graph.ir.calls) {
+                const det = this.detectPythonCall(call);
+                if (!det)
+                    continue;
+                const line = call.location.line;
+                findings.push({ line, language, ...det });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}-${det.api}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: det.cwe,
+                    severity: 'high',
+                    level: 'error',
+                    message: `${det.api} called without an entity-safe parser. Vulnerable ` +
+                        'to billion-laughs / quadratic blow-up DoS (CWE-776) and ' +
+                        'external-entity disclosure (CWE-611). Use `defusedxml` or pass ' +
+                        'an `XMLParser(resolve_entities=False)` to lxml.',
+                    file,
+                    line,
+                    fix: this.fixForPython(det.api),
+                    evidence: { ...det, language, safeFeatureInFile: false },
+                });
+            }
+            return { findings };
+        }
+        return { findings };
+    }
+    detectJavaCall(call) {
+        if (call.method_name !== 'newInstance')
+            return null;
+        const recv = call.receiver ?? '';
+        const recvType = call.receiver_type ?? '';
+        for (const factory of JAVA_FACTORIES) {
+            if (recv === factory || recvType === factory ||
+                recv.endsWith('.' + factory) || recvType.endsWith('.' + factory)) {
+                return {
+                    pattern: `${factory}.newInstance()`,
+                    api: factory,
+                    cwe: 'CWE-776',
+                };
+            }
+        }
+        return null;
+    }
+    detectPythonCall(call) {
+        const recv = call.receiver ?? '';
+        const method = call.method_name;
+        // lxml.etree.parse / lxml.etree.fromstring
+        if ((method === 'parse' || method === 'fromstring' || method === 'XML') &&
+            (recv === 'etree' || recv.endsWith('.etree'))) {
+            return {
+                pattern: `etree.${method}`,
+                api: `lxml.etree.${method}`,
+                cwe: 'CWE-776',
+            };
+        }
+        // xml.etree.ElementTree.parse / fromstring
+        if ((method === 'parse' || method === 'fromstring') &&
+            (recv === 'ET' || recv === 'ElementTree' ||
+                recv.endsWith('.ElementTree'))) {
+            return {
+                pattern: `ElementTree.${method}`,
+                api: `xml.etree.ElementTree.${method}`,
+                cwe: 'CWE-776',
+            };
+        }
+        return null;
+    }
+    fixForJava(api) {
+        if (api === 'SAXParserFactory') {
+            return ('Call `factory.setFeature("http://apache.org/xml/features/' +
+                'disallow-doctype-decl", true)` and ' +
+                '`factory.setXIncludeAware(false)` before `newSAXParser()`.');
+        }
+        if (api === 'DocumentBuilderFactory') {
+            return ('Call `factory.setFeature("http://apache.org/xml/features/' +
+                'disallow-doctype-decl", true)` and ' +
+                '`factory.setExpandEntityReferences(false)` before ' +
+                '`newDocumentBuilder()`.');
+        }
+        if (api === 'XMLInputFactory') {
+            return ('Call `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` ' +
+                'and `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_' +
+                'ENTITIES, false)` before `createXMLStreamReader`.');
+        }
+        return ('Use `XMLConstants.FEATURE_SECURE_PROCESSING` and explicitly disable ' +
+            'DTD / external-entity loading on the factory before parsing.');
+    }
+    fixForPython(api) {
+        if (api.startsWith('lxml.etree')) {
+            return ('Pass an explicit parser: ' +
+                '`etree.parse(src, parser=etree.XMLParser(resolve_entities=False, ' +
+                'no_network=True))`. Even better, use the `defusedxml.lxml` wrapper.');
+        }
+        return ('Replace `xml.etree.ElementTree` with `defusedxml.ElementTree`, which ' +
+            'disables DTD / entity processing by default.');
+    }
+}
+//# sourceMappingURL=xml-entity-expansion-pass.js.map

package/dist/analysis/passes/xml-entity-expansion-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xml-entity-expansion-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/xml-entity-expansion-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAS;IACrC,kBAAkB;IAClB,wBAAwB;IACxB,iBAAiB;IACjB,eAAe;IACf,oBAAoB;CACrB,CAAC,CAAC;AAEH,wEAAwE;AACxE,0EAA0E;AAC1E,+CAA+C;AAC/C,MAAM,qBAAqB,GACzB,qNAAqN,CAAC;AAExN,MAAM,kCAAkC,GAAG,kCAAkC,CAAC;AAiB9E,MAAM,OAAO,sBAAsB;IAGxB,IAAI,GAAG,sBAAsB,CAAC;IAC9B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAyC,EAAE,CAAC;QAC1D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAE5B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,UAAU;gBAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;YAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC1C,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,GAAG,EAAE;oBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,GAAG,GAAG,CAAC,GAAG,mDAAmD;wBAC7D,uDAAuD;wBACvD,uDAAuD;wBACvD,6DAA6D;wBAC7D,4DAA4D;wBAC5D,UAAU;oBACZ,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;oBAC7B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE,iBAAiB,EAAE,KAAK,EAAE;iBACzD,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC9C,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,UAAU;gBAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;YAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;gBACxC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC1C,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,GAAG,EAAE;oBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,GAAG,GAAG,CAAC,GAAG,oDAAoD;wBAC9D,0DAA0D;wBAC1D,iEAAiE;wBACjE,iDAAiD;oBACnD,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;oBAC/B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE,iBAAiB,EAAE,KAAK,EAAE;iBACzD,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,cAAc,CAAC,IAAc;QACnC,IAAI,IAAI,CAAC,WAAW,KAAK,aAAa;YAAE,OAAO,IAAI,CAAC;QACpD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;QAC1C,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;YACrC,IAAI,IAAI,KAAK,OAAO,IAAI,QAAQ,KAAK,OAAO;gBACxC,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,OAAO,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,OAAO,CAAC,EAAE,CAAC;gBACrE,OAAO;oBACL,OAAO,EAAE,GAAG,OAAO,gBAAgB;oBACnC,GAAG,EAAE,OAAO;oBACZ,GAAG,EAAE,SAAS;iBACf,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,gBAAgB,CAAC,IAAc;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,2CAA2C;QAC3C,IAAI,CAAC,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,KAAK,CAAC;YACnE,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,OAAO,EAAE,SAAS,MAAM,EAAE;gBAC1B,GAAG,EAAE,cAAc,MAAM,EAAE;gBAC3B,GAAG,EAAE,SAAS;aACf,CAAC;QACJ,CAAC;QACD,2CAA2C;QAC3C,IAAI,CAAC,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,YAAY,CAAC;YAC/C,CAAC,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,aAAa;gBACvC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,OAAO,EAAE,eAAe,MAAM,EAAE;gBAChC,GAAG,EAAE,yBAAyB,MAAM,EAAE;gBACtC,GAAG,EAAE,SAAS;aACf,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,UAAU,CAAC,GAAW;QAC5B,IAAI,GAAG,KAAK,kBAAkB,EAAE,CAAC;YAC/B,OAAO,CACL,2DAA2D;gBAC3D,qCAAqC;gBACrC,4DAA4D,CAC7D,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,KAAK,wBAAwB,EAAE,CAAC;YACrC,OAAO,CACL,2DAA2D;gBAC3D,qCAAqC;gBACrC,oDAAoD;gBACpD,yBAAyB,CAC1B,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,KAAK,iBAAiB,EAAE,CAAC;YAC9B,OAAO,CACL,iEAAiE;gBACjE,kEAAkE;gBAClE,mDAAmD,CACpD,CAAC;QACJ,CAAC;QACD,OAAO,CACL,sEAAsE;YACtE,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,GAAW;QAC9B,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACjC,OAAO,CACL,2BAA2B;gBAC3B,mEAAmE;gBACnE,qEAAqE,CACtE,CAAC;QACJ,CAAC;QACD,OAAO,CACL,uEAAuE;YACvE,8CAA8C,CAC/C,CAAC;IACJ,CAAC;CACF"}

package/dist/analysis/rules.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../src/analysis/rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAM5D,6DAA6D;AAC7D,eAAO,MAAM,cAAc,EAAE,QAAQ,EAKpC,CAAC;AAEF,wCAAwC;AACxC,eAAO,MAAM,UAAU,EAAE,QAAQ,EAOhC,CAAC;AAEF,0DAA0D;AAC1D,eAAO,MAAM,qBAAqB,UAIjC,CAAC;AAMF,MAAM,WAAW,QAAQ;IACvB,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,uCAAuC;IACvC,eAAe,EAAE,MAAM,CAAC;IACxB,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,aAAa,EAAE,QAAQ,CAAC;IACxB,qBAAqB;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAqLvD,CAAC;AAMF;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAgBjE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAElE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAEtE;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAE1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAEnE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAE/D;AAqBD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAOtE;AAMD,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CA2CpE"}
+{"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../src/analysis/rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAM5D,6DAA6D;AAC7D,eAAO,MAAM,cAAc,EAAE,QAAQ,EAKpC,CAAC;AAEF,wCAAwC;AACxC,eAAO,MAAM,UAAU,EAAE,QAAQ,EAOhC,CAAC;AAEF,0DAA0D;AAC1D,eAAO,MAAM,qBAAqB,UAIjC,CAAC;AAMF,MAAM,WAAW,QAAQ;IACvB,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,uCAAuC;IACvC,eAAe,EAAE,MAAM,CAAC;IACxB,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,aAAa,EAAE,QAAQ,CAAC;IACxB,qBAAqB;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAyNvD,CAAC;AAMF;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAgBjE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAElE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAEtE;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAE1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAEnE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAE/D;AAqBD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAOtE;AAMD,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CA2CpE"}

package/dist/analysis/rules.js

@@ -204,6 +204,42 @@ export const RULE_DEFINITIONS = {
         severityLevel: 'medium',
         cwe: 'CWE-668',
     },
+    redos: {
+        name: 'Regular Expression DoS (ReDoS)',
+        shortDescription: 'User-controlled regex pattern reaches a regex engine',
+        fullDescription: 'The application compiles or matches a regular expression whose pattern comes from user input. A crafted catastrophic-backtracking pattern (e.g. `(a+)+$`) can cause the engine to consume exponential CPU and stall the request thread, leading to denial of service.',
+        remediation: 'Never compile a regex from untrusted input. Either pre-compile a fixed pattern, validate the user-supplied pattern against an allowlist, use a non-backtracking engine (Go `regexp`, Rust `regex`, `re2`), or impose a wall-clock timeout on the match.',
+        cvssScore: '7.5',
+        severityLevel: 'high',
+        cwe: 'CWE-1333',
+    },
+    format_string: {
+        name: 'Format-String Injection',
+        shortDescription: 'User-controlled format string reaches a formatter',
+        fullDescription: 'The application uses user-controlled input as the format string passed to a formatter (`String.format`, `str.format`, `printf`, `Formatter.format`). Format-string controls allow attackers to leak information (`%s` index out of bounds, exception message disclosure) or, in C-style runtimes, write to arbitrary memory (`%n`).',
+        remediation: 'Always pass a constant format string and supply user input as a value argument. Never let untrusted data become the format string itself.',
+        cvssScore: '7.5',
+        severityLevel: 'high',
+        cwe: 'CWE-134',
+    },
+    crlf: {
+        name: 'HTTP Response Header / CRLF Injection',
+        shortDescription: 'User-controlled value reaches an HTTP response header sink',
+        fullDescription: 'The application writes user-controlled input into an HTTP response header, cookie, or status line without filtering out the CR (\\r) and LF (\\n) characters. An attacker can inject `\\r\\n` to terminate the current header and emit forged headers (e.g. fake `Set-Cookie`, cache-poisoning headers) or split the response entirely (HTTP response splitting / smuggling).',
+        remediation: 'Validate header values against `\\r\\n` (reject or strip). Prefer a high-level cookie API that escapes these characters automatically. In Java, use `Cookie` objects rather than `setHeader("Set-Cookie", ...)`.',
+        cvssScore: '6.1',
+        severityLevel: 'medium',
+        cwe: 'CWE-113',
+    },
+    mass_assignment: {
+        name: 'Mass Assignment / Over-Posting',
+        shortDescription: 'Untrusted request bag is splatted into a domain object',
+        fullDescription: 'The application takes the full HTTP request body / form / JSON and assigns every key onto a domain object (constructor kwargs, `Object.assign`, object spread, `Model.objects.create(**req.X)`). Attackers can set fields the form never exposed — `is_admin`, `role`, `owner_id`, `email_verified` — escalating privileges or bypassing business invariants.',
+        remediation: 'Use an explicit allow-list of fields. In Python, copy keys one by one from `request.form` instead of `**request.form`. In JS, destructure the expected fields instead of `Object.assign(user, req.body)`. In ORMs, declare `fillable` / `attr_accessible` / serializer fields.',
+        cvssScore: '8.1',
+        severityLevel: 'high',
+        cwe: 'CWE-915',
+    },
     mybatis_mapper_call: {
         name: 'MyBatis Mapper Method Call',
         shortDescription: 'Tainted argument passed to a MyBatis mapper interface method',

package/dist/analysis/rules.js.map

@@ -1 +1 @@
-{"version":3,"file":"rules.js","sourceRoot":"","sources":["../../src/analysis/rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF,6DAA6D;AAC7D,MAAM,CAAC,MAAM,cAAc,GAAe;IACxC,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,gBAAgB;CACjB,CAAC;AAEF,wCAAwC;AACxC,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,KAAK;IACL,gBAAgB;IAChB,KAAK;IACL,MAAM;IACN,gBAAgB;IAChB,iBAAiB;CAClB,CAAC;AAEF,0DAA0D;AAC1D,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,YAAY;IACZ,WAAW;IACX,aAAa;CACd,CAAC;AAuBF;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA+B;IAC1D,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,mDAAmD;QACrE,eAAe,EAAE,wKAAwK;QACzL,WAAW,EAAE,2GAA2G;QACxH,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,oKAAoK;QACrL,WAAW,EAAE,kGAAkG;QAC/G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,SAAS;KACf;IACD,iBAAiB,EAAE;QACjB,IAAI,EAAE,mBAAmB;QACzB,gBAAgB,EAAE,wDAAwD;QAC1E,eAAe,EAAE,uIAAuI;QACxJ,WAAW,EAAE,0HAA0H;QACvI,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,GAAG,EAAE;QACH,IAAI,EAAE,4BAA4B;QAClC,gBAAgB,EAAE,8CAA8C;QAChE,eAAe,EAAE,wIAAwI;QACzJ,WAAW,EAAE,gHAAgH;QAC7H,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,iDAAiD;QACnE,eAAe,EAAE,wIAAwI;QACzJ,WAAW,EAAE,iHAAiH;QAC9H,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,wBAAwB;QAC9B,gBAAgB,EAAE,gDAAgD;QAClE,eAAe,EAAE,qHAAqH;QACtI,WAAW,EAAE,2GAA2G;QACxH,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,SAAS;KACf;IACD,GAAG,EAAE;QACH,IAAI,EAAE,2BAA2B;QACjC,gBAAgB,EAAE,6DAA6D;QAC/E,eAAe,EAAE,0IAA0I;QAC3J,WAAW,EAAE,iGAAiG;QAC9G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,oDAAoD;QACtE,eAAe,EAAE,kGAAkG;QACnH,WAAW,EAAE,0EAA0E;QACvF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,mGAAmG;QACpH,WAAW,EAAE,+FAA+F;QAC5G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,IAAI,EAAE;QACJ,IAAI,EAAE,oCAAoC;QAC1C,gBAAgB,EAAE,4CAA4C;QAC9D,eAAe,EAAE,uHAAuH;QACxI,WAAW,EAAE,8EAA8E;QAC3F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,iCAAiC;QACnD,eAAe,EAAE,sHAAsH;QACvI,WAAW,EAAE,gGAAgG;QAC7G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,iDAAiD;QACnE,eAAe,EAAE,0JAA0J;QAC3K,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,KAAK;QACpB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,6BAA6B;QAC/C,eAAe,EAAE,wGAAwG;QACzH,WAAW,EAAE,0FAA0F;QACvG,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,WAAW,EAAE;QACX,IAAI,EAAE,8BAA8B;QACpC,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,wFAAwF;QACzG,WAAW,EAAE,+FAA+F;QAC5G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,SAAS,EAAE;QACT,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,4CAA4C;QAC9D,eAAe,EAAE,4FAA4F;QAC7G,WAAW,EAAE,wEAAwE;QACrF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,WAAW,EAAE;QACX,IAAI,EAAE,uBAAuB;QAC7B,gBAAgB,EAAE,kDAAkD;QACpE,eAAe,EAAE,qFAAqF;QACtG,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,mCAAmC;QACrD,eAAe,EAAE,2EAA2E;QAC5F,WAAW,EAAE,mEAAmE;QAChF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,KAAK;QACpB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,0BAA0B;QAChC,gBAAgB,EAAE,uCAAuC;QACzD,eAAe,EAAE,mFAAmF;QACpG,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,qBAAqB,EAAE;QACrB,IAAI,EAAE,wCAAwC;QAC9C,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,oMAAoM;QACrN,WAAW,EAAE,yHAAyH;QACtI,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,mBAAmB,EAAE;QACnB,IAAI,EAAE,4BAA4B;QAClC,gBAAgB,EAAE,8DAA8D;QAChF,eAAe,EAAE,8XAA8X;QAC/Y,WAAW,EAAE,mQAAmQ;QAChR,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd;CACF,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,QAA2B;IACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAoB,CAAC,CAAC;IACpD,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6BAA6B;IAC7B,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,gBAAgB,EAAE,6BAA6B,QAAQ,EAAE;QACzD,eAAe,EAAE,wCAAwC,QAAQ,WAAW;QAC5E,WAAW,EAAE,4CAA4C;QACzD,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAA2B;IAC1D,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,aAAa,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,QAA2B;IAChD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,cAAc,CAAC,QAAQ,CAAC,QAAoB,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,QAA2B;IACpD,OAAO,UAAU,CAAC,QAAQ,CAAC,QAAoB,CAAC,CAAC;AACnD,CAAC;AAED,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAM,mBAAmB,GAA2B;IAClD,UAAU,EAAE,gCAAgC;IAC5C,SAAS,EAAE,8BAA8B;IACzC,WAAW,EAAE,6BAA6B;IAC1C,WAAW,EAAE,8BAA8B;IAC3C,SAAS,EAAE,0BAA0B;IACrC,UAAU,EAAE,8BAA8B;IAC1C,QAAQ,EAAE,6BAA6B;IACvC,SAAS,EAAE,sBAAsB;IACjC,QAAQ,EAAE,uBAAuB;IACjC,UAAU,EAAE,cAAc;IAC1B,aAAa,EAAE,eAAe;IAC9B,YAAY,EAAE,iCAAiC;CAChD,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IACrD,OAAO,mBAAmB,CAAC,UAAU,CAAC,IAAI,cAAc,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA2B;IAC5D,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAoB,CAAC,CAAC;IACpD,IAAI,IAAI,EAAE,CAAC;QACT,wCAAwC;QACxC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAaD;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAwB;IACxD,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC;IAEvE,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,YAAY,GAAG,UAAU,CAAC,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAErF,mDAAmD;IACnD,IAAI,UAAU,IAAI,UAAU,IAAI,YAAY,EAAE,CAAC;QAC7C,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,kDAAkD;IAClD,IAAI,UAAU,IAAI,UAAU,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QACjD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,mEAAmE;IACnE,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wCAAwC;IACxC,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;QAC7B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mDAAmD;IACnD,IAAI,UAAU,IAAI,MAAM,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QAC7C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,uCAAuC;IACvC,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,IAAI,MAAM,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
+{"version":3,"file":"rules.js","sourceRoot":"","sources":["../../src/analysis/rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF,6DAA6D;AAC7D,MAAM,CAAC,MAAM,cAAc,GAAe;IACxC,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,gBAAgB;CACjB,CAAC;AAEF,wCAAwC;AACxC,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,KAAK;IACL,gBAAgB;IAChB,KAAK;IACL,MAAM;IACN,gBAAgB;IAChB,iBAAiB;CAClB,CAAC;AAEF,0DAA0D;AAC1D,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,YAAY;IACZ,WAAW;IACX,aAAa;CACd,CAAC;AAuBF;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA+B;IAC1D,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,mDAAmD;QACrE,eAAe,EAAE,wKAAwK;QACzL,WAAW,EAAE,2GAA2G;QACxH,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,oKAAoK;QACrL,WAAW,EAAE,kGAAkG;QAC/G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,SAAS;KACf;IACD,iBAAiB,EAAE;QACjB,IAAI,EAAE,mBAAmB;QACzB,gBAAgB,EAAE,wDAAwD;QAC1E,eAAe,EAAE,uIAAuI;QACxJ,WAAW,EAAE,0HAA0H;QACvI,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,GAAG,EAAE;QACH,IAAI,EAAE,4BAA4B;QAClC,gBAAgB,EAAE,8CAA8C;QAChE,eAAe,EAAE,wIAAwI;QACzJ,WAAW,EAAE,gHAAgH;QAC7H,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,iDAAiD;QACnE,eAAe,EAAE,wIAAwI;QACzJ,WAAW,EAAE,iHAAiH;QAC9H,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,wBAAwB;QAC9B,gBAAgB,EAAE,gDAAgD;QAClE,eAAe,EAAE,qHAAqH;QACtI,WAAW,EAAE,2GAA2G;QACxH,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,SAAS;KACf;IACD,GAAG,EAAE;QACH,IAAI,EAAE,2BAA2B;QACjC,gBAAgB,EAAE,6DAA6D;QAC/E,eAAe,EAAE,0IAA0I;QAC3J,WAAW,EAAE,iGAAiG;QAC9G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,oDAAoD;QACtE,eAAe,EAAE,kGAAkG;QACnH,WAAW,EAAE,0EAA0E;QACvF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,QAAQ;KACd;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,mGAAmG;QACpH,WAAW,EAAE,+FAA+F;QAC5G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,IAAI,EAAE;QACJ,IAAI,EAAE,oCAAoC;QAC1C,gBAAgB,EAAE,4CAA4C;QAC9D,eAAe,EAAE,uHAAuH;QACxI,WAAW,EAAE,8EAA8E;QAC3F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,iCAAiC;QACnD,eAAe,EAAE,sHAAsH;QACvI,WAAW,EAAE,gGAAgG;QAC7G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,aAAa,EAAE;QACb,IAAI,EAAE,eAAe;QACrB,gBAAgB,EAAE,iDAAiD;QACnE,eAAe,EAAE,0JAA0J;QAC3K,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,KAAK;QACpB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,6BAA6B;QAC/C,eAAe,EAAE,wGAAwG;QACzH,WAAW,EAAE,0FAA0F;QACvG,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,UAAU;QACzB,GAAG,EAAE,QAAQ;KACd;IACD,WAAW,EAAE;QACX,IAAI,EAAE,8BAA8B;QACpC,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,wFAAwF;QACzG,WAAW,EAAE,+FAA+F;QAC5G,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,SAAS,EAAE;QACT,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,4CAA4C;QAC9D,eAAe,EAAE,4FAA4F;QAC7G,WAAW,EAAE,wEAAwE;QACrF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,WAAW,EAAE;QACX,IAAI,EAAE,uBAAuB;QAC7B,gBAAgB,EAAE,kDAAkD;QACpE,eAAe,EAAE,qFAAqF;QACtG,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,eAAe,EAAE;QACf,IAAI,EAAE,iBAAiB;QACvB,gBAAgB,EAAE,mCAAmC;QACrD,eAAe,EAAE,2EAA2E;QAC5F,WAAW,EAAE,mEAAmE;QAChF,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,KAAK;QACpB,GAAG,EAAE,SAAS;KACf;IACD,cAAc,EAAE;QACd,IAAI,EAAE,0BAA0B;QAChC,gBAAgB,EAAE,uCAAuC;QACzD,eAAe,EAAE,mFAAmF;QACpG,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,qBAAqB,EAAE;QACrB,IAAI,EAAE,wCAAwC;QAC9C,gBAAgB,EAAE,qDAAqD;QACvE,eAAe,EAAE,oMAAoM;QACrN,WAAW,EAAE,yHAAyH;QACtI,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,KAAK,EAAE;QACL,IAAI,EAAE,gCAAgC;QACtC,gBAAgB,EAAE,sDAAsD;QACxE,eAAe,EAAE,uQAAuQ;QACxR,WAAW,EAAE,yPAAyP;QACtQ,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,UAAU;KAChB;IACD,aAAa,EAAE;QACb,IAAI,EAAE,yBAAyB;QAC/B,gBAAgB,EAAE,mDAAmD;QACrE,eAAe,EAAE,qUAAqU;QACtV,WAAW,EAAE,2IAA2I;QACxJ,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,IAAI,EAAE;QACJ,IAAI,EAAE,uCAAuC;QAC7C,gBAAgB,EAAE,4DAA4D;QAC9E,eAAe,EAAE,+WAA+W;QAChY,WAAW,EAAE,kNAAkN;QAC/N,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,SAAS;KACf;IACD,eAAe,EAAE;QACf,IAAI,EAAE,gCAAgC;QACtC,gBAAgB,EAAE,wDAAwD;QAC1E,eAAe,EAAE,+VAA+V;QAChX,WAAW,EAAE,gRAAgR;QAC7R,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,MAAM;QACrB,GAAG,EAAE,SAAS;KACf;IACD,mBAAmB,EAAE;QACnB,IAAI,EAAE,4BAA4B;QAClC,gBAAgB,EAAE,8DAA8D;QAChF,eAAe,EAAE,8XAA8X;QAC/Y,WAAW,EAAE,mQAAmQ;QAChR,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd;CACF,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,QAA2B;IACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAoB,CAAC,CAAC;IACpD,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6BAA6B;IAC7B,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,gBAAgB,EAAE,6BAA6B,QAAQ,EAAE;QACzD,eAAe,EAAE,wCAAwC,QAAQ,WAAW;QAC5E,WAAW,EAAE,4CAA4C;QACzD,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,QAAQ;QACvB,GAAG,EAAE,QAAQ;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAA2B;IAC1D,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,aAAa,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,QAA2B;IAChD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,cAAc,CAAC,QAAQ,CAAC,QAAoB,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,QAA2B;IACpD,OAAO,UAAU,CAAC,QAAQ,CAAC,QAAoB,CAAC,CAAC;AACnD,CAAC;AAED,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAM,mBAAmB,GAA2B;IAClD,UAAU,EAAE,gCAAgC;IAC5C,SAAS,EAAE,8BAA8B;IACzC,WAAW,EAAE,6BAA6B;IAC1C,WAAW,EAAE,8BAA8B;IAC3C,SAAS,EAAE,0BAA0B;IACrC,UAAU,EAAE,8BAA8B;IAC1C,QAAQ,EAAE,6BAA6B;IACvC,SAAS,EAAE,sBAAsB;IACjC,QAAQ,EAAE,uBAAuB;IACjC,UAAU,EAAE,cAAc;IAC1B,aAAa,EAAE,eAAe;IAC9B,YAAY,EAAE,iCAAiC;CAChD,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IACrD,OAAO,mBAAmB,CAAC,UAAU,CAAC,IAAI,cAAc,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA2B;IAC5D,MAAM,IAAI,GAAG,gBAAgB,CAAC,QAAoB,CAAC,CAAC;IACpD,IAAI,IAAI,EAAE,CAAC;QACT,wCAAwC;QACxC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAaD;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAwB;IACxD,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC;IAEvE,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,YAAY,GAAG,UAAU,CAAC,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAErF,mDAAmD;IACnD,IAAI,UAAU,IAAI,UAAU,IAAI,YAAY,EAAE,CAAC;QAC7C,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,kDAAkD;IAClD,IAAI,UAAU,IAAI,UAAU,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QACjD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,mEAAmE;IACnE,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wCAAwC;IACxC,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;QAC7B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mDAAmD;IACnD,IAAI,UAAU,IAAI,MAAM,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QAC7C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,uCAAuC;IACvC,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,0CAA0C;IAC1C,IAAI,UAAU,IAAI,MAAM,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/analysis/taint-propagation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"taint-propagation.d.ts","sourceRoot":"","sources":["../../src/analysis/taint-propagation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,GAAG,EAIH,QAAQ,EACR,WAAW,EACX,SAAS,EACT,cAAc,EAEf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9C;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,WAAW,CAAC;IACpB,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,aAAa,EAAE,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,CAAC,EAAE,cAAc,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,YAAY,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAC;IACpE,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B,KAAK,EAAE,SAAS,EAAE,CAAC;IACnB,cAAc,EAAE,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;CAC/C;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,SAAS,GAAG,GAAG,EAC3B,cAAc,EAAE,QAAQ,EAAE,GAAG,WAAW,EAAE,EAC1C,cAAc,EAAE,WAAW,EAAE,GAAG,SAAS,EAAE,EAC3C,iBAAiB,EAAE,SAAS,EAAE,GAAG,cAAc,EAAE,EACjD,aAAa,CAAC,EAAE,cAAc,EAAE,GAC/B,sBAAsB,CAiIxB;AA+ND;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,GAAG,EACR,KAAK,EAAE,QAAQ,EAAE,EACjB,WAAW,EAAE,eAAe,EAAE,GAC7B,eAAe,EAAE,CAsBnB;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,CAgB/D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,sBAAsB,GAAG;IAC7D,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,aAAa,EAAE,MAAM,CAAC;CACvB,CAkBA"}
+{"version":3,"file":"taint-propagation.d.ts","sourceRoot":"","sources":["../../src/analysis/taint-propagation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,GAAG,EAIH,QAAQ,EACR,WAAW,EACX,SAAS,EACT,cAAc,EAEf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9C;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,WAAW,CAAC;IACpB,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,aAAa,EAAE,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,CAAC,EAAE,cAAc,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,YAAY,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAC;IACpE,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B,KAAK,EAAE,SAAS,EAAE,CAAC;IACnB,cAAc,EAAE,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;CAC/C;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,SAAS,GAAG,GAAG,EAC3B,cAAc,EAAE,QAAQ,EAAE,GAAG,WAAW,EAAE,EAC1C,cAAc,EAAE,WAAW,EAAE,GAAG,SAAS,EAAE,EAC3C,iBAAiB,EAAE,SAAS,EAAE,GAAG,cAAc,EAAE,EACjD,aAAa,CAAC,EAAE,cAAc,EAAE,GAC/B,sBAAsB,CAiIxB;AAgOD;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,GAAG,EACR,KAAK,EAAE,QAAQ,EAAE,EACjB,WAAW,EAAE,eAAe,EAAE,GAC7B,eAAe,EAAE,CAsBnB;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,CAgB/D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,sBAAsB,GAAG;IAC7D,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,aAAa,EAAE,MAAM,CAAC;CACvB,CAkBA"}

package/dist/analysis/taint-propagation.js

@@ -209,6 +209,7 @@ const KNOWN_SINK_TYPES = new Set([
     'sql_injection', 'xss', 'path_traversal', 'command_injection',
     'ssrf', 'ldap_injection', 'xpath_injection', 'log_injection',
     'xxe', 'deserialization', 'code_injection', 'mybatis_mapper_call',
+    'redos', 'format_string', 'crlf', 'mass_assignment',
 ]);
 /**
  * Check if a taint flow is sanitized at the target line.

package/dist/analysis/taint-propagation.js.map

@@ -1 +1 @@
-{"version":3,"file":"taint-propagation.js","sourceRoot":"","sources":["../../src/analysis/taint-propagation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AA6C9C;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,UAA2B,EAC3B,cAA0C,EAC1C,cAA2C,EAC3C,iBAAiD,EACjD,aAAgC;IAEhC,IAAI,KAAgB,CAAC;IACrB,IAAI,OAAsB,CAAC;IAC3B,IAAI,KAAkB,CAAC;IACvB,IAAI,UAA4B,CAAC;IAEjC,IAAI,UAAU,YAAY,SAAS,EAAE,CAAC;QACpC,qDAAqD;QACrD,KAAK,GAAG,UAAU,CAAC;QACnB,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,cAA6B,CAAC;QACtC,UAAU,GAAG,iBAAqC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,6DAA6D;QAC7D,MAAM,GAAG,GAAG,UAAiB,CAAC;QAC9B,MAAM,KAAK,GAAG,cAA4B,CAAC;QAC3C,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,iBAAgC,CAAC;QACzC,UAAU,GAAG,aAAa,IAAI,EAAE,CAAC;QACjC,KAAK,GAAG,IAAI,SAAS,CAAC;YACpB,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;YACxE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG;YACrD,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE;YAC7C,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE;SACvD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAsB,EAAE,CAAC;IAC1C,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;IAE3D,yEAAyE;IACzE,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IACtC,MAAM,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC;IAChD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAE9B,8DAA8D;IAC9D,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAE3E,6EAA6E;IAC7E,uEAAuE;IACvE,6EAA6E;IAC7E,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;QAC/C,IAAI,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QACzF,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;IAC7B,CAAC,CAAC,CAAC;IACH,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAElC,iDAAiD;IACjD,MAAM,eAAe,GAAG,sBAAsB,CAC5C,YAAY,EACZ,KAAK,CAAC,eAAe,EACrB,OAAO,EACP,gBAAgB,CACjB,CAAC;IACF,WAAW,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;IAErC,kCAAkC;IAClC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,MAAM,YAAY,GAAG,IAAI,GAAG,EAA2B,CAAC;IACxD,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC/B,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,iEAAiE;IACjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,oDAAoD;QACpD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,yEAAyE;oBACzE,uEAAuE;oBACvE,oEAAoE;oBACpE,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACtD,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC9C,SAAS;wBACX,CAAC;oBACH,CAAC;oBACD,uCAAuC;oBACvC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;wBAC7B,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;4BACzD,IAAI,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gCACrC,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gCAC/C,IAAI,SAAS,EAAE,CAAC;oCACd,qBAAqB;oCACrB,MAAM,WAAW,GAAG,cAAc,CAChC,SAAS,CAAC,IAAI,EACd,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,IAAI,EACT,gBAAgB,CACjB,CAAC;oCAEF,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;wCAC3B,kBAAkB;wCAClB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,UAAU,CAAC,CAAC;wCAClE,IAAI,MAAM,EAAE,CAAC;4CACX,kBAAkB;4CAClB,MAAM,IAAI,GAAG,cAAc,CACzB,MAAM,EACN,IAAI,EACJ,SAAS,CACV,CAAC;4CACF,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4CAEjB,wBAAwB;4CACxB,MAAM,eAAe,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;4CACvD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gDACvD,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;4CAC/B,CAAC;4CACD,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;wCAC5C,CAAC;oCACH,CAAC;gCACH,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,OAAsB,EACtB,WAAoC,EACpC,UAAiC;IAEjC,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,kDAAkD;QAClD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;gBACb,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,oFAAoF;QACpF,MAAM,YAAY,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,oDAAoD;YACpD,MAAM,iBAAiB,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC7D,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;oBACb,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,UAAU,GAAG,GAAG,EAAE,4BAA4B;iBAClE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAC7B,YAA+B,EAC/B,eAAwC,EACxC,OAA4B,EAC5B,gBAA+C;IAE/C,MAAM,UAAU,GAAsB,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAS,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACtE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA2B,CAAC;IAE5D,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,yBAAyB;IACzB,MAAM,KAAK,GAAG,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,KAAK,CAAC,CAAC;IAEvC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;QACpC,MAAM,YAAY,GAAG,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,YAAY;YAAE,SAAS;QAE5B,MAAM,cAAc,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAE/D,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,SAAS;YAExC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,2DAA2D;YAC3D,MAAM,aAAa,GAAG,cAAc,CAClC,YAAY,CAAC,UAAU,EACvB,SAAS,CAAC,IAAI,EACd,YAAY,CAAC,UAAU,EACvB,gBAAgB,CACjB,CAAC;YAEF,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC;gBAC7B,MAAM,QAAQ,GAAoB;oBAChC,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,KAAK,EAAE,SAAS,CAAC,EAAE;oBACnB,IAAI,EAAE,SAAS,CAAC,IAAI;oBACpB,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU,GAAG,IAAI,EAAE,4BAA4B;iBACzE,CAAC;gBAEF,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC1B,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAChC,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,wEAAwE;AACxE,8EAA8E;AAC9E,4EAA4E;AAC5E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS;IACvC,eAAe,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB;IAC7D,MAAM,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,eAAe;IAC5D,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,qBAAqB;CAClE,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,cAAc,CACrB,SAAiB,EACjB,MAAc,EACd,QAAgB,EAChB,gBAA+C;IAE/C,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEvD,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,eAAe,EAAE,CAAC;YACpB,6EAA6E;YAC7E,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAoB,CAAC,EAAE,CAAC;gBACjD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qEAAqE;YACrE,oEAAoE;YACpE,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,MAAmB,EACnB,IAAe,EACf,SAA0B;IAE1B,MAAM,IAAI,GAAoB,EAAE,CAAC;IAEjC,oBAAoB;IACpB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,2BAA2B,MAAM,CAAC,IAAI,EAAE;KACtD,CAAC,CAAC;IAEH,oDAAoD;IACpD,oDAAoD;IACpD,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC;YACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,IAAI,EAAE,YAAY;YAClB,WAAW,EAAE,6BAA6B,SAAS,CAAC,QAAQ,EAAE;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,yBAAyB,IAAI,CAAC,IAAI,OAAO;KACvD,CAAC,CAAC;IAEH,OAAO;QACL,MAAM;QACN,IAAI;QACJ,IAAI;QACJ,SAAS,EAAE,KAAK;QAChB,UAAU,EAAE,SAAS,CAAC,UAAU,GAAG,GAAG,EAAE,wBAAwB;KACjE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAQ,EACR,KAAiB,EACjB,WAA8B;IAE9B,MAAM,eAAe,GAAsB,EAAE,CAAC;IAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAE7D,oDAAoD;IACpD,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAE7D,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,8DAA8D;QAC9D,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,CAAC,CAAC;QAEnE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,gDAAgD;gBAChD,wDAAwD;gBACxD,mEAAmE;YACrE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAe;IACrD,IAAI,UAAU,GAAG,GAAG,CAAC;IAErB,8BAA8B;IAC9B,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;IAErC,wDAAwD;IACxD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;IACpC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,yBAAyB;IAEvE,yBAAyB;IACzB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAA8B;IAM1D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC;IAElD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAC3C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9E,CAAC,CAAC,CAAC,CAAC;IAEN,OAAO;QACL,gBAAgB,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;QAC3C,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC/B,eAAe;QACf,aAAa;KACd,CAAC;AACJ,CAAC"}
+{"version":3,"file":"taint-propagation.js","sourceRoot":"","sources":["../../src/analysis/taint-propagation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AA6C9C;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,UAA2B,EAC3B,cAA0C,EAC1C,cAA2C,EAC3C,iBAAiD,EACjD,aAAgC;IAEhC,IAAI,KAAgB,CAAC;IACrB,IAAI,OAAsB,CAAC;IAC3B,IAAI,KAAkB,CAAC;IACvB,IAAI,UAA4B,CAAC;IAEjC,IAAI,UAAU,YAAY,SAAS,EAAE,CAAC;QACpC,qDAAqD;QACrD,KAAK,GAAG,UAAU,CAAC;QACnB,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,cAA6B,CAAC;QACtC,UAAU,GAAG,iBAAqC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,6DAA6D;QAC7D,MAAM,GAAG,GAAG,UAAiB,CAAC;QAC9B,MAAM,KAAK,GAAG,cAA4B,CAAC;QAC3C,OAAO,GAAG,cAA+B,CAAC;QAC1C,KAAK,GAAG,iBAAgC,CAAC;QACzC,UAAU,GAAG,aAAa,IAAI,EAAE,CAAC;QACjC,KAAK,GAAG,IAAI,SAAS,CAAC;YACpB,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;YACxE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG;YACrD,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE;YAC7C,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE;SACvD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAsB,EAAE,CAAC;IAC1C,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;IAE3D,yEAAyE;IACzE,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACpC,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IACtC,MAAM,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC;IAChD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAE9B,8DAA8D;IAC9D,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAE3E,6EAA6E;IAC7E,uEAAuE;IACvE,6EAA6E;IAC7E,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;QAC/C,IAAI,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QACzF,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;IAC7B,CAAC,CAAC,CAAC;IACH,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAElC,iDAAiD;IACjD,MAAM,eAAe,GAAG,sBAAsB,CAC5C,YAAY,EACZ,KAAK,CAAC,eAAe,EACrB,OAAO,EACP,gBAAgB,CACjB,CAAC;IACF,WAAW,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;IAErC,kCAAkC;IAClC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,MAAM,YAAY,GAAG,IAAI,GAAG,EAA2B,CAAC;IACxD,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QAC/B,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,iEAAiE;IACjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,oDAAoD;QACpD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,yEAAyE;oBACzE,uEAAuE;oBACvE,oEAAoE;oBACpE,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACtD,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC9C,SAAS;wBACX,CAAC;oBACH,CAAC;oBACD,uCAAuC;oBACvC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;wBAC7B,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;4BACzD,IAAI,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gCACrC,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gCAC/C,IAAI,SAAS,EAAE,CAAC;oCACd,qBAAqB;oCACrB,MAAM,WAAW,GAAG,cAAc,CAChC,SAAS,CAAC,IAAI,EACd,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,IAAI,EACT,gBAAgB,CACjB,CAAC;oCAEF,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;wCAC3B,kBAAkB;wCAClB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,UAAU,CAAC,CAAC;wCAClE,IAAI,MAAM,EAAE,CAAC;4CACX,kBAAkB;4CAClB,MAAM,IAAI,GAAG,cAAc,CACzB,MAAM,EACN,IAAI,EACJ,SAAS,CACV,CAAC;4CACF,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4CAEjB,wBAAwB;4CACxB,MAAM,eAAe,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;4CACvD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gDACvD,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;4CAC/B,CAAC;4CACD,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;wCAC5C,CAAC;oCACH,CAAC;gCACH,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,OAAsB,EACtB,WAAoC,EACpC,UAAiC;IAEjC,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,kDAAkD;QAClD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;gBACb,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,oFAAoF;QACpF,MAAM,YAAY,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,oDAAoD;YACpD,MAAM,iBAAiB,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC7D,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,KAAK,EAAE,GAAG,CAAC,EAAE;oBACb,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,MAAM,CAAC,UAAU,GAAG,GAAG,EAAE,4BAA4B;iBAClE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAC7B,YAA+B,EAC/B,eAAwC,EACxC,OAA4B,EAC5B,gBAA+C;IAE/C,MAAM,UAAU,GAAsB,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAS,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACtE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA2B,CAAC;IAE5D,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,yBAAyB;IACzB,MAAM,KAAK,GAAG,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,KAAK,CAAC,CAAC;IAEvC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;QACpC,MAAM,YAAY,GAAG,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,YAAY;YAAE,SAAS;QAE5B,MAAM,cAAc,GAAG,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAE/D,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,SAAS;YAExC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,2DAA2D;YAC3D,MAAM,aAAa,GAAG,cAAc,CAClC,YAAY,CAAC,UAAU,EACvB,SAAS,CAAC,IAAI,EACd,YAAY,CAAC,UAAU,EACvB,gBAAgB,CACjB,CAAC;YAEF,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC;gBAC7B,MAAM,QAAQ,GAAoB;oBAChC,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,KAAK,EAAE,SAAS,CAAC,EAAE;oBACnB,IAAI,EAAE,SAAS,CAAC,IAAI;oBACpB,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,UAAU,EAAE,YAAY,CAAC,UAAU,GAAG,IAAI,EAAE,4BAA4B;iBACzE,CAAC;gBAEF,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC1B,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAChC,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,wEAAwE;AACxE,8EAA8E;AAC9E,4EAA4E;AAC5E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS;IACvC,eAAe,EAAE,KAAK,EAAE,gBAAgB,EAAE,mBAAmB;IAC7D,MAAM,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,eAAe;IAC5D,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,qBAAqB;IACjE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,iBAAiB;CACpD,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,cAAc,CACrB,SAAiB,EACjB,MAAc,EACd,QAAgB,EAChB,gBAA+C;IAE/C,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEvD,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,eAAe,EAAE,CAAC;YACpB,6EAA6E;YAC7E,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAoB,CAAC,EAAE,CAAC;gBACjD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qEAAqE;YACrE,oEAAoE;YACpE,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,MAAmB,EACnB,IAAe,EACf,SAA0B;IAE1B,MAAM,IAAI,GAAoB,EAAE,CAAC;IAEjC,oBAAoB;IACpB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,2BAA2B,MAAM,CAAC,IAAI,EAAE;KACtD,CAAC,CAAC;IAEH,oDAAoD;IACpD,oDAAoD;IACpD,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC;YACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,IAAI,EAAE,YAAY;YAClB,WAAW,EAAE,6BAA6B,SAAS,CAAC,QAAQ,EAAE;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,IAAI,CAAC;QACR,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,yBAAyB,IAAI,CAAC,IAAI,OAAO;KACvD,CAAC,CAAC;IAEH,OAAO;QACL,MAAM;QACN,IAAI;QACJ,IAAI;QACJ,SAAS,EAAE,KAAK;QAChB,UAAU,EAAE,SAAS,CAAC,UAAU,GAAG,GAAG,EAAE,wBAAwB;KACjE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAQ,EACR,KAAiB,EACjB,WAA8B;IAE9B,MAAM,eAAe,GAAsB,EAAE,CAAC;IAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAE7D,oDAAoD;IACpD,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAE7D,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,8DAA8D;QAC9D,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,CAAC,CAAC;QAEnE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,gDAAgD;gBAChD,wDAAwD;gBACxD,mEAAmE;YACrE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAe;IACrD,IAAI,UAAU,GAAG,GAAG,CAAC;IAErB,8BAA8B;IAC9B,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;IAErC,wDAAwD;IACxD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;IACpC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,yBAAyB;IAEvE,yBAAyB;IACzB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAA8B;IAM1D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC;IAElD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAC3C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9E,CAAC,CAAC,CAAC,CAAC;IAEN,OAAO;QACL,gBAAgB,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;QAC3C,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC/B,eAAe;QACf,aAAa;KACd,CAAC;AACJ,CAAC"}

package/dist/analyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAA2B,eAAe,EAAe,MAAM,kBAAkB,CAAC;AAC1H,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAcL,KAAK,iBAAiB,EACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAKL,eAAe,EAChB,MAAM,qBAAqB,CAAC;AAgC7B,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,8CAA8C,CAAC;AAKlH,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,gDAAgD,CAAC;AAe1H,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACjH,OAAO,EAAuB,KAAK,sBAAsB,EAA6B,MAAM,4CAA4C,CAAC;AA4BzI,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;IAE3D;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,0BAA0B,CAAC;IACjD,6CAA6C;IAC7C,eAAe,CAAC,EAAE,sBAAsB,CAAC;CAC1C;AAID;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAc/E;AA8HD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,QAAQ,CAAC,CAiKnB;AA4GD;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CAwG3B;AAkID;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,iBAAiB,CAAA;CAAE,CAAC,EAC7E,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAmE1B;AAsBD,OAAO,EAAE,eAAe,EAAE,CAAC"}
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAA2B,eAAe,EAAe,MAAM,kBAAkB,CAAC;AAC1H,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAcL,KAAK,iBAAiB,EACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAKL,eAAe,EAChB,MAAM,qBAAqB,CAAC;AAgC7B,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,8CAA8C,CAAC;AAKlH,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,gDAAgD,CAAC;AAe1H,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACjH,OAAO,EAAuB,KAAK,sBAAsB,EAA6B,MAAM,4CAA4C,CAAC;AAgCzI,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;IAE3D;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,0BAA0B,CAAC;IACjD,6CAA6C;IAC7C,eAAe,CAAC,EAAE,sBAAsB,CAAC;CAC1C;AAID;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAc/E;AA8HD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,QAAQ,CAAC,CAqKnB;AA4GD;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CAwG3B;AAkID;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,iBAAiB,CAAA;CAAE,CAAC,EAC7E,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAmE1B;AAsBD,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/analyzer.js

@@ -111,6 +111,10 @@ import { WeakHashPass } from './analysis/passes/weak-hash-pass.js';
 import { WeakCryptoPass } from './analysis/passes/weak-crypto-pass.js';
 import { WeakRandomPass } from './analysis/passes/weak-random-pass.js';
 import { TlsVerifyDisabledPass } from './analysis/passes/tls-verify-disabled-pass.js';
+import { JwtVerifyDisabledPass } from './analysis/passes/jwt-verify-disabled-pass.js';
+import { CsrfProtectionDisabledPass } from './analysis/passes/csrf-protection-disabled-pass.js';
+import { XmlEntityExpansionPass } from './analysis/passes/xml-entity-expansion-pass.js';
+import { MassAssignmentPass } from './analysis/passes/mass-assignment-pass.js';
 // Project-level pass imports
 import { ImportGraph } from './graph/import-graph.js';
 import { CircularDependencyPass } from './analysis/passes/circular-dependency-pass.js';
@@ -396,6 +400,14 @@ export async function analyze(code, filePath, language, options = {}) {
             pipeline.add(new WeakRandomPass());
         if (!disabledPasses.has('tls-verify-disabled'))
             pipeline.add(new TlsVerifyDisabledPass());
+        if (!disabledPasses.has('jwt-verify-disabled'))
+            pipeline.add(new JwtVerifyDisabledPass());
+        if (!disabledPasses.has('csrf-protection-disabled'))
+            pipeline.add(new CsrfProtectionDisabledPass());
+        if (!disabledPasses.has('xml-entity-expansion'))
+            pipeline.add(new XmlEntityExpansionPass());
+        if (!disabledPasses.has('mass-assignment'))
+            pipeline.add(new MassAssignmentPass());
         // Run the pipeline
         const { results, findings } = pipeline.run(graph, code, language, config);
         const sinkFilter = results.get('sink-filter');