circle-ir 3.72.1 → 3.74.0

package/dist/browser/circle-ir.js

@@ -12502,11 +12502,21 @@ var DEFAULT_SANITIZERS = [
   // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
   // stricter Clean+HasPrefix guard recognition is tracked separately).
   // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
-  { method: "Base", class: "filepath", removes: ["path_traversal"] },
-  { method: "Base", class: "path", removes: ["path_traversal"] },
-  { method: "Clean", class: "filepath", removes: ["path_traversal"] },
-  { method: "Clean", class: "path", removes: ["path_traversal"] },
-  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal"] },
+  // Sprint 24 (#102 FP-27): broadened to cover external_taint_escape (CWE-668)
+  // fallback so canonicalised paths don't trigger the synthetic sink.
+  { method: "Base", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Base", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  // Go html/template escape helpers (#102 FP-27) — registered explicitly because
+  // configs/sinks/golang.json is not loaded at runtime.
+  { method: "EscapeString", class: "html", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "HTMLEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "JSEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection"] },
+  { method: "URLQueryEscaper", class: "template", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "QueryEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "PathEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
   // Log Injection sanitizers
   { method: "replace", removes: ["log_injection"] },
   // Used to remove newlines/control chars
@@ -12985,6 +12995,15 @@ function findSources(calls, types, patterns, sourceLines, language) {
       s.variable = m[1];
     }
   }
+  if (language === "go" && sourceLines) {
+    const GO_ASSIGN_LHS = /^\s*(?:var\s+)?([A-Za-z_]\w*)(?:\s*,\s*[A-Za-z_]\w*)*\s*(?::\s*[A-Za-z_][\w.]*\s*)?(?::?=)(?!=)/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0) continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = GO_ASSIGN_LHS.exec(lineText);
+      if (m) s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -13104,6 +13123,42 @@ function isSafePythonSubprocessCall(call, pattern, language) {
   }
   return true;
 }
+function isSafeGoExecCommandCall(call, pattern, language) {
+  if (language !== "go") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== "exec") return false;
+  if (pattern.method !== "Command" && pattern.method !== "CommandContext") return false;
+  const programArgPos = pattern.method === "CommandContext" ? 1 : 0;
+  const programArg = call.arguments.find((a) => a.position === programArgPos);
+  if (!programArg) return false;
+  let program;
+  if (programArg.literal !== null && programArg.literal !== void 0) {
+    program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+  } else {
+    const expr = (programArg.expression ?? "").trim();
+    if (!(expr.startsWith('"') || expr.startsWith("`") || expr.startsWith("'"))) {
+      return false;
+    }
+    const stripped = expr.slice(1, -1);
+    program = stripped.split("/").pop() ?? stripped;
+  }
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  if (SHELL_PROGRAMS.has(program)) return false;
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -13123,6 +13178,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafePythonSubprocessCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeGoExecCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -15544,8 +15602,32 @@ function analyzeInterprocedural(graphOrTypes, callsOrSources, dfgOrSinks, source
     "BufferedWriter",
     "PrintStream",
     "PrintWriter",
-    "ObjectOutputStream"
+    "ObjectOutputStream",
     // ObjectInputStream IS a sink (deserialization), keep it out
+    // Go database/sql query methods — when parameterised (?, $N, :name),
+    // these are safe boundaries; the sql_injection check governs the unsafe
+    // shape. Without this, parameterised queries fall through to
+    // external_taint_escape. (cognium-dev #102 FP-19a)
+    "Query",
+    "QueryRow",
+    "QueryContext",
+    "QueryRowContext",
+    "Exec",
+    "ExecContext",
+    // Go html/template escape helpers — explicit safe utilities.
+    // Belt-and-suspenders with the sanitizer config so external_taint_escape
+    // is suppressed regardless of class-prefix matching. (cognium-dev #102 FP-27)
+    "EscapeString",
+    "HTMLEscapeString",
+    "JSEscapeString",
+    "URLQueryEscaper",
+    // Go os/exec — when isSafeGoExecCommandCall has already cleared the
+    // command_injection sink (fixed program literal, non-shell), the call
+    // should not fall through to external_taint_escape on the variadic args.
+    // Genuine command_injection is still emitted via the configured sink.
+    // (cognium-dev #102 FP-25)
+    "Command",
+    "CommandContext"
   ]);
   const sanitizerMethods = /* @__PURE__ */ new Set();
   for (const san of sanitizers) {
@@ -21326,14 +21408,19 @@ var GoPlugin = class extends BaseLanguagePlugin {
         severity: "critical",
         argPositions: [0]
       },
-      // Command Injection
+      // Command Injection — argPositions intentionally empty so all variadic
+      // positions are scanned. `exec.Command("sh", "-c", taintedCmd)` puts the
+      // injection at arg[2]; `exec.Command(taintedName, args...)` puts it at
+      // arg[0]; `exec.Command("git", taintedFlag)` is argument-injection at
+      // arg[1] (CWE-88). All three shapes are dangerous when any positional
+      // arg is tainted. (cognium-dev #53)
       {
         method: "Command",
         class: "exec",
         type: "command_injection",
         cwe: "CWE-78",
         severity: "critical",
-        argPositions: [0]
+        argPositions: []
       },
       {
         method: "CommandContext",
@@ -21341,7 +21428,7 @@ var GoPlugin = class extends BaseLanguagePlugin {
         type: "command_injection",
         cwe: "CWE-78",
         severity: "critical",
-        argPositions: [1]
+        argPositions: []
       },
       // Path Traversal
       {
@@ -21436,6 +21523,117 @@ var GoPlugin = class extends BaseLanguagePlugin {
         cwe: "CWE-502",
         severity: "medium",
         argPositions: [0]
+      },
+      // Log Injection — `log.Printf("event=%s", userInput)` allows
+      // CRLF/log forging when the format string interpolates user data.
+      // CWE-117. (cognium-dev #107)
+      {
+        method: "Print",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Println",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Printf",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Fatal",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Fatalln",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Fatalf",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Panic",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Panicln",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      {
+        method: "Panicf",
+        class: "log",
+        type: "log_injection",
+        cwe: "CWE-117",
+        severity: "medium",
+        argPositions: []
+      },
+      // Server-Side Template Injection — `text/template` and `html/template`
+      // template parse-time injection. When the *template source itself*
+      // is tainted (not the data), the rendered output can execute
+      // arbitrary template directives. CWE-94. (cognium-dev #108)
+      {
+        method: "Parse",
+        class: "Template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "ParseFiles",
+        class: "template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: []
+      },
+      {
+        method: "ParseGlob",
+        class: "template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "ParseFS",
+        class: "template",
+        type: "code_injection",
+        cwe: "CWE-94",
+        severity: "high",
+        argPositions: []
       }
     ];
   }
@@ -22498,6 +22696,11 @@ var LanguageSourcesPass = class {
         ctx.addFinding(finding);
       }
       additionalSanitizers.push(...findBashRegexAllowlistSanitizers(code));
+      additionalSanitizers.push(...findBashRealpathPrefixGuardSanitizers(code));
+    }
+    if (language === "go") {
+      additionalSanitizers.push(...findGoMapAllowlistGuardSanitizers(code));
+      additionalSanitizers.push(...findGoHtmlTemplateImportSanitizers(code));
     }
     attachSourceLineCode(additionalSources, additionalSinks, code);
     return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
@@ -23361,6 +23564,140 @@ function isSafeBashAllowlistRegex(literal) {
   }
   return consumed === body2.length;
 }
+function findBashRealpathPrefixGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split("\n");
+  const caseOpen = /^\s*case\s+"?\$\{?\w+\}?"?\s+in\b/;
+  const esacClose = /^\s*esac\b/;
+  const armOpener = /^\s*([^)\s][^)]*?)\)/;
+  const prefixArm = /^(?:"\$\{?\w+\}?"|"[^"]*"|\/[\w\-./]+|\$\{?\w+\}?|[\w\-./]+)(?:\/|\*)/;
+  const catchAllArm = /^(?:\*|\\\*)$/;
+  let i2 = 0;
+  while (i2 < lines.length) {
+    if (!caseOpen.test(lines[i2])) {
+      i2++;
+      continue;
+    }
+    let caseEnd = -1;
+    for (let j = i2 + 1; j < lines.length; j++) {
+      if (esacClose.test(lines[j])) {
+        caseEnd = j;
+        break;
+      }
+    }
+    if (caseEnd === -1) {
+      i2++;
+      continue;
+    }
+    let hasPrefixArm = false;
+    let hasTerminalCatchAll = false;
+    for (let j = i2 + 1; j < caseEnd; j++) {
+      const armMatch = armOpener.exec(lines[j]);
+      if (!armMatch) continue;
+      const pattern = armMatch[1].trim();
+      if (catchAllArm.test(pattern)) {
+        let bodyEnd = caseEnd;
+        for (let k = j + 1; k < caseEnd; k++) {
+          if (armOpener.test(lines[k])) {
+            bodyEnd = k;
+            break;
+          }
+        }
+        const armBody = lines.slice(j, bodyEnd).join(" ");
+        if (/\b(exit|return|die)\b/.test(armBody)) {
+          hasTerminalCatchAll = true;
+        }
+      } else if (prefixArm.test(pattern)) {
+        hasPrefixArm = true;
+      }
+    }
+    if (hasPrefixArm && hasTerminalCatchAll) {
+      for (let l = i2 + 1; l <= caseEnd + 1; l++) {
+        sanitizers.push({
+          type: "realpath_prefix_guard",
+          method: "case",
+          line: l,
+          sanitizes: [
+            "path_traversal",
+            "command_injection",
+            "code_injection",
+            "ssrf",
+            "open_redirect",
+            "log_injection"
+          ]
+        });
+      }
+    }
+    i2 = caseEnd + 1;
+  }
+  return sanitizers;
+}
+function findGoMapAllowlistGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split("\n");
+  const guardOpen = /^\s*if\s+!\s*([A-Za-z_][A-Za-z0-9_]*)\s*\[\s*[A-Za-z_][A-Za-z0-9_]*\s*\]\s*\{/;
+  const allowlistName = /^(?:[A-Z][A-Z0-9_]+|.*?(allowed|accepted|whitelist|permitted|valid|approved).*)$/i;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const m = guardOpen.exec(lines[i2]);
+    if (!m) continue;
+    const mapName = m[1];
+    if (!allowlistName.test(mapName)) continue;
+    let depth = 1;
+    let closeLine = -1;
+    let bodyHasTerminator = false;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1; j < maxScan; j++) {
+      const line = lines[j];
+      if (/\b(return|panic\s*\(|os\.Exit\s*\()/.test(line)) {
+        bodyHasTerminator = true;
+      }
+      for (const ch of line) {
+        if (ch === "{") depth++;
+        else if (ch === "}") depth--;
+      }
+      if (depth === 0) {
+        closeLine = j;
+        break;
+      }
+    }
+    if (closeLine === -1 || !bodyHasTerminator) continue;
+    for (let l = closeLine + 2; l <= lines.length; l++) {
+      sanitizers.push({
+        type: "go_map_allowlist_guard",
+        method: "if",
+        line: l,
+        sanitizes: [
+          "ssrf",
+          "open_redirect",
+          "path_traversal",
+          "sql_injection",
+          "command_injection",
+          "external_taint_escape"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function findGoHtmlTemplateImportSanitizers(code) {
+  const sanitizers = [];
+  const hasHtmlTemplate = /["\s]html\/template["\s]/.test(code);
+  const hasTextTemplate = /["\s]text\/template["\s]/.test(code);
+  if (!hasHtmlTemplate) return sanitizers;
+  if (hasTextTemplate) return sanitizers;
+  const lines = code.split("\n");
+  const execCall = /\.(Execute|ExecuteTemplate)\s*\(/;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    if (!execCall.test(lines[i2])) continue;
+    sanitizers.push({
+      type: "html_template_auto_escape",
+      method: "Execute",
+      line: i2 + 1,
+      sanitizes: ["xss", "external_taint_escape", "open_redirect"]
+    });
+  }
+  return sanitizers;
+}
 
 // src/analysis/passes/sink-filter-pass.ts
 var JS_XSS_SANITIZERS = [
@@ -23858,6 +24195,38 @@ var TaintPropagationPass = class {
       }
       return true;
     });
+    if (sanitizers && sanitizers.length > 0) {
+      const sanitizersByLine = /* @__PURE__ */ new Map();
+      for (const san of sanitizers) {
+        const arr = sanitizersByLine.get(san.line) ?? [];
+        arr.push(san);
+        sanitizersByLine.set(san.line, arr);
+      }
+      finalFlows = finalFlows.filter((f) => {
+        if (f.sink_type === "external_taint_escape") {
+          const lo = Math.min(f.source_line, f.sink_line);
+          const hi = Math.max(f.source_line, f.sink_line);
+          for (let line = lo; line <= hi; line++) {
+            const sansAtLine = sanitizersByLine.get(line);
+            if (!sansAtLine) continue;
+            for (const san of sansAtLine) {
+              if (san.sanitizes.includes(f.sink_type)) {
+                return false;
+              }
+            }
+          }
+          return true;
+        }
+        const sansAtSink = sanitizersByLine.get(f.sink_line);
+        if (!sansAtSink || sansAtSink.length === 0) return true;
+        for (const san of sansAtSink) {
+          if (san.sanitizes.includes(f.sink_type)) {
+            return false;
+          }
+        }
+        return true;
+      });
+    }
     if (ctx.language === "java" && typeof ctx.code === "string") {
       finalFlows = finalFlows.filter((f) => {
         if (f.sink_type !== "path_traversal" && f.sink_type !== "xxe") return true;
@@ -24549,7 +24918,47 @@ var InterproceduralPass = class {
     if (additionalSinks.length > 0) {
       attachSourceLineCode([], additionalSinks, ctx.code);
     }
-    return { additionalSinks, additionalFlows, interprocedural };
+    let filteredAdditionalFlows = additionalFlows;
+    let filteredAdditionalSinks = additionalSinks;
+    if (sanitizers && sanitizers.length > 0) {
+      const sanitizersByLine = /* @__PURE__ */ new Map();
+      for (const san of sanitizers) {
+        const arr = sanitizersByLine.get(san.line) ?? [];
+        arr.push(san);
+        sanitizersByLine.set(san.line, arr);
+      }
+      const sanitizedSinkKeys = /* @__PURE__ */ new Set();
+      filteredAdditionalFlows = additionalFlows.filter((f) => {
+        if (f.sink_type === "external_taint_escape") {
+          const lo = Math.min(f.source_line, f.sink_line);
+          const hi = Math.max(f.source_line, f.sink_line);
+          for (let line = lo; line <= hi; line++) {
+            const sansAtLine = sanitizersByLine.get(line);
+            if (!sansAtLine) continue;
+            for (const san of sansAtLine) {
+              if (san.sanitizes.includes(f.sink_type)) {
+                sanitizedSinkKeys.add(`${f.sink_line}:${f.sink_type}`);
+                return false;
+              }
+            }
+          }
+          return true;
+        }
+        const sansAtSink = sanitizersByLine.get(f.sink_line);
+        if (!sansAtSink || sansAtSink.length === 0) return true;
+        for (const san of sansAtSink) {
+          if (san.sanitizes.includes(f.sink_type)) {
+            return false;
+          }
+        }
+        return true;
+      });
+      filteredAdditionalSinks = additionalSinks.filter((s) => {
+        if (s.type !== "external_taint_escape") return true;
+        return !sanitizedSinkKeys.has(`${s.line}:${s.type}`);
+      });
+    }
+    return { additionalSinks: filteredAdditionalSinks, additionalFlows: filteredAdditionalFlows, interprocedural };
   }
 };
 

package/dist/core/circle-ir-core.cjs

@@ -11884,11 +11884,21 @@ var DEFAULT_SANITIZERS = [
   // (defense-in-depth — mirrors Java getCanonicalPath in this table; the
   // stricter Clean+HasPrefix guard recognition is tracked separately).
   // EvalSymlinks is the Go equivalent of Java's Path.toRealPath.
-  { method: "Base", class: "filepath", removes: ["path_traversal"] },
-  { method: "Base", class: "path", removes: ["path_traversal"] },
-  { method: "Clean", class: "filepath", removes: ["path_traversal"] },
-  { method: "Clean", class: "path", removes: ["path_traversal"] },
-  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal"] },
+  // Sprint 24 (#102 FP-27): broadened to cover external_taint_escape (CWE-668)
+  // fallback so canonicalised paths don't trigger the synthetic sink.
+  { method: "Base", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Base", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "Clean", class: "path", removes: ["path_traversal", "external_taint_escape"] },
+  { method: "EvalSymlinks", class: "filepath", removes: ["path_traversal", "external_taint_escape"] },
+  // Go html/template escape helpers (#102 FP-27) — registered explicitly because
+  // configs/sinks/golang.json is not loaded at runtime.
+  { method: "EscapeString", class: "html", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "HTMLEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection", "open_redirect"] },
+  { method: "JSEscapeString", class: "template", removes: ["xss", "external_taint_escape", "log_injection"] },
+  { method: "URLQueryEscaper", class: "template", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "QueryEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
+  { method: "PathEscape", class: "url", removes: ["xss", "external_taint_escape", "open_redirect"] },
   // Log Injection sanitizers
   { method: "replace", removes: ["log_injection"] },
   // Used to remove newlines/control chars
@@ -12280,6 +12290,15 @@ function findSources(calls, types, patterns, sourceLines, language) {
       s.variable = m[1];
     }
   }
+  if (language === "go" && sourceLines) {
+    const GO_ASSIGN_LHS = /^\s*(?:var\s+)?([A-Za-z_]\w*)(?:\s*,\s*[A-Za-z_]\w*)*\s*(?::\s*[A-Za-z_][\w.]*\s*)?(?::?=)(?!=)/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0) continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = GO_ASSIGN_LHS.exec(lineText);
+      if (m) s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -12399,6 +12418,42 @@ function isSafePythonSubprocessCall(call, pattern, language) {
   }
   return true;
 }
+function isSafeGoExecCommandCall(call, pattern, language) {
+  if (language !== "go") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== "exec") return false;
+  if (pattern.method !== "Command" && pattern.method !== "CommandContext") return false;
+  const programArgPos = pattern.method === "CommandContext" ? 1 : 0;
+  const programArg = call.arguments.find((a) => a.position === programArgPos);
+  if (!programArg) return false;
+  let program;
+  if (programArg.literal !== null && programArg.literal !== void 0) {
+    program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+  } else {
+    const expr = (programArg.expression ?? "").trim();
+    if (!(expr.startsWith('"') || expr.startsWith("`") || expr.startsWith("'"))) {
+      return false;
+    }
+    const stripped = expr.slice(1, -1);
+    program = stripped.split("/").pop() ?? stripped;
+  }
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  if (SHELL_PROGRAMS.has(program)) return false;
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12418,6 +12473,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafePythonSubprocessCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeGoExecCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }