circle-ir 3.8.3 → 3.9.7

package/dist/core/circle-ir-core.cjs

@@ -6865,6 +6865,20 @@ function extractJavaScriptImports(tree) {
     const importInfos = extractJSImportInfo(importStmt);
     imports.push(...importInfos);
   }
+  const exportStatements = findNodes(tree.rootNode, "export_statement");
+  for (const exportStmt of exportStatements) {
+    const sourceNode = exportStmt.childForFieldName("source");
+    if (!sourceNode) continue;
+    const fromPackage = getNodeText(sourceNode).replace(/['"]/g, "");
+    if (!fromPackage) continue;
+    imports.push({
+      imported_name: "*",
+      from_package: fromPackage,
+      alias: null,
+      is_wildcard: true,
+      line_number: exportStmt.startPosition.row + 1
+    });
+  }
   const requireCalls = findRequireCalls(tree);
   imports.push(...requireCalls);
   return imports;
@@ -9631,7 +9645,7 @@ var DEFAULT_SINKS = [
   // Jenkins/CI Pipeline execution
   { method: "executeScript", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runScript", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "evaluate", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "evaluate", class: "ScriptEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "execute", class: "Script", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   { method: "run", class: "Script", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   { method: "checkout", class: "SCM", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
@@ -10591,7 +10605,10 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+      if (!call.receiver) {
+        return false;
+      }
+      if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -10950,38 +10967,296 @@ function formatSanitizerMethod(call) {
   return `${call.method_name}()`;
 }
 
-// src/analysis/taint-propagation.ts
-function propagateTaint(dfg, calls, sources, sinks, sanitizers) {
-  const taintedVars = [];
-  const flows = [];
-  const reachableSinks = /* @__PURE__ */ new Map();
-  const defById = /* @__PURE__ */ new Map();
-  const defsByLine = /* @__PURE__ */ new Map();
-  const usesByLine = /* @__PURE__ */ new Map();
-  const callsByLine = /* @__PURE__ */ new Map();
-  const sanitizersByLine = /* @__PURE__ */ new Map();
-  for (const def of dfg.defs) {
-    defById.set(def.id, def);
-    const existing = defsByLine.get(def.line) ?? [];
-    existing.push(def);
-    defsByLine.set(def.line, existing);
+// src/graph/code-graph.ts
+var CodeGraph = class {
+  ir;
+  constructor(ir) {
+    this.ir = ir;
+  }
+  // ---------------------------------------------------------------------------
+  // DFG indexes
+  // ---------------------------------------------------------------------------
+  _defById = null;
+  get defById() {
+    if (!this._defById) {
+      this._defById = /* @__PURE__ */ new Map();
+      for (const def of this.ir.dfg.defs) {
+        this._defById.set(def.id, def);
+      }
+    }
+    return this._defById;
+  }
+  _defsByLine = null;
+  get defsByLine() {
+    if (!this._defsByLine) {
+      this._defsByLine = /* @__PURE__ */ new Map();
+      for (const def of this.ir.dfg.defs) {
+        const arr = this._defsByLine.get(def.line) ?? [];
+        arr.push(def);
+        this._defsByLine.set(def.line, arr);
+      }
+    }
+    return this._defsByLine;
+  }
+  _defsByVar = null;
+  get defsByVar() {
+    if (!this._defsByVar) {
+      this._defsByVar = /* @__PURE__ */ new Map();
+      for (const def of this.ir.dfg.defs) {
+        const arr = this._defsByVar.get(def.variable) ?? [];
+        arr.push(def);
+        this._defsByVar.set(def.variable, arr);
+      }
+    }
+    return this._defsByVar;
+  }
+  _usesByLine = null;
+  get usesByLine() {
+    if (!this._usesByLine) {
+      this._usesByLine = /* @__PURE__ */ new Map();
+      for (const use of this.ir.dfg.uses) {
+        const arr = this._usesByLine.get(use.line) ?? [];
+        arr.push(use);
+        this._usesByLine.set(use.line, arr);
+      }
+    }
+    return this._usesByLine;
+  }
+  _usesByDefId = null;
+  get usesByDefId() {
+    if (!this._usesByDefId) {
+      this._usesByDefId = /* @__PURE__ */ new Map();
+      for (const use of this.ir.dfg.uses) {
+        if (use.def_id !== null) {
+          const arr = this._usesByDefId.get(use.def_id) ?? [];
+          arr.push(use);
+          this._usesByDefId.set(use.def_id, arr);
+        }
+      }
+    }
+    return this._usesByDefId;
+  }
+  _chainsByFromDef = null;
+  get chainsByFromDef() {
+    if (!this._chainsByFromDef) {
+      this._chainsByFromDef = /* @__PURE__ */ new Map();
+      for (const chain of this.ir.dfg.chains ?? []) {
+        const arr = this._chainsByFromDef.get(chain.from_def) ?? [];
+        arr.push(chain);
+        this._chainsByFromDef.set(chain.from_def, arr);
+      }
+    }
+    return this._chainsByFromDef;
+  }
+  // ---------------------------------------------------------------------------
+  // Call indexes
+  // ---------------------------------------------------------------------------
+  _callsByLine = null;
+  get callsByLine() {
+    if (!this._callsByLine) {
+      this._callsByLine = /* @__PURE__ */ new Map();
+      for (const call of this.ir.calls) {
+        const arr = this._callsByLine.get(call.location.line) ?? [];
+        arr.push(call);
+        this._callsByLine.set(call.location.line, arr);
+      }
+    }
+    return this._callsByLine;
+  }
+  _callsByMethod = null;
+  get callsByMethod() {
+    if (!this._callsByMethod) {
+      this._callsByMethod = /* @__PURE__ */ new Map();
+      for (const call of this.ir.calls) {
+        const arr = this._callsByMethod.get(call.method_name) ?? [];
+        arr.push(call);
+        this._callsByMethod.set(call.method_name, arr);
+      }
+    }
+    return this._callsByMethod;
   }
-  for (const use of dfg.uses) {
-    const existing = usesByLine.get(use.line) ?? [];
-    existing.push(use);
-    usesByLine.set(use.line, existing);
+  // ---------------------------------------------------------------------------
+  // Type / method indexes
+  // ---------------------------------------------------------------------------
+  _methodsByName = null;
+  get methodsByName() {
+    if (!this._methodsByName) {
+      this._methodsByName = /* @__PURE__ */ new Map();
+      for (const type of this.ir.types) {
+        for (const method of type.methods) {
+          const arr = this._methodsByName.get(method.name) ?? [];
+          arr.push({ type, method });
+          this._methodsByName.set(method.name, arr);
+        }
+      }
+    }
+    return this._methodsByName;
   }
-  for (const call of calls) {
-    const existing = callsByLine.get(call.location.line) ?? [];
-    existing.push(call);
-    callsByLine.set(call.location.line, existing);
+  /**
+   * Returns the TypeInfo + MethodInfo whose line range contains `line`, or null.
+   * Used by passes that need the enclosing method context for a given line.
+   */
+  methodAtLine(line) {
+    for (const type of this.ir.types) {
+      for (const method of type.methods) {
+        if (line >= method.start_line && line <= method.end_line) {
+          return { type, method };
+        }
+      }
+    }
+    return null;
+  }
+  // ---------------------------------------------------------------------------
+  // Taint indexes
+  // ---------------------------------------------------------------------------
+  _sanitizersByLine = null;
+  get sanitizersByLine() {
+    if (!this._sanitizersByLine) {
+      this._sanitizersByLine = /* @__PURE__ */ new Map();
+      for (const san of this.ir.taint.sanitizers ?? []) {
+        const arr = this._sanitizersByLine.get(san.line) ?? [];
+        arr.push(san);
+        this._sanitizersByLine.set(san.line, arr);
+      }
+    }
+    return this._sanitizersByLine;
+  }
+  // ---------------------------------------------------------------------------
+  // Query primitives
+  // ---------------------------------------------------------------------------
+  /** All DFGDefs at a given line. Returns [] if none. */
+  defsAtLine(line) {
+    return this.defsByLine.get(line) ?? [];
+  }
+  /** All DFGUses at a given line. Returns [] if none. */
+  usesAtLine(line) {
+    return this.usesByLine.get(line) ?? [];
+  }
+  /** All DFGUses that reach a specific definition ID. Returns [] if none. */
+  usesOfDef(defId) {
+    return this.usesByDefId.get(defId) ?? [];
   }
-  for (const san of sanitizers) {
-    const existing = sanitizersByLine.get(san.line) ?? [];
-    existing.push(san);
-    sanitizersByLine.set(san.line, existing);
+  /** All CallInfos at a given line. Returns [] if none. */
+  callsAtLine(line) {
+    return this.callsByLine.get(line) ?? [];
+  }
+  /** DFGChains outgoing from a definition ID. Returns [] if none. */
+  chainsFrom(defId) {
+    return this.chainsByFromDef.get(defId) ?? [];
+  }
+  /**
+   * All definitions of `variable` that appear strictly after `afterLine`
+   * and at or before `upToLine`. Used to detect whether a variable is
+   * redefined between a taint source and a sink.
+   */
+  laterDefsOfVar(variable, afterLine, upToLine) {
+    return (this.defsByVar.get(variable) ?? []).filter(
+      (d) => d.line > afterLine && d.line <= upToLine
+    );
   }
-  const rawInitialTaint = findInitialTaint(sources, dfg, callsByLine, defsByLine);
+  // ---------------------------------------------------------------------------
+  // CFG indexes
+  // ---------------------------------------------------------------------------
+  _blockById = null;
+  get blockById() {
+    if (!this._blockById) {
+      this._blockById = /* @__PURE__ */ new Map();
+      for (const block of this.ir.cfg.blocks) {
+        this._blockById.set(block.id, block);
+      }
+    }
+    return this._blockById;
+  }
+  /**
+   * Returns the line range of each detected loop body in the file.
+   *
+   * A loop is identified by CFG back-edges (type = "back"). For each back edge
+   * `A → B`, B is the loop header and A is the last block before the back-jump.
+   * The loop body spans from `header.start_line` to `A.end_line` (inclusive).
+   *
+   * Returns `{ start_line, end_line }` — one entry per back-edge.
+   * Overlapping ranges are returned separately; callers can merge as needed.
+   *
+   * Usage: check whether line L is inside any loop with
+   *   `graph.loopBodies().some(r => L >= r.start_line && L <= r.end_line)`
+   */
+  loopBodies() {
+    const loops = [];
+    for (const edge of this.ir.cfg.edges) {
+      if (edge.type !== "back") continue;
+      const header = this.blockById.get(edge.to);
+      const tail = this.blockById.get(edge.from);
+      if (header && tail) {
+        loops.push({ start_line: header.start_line, end_line: tail.end_line });
+      }
+    }
+    return loops;
+  }
+  /**
+   * Propagate a set of tainted definition IDs through DFGChains to a fixpoint.
+   *
+   * Returns a new Set (does not mutate the input). Each chain edge
+   * `from_def → to_def` spreads taint: if `from_def` is tainted, `to_def`
+   * becomes tainted. Iterates until no new IDs are added.
+   */
+  propagateTaintedDefIds(seed) {
+    const result = new Set(seed);
+    let changed = true;
+    while (changed) {
+      changed = false;
+      for (const [fromDef, chains] of this.chainsByFromDef) {
+        if (!result.has(fromDef)) continue;
+        for (const chain of chains) {
+          if (!result.has(chain.to_def)) {
+            result.add(chain.to_def);
+            changed = true;
+          }
+        }
+      }
+    }
+    return result;
+  }
+};
+
+// src/analysis/taint-propagation.ts
+function propagateTaint(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSanitizers, sanitizersArg) {
+  let graph;
+  let sources;
+  let sinks;
+  let sanitizers;
+  if (graphOrDfg instanceof CodeGraph) {
+    graph = graphOrDfg;
+    sources = callsOrSources;
+    sinks = sourcesOrSinks;
+    sanitizers = sinksOrSanitizers;
+  } else {
+    const dfg = graphOrDfg;
+    const calls = callsOrSources;
+    sources = sourcesOrSinks;
+    sinks = sinksOrSanitizers;
+    sanitizers = sanitizersArg ?? [];
+    graph = new CodeGraph({
+      meta: { circle_ir: "3.0", file: "", language: "java", loc: 0, hash: "" },
+      types: [],
+      calls,
+      cfg: { blocks: [], edges: [] },
+      dfg,
+      taint: { sources: [], sinks: [], sanitizers },
+      imports: [],
+      exports: [],
+      unresolved: [],
+      enriched: {}
+    });
+  }
+  const taintedVars = [];
+  const flows = [];
+  const reachableSinks = /* @__PURE__ */ new Map();
+  const defsByLine = graph.defsByLine;
+  const usesByLine = graph.usesByLine;
+  const callsByLine = graph.callsByLine;
+  const sanitizersByLine = graph.sanitizersByLine;
+  const defById = graph.defById;
+  const rawInitialTaint = findInitialTaint(sources, callsByLine, defsByLine);
   const initialTaint = rawInitialTaint.filter((tv) => {
     if (tv.line === tv.sourceLine) return true;
     const sanCheck = checkSanitized(tv.sourceLine, tv.line, tv.sourceType, sanitizersByLine);
@@ -10990,7 +11265,7 @@ function propagateTaint(dfg, calls, sources, sinks, sanitizers) {
   taintedVars.push(...initialTaint);
   const propagatedTaint = propagateThroughChains(
     initialTaint,
-    dfg.chains ?? [],
+    graph.chainsByFromDef,
     defById,
     sanitizersByLine
   );
@@ -11024,9 +11299,7 @@ function propagateTaint(dfg, calls, sources, sinks, sanitizers) {
                       const flow = buildTaintFlow(
                         source,
                         sink,
-                        taintInfo,
-                        dfg,
-                        defById
+                        taintInfo
                       );
                       flows.push(flow);
                       const existingSources = reachableSinks.get(sink) ?? [];
@@ -11046,7 +11319,7 @@ function propagateTaint(dfg, calls, sources, sinks, sanitizers) {
   }
   return { taintedVars, flows, reachableSinks };
 }
-function findInitialTaint(sources, dfg, callsByLine, defsByLine) {
+function findInitialTaint(sources, callsByLine, defsByLine) {
   const tainted = [];
   for (const source of sources) {
     const defsOnLine = defsByLine.get(source.line) ?? [];
@@ -11078,19 +11351,13 @@ function findInitialTaint(sources, dfg, callsByLine, defsByLine) {
   }
   return tainted;
 }
-function propagateThroughChains(initialTaint, chains, defById, sanitizersByLine) {
+function propagateThroughChains(initialTaint, chainsByFromDef, defById, sanitizersByLine) {
   const propagated = [];
   const taintedDefIds = new Set(initialTaint.map((t) => t.defId));
   const taintInfoByDefId = /* @__PURE__ */ new Map();
   for (const t of initialTaint) {
     taintInfoByDefId.set(t.defId, t);
   }
-  const chainsByFromDef = /* @__PURE__ */ new Map();
-  for (const chain of chains) {
-    const existing = chainsByFromDef.get(chain.from_def) ?? [];
-    existing.push(chain);
-    chainsByFromDef.set(chain.from_def, existing);
-  }
   const queue = [...initialTaint.map((t) => t.defId)];
   const visited = new Set(queue);
   while (queue.length > 0) {
@@ -11160,7 +11427,7 @@ function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   }
   return { sanitized: false };
 }
-function buildTaintFlow(source, sink, taintInfo, dfg, defById) {
+function buildTaintFlow(source, sink, taintInfo) {
   const path = [];
   path.push({
     variable: taintInfo.variable,
@@ -13537,65 +13804,54 @@ function normalizeCondition(cond) {
 
 // src/analysis/path-finder.ts
 var PathFinder = class {
-  dfg;
-  calls;
+  graph;
   sources;
   sinks;
   sanitizers;
   config;
-  // Lookup maps
-  defById = /* @__PURE__ */ new Map();
-  defsByLine = /* @__PURE__ */ new Map();
-  defsByVar = /* @__PURE__ */ new Map();
-  usesByLine = /* @__PURE__ */ new Map();
-  usesByDefId = /* @__PURE__ */ new Map();
-  callsByLine = /* @__PURE__ */ new Map();
-  sanitizerLines = /* @__PURE__ */ new Set();
-  constructor(dfg, calls, sources, sinks, sanitizers, config = {}) {
-    this.dfg = dfg;
-    this.calls = calls;
-    this.sources = sources;
-    this.sinks = sinks;
-    this.sanitizers = sanitizers;
-    this.config = {
-      maxPathLength: config.maxPathLength ?? 50,
-      maxPathsPerSink: config.maxPathsPerSink ?? 10,
-      includeCode: config.includeCode ?? false,
-      sourceLines: config.sourceLines ?? []
-    };
-    this.buildLookupMaps();
-  }
-  /**
-   * Build all lookup maps for efficient querying
-   */
-  buildLookupMaps() {
-    for (const def of this.dfg.defs) {
-      this.defById.set(def.id, def);
-      const byLine = this.defsByLine.get(def.line) ?? [];
-      byLine.push(def);
-      this.defsByLine.set(def.line, byLine);
-      const byVar = this.defsByVar.get(def.variable) ?? [];
-      byVar.push(def);
-      this.defsByVar.set(def.variable, byVar);
-    }
-    for (const use of this.dfg.uses) {
-      const byLine = this.usesByLine.get(use.line) ?? [];
-      byLine.push(use);
-      this.usesByLine.set(use.line, byLine);
-      if (use.def_id !== null) {
-        const byDefId = this.usesByDefId.get(use.def_id) ?? [];
-        byDefId.push(use);
-        this.usesByDefId.set(use.def_id, byDefId);
-      }
-    }
-    for (const call of this.calls) {
-      const byLine = this.callsByLine.get(call.location.line) ?? [];
-      byLine.push(call);
-      this.callsByLine.set(call.location.line, byLine);
-    }
-    for (const sanitizer of this.sanitizers) {
-      this.sanitizerLines.add(sanitizer.line);
+  sanitizerLines;
+  constructor(graphOrDfg, callsOrSources, sourcesOrSinks, sinksOrSanitizers, sanitizersOrConfig, config = {}) {
+    if (graphOrDfg instanceof CodeGraph) {
+      this.graph = graphOrDfg;
+      this.sources = callsOrSources;
+      this.sinks = sourcesOrSinks;
+      this.sanitizers = sinksOrSanitizers;
+      const cfg = sanitizersOrConfig;
+      this.config = {
+        maxPathLength: cfg?.maxPathLength ?? 50,
+        maxPathsPerSink: cfg?.maxPathsPerSink ?? 10,
+        includeCode: cfg?.includeCode ?? false,
+        sourceLines: cfg?.sourceLines ?? []
+      };
+    } else {
+      const dfg = graphOrDfg;
+      const calls = callsOrSources;
+      const sources = sourcesOrSinks;
+      const sinks = sinksOrSanitizers;
+      const sanitizers = sanitizersOrConfig ?? [];
+      this.graph = new CodeGraph({
+        meta: { circle_ir: "3.0", file: "", language: "java", loc: 0, hash: "" },
+        types: [],
+        calls,
+        cfg: { blocks: [], edges: [] },
+        dfg,
+        taint: { sources: [], sinks: [], sanitizers },
+        imports: [],
+        exports: [],
+        unresolved: [],
+        enriched: {}
+      });
+      this.sources = sources;
+      this.sinks = sinks;
+      this.sanitizers = sanitizers;
+      this.config = {
+        maxPathLength: config.maxPathLength ?? 50,
+        maxPathsPerSink: config.maxPathsPerSink ?? 10,
+        includeCode: config.includeCode ?? false,
+        sourceLines: config.sourceLines ?? []
+      };
     }
+    this.sanitizerLines = new Set(this.sanitizers.map((s) => s.line));
   }
   /**
    * Find all taint paths from sources to sinks
@@ -13604,7 +13860,7 @@ var PathFinder = class {
     const paths = [];
     let pathId = 1;
     for (const source of this.sources) {
-      const sourceDefs = this.defsByLine.get(source.line) ?? [];
+      const sourceDefs = this.graph.defsAtLine(source.line);
       for (const sourceDef of sourceDefs) {
         const pathsFromSource = this.findPathsFromSource(source, sourceDef, pathId);
         paths.push(...pathsFromSource);
@@ -13660,7 +13916,7 @@ var PathFinder = class {
             description: `Flows into ${sink.type} sink`,
             code: this.getCodeAtLine(sink.line)
           };
-          const call = this.callsByLine.get(sink.line)?.[0];
+          const call = this.graph.callsAtLine(sink.line)[0];
           paths.push({
             id: `path-${startPathId + paths.length}`,
             source: {
@@ -13684,7 +13940,7 @@ var PathFinder = class {
           pathsPerSink.set(sink.line, sinkCount + 1);
         }
       }
-      const uses = this.usesByDefId.get(state.currentDef.id) ?? [];
+      const uses = this.graph.usesOfDef(state.currentDef.id);
       for (const use of uses) {
         let sanitizer = state.sanitizer;
         if (this.sanitizerLines.has(use.line) && !sanitizer) {
@@ -13693,7 +13949,7 @@ var PathFinder = class {
             sanitizer = { line: san.line, method: san.method };
           }
         }
-        const nextDefs = this.defsByLine.get(use.line) ?? [];
+        const nextDefs = this.graph.defsAtLine(use.line);
         for (const nextDef of nextDefs) {
           if (state.visited.has(nextDef.id)) continue;
           const hop = this.createHop(state.currentDef, nextDef, use);
@@ -13706,7 +13962,7 @@ var PathFinder = class {
             sanitizer
           });
         }
-        const laterDefs = (this.defsByVar.get(use.variable) ?? []).filter((d) => d.line > use.line && !state.visited.has(d.id));
+        const laterDefs = (this.graph.defsByVar.get(use.variable) ?? []).filter((d) => d.line > use.line && !state.visited.has(d.id));
         for (const laterDef of laterDefs.slice(0, 3)) {
           const hop = {
             line: laterDef.line,
@@ -13732,14 +13988,12 @@ var PathFinder = class {
    * Check if a definition reaches a sink
    */
   reachesSink(def, sink) {
-    const uses = this.usesByLine.get(sink.line) ?? [];
-    for (const use of uses) {
+    for (const use of this.graph.usesAtLine(sink.line)) {
       if (use.variable === def.variable || use.def_id === def.id) {
         return true;
       }
     }
-    const calls = this.callsByLine.get(sink.line) ?? [];
-    for (const call of calls) {
+    for (const call of this.graph.callsAtLine(sink.line)) {
       for (const arg of call.arguments) {
         if (arg.variable === def.variable) {
           return true;
@@ -13752,7 +14006,7 @@ var PathFinder = class {
    * Create a hop description between two definitions
    */
   createHop(fromDef, toDef, use) {
-    const call = this.callsByLine.get(toDef.line)?.[0];
+    const call = this.graph.callsAtLine(toDef.line)[0];
     let operation = "assign";
     let description = `Assigned to ${toDef.variable}`;
     if (call) {