npm - circle-ir - Versions diffs - 3.8.4 → 3.9.7 - Mend

circle-ir 3.8.4 → 3.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +82 -5
package/dist/analysis/dfg-verifier.d.ts +3 -14
package/dist/analysis/dfg-verifier.js +43 -74
package/dist/analysis/dfg-verifier.js.map +1 -1
package/dist/analysis/interprocedural.d.ts +5 -1
package/dist/analysis/interprocedural.js +62 -60
package/dist/analysis/interprocedural.js.map +1 -1
package/dist/analysis/metrics/index.d.ts +2 -0
package/dist/analysis/metrics/index.js +2 -0
package/dist/analysis/metrics/index.js.map +1 -0
package/dist/analysis/metrics/metric-pass.d.ts +27 -0
package/dist/analysis/metrics/metric-pass.js +2 -0
package/dist/analysis/metrics/metric-pass.js.map +1 -0
package/dist/analysis/metrics/metric-runner.d.ts +21 -0
package/dist/analysis/metrics/metric-runner.js +47 -0
package/dist/analysis/metrics/metric-runner.js.map +1 -0
package/dist/analysis/metrics/passes/cohesion-metrics-pass.d.ts +21 -0
package/dist/analysis/metrics/passes/cohesion-metrics-pass.js +100 -0
package/dist/analysis/metrics/passes/cohesion-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/complexity-metrics-pass.d.ts +15 -0
package/dist/analysis/metrics/passes/complexity-metrics-pass.js +76 -0
package/dist/analysis/metrics/passes/complexity-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/composite-metrics-pass.d.ts +17 -0
package/dist/analysis/metrics/passes/composite-metrics-pass.js +77 -0
package/dist/analysis/metrics/passes/composite-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/coupling-metrics-pass.d.ts +19 -0
package/dist/analysis/metrics/passes/coupling-metrics-pass.js +94 -0
package/dist/analysis/metrics/passes/coupling-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/data-flow-metrics-pass.d.ts +14 -0
package/dist/analysis/metrics/passes/data-flow-metrics-pass.js +25 -0
package/dist/analysis/metrics/passes/data-flow-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/documentation-metrics-pass.d.ts +15 -0
package/dist/analysis/metrics/passes/documentation-metrics-pass.js +64 -0
package/dist/analysis/metrics/passes/documentation-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/halstead-metrics-pass.d.ts +16 -0
package/dist/analysis/metrics/passes/halstead-metrics-pass.js +95 -0
package/dist/analysis/metrics/passes/halstead-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/inheritance-metrics-pass.d.ts +18 -0
package/dist/analysis/metrics/passes/inheritance-metrics-pass.js +73 -0
package/dist/analysis/metrics/passes/inheritance-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/size-metrics-pass.d.ts +11 -0
package/dist/analysis/metrics/passes/size-metrics-pass.js +64 -0
package/dist/analysis/metrics/passes/size-metrics-pass.js.map +1 -0
package/dist/analysis/passes/circular-dependency-pass.d.ts +18 -0
package/dist/analysis/passes/circular-dependency-pass.js +39 -0
package/dist/analysis/passes/circular-dependency-pass.js.map +1 -0
package/dist/analysis/passes/constant-propagation-pass.d.ts +22 -0
package/dist/analysis/passes/constant-propagation-pass.js +44 -0
package/dist/analysis/passes/constant-propagation-pass.js.map +1 -0
package/dist/analysis/passes/cross-file-pass.d.ts +27 -0
package/dist/analysis/passes/cross-file-pass.js +102 -0
package/dist/analysis/passes/cross-file-pass.js.map +1 -0
package/dist/analysis/passes/dead-code-pass.d.ts +25 -0
package/dist/analysis/passes/dead-code-pass.js +117 -0
package/dist/analysis/passes/dead-code-pass.js.map +1 -0
package/dist/analysis/passes/dependency-fan-out-pass.d.ts +19 -0
package/dist/analysis/passes/dependency-fan-out-pass.js +35 -0
package/dist/analysis/passes/dependency-fan-out-pass.js.map +1 -0
package/dist/analysis/passes/interprocedural-pass.d.ts +29 -0
package/dist/analysis/passes/interprocedural-pass.js +169 -0
package/dist/analysis/passes/interprocedural-pass.js.map +1 -0
package/dist/analysis/passes/language-sources-pass.d.ts +76 -0
package/dist/analysis/passes/language-sources-pass.js +491 -0
package/dist/analysis/passes/language-sources-pass.js.map +1 -0
package/dist/analysis/passes/leaked-global-pass.d.ts +34 -0
package/dist/analysis/passes/leaked-global-pass.js +108 -0
package/dist/analysis/passes/leaked-global-pass.js.map +1 -0
package/dist/analysis/passes/missing-await-pass.d.ts +29 -0
package/dist/analysis/passes/missing-await-pass.js +90 -0
package/dist/analysis/passes/missing-await-pass.js.map +1 -0
package/dist/analysis/passes/missing-public-doc-pass.d.ts +35 -0
package/dist/analysis/passes/missing-public-doc-pass.js +148 -0
package/dist/analysis/passes/missing-public-doc-pass.js.map +1 -0
package/dist/analysis/passes/n-plus-one-pass.d.ts +29 -0
package/dist/analysis/passes/n-plus-one-pass.js +100 -0
package/dist/analysis/passes/n-plus-one-pass.js.map +1 -0
package/dist/analysis/passes/null-deref-pass.d.ts +32 -0
package/dist/analysis/passes/null-deref-pass.js +130 -0
package/dist/analysis/passes/null-deref-pass.js.map +1 -0
package/dist/analysis/passes/orphan-module-pass.d.ts +21 -0
package/dist/analysis/passes/orphan-module-pass.js +38 -0
package/dist/analysis/passes/orphan-module-pass.js.map +1 -0
package/dist/analysis/passes/resource-leak-pass.d.ts +43 -0
package/dist/analysis/passes/resource-leak-pass.js +156 -0
package/dist/analysis/passes/resource-leak-pass.js.map +1 -0
package/dist/analysis/passes/sink-filter-pass.d.ts +39 -0
package/dist/analysis/passes/sink-filter-pass.js +231 -0
package/dist/analysis/passes/sink-filter-pass.js.map +1 -0
package/dist/analysis/passes/stale-doc-ref-pass.d.ts +21 -0
package/dist/analysis/passes/stale-doc-ref-pass.js +96 -0
package/dist/analysis/passes/stale-doc-ref-pass.js.map +1 -0
package/dist/analysis/passes/string-concat-loop-pass.d.ts +26 -0
package/dist/analysis/passes/string-concat-loop-pass.js +87 -0
package/dist/analysis/passes/string-concat-loop-pass.js.map +1 -0
package/dist/analysis/passes/sync-io-async-pass.d.ts +28 -0
package/dist/analysis/passes/sync-io-async-pass.js +80 -0
package/dist/analysis/passes/sync-io-async-pass.js.map +1 -0
package/dist/analysis/passes/taint-matcher-pass.d.ts +24 -0
package/dist/analysis/passes/taint-matcher-pass.js +71 -0
package/dist/analysis/passes/taint-matcher-pass.js.map +1 -0
package/dist/analysis/passes/taint-propagation-pass.d.ts +22 -0
package/dist/analysis/passes/taint-propagation-pass.js +266 -0
package/dist/analysis/passes/taint-propagation-pass.js.map +1 -0
package/dist/analysis/passes/todo-in-prod-pass.d.ts +28 -0
package/dist/analysis/passes/todo-in-prod-pass.js +71 -0
package/dist/analysis/passes/todo-in-prod-pass.js.map +1 -0
package/dist/analysis/passes/unchecked-return-pass.d.ts +34 -0
package/dist/analysis/passes/unchecked-return-pass.js +106 -0
package/dist/analysis/passes/unchecked-return-pass.js.map +1 -0
package/dist/analysis/passes/unused-variable-pass.d.ts +36 -0
package/dist/analysis/passes/unused-variable-pass.js +150 -0
package/dist/analysis/passes/unused-variable-pass.js.map +1 -0
package/dist/analysis/passes/variable-shadowing-pass.d.ts +41 -0
package/dist/analysis/passes/variable-shadowing-pass.js +211 -0
package/dist/analysis/passes/variable-shadowing-pass.js.map +1 -0
package/dist/analysis/path-finder.d.ts +3 -13
package/dist/analysis/path-finder.js +48 -63
package/dist/analysis/path-finder.js.map +1 -1
package/dist/analysis/taint-matcher.js +8 -1
package/dist/analysis/taint-matcher.js.map +1 -1
package/dist/analysis/taint-propagation.d.ts +5 -1
package/dist/analysis/taint-propagation.js +44 -41
package/dist/analysis/taint-propagation.js.map +1 -1
package/dist/analyzer.d.ts +42 -1
package/dist/analyzer.js +234 -1476
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +3413 -1271
package/dist/core/circle-ir-core.cjs +360 -106
package/dist/core/circle-ir-core.js +360 -106
package/dist/core/extractors/imports.js +18 -0
package/dist/core/extractors/imports.js.map +1 -1
package/dist/graph/analysis-pass.d.ts +68 -0
package/dist/graph/analysis-pass.js +51 -0
package/dist/graph/analysis-pass.js.map +1 -0
package/dist/graph/code-graph.d.ts +92 -0
package/dist/graph/code-graph.js +262 -0
package/dist/graph/code-graph.js.map +1 -0
package/dist/graph/import-graph.d.ts +33 -0
package/dist/graph/import-graph.js +170 -0
package/dist/graph/import-graph.js.map +1 -0
package/dist/graph/index.d.ts +4 -0
package/dist/graph/index.js +5 -0
package/dist/graph/index.js.map +1 -0
package/dist/graph/project-graph.d.ts +43 -0
package/dist/graph/project-graph.js +80 -0
package/dist/graph/project-graph.js.map +1 -0
package/dist/graph/scope-graph.d.ts +63 -0
package/dist/graph/scope-graph.js +89 -0
package/dist/graph/scope-graph.js.map +1 -0
package/dist/index.d.ts +2 -2
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/resolution/cross-file.js +52 -19
package/dist/resolution/cross-file.js.map +1 -1
package/dist/types/index.d.ts +151 -0
package/docs/SPEC.md +10 -6
package/package.json +1 -1

package/dist/analysis/passes/sink-filter-pass.js ADDED Viewed

@@ -0,0 +1,231 @@
+/**
+ * SinkFilterPass
+ *
+ * Applies the four-stage sink filtering pipeline to eliminate false positives,
+ * followed by language-specific XPath/XSS suppression.
+ *
+ * Filter stages (applied in order):
+ *   1. Dead code — remove sinks on unreachable lines
+ *   2. Clean array elements — strong updates via constant propagation
+ *   3. Clean variables — arguments proven non-tainted by constant propagation
+ *   4. Sanitized sinks — sinks wrapped by a recognised sanitizer call
+ *   5. Python XPath FP reduction
+ *   6. JavaScript XSS FP reduction
+ *
+ * Depends on: taint-matcher, constant-propagation, language-sources
+ */
+import { JS_TAINTED_PATTERNS } from './language-sources-pass.js';
+export class SinkFilterPass {
+    name = 'sink-filter';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const { calls, dfg } = graph.ir;
+        const taintMatcher = ctx.getResult('taint-matcher');
+        const constProp = ctx.getResult('constant-propagation');
+        const langSources = ctx.getResult('language-sources');
+        // Merge sources and sinks from both upstream passes.
+        const sources = [...taintMatcher.sources, ...langSources.additionalSources];
+        // Build merged sinks, deduplicating JS DOM sinks that may overlap with config sinks.
+        const sinks = [...taintMatcher.sinks];
+        for (const s of langSources.additionalSinks) {
+            if (!sinks.some(x => x.line === s.line && x.cwe === s.cwe && x.type === s.type)) {
+                sinks.push(s);
+            }
+        }
+        const sanitizers = taintMatcher.sanitizers;
+        // Stage 1 — dead code
+        let filtered = sinks.filter(sink => !constProp.unreachableLines.has(sink.line));
+        // Stage 2 — clean array elements
+        filtered = filterCleanArraySinks(filtered, calls, constProp.taintedArrayElements, constProp.symbols);
+        // Stage 3 — clean variables
+        filtered = filterCleanVariableSinks(filtered, calls, constProp.tainted, constProp.symbols, dfg, constProp.sanitizedVars, constProp.synchronizedLines);
+        // Stage 4 — sanitized sinks
+        filtered = filterSanitizedSinks(filtered, sanitizers, calls);
+        // Stage 5 — Python XPath FP reduction
+        if (language === 'python') {
+            const { pyTaintedVars, pySanitizedVars } = langSources;
+            const sourceLines = ctx.code.split('\n');
+            filtered = filtered.filter(sink => {
+                if (sink.type !== 'xpath_injection')
+                    return true;
+                const sinkLineText = sourceLines[sink.line - 1] ?? '';
+                const taintedVarOnLine = [...pyTaintedVars.keys()].find(v => new RegExp(`\\b${v}\\b`).test(sinkLineText));
+                if (!taintedVarOnLine)
+                    return false;
+                if (pySanitizedVars.has(taintedVarOnLine))
+                    return false;
+                if (new RegExp(`\\.xpath\\s*\\([^)]*\\b\\w+\\s*=\\s*\\b${taintedVarOnLine}\\b`).test(sinkLineText))
+                    return false;
+                return true;
+            });
+        }
+        // Stage 6 — JavaScript XSS FP reduction
+        if (['javascript', 'typescript'].includes(language)) {
+            const { jsTaintedVars } = langSources;
+            if (jsTaintedVars.size > 0) {
+                const sourceLines = ctx.code.split('\n');
+                filtered = filtered.filter(sink => {
+                    if (sink.type !== 'xss')
+                        return true;
+                    const sinkLineText = sourceLines[sink.line - 1] ?? '';
+                    if ([...jsTaintedVars.keys()].some(v => new RegExp(`\\b${v}\\b`).test(sinkLineText)))
+                        return true;
+                    if (JS_TAINTED_PATTERNS.some(p => p.pattern.test(sinkLineText)))
+                        return true;
+                    return false;
+                });
+            }
+        }
+        return { sources, sinks: filtered, sanitizers };
+    }
+}
+function evaluateSimpleExpression(expr, symbols) {
+    let evaluated = expr;
+    for (const [name, val] of symbols) {
+        if (val.type === 'int' || val.type === 'float') {
+            const regex = new RegExp(`\\b${name}\\b`, 'g');
+            evaluated = evaluated.replace(regex, String(val.value));
+        }
+    }
+    try {
+        if (/^[\d\s+\-*/().]+$/.test(evaluated)) {
+            const result = Function('"use strict"; return (' + evaluated + ')')();
+            if (typeof result === 'number' && !isNaN(result))
+                return String(Math.floor(result));
+        }
+    }
+    catch { /* evaluation failed */ }
+    return expr;
+}
+function isStringLiteralExpression(expr) {
+    const trimmed = expr.trim();
+    return (trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+        (trimmed.startsWith("'") && trimmed.endsWith("'"));
+}
+function filterCleanArraySinks(sinks, calls, taintedArrayElements, symbols) {
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    return sinks.filter(sink => {
+        const callsAtSink = callsByLine.get(sink.line) ?? [];
+        for (const call of callsAtSink) {
+            for (const arg of call.arguments) {
+                const arrayAccessMatch = arg.expression?.match(/^(\w+)\[(\d+|[^[\]]+)\]$/);
+                if (arrayAccessMatch) {
+                    const arrayName = arrayAccessMatch[1];
+                    let indexStr = arrayAccessMatch[2];
+                    indexStr = evaluateSimpleExpression(indexStr, symbols);
+                    const taintedIndices = taintedArrayElements.get(arrayName);
+                    if (taintedIndices !== undefined) {
+                        const isTainted = taintedIndices.has(indexStr) || taintedIndices.has('*');
+                        if (!isTainted)
+                            return false;
+                    }
+                }
+            }
+        }
+        return true;
+    });
+}
+export function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanitizedVars, synchronizedLines) {
+    const fieldNames = new Set();
+    if (dfg) {
+        for (const def of dfg.defs) {
+            if (def.kind === 'field')
+                fieldNames.add(def.variable);
+        }
+    }
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    return sinks.filter(sink => {
+        const callsAtSink = callsByLine.get(sink.line) ?? [];
+        const isInSynchronizedBlock = synchronizedLines?.has(sink.line) ?? false;
+        for (const call of callsAtSink) {
+            let allArgsAreClean = true;
+            const methodName = call.in_method;
+            for (const arg of call.arguments) {
+                if (arg.variable && !arg.expression?.includes('[')) {
+                    const varName = arg.variable;
+                    const scopedName = methodName ? `${methodName}:${varName}` : varName;
+                    if (fieldNames.has(varName) && !isInSynchronizedBlock) {
+                        allArgsAreClean = false;
+                        continue;
+                    }
+                    if (sanitizedVars?.has(scopedName) || sanitizedVars?.has(varName))
+                        continue;
+                    if (taintedVars.has(scopedName) || taintedVars.has(varName)) {
+                        allArgsAreClean = false;
+                        continue;
+                    }
+                    const symbolValue = symbols.get(scopedName) ?? symbols.get(varName);
+                    if (symbolValue && symbolValue.type !== 'unknown')
+                        continue;
+                    allArgsAreClean = false;
+                }
+                else {
+                    if (arg.literal != null)
+                        continue;
+                    if (arg.expression && !arg.variable && isStringLiteralExpression(arg.expression))
+                        continue;
+                    allArgsAreClean = false;
+                }
+            }
+            if (allArgsAreClean && call.arguments.length > 0)
+                return false;
+        }
+        return true;
+    });
+}
+export function filterSanitizedSinks(sinks, sanitizers, calls) {
+    if (!sanitizers || sanitizers.length === 0)
+        return sinks;
+    const sanitizersByLine = new Map();
+    for (const san of sanitizers) {
+        const existing = sanitizersByLine.get(san.line) ?? [];
+        existing.push(san);
+        sanitizersByLine.set(san.line, existing);
+    }
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    return sinks.filter(sink => {
+        const lineSanitizers = sanitizersByLine.get(sink.line);
+        if (!lineSanitizers || lineSanitizers.length === 0)
+            return true;
+        for (const san of lineSanitizers) {
+            if (san.sanitizes.includes(sink.type)) {
+                const lineCalls = callsByLine.get(sink.line) ?? [];
+                for (const call of lineCalls) {
+                    for (const arg of call.arguments) {
+                        const expr = arg.expression || '';
+                        const sanMethodMatch = san.method.match(/(?:(\w+)\.)?(\w+)\(\)/);
+                        if (sanMethodMatch) {
+                            const sanMethodName = sanMethodMatch[2];
+                            const sanClassName = sanMethodMatch[1];
+                            if (sanClassName) {
+                                if (expr.includes(`${sanClassName}.${sanMethodName}(`))
+                                    return false;
+                            }
+                            else if (expr.includes(`${sanMethodName}(`)) {
+                                return false;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return true;
+    });
+}
+//# sourceMappingURL=sink-filter-pass.js.map

package/dist/analysis/passes/sink-filter-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sink-filter-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/sink-filter-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAOH,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAUjE,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAEhC,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAqB,eAAe,CAAC,CAAC;QACxE,MAAM,SAAS,GAAM,GAAG,CAAC,SAAS,CAA2B,sBAAsB,CAAC,CAAC;QACrF,MAAM,WAAW,GAAI,GAAG,CAAC,SAAS,CAAwB,kBAAkB,CAAC,CAAC;QAE9E,qDAAqD;QACrD,MAAM,OAAO,GAAkB,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAE3F,qFAAqF;QACrF,MAAM,KAAK,GAAgB,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;YAC5C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QACD,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC;QAE3C,sBAAsB;QACtB,IAAI,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEhF,iCAAiC;QACjC,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,oBAAoB,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;QAErG,4BAA4B;QAC5B,QAAQ,GAAG,wBAAwB,CACjC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,EACrD,GAAG,EAAE,SAAS,CAAC,aAAa,EAAE,SAAS,CAAC,iBAAiB,CAC1D,CAAC;QAEF,4BAA4B;QAC5B,QAAQ,GAAG,oBAAoB,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QAE7D,sCAAsC;QACtC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,WAAW,CAAC;YACvD,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;gBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;oBAAE,OAAO,IAAI,CAAC;gBACjD,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtD,MAAM,gBAAgB,GAAG,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC1D,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAC5C,CAAC;gBACF,IAAI,CAAC,gBAAgB;oBAAE,OAAO,KAAK,CAAC;gBACpC,IAAI,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACxD,IAAI,IAAI,MAAM,CAAC,0CAA0C,gBAAgB,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACjH,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,MAAM,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC;YACtC,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;oBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;wBAAE,OAAO,IAAI,CAAC;oBACrC,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;oBACtD,IAAI,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAClG,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAC7E,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IAClD,CAAC;CACF;AAUD,SAAS,wBAAwB,CAAC,IAAY,EAAE,OAAgB;IAC9D,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,OAAO,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,KAAK,EAAE,GAAG,CAAC,CAAC;YAC/C,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACH,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,MAAM,MAAM,GAAG,QAAQ,CAAC,wBAAwB,GAAG,SAAS,GAAG,GAAG,CAAC,EAAE,CAAC;YACtE,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,uBAAuB,CAAC,CAAC;IACnC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAiC,EACjC,KAAwB,EACxB,oBAA8C,EAC9C,OAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,MAAM,gBAAgB,GAAG,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC3E,IAAI,gBAAgB,EAAE,CAAC;oBACrB,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACtC,IAAI,QAAQ,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACnC,QAAQ,GAAG,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBACvD,MAAM,cAAc,GAAG,oBAAoB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBAC3D,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;wBACjC,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;wBAC1E,IAAI,CAAC,SAAS;4BAAE,OAAO,KAAK,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,KAAiC,EACjC,KAAwB,EACxB,WAAwB,EACxB,OAAgB,EAChB,GAAqB,EACrB,aAA2B,EAC3B,iBAA+B;IAE/B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,qBAAqB,GAAG,iBAAiB,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC;QAEzE,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,eAAe,GAAG,IAAI,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;YAElC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACnD,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC;oBAC7B,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;oBAErE,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAC7F,IAAI,aAAa,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC;wBAAE,SAAS;oBAC5E,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAEnG,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBACpE,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS;wBAAE,SAAS;oBAE5D,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;qBAAM,CAAC;oBACN,IAAI,GAAG,CAAC,OAAO,IAAI,IAAI;wBAAE,SAAS;oBAClC,IAAI,GAAG,CAAC,UAAU,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,yBAAyB,CAAC,GAAG,CAAC,UAAU,CAAC;wBAAE,SAAS;oBAC3F,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;YACH,CAAC;YAED,IAAI,eAAe,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QACjE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAiC,EACjC,UAA2C,EAC3C,KAAwB;IAExB,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzD,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA6B,CAAC;IAC9D,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,cAAc,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEhE,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAoC,CAAC,EAAE,CAAC;gBACtE,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACnD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;wBACjC,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;wBAClC,MAAM,cAAc,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;wBACjE,IAAI,cAAc,EAAE,CAAC;4BACnB,MAAM,aAAa,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,MAAM,YAAY,GAAI,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,IAAI,YAAY,EAAE,CAAC;gCACjB,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,YAAY,IAAI,aAAa,GAAG,CAAC;oCAAE,OAAO,KAAK,CAAC;4BACvE,CAAC;iCAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;gCAC9C,OAAO,KAAK,CAAC;4BACf,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/analysis/passes/stale-doc-ref-pass.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Pass #33: stale-doc-ref
+ *
+ * Flags doc comment references ({@link ClassName} and @see ClassName) that
+ * point to symbols not found in the file's type declarations or imports.
+ * Stale doc refs cause confusion and erode documentation trustworthiness.
+ *
+ * Category: maintainability | Severity: low | Level: note | CWE: none
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface StaleDocRefResult {
+    staleRefs: Array<{
+        line: number;
+        ref: string;
+    }>;
+}
+export declare class StaleDocRefPass implements AnalysisPass<StaleDocRefResult> {
+    readonly name = "stale-doc-ref";
+    readonly category: "maintainability";
+    run(ctx: PassContext): StaleDocRefResult;
+}

package/dist/analysis/passes/stale-doc-ref-pass.js ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * Pass #33: stale-doc-ref
+ *
+ * Flags doc comment references ({@link ClassName} and @see ClassName) that
+ * point to symbols not found in the file's type declarations or imports.
+ * Stale doc refs cause confusion and erode documentation trustworthiness.
+ *
+ * Category: maintainability | Severity: low | Level: note | CWE: none
+ */
+// Matches /** ... */ blocks (non-greedy, multiline)
+const DOC_BLOCK_RE = /\/\*\*([\s\S]*?)\*\//g;
+// Matches {@link Foo.Bar#method} or {@link Foo}
+const LINK_RE = /\{@link\s+([\w.#]+)/g;
+// Matches @see Foo.Bar or @see Foo
+const SEE_RE = /@see\s+([\w.#]+)/g;
+/**
+ * Normalize a symbol reference: strip method fragment (#method) and
+ * take the last dot-separated segment (so "java.util.List" → "List").
+ */
+function normalizeRef(raw) {
+    const withoutMethod = raw.split('#')[0];
+    const parts = withoutMethod.split('.');
+    return parts[parts.length - 1] ?? raw;
+}
+/**
+ * Return the 1-based line number of the start of a match within `code`.
+ */
+function lineOfIndex(code, index) {
+    let line = 1;
+    for (let i = 0; i < index && i < code.length; i++) {
+        if (code[i] === '\n')
+            line++;
+    }
+    return line;
+}
+export class StaleDocRefPass {
+    name = 'stale-doc-ref';
+    category = 'maintainability';
+    run(ctx) {
+        const staleRefs = [];
+        // Build known-symbol set from types + imports
+        const knownSymbols = new Set();
+        for (const t of ctx.graph.ir.types) {
+            knownSymbols.add(t.name);
+        }
+        for (const imp of ctx.graph.ir.imports) {
+            if (imp.imported_name && imp.imported_name !== '*' && imp.imported_name !== 'default') {
+                knownSymbols.add(imp.imported_name);
+            }
+            if (imp.alias) {
+                knownSymbols.add(imp.alias);
+            }
+        }
+        const code = ctx.code;
+        DOC_BLOCK_RE.lastIndex = 0;
+        let blockMatch;
+        while ((blockMatch = DOC_BLOCK_RE.exec(code)) !== null) {
+            const blockStart = blockMatch.index;
+            const blockText = blockMatch[0];
+            // Extract all refs from the block
+            const refs = [];
+            LINK_RE.lastIndex = 0;
+            let m;
+            while ((m = LINK_RE.exec(blockText)) !== null) {
+                refs.push({ raw: m[1], offsetInBlock: m.index });
+            }
+            SEE_RE.lastIndex = 0;
+            while ((m = SEE_RE.exec(blockText)) !== null) {
+                refs.push({ raw: m[1], offsetInBlock: m.index });
+            }
+            for (const { raw, offsetInBlock } of refs) {
+                const normalized = normalizeRef(raw);
+                if (!knownSymbols.has(normalized)) {
+                    const absIdx = blockStart + offsetInBlock;
+                    const line = lineOfIndex(code, absIdx);
+                    staleRefs.push({ line, ref: normalized });
+                    const finding = {
+                        id: `stale-doc-ref-${ctx.graph.ir.meta.file.replace(/[^a-z0-9]/gi, '-')}-${line}`,
+                        pass: 'stale-doc-ref',
+                        category: 'maintainability',
+                        rule_id: 'stale-doc-ref',
+                        severity: 'low',
+                        level: 'note',
+                        message: `Doc comment references unknown symbol '${normalized}'. Update or remove the stale reference.`,
+                        file: ctx.graph.ir.meta.file,
+                        line,
+                        evidence: { ref: normalized, raw },
+                    };
+                    ctx.addFinding(finding);
+                }
+            }
+        }
+        return { staleRefs };
+    }
+}
+//# sourceMappingURL=stale-doc-ref-pass.js.map

package/dist/analysis/passes/stale-doc-ref-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"stale-doc-ref-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/stale-doc-ref-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH,oDAAoD;AACpD,MAAM,YAAY,GAAG,uBAAuB,CAAC;AAC7C,gDAAgD;AAChD,MAAM,OAAO,GAAG,sBAAsB,CAAC;AACvC,mCAAmC;AACnC,MAAM,MAAM,GAAI,mBAAmB,CAAC;AAEpC;;;GAGG;AACH,SAAS,YAAY,CAAC,GAAW;IAC/B,MAAM,aAAa,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY,EAAE,KAAa;IAC9C,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClD,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,IAAI,EAAE,CAAC;IAC/B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,eAAe,CAAC;IACvB,QAAQ,GAAG,iBAA0B,CAAC;IAE/C,GAAG,CAAC,GAAgB;QAClB,MAAM,SAAS,GAAyC,EAAE,CAAC;QAE3D,8CAA8C;QAC9C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;QACvC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YACnC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC;YACvC,IAAI,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,aAAa,KAAK,GAAG,IAAI,GAAG,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;gBACtF,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACtC,CAAC;YACD,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gBACd,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACtB,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC;QAE3B,IAAI,UAAkC,CAAC;QACvC,OAAO,CAAC,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACvD,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC;YACpC,MAAM,SAAS,GAAI,UAAU,CAAC,CAAC,CAAC,CAAC;YAEjC,kCAAkC;YAClC,MAAM,IAAI,GAAkD,EAAE,CAAC;YAE/D,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,CAAyB,CAAC;YAC9B,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACnD,CAAC;YAED,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;YACrB,OAAO,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACnD,CAAC;YAED,KAAK,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC;gBAC1C,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;gBACrC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;oBAClC,MAAM,MAAM,GAAG,UAAU,GAAG,aAAa,CAAC;oBAC1C,MAAM,IAAI,GAAK,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;oBACzC,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;oBAE1C,MAAM,OAAO,GAAgB;wBAC3B,EAAE,EAAQ,iBAAiB,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE;wBACvF,IAAI,EAAM,eAAe;wBACzB,QAAQ,EAAE,iBAAiB;wBAC3B,OAAO,EAAG,eAAe;wBACzB,QAAQ,EAAE,KAAK;wBACf,KAAK,EAAK,MAAM;wBAChB,OAAO,EAAG,0CAA0C,UAAU,0CAA0C;wBACxG,IAAI,EAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI;wBAChC,IAAI;wBACJ,QAAQ,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE;qBACnC,CAAC;oBACF,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,SAAS,EAAE,CAAC;IACvB,CAAC;CACF"}

package/dist/analysis/passes/string-concat-loop-pass.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Pass #50: string-concat-loop (CWE-1046, category: performance)
+ *
+ * Detects string concatenation using `+=` inside loop bodies, which creates
+ * O(n²) string allocations. Each iteration copies the entire accumulated
+ * string, making this a common performance anti-pattern.
+ *
+ * Detection strategy:
+ *   1. Identify loop body line ranges via CFG back-edges (graph.loopBodies()).
+ *   2. For each line within a loop body, scan for `identifier +=` pattern.
+ *   3. Filter out obvious numeric variable names (i, count, sum, etc.) and
+ *      numeric-looking RHS literals to avoid FP on arithmetic accumulation.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface StringConcatLoopResult {
+    /** `+=` expressions inside loop bodies that are likely string concatenation. */
+    concatInLoops: Array<{
+        line: number;
+        variable: string;
+    }>;
+}
+export declare class StringConcatLoopPass implements AnalysisPass<StringConcatLoopResult> {
+    readonly name = "string-concat-loop";
+    readonly category: "performance";
+    run(ctx: PassContext): StringConcatLoopResult;
+}

package/dist/analysis/passes/string-concat-loop-pass.js ADDED Viewed

@@ -0,0 +1,87 @@
+/**
+ * Pass #50: string-concat-loop (CWE-1046, category: performance)
+ *
+ * Detects string concatenation using `+=` inside loop bodies, which creates
+ * O(n²) string allocations. Each iteration copies the entire accumulated
+ * string, making this a common performance anti-pattern.
+ *
+ * Detection strategy:
+ *   1. Identify loop body line ranges via CFG back-edges (graph.loopBodies()).
+ *   2. For each line within a loop body, scan for `identifier +=` pattern.
+ *   3. Filter out obvious numeric variable names (i, count, sum, etc.) and
+ *      numeric-looking RHS literals to avoid FP on arithmetic accumulation.
+ */
+/** Matches `varName +=` at a token boundary. Group 1 = variable name. */
+const CONCAT_RE = /\b([a-zA-Z_$][a-zA-Z0-9_$]*)\s*\+=/;
+/**
+ * Variable names that almost certainly hold numeric values.
+ * These can safely be skipped even if they appear in `+=` expressions.
+ */
+const NUMERIC_VAR_RE = /^(i|j|k|n|m|x|y|z|count|sum|total|size|index|len|length|num|idx|score|counter|offset|pos|col|row|result|ret|value|acc|bits|byte|bytes|flag|flags|step|delta|diff|dist|min|max|avg|mean|page|line|err|error)$/i;
+/** Variable name suffixes that strongly suggest numeric accumulation. */
+const NUMERIC_SUFFIX_RE = /(Count|Sum|Total|Size|Index|Length|Offset|Position|Score|Counter|Num|Amount|Val|Idx|Len|Max|Min|Avg|Delta|Diff|Step|Flag|Flags|Bits|Byte|Bytes|Calls|Items|Nodes|Edges|Blocks|Lines|Chars|Entries|Records|Rows)$/;
+/**
+ * Matches a right-hand side that starts with a digit or decimal point —
+ * these are numeric literals so the `+=` is arithmetic, not string concat.
+ */
+const NUMERIC_RHS_RE = /^\s*[\d.]/;
+export class StringConcatLoopPass {
+    name = 'string-concat-loop';
+    category = 'performance';
+    run(ctx) {
+        const { graph, code } = ctx;
+        const file = graph.ir.meta.file;
+        const loops = graph.loopBodies();
+        if (loops.length === 0)
+            return { concatInLoops: [] };
+        const codeLines = code.split('\n');
+        const concatInLoops = [];
+        const reported = new Set(); // one finding per line
+        for (const loop of loops) {
+            for (let ln = loop.start_line; ln <= loop.end_line; ln++) {
+                if (reported.has(ln))
+                    continue;
+                const src = codeLines[ln - 1] ?? '';
+                const match = CONCAT_RE.exec(src);
+                if (!match)
+                    continue;
+                const varName = match[1];
+                // Skip obviously-numeric variable names
+                if (NUMERIC_VAR_RE.test(varName))
+                    continue;
+                if (NUMERIC_SUFFIX_RE.test(varName))
+                    continue;
+                // Skip if the RHS after `+=` starts with a digit/decimal (numeric literal)
+                const opIdx = src.indexOf('+=');
+                const afterOp = opIdx >= 0 ? src.slice(opIdx + 2) : '';
+                if (NUMERIC_RHS_RE.test(afterOp))
+                    continue;
+                concatInLoops.push({ line: ln, variable: varName });
+                reported.add(ln);
+                ctx.addFinding({
+                    id: `string-concat-loop-${file}-${ln}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-1046',
+                    severity: 'low',
+                    level: 'warning',
+                    message: `String concatenation with '+=' inside a loop: '${varName}' grows O(n²). ` +
+                        `Each iteration copies the entire accumulated string.`,
+                    file,
+                    line: ln,
+                    snippet: src.trim(),
+                    fix: `Accumulate parts in an array and join() after the loop, ` +
+                        `or use StringBuilder (Java) / StringJoiner`,
+                    evidence: {
+                        variable: varName,
+                        loop_start: loop.start_line,
+                        loop_end: loop.end_line,
+                    },
+                });
+            }
+        }
+        return { concatInLoops };
+    }
+}
+//# sourceMappingURL=string-concat-loop-pass.js.map

package/dist/analysis/passes/string-concat-loop-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"string-concat-loop-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/string-concat-loop-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,yEAAyE;AACzE,MAAM,SAAS,GAAG,oCAAoC,CAAC;AAEvD;;;GAGG;AACH,MAAM,cAAc,GAClB,+MAA+M,CAAC;AAElN,yEAAyE;AACzE,MAAM,iBAAiB,GACrB,kNAAkN,CAAC;AAErN;;;GAGG;AACH,MAAM,cAAc,GAAG,WAAW,CAAC;AAOnC,MAAM,OAAO,oBAAoB;IACtB,IAAI,GAAG,oBAAoB,CAAC;IAC5B,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAErD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,aAAa,GAA8C,EAAE,CAAC;QACpE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,uBAAuB;QAE3D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,KAAK,IAAI,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,IAAI,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,CAAC;gBACzD,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAE/B,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBACpC,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAClC,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAErB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEzB,wCAAwC;gBACxC,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;oBAAE,SAAS;gBAC3C,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;oBAAE,SAAS;gBAE9C,2EAA2E;gBAC3E,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChC,MAAM,OAAO,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;oBAAE,SAAS;gBAE3C,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;gBACpD,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAEjB,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,sBAAsB,IAAI,IAAI,EAAE,EAAE;oBACtC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,UAAU;oBACf,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,SAAS;oBAChB,OAAO,EACL,kDAAkD,OAAO,iBAAiB;wBAC1E,sDAAsD;oBACxD,IAAI;oBACJ,IAAI,EAAE,EAAE;oBACR,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE;oBACnB,GAAG,EACD,0DAA0D;wBAC1D,4CAA4C;oBAC9C,QAAQ,EAAE;wBACR,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;qBACxB;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,CAAC;IAC3B,CAAC;CACF"}

package/dist/analysis/passes/sync-io-async-pass.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Pass #48: sync-io-async (CWE-1050, category: performance)
+ *
+ * Detects synchronous (blocking) I/O calls made inside async functions in
+ * JavaScript/TypeScript. Blocking calls stall the Node.js event loop,
+ * negating the benefits of async/await and starving other concurrent work.
+ *
+ * Detection strategy:
+ *   1. Collect async method line ranges from types[].methods where
+ *      modifiers include 'async'.
+ *   2. For each call site within an async range, check if the method name
+ *      ends in 'Sync' (Node.js blocking variants) or is in the curated
+ *      BLOCKING_METHODS set.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface SyncIoAsyncResult {
+    /** Blocking calls found inside async functions. */
+    blockingInAsyncFns: Array<{
+        line: number;
+        method: string;
+        enclosingMethod: string;
+    }>;
+}
+export declare class SyncIoAsyncPass implements AnalysisPass<SyncIoAsyncResult> {
+    readonly name = "sync-io-async";
+    readonly category: "performance";
+    run(ctx: PassContext): SyncIoAsyncResult;
+}

package/dist/analysis/passes/sync-io-async-pass.js ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * Pass #48: sync-io-async (CWE-1050, category: performance)
+ *
+ * Detects synchronous (blocking) I/O calls made inside async functions in
+ * JavaScript/TypeScript. Blocking calls stall the Node.js event loop,
+ * negating the benefits of async/await and starving other concurrent work.
+ *
+ * Detection strategy:
+ *   1. Collect async method line ranges from types[].methods where
+ *      modifiers include 'async'.
+ *   2. For each call site within an async range, check if the method name
+ *      ends in 'Sync' (Node.js blocking variants) or is in the curated
+ *      BLOCKING_METHODS set.
+ */
+/**
+ * Methods that are always blocking regardless of name convention.
+ * Kept intentionally small — only add names with virtually no async usage.
+ */
+const BLOCKING_METHODS = new Set([
+    'sleep', // Python time.sleep / any sync sleep utility
+]);
+/** Any method whose name ends in 'Sync' is a blocking Node.js API variant. */
+const SYNC_SUFFIX_RE = /Sync$/;
+export class SyncIoAsyncPass {
+    name = 'sync-io-async';
+    category = 'performance';
+    run(ctx) {
+        const { graph, language } = ctx;
+        // Only relevant for JS/TS (and Python for sleep)
+        if (language !== 'javascript' && language !== 'typescript' && language !== 'python') {
+            return { blockingInAsyncFns: [] };
+        }
+        const file = graph.ir.meta.file;
+        // Collect async method line ranges
+        const asyncRanges = [];
+        for (const type of graph.ir.types) {
+            for (const method of type.methods) {
+                if (method.modifiers.includes('async')) {
+                    asyncRanges.push({
+                        start: method.start_line,
+                        end: method.end_line,
+                        name: method.name,
+                    });
+                }
+            }
+        }
+        if (asyncRanges.length === 0)
+            return { blockingInAsyncFns: [] };
+        const blockingInAsyncFns = [];
+        for (const call of graph.ir.calls) {
+            const name = call.method_name;
+            if (!SYNC_SUFFIX_RE.test(name) && !BLOCKING_METHODS.has(name))
+                continue;
+            const line = call.location.line;
+            const range = asyncRanges.find(r => line >= r.start && line <= r.end);
+            if (!range)
+                continue;
+            blockingInAsyncFns.push({ line, method: name, enclosingMethod: range.name });
+            ctx.addFinding({
+                id: `sync-io-async-${file}-${line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-1050',
+                severity: 'medium',
+                level: 'warning',
+                message: `Blocking call \`${name}()\` inside async function '${range.name}' stalls the event loop`,
+                file,
+                line,
+                fix: `Replace \`${name}\` with its async equivalent and await the result`,
+                evidence: {
+                    blocking_method: name,
+                    async_method: range.name,
+                },
+            });
+        }
+        return { blockingInAsyncFns };
+    }
+}
+//# sourceMappingURL=sync-io-async-pass.js.map

package/dist/analysis/passes/sync-io-async-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sync-io-async-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/sync-io-async-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH;;;GAGG;AACH,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IACpD,OAAO,EAAE,6CAA6C;CACvD,CAAC,CAAC;AAEH,8EAA8E;AAC9E,MAAM,cAAc,GAAG,OAAO,CAAC;AAW/B,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,eAAe,CAAC;IACvB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,iDAAiD;QACjD,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACpF,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAAC;QACpC,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,mCAAmC;QACnC,MAAM,WAAW,GAAwD,EAAE,CAAC;QAC5E,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBACvC,WAAW,CAAC,IAAI,CAAC;wBACf,KAAK,EAAE,MAAM,CAAC,UAAU;wBACxB,GAAG,EAAE,MAAM,CAAC,QAAQ;wBACpB,IAAI,EAAE,MAAM,CAAC,IAAI;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAAC;QAEhE,MAAM,kBAAkB,GAA4C,EAAE,CAAC;QAEvE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;YAC9B,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAExE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACtE,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,kBAAkB,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YAE7E,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,iBAAiB,IAAI,IAAI,IAAI,EAAE;gBACnC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,mBAAmB,IAAI,+BAA+B,KAAK,CAAC,IAAI,yBAAyB;gBAC3F,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,aAAa,IAAI,mDAAmD;gBACzE,QAAQ,EAAE;oBACR,eAAe,EAAE,IAAI;oBACrB,YAAY,EAAE,KAAK,CAAC,IAAI;iBACzB;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,kBAAkB,EAAE,CAAC;IAChC,CAAC;CACF"}

package/dist/analysis/passes/taint-matcher-pass.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * TaintMatcherPass
+ *
+ * First pass in the analysis pipeline. Merges language-plugin built-in
+ * sources/sinks into the config, runs config-based taint matching, and
+ * extracts @sanitizer-annotated method names from type declarations.
+ */
+import type { TaintSource, TaintSink, TaintSanitizer } from '../../types/index.js';
+import type { TaintConfig } from '../../types/config.js';
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface TaintMatcherResult {
+    sources: TaintSource[];
+    sinks: TaintSink[];
+    sanitizers: TaintSanitizer[];
+    /** Method names annotated with @sanitizer (for ConstantPropagationPass). */
+    sanitizerMethods: string[];
+    /** Final merged config (with plugin extensions applied). */
+    config: TaintConfig;
+}
+export declare class TaintMatcherPass implements AnalysisPass<TaintMatcherResult> {
+    readonly name = "taint-matcher";
+    readonly category: "security";
+    run(ctx: PassContext): TaintMatcherResult;
+}