circle-ir 3.8.4 → 3.9.8

package/dist/analysis/passes/taint-propagation-pass.js

@@ -0,0 +1,266 @@
+/**
+ * TaintPropagationPass
+ *
+ * Propagates taint through the DFG to find verified source-to-sink flows,
+ * then supplements with three additional flow-detection strategies that the
+ * DFG-based analysis may miss:
+ *   - Array element flows (tainted array[idx] → sink)
+ *   - Collection/iterator flows (list.get(), queue.poll(), etc.)
+ *   - Direct parameter-to-sink flows (interprocedural parameter used at sink)
+ *
+ * Depends on: sink-filter, constant-propagation
+ */
+import { propagateTaint } from '../taint-propagation.js';
+import { isFalsePositive, isCorrelatedPredicateFP } from '../constant-propagation.js';
+export class TaintPropagationPass {
+    name = 'taint-propagation';
+    category = 'security';
+    run(ctx) {
+        const { graph } = ctx;
+        const { calls, types } = graph.ir;
+        const constProp = ctx.getResult('constant-propagation');
+        const sinkFilter = ctx.getResult('sink-filter');
+        const { sources, sinks, sanitizers } = sinkFilter;
+        if (sources.length === 0 || sinks.length === 0) {
+            return { flows: [] };
+        }
+        // DFG-based taint propagation
+        const propagationResult = propagateTaint(graph, sources, sinks, sanitizers);
+        // Filter flows: eliminate dead-code paths and constant-propagation FPs
+        const verifiedFlows = propagationResult.flows.filter(flow => {
+            if (constProp.unreachableLines.has(flow.sink.line))
+                return false;
+            for (const step of flow.path) {
+                const fpCheck = isFalsePositive(constProp, step.line, step.variable);
+                if (fpCheck.isFalsePositive)
+                    return false;
+            }
+            if (isCorrelatedPredicateFP(constProp, flow))
+                return false;
+            return true;
+        });
+        // Convert to TaintFlowInfo format
+        const flows = verifiedFlows.map(flow => ({
+            source_line: flow.source.line,
+            sink_line: flow.sink.line,
+            source_type: flow.source.type,
+            sink_type: flow.sink.type,
+            path: flow.path.map(step => ({
+                variable: step.variable,
+                line: step.line,
+                type: step.type,
+            })),
+            confidence: flow.confidence,
+            sanitized: flow.sanitized,
+        }));
+        // Supplement: array element flows
+        const arrayFlows = detectArrayElementFlows(calls, sources, sinks, constProp.taintedArrayElements, constProp.unreachableLines) ?? [];
+        for (const f of arrayFlows) {
+            if (!flows.some(x => x.source_line === f.source_line && x.sink_line === f.sink_line)) {
+                flows.push(f);
+            }
+        }
+        // Supplement: collection/iterator flows — with FP filtering
+        const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines) ?? [];
+        for (const f of collectionFlows) {
+            if (flows.some(x => x.source_line === f.source_line && x.sink_line === f.sink_line))
+                continue;
+            const flowForCheck = {
+                source: { line: f.source_line, type: f.source_type },
+                sink: { line: f.sink_line, type: f.sink_type },
+                path: f.path.map(p => ({ variable: p.variable, line: p.line })),
+            };
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            if (isCorrelatedPredicateFP(constProp, flowForCheck))
+                continue;
+            let isFP = false;
+            for (const step of f.path) {
+                if (isFalsePositive(constProp, step.line, step.variable).isFalsePositive) {
+                    isFP = true;
+                    break;
+                }
+            }
+            if (isFP)
+                continue;
+            flows.push(f);
+        }
+        // Supplement: direct parameter-to-sink flows
+        const paramFlows = detectParameterSinkFlows(types, calls, sources, sinks, constProp.unreachableLines) ?? [];
+        for (const f of paramFlows) {
+            if (!flows.some(x => x.source_line === f.source_line && x.sink_line === f.sink_line)) {
+                flows.push(f);
+            }
+        }
+        return { flows };
+    }
+}
+// ---------------------------------------------------------------------------
+// Helpers (moved verbatim from analyzer.ts)
+// ---------------------------------------------------------------------------
+function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines) {
+    const flows = [];
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    for (const sink of sinks) {
+        if (unreachableLines.has(sink.line))
+            continue;
+        const callsAtSink = callsByLine.get(sink.line) ?? [];
+        for (const call of callsAtSink) {
+            for (const arg of call.arguments) {
+                if (arg.variable) {
+                    const varName = arg.variable;
+                    const scopedName = call.in_method ? `${call.in_method}:${varName}` : varName;
+                    if (taintedVars.has(varName) || taintedVars.has(scopedName)) {
+                        const source = sources[0];
+                        if (source) {
+                            flows.push({
+                                source_line: source.line, sink_line: sink.line,
+                                source_type: source.type, sink_type: sink.type,
+                                path: [
+                                    { variable: varName, line: source.line, type: 'source' },
+                                    { variable: varName, line: sink.line, type: 'sink' },
+                                ],
+                                confidence: 0.8, sanitized: false,
+                            });
+                        }
+                    }
+                }
+                if (arg.expression) {
+                    const expr = arg.expression;
+                    const collectionMethods = ['getLast', 'getFirst', 'get', 'next', 'poll', 'peek', 'toArray'];
+                    for (const method of collectionMethods) {
+                        const match = expr.match(new RegExp(`(\\w+)\\.${method}\\(`));
+                        if (match) {
+                            const collectionVar = match[1];
+                            const scopedCollection = call.in_method ? `${call.in_method}:${collectionVar}` : collectionVar;
+                            if (taintedVars.has(collectionVar) || taintedVars.has(scopedCollection)) {
+                                const source = sources[0];
+                                if (source) {
+                                    flows.push({
+                                        source_line: source.line, sink_line: sink.line,
+                                        source_type: source.type, sink_type: sink.type,
+                                        path: [
+                                            { variable: collectionVar, line: source.line, type: 'source' },
+                                            { variable: collectionVar, line: sink.line, type: 'sink' },
+                                        ],
+                                        confidence: 0.75, sanitized: false,
+                                    });
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    return flows;
+}
+function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, unreachableLines) {
+    const flows = [];
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    for (const sink of sinks) {
+        if (unreachableLines.has(sink.line))
+            continue;
+        const callsAtSink = callsByLine.get(sink.line) ?? [];
+        for (const call of callsAtSink) {
+            for (const arg of call.arguments) {
+                const arrayAccessMatch = arg.expression?.match(/^(\w+)\[(\d+|[^[\]]+)\]$/);
+                if (arrayAccessMatch) {
+                    const arrayName = arrayAccessMatch[1];
+                    const indexStr = arrayAccessMatch[2];
+                    const taintedIndices = taintedArrayElements.get(arrayName);
+                    if (taintedIndices) {
+                        const isTainted = taintedIndices.has(indexStr) || taintedIndices.has('*');
+                        if (isTainted) {
+                            const source = sources[0];
+                            if (source) {
+                                flows.push({
+                                    source_line: source.line, sink_line: sink.line,
+                                    source_type: source.type, sink_type: sink.type,
+                                    path: [
+                                        { variable: arrayName, line: source.line, type: 'source' },
+                                        { variable: `${arrayName}[${indexStr}]`, line: sink.line, type: 'sink' },
+                                    ],
+                                    confidence: 0.85, sanitized: false,
+                                });
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    return flows;
+}
+function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines) {
+    const flows = [];
+    const paramSourcesByMethod = new Map();
+    for (const source of sources) {
+        if (source.type === 'interprocedural_param') {
+            const match = source.location.match(/(\S+)\s+(\S+)\s+in\s+(\S+)/);
+            if (match) {
+                const paramName = match[2];
+                const methodName = match[3];
+                let methodParams = paramSourcesByMethod.get(methodName);
+                if (!methodParams) {
+                    methodParams = new Map();
+                    paramSourcesByMethod.set(methodName, methodParams);
+                }
+                methodParams.set(paramName, source);
+            }
+        }
+    }
+    if (paramSourcesByMethod.size === 0)
+        return flows;
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    for (const sink of sinks) {
+        if (unreachableLines.has(sink.line))
+            continue;
+        const callsAtSink = callsByLine.get(sink.line) ?? [];
+        for (const call of callsAtSink) {
+            const methodName = call.in_method;
+            if (!methodName)
+                continue;
+            const methodParamSources = paramSourcesByMethod.get(methodName);
+            if (!methodParamSources)
+                continue;
+            for (const arg of call.arguments) {
+                if (arg.variable) {
+                    const paramSource = methodParamSources.get(arg.variable);
+                    if (paramSource) {
+                        const exists = flows.some(f => f.source_line === paramSource.line && f.sink_line === sink.line);
+                        if (!exists) {
+                            flows.push({
+                                source_line: paramSource.line, sink_line: sink.line,
+                                source_type: paramSource.type, sink_type: sink.type,
+                                path: [
+                                    { variable: arg.variable, line: paramSource.line, type: 'source' },
+                                    { variable: arg.variable, line: sink.line, type: 'sink' },
+                                ],
+                                confidence: 0.75, sanitized: false,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+    }
+    // types parameter is accepted for API compatibility; not used in current implementation
+    void types;
+    return flows;
+}
+//# sourceMappingURL=taint-propagation-pass.js.map

package/dist/analysis/passes/taint-propagation-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-propagation-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/taint-propagation-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AAMtF,MAAM,OAAO,oBAAoB;IACtB,IAAI,GAAG,mBAAmB,CAAC;IAC3B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QACtB,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAElC,MAAM,SAAS,GAAK,GAAG,CAAC,SAAS,CAA2B,sBAAsB,CAAC,CAAC;QACpF,MAAM,UAAU,GAAI,GAAG,CAAC,SAAS,CAAmB,aAAa,CAAC,CAAC;QACnE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC;QAElD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACvB,CAAC;QAED,8BAA8B;QAC9B,MAAM,iBAAiB,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;QAE5E,uEAAuE;QACvE,MAAM,aAAa,GAAG,iBAAiB,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;YAC1D,IAAI,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,KAAK,CAAC;YAEjE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC7B,MAAM,OAAO,GAAG,eAAe,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACrE,IAAI,OAAO,CAAC,eAAe;oBAAE,OAAO,KAAK,CAAC;YAC5C,CAAC;YAED,IAAI,uBAAuB,CAAC,SAAS,EAAE,IAAI,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE3D,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,kCAAkC;QAClC,MAAM,KAAK,GAAoB,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxD,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC7B,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YACzB,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC7B,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YACzB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,IAAI,CAAC,IAAI;aAChB,CAAC,CAAC;YACH,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC,CAAC;QAEJ,kCAAkC;QAClC,MAAM,UAAU,GAAG,uBAAuB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,oBAAoB,EAAE,SAAS,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;QACpI,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,MAAM,eAAe,GAAG,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;QAC1H,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;YAChC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,SAAS,CAAC;gBAAE,SAAS;YAE9F,MAAM,YAAY,GAAG;gBACnB,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;gBACpD,IAAI,EAAI,EAAE,IAAI,EAAE,CAAC,CAAC,SAAS,EAAI,IAAI,EAAE,CAAC,CAAC,SAAS,EAAI;gBACpD,IAAI,EAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;aAClE,CAAC;YACF,8DAA8D;YAC9D,IAAI,uBAAuB,CAAC,SAAS,EAAE,YAAmB,CAAC;gBAAE,SAAS;YAEtE,IAAI,IAAI,GAAG,KAAK,CAAC;YACjB,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC1B,IAAI,eAAe,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,eAAe,EAAE,CAAC;oBAAC,IAAI,GAAG,IAAI,CAAC;oBAAC,MAAM;gBAAC,CAAC;YACnG,CAAC;YACD,IAAI,IAAI;gBAAE,SAAS;YAEnB,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChB,CAAC;QAED,6CAA6C;QAC7C,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;QAC5G,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,CAAC;IACnB,CAAC;CACF;AAED,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E,SAAS,qBAAqB,CAC5B,KAAwB,EACxB,OAAqC,EACrC,KAAiC,EACjC,WAAwB,EACxB,gBAA6B;IAE7B,MAAM,KAAK,GAA+B,EAAE,CAAC;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAC9C,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC;oBAC7B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;oBAC7E,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;wBAC5D,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;wBAC1B,IAAI,MAAM,EAAE,CAAC;4BACX,KAAK,CAAC,IAAI,CAAC;gCACT,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;gCAC9C,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;gCAC9C,IAAI,EAAE;oCACJ,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE;oCACjE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAI,IAAI,EAAE,MAAiB,EAAE;iCAClE;gCACD,UAAU,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK;6BAClC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;oBACnB,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC;oBAC5B,MAAM,iBAAiB,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;oBAC5F,KAAK,MAAM,MAAM,IAAI,iBAAiB,EAAE,CAAC;wBACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,YAAY,MAAM,KAAK,CAAC,CAAC,CAAC;wBAC9D,IAAI,KAAK,EAAE,CAAC;4BACV,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC/B,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,aAAa,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;4BAC/F,IAAI,WAAW,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;gCACxE,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;gCAC1B,IAAI,MAAM,EAAE,CAAC;oCACX,KAAK,CAAC,IAAI,CAAC;wCACT,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;wCAC9C,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;wCAC9C,IAAI,EAAE;4CACJ,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE;4CACvE,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAI,IAAI,EAAE,MAAiB,EAAE;yCACxE;wCACD,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK;qCACnC,CAAC,CAAC;gCACL,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAC9B,KAAwB,EACxB,OAAqC,EACrC,KAAiC,EACjC,oBAA8C,EAC9C,gBAA6B;IAE7B,MAAM,KAAK,GAA+B,EAAE,CAAC;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAC9C,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,MAAM,gBAAgB,GAAG,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC3E,IAAI,gBAAgB,EAAE,CAAC;oBACrB,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACtC,MAAM,QAAQ,GAAI,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACtC,MAAM,cAAc,GAAG,oBAAoB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBAC3D,IAAI,cAAc,EAAE,CAAC;wBACnB,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;wBAC1E,IAAI,SAAS,EAAE,CAAC;4BACd,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;4BAC1B,IAAI,MAAM,EAAE,CAAC;gCACX,KAAK,CAAC,IAAI,CAAC;oCACT,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;oCAC9C,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;oCAC9C,IAAI,EAAE;wCACJ,EAAE,QAAQ,EAAE,SAAS,EAAqB,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE;wCACtF,EAAE,QAAQ,EAAE,GAAG,SAAS,IAAI,QAAQ,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAI,IAAI,EAAE,MAAiB,EAAE;qCACtF;oCACD,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK;iCACnC,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,wBAAwB,CAC/B,KAAwB,EACxB,KAAwB,EACxB,OAAqC,EACrC,KAAiC,EACjC,gBAA6B;IAE7B,MAAM,KAAK,GAA+B,EAAE,CAAC;IAE7C,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAwD,CAAC;IAC7F,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAClE,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,SAAS,GAAI,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC5B,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC5B,IAAI,YAAY,GAAG,oBAAoB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBACxD,IAAI,CAAC,YAAY,EAAE,CAAC;oBAAC,YAAY,GAAG,IAAI,GAAG,EAAE,CAAC;oBAAC,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;gBAAC,CAAC;gBACpG,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,oBAAoB,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAElD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAC9C,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAErD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,IAAI,CAAC,UAAU;gBAAE,SAAS;YAC1B,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAChE,IAAI,CAAC,kBAAkB;gBAAE,SAAS;YAElC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBACzD,IAAI,WAAW,EAAE,CAAC;wBAChB,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,IAAI,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC,IAAI,CAAC,CAAC;wBAChG,IAAI,CAAC,MAAM,EAAE,CAAC;4BACZ,KAAK,CAAC,IAAI,CAAC;gCACT,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;gCACnD,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI;gCACnD,IAAI,EAAE;oCACJ,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE;oCAC3E,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAS,IAAI,EAAE,MAAiB,EAAE;iCAC5E;gCACD,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK;6BACnC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,wFAAwF;IACxF,KAAK,KAAK,CAAC;IACX,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/analysis/passes/todo-in-prod-pass.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Pass #36: todo-in-prod (category: maintainability)
+ *
+ * Flags TODO, FIXME, HACK, and XXX comments in production code. These markers
+ * signal deferred work or known defects that were never resolved. In production
+ * code they represent acknowledged technical debt.
+ *
+ * Test files are excluded entirely: TODO comments in test helpers or test
+ * setup code are expected and noise-free.
+ *
+ * Detection: line-by-line regex scan on the raw source text. A marker must
+ * appear in a comment context (after `//`, `#`, `--`, or inside `/* ... *\/`).
+ * Markers inside string literals are not flagged.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface TodoInProdPassResult {
+    /** Lines containing TODO/FIXME/HACK/XXX markers in production code. */
+    markerLines: Array<{
+        line: number;
+        marker: string;
+        text: string;
+    }>;
+}
+export declare class TodoInProdPass implements AnalysisPass<TodoInProdPassResult> {
+    readonly name = "todo-in-prod";
+    readonly category: "maintainability";
+    run(ctx: PassContext): TodoInProdPassResult;
+}

package/dist/analysis/passes/todo-in-prod-pass.js

@@ -0,0 +1,71 @@
+/**
+ * Pass #36: todo-in-prod (category: maintainability)
+ *
+ * Flags TODO, FIXME, HACK, and XXX comments in production code. These markers
+ * signal deferred work or known defects that were never resolved. In production
+ * code they represent acknowledged technical debt.
+ *
+ * Test files are excluded entirely: TODO comments in test helpers or test
+ * setup code are expected and noise-free.
+ *
+ * Detection: line-by-line regex scan on the raw source text. A marker must
+ * appear in a comment context (after `//`, `#`, `--`, or inside `/* ... *\/`).
+ * Markers inside string literals are not flagged.
+ */
+/** Files matching these path patterns are treated as test/spec files. */
+const TEST_PATH_RE = /[/._](test|tests|spec|specs|__tests?__|__mocks?__)[/._]/i;
+/**
+ * Matches comment markers on a line.
+ *
+ * Groups:
+ *   1 — comment prefix (`//`, `#`, `--`, `*`)
+ *   2 — marker keyword (TODO, FIXME, HACK, XXX)
+ */
+const MARKER_RE = /(?:\/\/|#|--|^\s*\*)\s*(TODO|FIXME|HACK|XXX)\b/i;
+/**
+ * Severity mapping by marker keyword.
+ * - FIXME / HACK → medium (known defect / deliberate workaround)
+ * - TODO / XXX  → low (deferred work / note)
+ */
+function markerSeverity(marker) {
+    const upper = marker.toUpperCase();
+    return upper === 'FIXME' || upper === 'HACK' ? 'medium' : 'low';
+}
+export class TodoInProdPass {
+    name = 'todo-in-prod';
+    category = 'maintainability';
+    run(ctx) {
+        const { graph, code } = ctx;
+        const file = graph.ir.meta.file;
+        // Exclude test/spec files.
+        if (TEST_PATH_RE.test(file)) {
+            return { markerLines: [] };
+        }
+        const lines = code.split('\n');
+        const markerLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const lineText = lines[i];
+            const match = MARKER_RE.exec(lineText);
+            if (!match)
+                continue;
+            const marker = match[1].toUpperCase();
+            const lineNum = i + 1; // 1-indexed
+            markerLines.push({ line: lineNum, marker, text: lineText.trim() });
+            ctx.addFinding({
+                id: `todo-in-prod-${file}-${lineNum}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                severity: markerSeverity(marker),
+                level: 'note',
+                message: `${marker} in production code at line ${lineNum}: ${lineText.trim()}`,
+                file,
+                line: lineNum,
+                snippet: lineText.trim(),
+                evidence: { marker },
+            });
+        }
+        return { markerLines };
+    }
+}
+//# sourceMappingURL=todo-in-prod-pass.js.map

package/dist/analysis/passes/todo-in-prod-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"todo-in-prod-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/todo-in-prod-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,yEAAyE;AACzE,MAAM,YAAY,GAAG,0DAA0D,CAAC;AAEhF;;;;;;GAMG;AACH,MAAM,SAAS,GAAG,iDAAiD,CAAC;AAEpE;;;;GAIG;AACH,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,OAAO,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;AAClE,CAAC;AAOD,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,iBAA0B,CAAC;IAE/C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,2BAA2B;QAC3B,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,WAAW,GAA0D,EAAE,CAAC;QAE9E,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY;YAEnC,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAEnE,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,gBAAgB,IAAI,IAAI,OAAO,EAAE;gBACrC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,QAAQ,EAAE,cAAc,CAAC,MAAM,CAAC;gBAChC,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,GAAG,MAAM,+BAA+B,OAAO,KAAK,QAAQ,CAAC,IAAI,EAAE,EAAE;gBAC9E,IAAI;gBACJ,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;gBACxB,QAAQ,EAAE,EAAE,MAAM,EAAE;aACrB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}

package/dist/analysis/passes/unbounded-collection-pass.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Pass #31: unbounded-collection (CWE-770, category: performance)
+ *
+ * Detects collections that grow unboundedly inside a loop with no
+ * corresponding size limit check or clear/remove operation.
+ *
+ * Detection strategy:
+ *   1. For each loop body (via `graph.loopBodies()`), find all calls in the
+ *      range whose method_name is a known "grow" operation.
+ *   2. For each grow call, extract the receiver as the collection variable.
+ *   3. Check if the loop body also contains any shrink operation (`clear`,
+ *      `remove`, `delete`, `shift`, `pop`, `removeFirst`, `poll`) on the
+ *      same receiver, OR a size-limit guard in the source text
+ *      (`size() <`, `length <`, `size() <=`, etc.).
+ *   4. If grow-only with no limit found: emit a finding.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python, Rust. Bash — skipped.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface UnboundedCollectionResult {
+    unboundedCollections: Array<{
+        receiver: string;
+        line: number;
+        loopStart: number;
+        loopEnd: number;
+    }>;
+}
+export declare class UnboundedCollectionPass implements AnalysisPass<UnboundedCollectionResult> {
+    readonly name = "unbounded-collection";
+    readonly category: "performance";
+    run(ctx: PassContext): UnboundedCollectionResult;
+}

package/dist/analysis/passes/unbounded-collection-pass.js

@@ -0,0 +1,128 @@
+/**
+ * Pass #31: unbounded-collection (CWE-770, category: performance)
+ *
+ * Detects collections that grow unboundedly inside a loop with no
+ * corresponding size limit check or clear/remove operation.
+ *
+ * Detection strategy:
+ *   1. For each loop body (via `graph.loopBodies()`), find all calls in the
+ *      range whose method_name is a known "grow" operation.
+ *   2. For each grow call, extract the receiver as the collection variable.
+ *   3. Check if the loop body also contains any shrink operation (`clear`,
+ *      `remove`, `delete`, `shift`, `pop`, `removeFirst`, `poll`) on the
+ *      same receiver, OR a size-limit guard in the source text
+ *      (`size() <`, `length <`, `size() <=`, etc.).
+ *   4. If grow-only with no limit found: emit a finding.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python, Rust. Bash — skipped.
+ */
+/** Method names that grow a collection, keyed by language group. */
+const GROW_METHODS = {
+    java: new Set(['add', 'put', 'offer', 'push', 'addAll', 'addFirst', 'addLast', 'enqueue', 'insert']),
+    javascript: new Set(['push', 'set', 'add', 'unshift', 'append', 'prepend']),
+    typescript: new Set(['push', 'set', 'add', 'unshift', 'append', 'prepend']),
+    python: new Set(['append', 'extend', 'update', 'add', 'insert']),
+    rust: new Set(['push', 'insert', 'push_back', 'push_front']),
+};
+/** Method names that shrink a collection. Language-agnostic. */
+const SHRINK_METHODS = new Set([
+    'clear', 'remove', 'delete', 'shift', 'pop', 'removeFirst', 'removeLast',
+    'poll', 'pollFirst', 'pollLast', 'dequeue', 'discard', 'drain',
+]);
+/** Regex: size limit guard pattern in source text. */
+const SIZE_LIMIT_RE = /\b(?:size|length|count|len)\s*\(\)?\s*[<>]=?\s*\d|\b(?:MAX|LIMIT|CAPACITY|MAX_SIZE)\b/i;
+export class UnboundedCollectionPass {
+    name = 'unbounded-collection';
+    category = 'performance';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language === 'bash') {
+            return { unboundedCollections: [] };
+        }
+        const growMethods = GROW_METHODS[language] ?? GROW_METHODS['javascript'];
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const loops = graph.loopBodies();
+        if (loops.length === 0)
+            return { unboundedCollections: [] };
+        const unboundedCollections = [];
+        const reported = new Set();
+        for (const loop of loops) {
+            const { start_line, end_line } = loop;
+            // Collect source text for the loop body (for heuristic checks)
+            const loopSource = codeLines.slice(start_line - 1, end_line).join('\n');
+            // Find grow calls in the loop body
+            const growCalls = [];
+            for (const call of graph.ir.calls) {
+                const ln = call.location.line;
+                if (ln < start_line || ln > end_line)
+                    continue;
+                if (!growMethods.has(call.method_name))
+                    continue;
+                if (!call.receiver)
+                    continue;
+                // Skip 'this' receiver — can't reliably bound
+                if (call.receiver === 'this' || call.receiver === 'self')
+                    continue;
+                growCalls.push({ receiver: call.receiver, line: ln });
+            }
+            if (growCalls.length === 0)
+                continue;
+            // Group by receiver
+            const receiverLines = new Map();
+            for (const { receiver, line } of growCalls) {
+                if (!receiverLines.has(receiver)) {
+                    receiverLines.set(receiver, line);
+                }
+            }
+            for (const [receiver, firstGrowLine] of receiverLines.entries()) {
+                // Check for shrink operations on the same receiver in the loop body
+                let hasShrink = false;
+                for (const call of graph.ir.calls) {
+                    const ln = call.location.line;
+                    if (ln < start_line || ln > end_line)
+                        continue;
+                    if (call.receiver !== receiver)
+                        continue;
+                    if (SHRINK_METHODS.has(call.method_name)) {
+                        hasShrink = true;
+                        break;
+                    }
+                }
+                if (hasShrink)
+                    continue;
+                // Check for size-limit guard in loop source
+                if (SIZE_LIMIT_RE.test(loopSource))
+                    continue;
+                const key = `${receiver}-${start_line}`;
+                if (reported.has(key))
+                    continue;
+                reported.add(key);
+                unboundedCollections.push({
+                    receiver,
+                    line: firstGrowLine,
+                    loopStart: start_line,
+                    loopEnd: end_line,
+                });
+                ctx.addFinding({
+                    id: `unbounded-collection-${file}-${firstGrowLine}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-770',
+                    severity: 'medium',
+                    level: 'warning',
+                    message: `Unbounded collection: \`${receiver}\` grows inside a loop (lines ${start_line}–${end_line}) ` +
+                        `with no size limit or clear`,
+                    file,
+                    line: firstGrowLine,
+                    fix: `Add a size limit check (e.g., \`if (${receiver}.size() >= MAX) break;\`) ` +
+                        `or periodically clear/drain \`${receiver}\`.`,
+                    evidence: { receiver, loop_start: start_line, loop_end: end_line },
+                });
+            }
+        }
+        return { unboundedCollections };
+    }
+}
+//# sourceMappingURL=unbounded-collection-pass.js.map

package/dist/analysis/passes/unbounded-collection-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unbounded-collection-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/unbounded-collection-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,oEAAoE;AACpE,MAAM,YAAY,GAAgC;IAChD,IAAI,EAAQ,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC1G,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC3E,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC3E,MAAM,EAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;IACpE,IAAI,EAAQ,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;CACnE,CAAC;AAEF,gEAAgE;AAChE,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,YAAY;IACxE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO;CAC/D,CAAC,CAAC;AAEH,sDAAsD;AACtD,MAAM,aAAa,GACjB,wFAAwF,CAAC;AAM3F,MAAM,OAAO,uBAAuB;IACzB,IAAI,GAAG,sBAAsB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,EAAE,oBAAoB,EAAE,EAAE,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,WAAW,GAAG,YAAY,CAAC,QAAQ,CAAC,IAAI,YAAY,CAAC,YAAY,CAAC,CAAC;QAEzE,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QAEjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,oBAAoB,EAAE,EAAE,EAAE,CAAC;QAE5D,MAAM,oBAAoB,GAAsD,EAAE,CAAC;QACnF,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;YAEtC,+DAA+D;YAC/D,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAExE,mCAAmC;YACnC,MAAM,SAAS,GAA8C,EAAE,CAAC;YAChE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAC9B,IAAI,EAAE,GAAG,UAAU,IAAI,EAAE,GAAG,QAAQ;oBAAE,SAAS;gBAC/C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;oBAAE,SAAS;gBACjD,IAAI,CAAC,IAAI,CAAC,QAAQ;oBAAE,SAAS;gBAC7B,8CAA8C;gBAC9C,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM;oBAAE,SAAS;gBACnE,SAAS,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YACxD,CAAC;YAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAErC,oBAAoB;YACpB,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;YAChD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,CAAC;gBAC3C,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACjC,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;YAED,KAAK,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;gBAChE,oEAAoE;gBACpE,IAAI,SAAS,GAAG,KAAK,CAAC;gBACtB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;oBAClC,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAC9B,IAAI,EAAE,GAAG,UAAU,IAAI,EAAE,GAAG,QAAQ;wBAAE,SAAS;oBAC/C,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ;wBAAE,SAAS;oBACzC,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBACzC,SAAS,GAAG,IAAI,CAAC;wBACjB,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,SAAS;oBAAE,SAAS;gBAExB,4CAA4C;gBAC5C,IAAI,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAE7C,MAAM,GAAG,GAAG,GAAG,QAAQ,IAAI,UAAU,EAAE,CAAC;gBACxC,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAElB,oBAAoB,CAAC,IAAI,CAAC;oBACxB,QAAQ;oBACR,IAAI,EAAE,aAAa;oBACnB,SAAS,EAAE,UAAU;oBACrB,OAAO,EAAE,QAAQ;iBAClB,CAAC,CAAC;gBAEH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,aAAa,EAAE;oBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,SAAS;oBAChB,OAAO,EACL,2BAA2B,QAAQ,iCAAiC,UAAU,IAAI,QAAQ,IAAI;wBAC9F,6BAA6B;oBAC/B,IAAI;oBACJ,IAAI,EAAE,aAAa;oBACnB,GAAG,EACD,uCAAuC,QAAQ,4BAA4B;wBAC3E,iCAAiC,QAAQ,KAAK;oBAChD,QAAQ,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBACnE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,CAAC;IAClC,CAAC;CACF"}

package/dist/analysis/passes/unchecked-return-pass.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Pass #28: unchecked-return (CWE-252, category: reliability)
+ *
+ * Detects calls to methods that signal success/failure via their return value
+ * when that return value is silently discarded. Missing the check means silent
+ * failure propagation that can corrupt application state.
+ *
+ * Detection strategy:
+ *   Two-tier curated list:
+ *   HIGH: Always flag — the method's name is unambiguous (e.g. File.delete,
+ *         Matcher.find, Lock.tryLock) and discarding is almost always a bug.
+ *   MEDIUM: Flag only when the receiver name suggests a File object —
+ *           guards against common false positives on generic names.
+ *
+ *   For each candidate call:
+ *     1. If there is a DFG def at the call's line, the result was captured.
+ *     2. If the source line matches a conditional/assertion pattern, the
+ *        return value is already being used.
+ *     If neither applies → emit finding.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface UncheckedReturnResult {
+    /** Calls where the return value is silently discarded. */
+    uncheckedCalls: Array<{
+        line: number;
+        method: string;
+        receiver: string | null;
+    }>;
+}
+export declare class UncheckedReturnPass implements AnalysisPass<UncheckedReturnResult> {
+    readonly name = "unchecked-return";
+    readonly category: "reliability";
+    run(ctx: PassContext): UncheckedReturnResult;
+}