circle-ir 3.8.4 → 3.9.8

package/dist/analysis/passes/constant-propagation-pass.js

@@ -0,0 +1,44 @@
+/**
+ * ConstantPropagationPass
+ *
+ * Runs constant propagation + dead-code detection over the AST.
+ *
+ * Depends on: taint-matcher (to extract inter-procedural tainted parameters
+ * before propagation, so method-parameter taint is seeded correctly).
+ *
+ * Receives the parsed Tree via constructor because it needs the raw AST for
+ * node-level analysis — the CodeGraph contains only extracted IR.
+ */
+import { analyzeConstantPropagation } from '../constant-propagation.js';
+export class ConstantPropagationPass {
+    tree;
+    name = 'constant-propagation';
+    category = 'security';
+    constructor(tree) {
+        this.tree = tree;
+    }
+    run(ctx) {
+        const { code } = ctx;
+        const taintMatcher = ctx.getResult('taint-matcher');
+        // Extract inter-procedural parameter sources from the preliminary taint results.
+        // These seeds ensure that method parameters receiving tainted data are tracked.
+        const taintedParameters = [];
+        for (const source of taintMatcher.sources) {
+            if (source.type === 'interprocedural_param') {
+                // Location format: "ParamType paramName in methodName"
+                const match = source.location.match(/(\S+)\s+(\S+)\s+in\s+(\S+)/);
+                if (match) {
+                    taintedParameters.push({
+                        methodName: match[3],
+                        paramName: match[2],
+                    });
+                }
+            }
+        }
+        return analyzeConstantPropagation(this.tree, code, {
+            sanitizerMethods: taintMatcher.sanitizerMethods,
+            taintedParameters,
+        });
+    }
+}
+//# sourceMappingURL=constant-propagation-pass.js.map

package/dist/analysis/passes/constant-propagation-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constant-propagation-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/constant-propagation-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,EAAE,0BAA0B,EAAiC,MAAM,4BAA4B,CAAC;AAKvG,MAAM,OAAO,uBAAuB;IAIL;IAHpB,IAAI,GAAG,sBAAsB,CAAC;IAC9B,QAAQ,GAAG,UAAmB,CAAC;IAExC,YAA6B,IAAU;QAAV,SAAI,GAAJ,IAAI,CAAM;IAAG,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACrB,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAqB,eAAe,CAAC,CAAC;QAExE,iFAAiF;QACjF,gFAAgF;QAChF,MAAM,iBAAiB,GAAqD,EAAE,CAAC;QAC/E,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;YAC1C,IAAI,MAAM,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBAC5C,uDAAuD;gBACvD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;gBAClE,IAAI,KAAK,EAAE,CAAC;oBACV,iBAAiB,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;wBACpB,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;qBACpB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,0BAA0B,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE;YACjD,gBAAgB,EAAE,YAAY,CAAC,gBAAgB;YAC/C,iBAAiB;SAClB,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/analysis/passes/cross-file-pass.d.ts

@@ -0,0 +1,27 @@
+/**
+ * CrossFilePass
+ *
+ * Project-level pass that uses the CrossFileResolver to surface taint flows
+ * that cross file boundaries and to map resolved inter-file calls.
+ *
+ * Unlike the single-file AnalysisPass instances, CrossFilePass operates across
+ * the full set of files in a ProjectGraph and is invoked once after all
+ * per-file analyses are complete.
+ *
+ * Depends on: ProjectGraph (with all files registered)
+ */
+import type { CrossFileCall, TaintPath, TypeHierarchy } from '../../types/index.js';
+import type { ProjectGraph } from '../../graph/project-graph.js';
+export interface CrossFilePassResult {
+    /** Inter-file method calls (source file → target file). */
+    crossFileCalls: CrossFileCall[];
+    /** Taint paths that cross file boundaries. */
+    taintPaths: TaintPath[];
+    /** Type hierarchy across all files. */
+    typeHierarchy: TypeHierarchy;
+}
+export declare class CrossFilePass {
+    run(projectGraph: ProjectGraph, 
+    /** Raw source lines per file (used to populate `code` fields in paths). */
+    sourceLines: Map<string, string[]>): CrossFilePassResult;
+}

package/dist/analysis/passes/cross-file-pass.js

@@ -0,0 +1,102 @@
+/**
+ * CrossFilePass
+ *
+ * Project-level pass that uses the CrossFileResolver to surface taint flows
+ * that cross file boundaries and to map resolved inter-file calls.
+ *
+ * Unlike the single-file AnalysisPass instances, CrossFilePass operates across
+ * the full set of files in a ProjectGraph and is invoked once after all
+ * per-file analyses are complete.
+ *
+ * Depends on: ProjectGraph (with all files registered)
+ */
+export class CrossFilePass {
+    run(projectGraph, 
+    /** Raw source lines per file (used to populate `code` fields in paths). */
+    sourceLines) {
+        const resolver = projectGraph.resolver;
+        // --- 1. Cross-file taint flows → TaintPath[] ----------------------------
+        const flows = resolver.findCrossFileTaintFlows();
+        const taintPaths = flows.flatMap((flow, idx) => {
+            const srcLines = sourceLines.get(flow.sourceFile) ?? [];
+            const tgtLines = sourceLines.get(flow.targetFile) ?? [];
+            // Look up matched sink from the target file's IR to get type + cwe.
+            // Skip flows where no known sink exists at the target line — we never
+            // default to 'sql_injection' because that produces massive false positives
+            // for any TypeScript project that uses string manipulation helpers.
+            const targetIR = projectGraph.getIR(flow.targetFile);
+            if (!targetIR || targetIR.taint.sinks.length === 0)
+                return [];
+            const matchedSink = targetIR.taint.sinks.find(s => s.line === flow.targetLine);
+            if (!matchedSink)
+                return [];
+            return [{
+                    id: `cf-${idx}`,
+                    source: {
+                        file: flow.sourceFile,
+                        line: flow.sourceLine,
+                        type: flow.sourceType,
+                        code: srcLines[flow.sourceLine - 1] ?? '',
+                    },
+                    sink: {
+                        file: flow.targetFile,
+                        line: flow.targetLine,
+                        type: matchedSink.type,
+                        cwe: matchedSink.cwe,
+                        code: tgtLines[flow.targetLine - 1] ?? '',
+                    },
+                    hops: [
+                        {
+                            file: flow.sourceFile,
+                            method: '',
+                            line: flow.sourceLine,
+                            code: srcLines[flow.sourceLine - 1] ?? '',
+                            variable: '',
+                        },
+                        {
+                            file: flow.targetFile,
+                            method: flow.targetMethod,
+                            line: flow.targetLine,
+                            code: tgtLines[flow.targetLine - 1] ?? '',
+                            variable: '',
+                        },
+                    ],
+                    sanitizers_in_path: [],
+                    path_exists: true,
+                    confidence: 0.7,
+                }];
+        });
+        // --- 2. Resolved inter-file calls → CrossFileCall[] --------------------
+        const crossFileCalls = [];
+        for (const filePath of projectGraph.filePaths) {
+            const resolved = resolver.getResolvedCallsFromFile(filePath);
+            for (const rc of resolved) {
+                if (rc.sourceFile === rc.targetFile)
+                    continue; // same-file, skip
+                crossFileCalls.push({
+                    id: `${rc.sourceFile}:${rc.call.location.line}:${rc.targetMethod}`,
+                    from: {
+                        file: rc.sourceFile,
+                        method: rc.call.in_method ?? '',
+                        line: rc.call.location.line,
+                    },
+                    to: {
+                        file: rc.targetFile,
+                        method: rc.targetMethod,
+                        line: 0, // target line resolved via symbol table if needed
+                    },
+                    args_mapping: (rc.call.arguments ?? []).map((_, i) => ({
+                        caller_arg: i,
+                        callee_param: i,
+                        taint_propagates: false,
+                    })),
+                    resolved: rc.resolution === 'exact',
+                });
+            }
+        }
+        // --- 3. Type hierarchy --------------------------------------------------
+        const typeHierarchy = projectGraph.typeHierarchy.toTypeHierarchyData();
+        return { crossFileCalls, taintPaths, typeHierarchy };
+    }
+}
+//# sourceMappingURL=cross-file-pass.js.map

package/dist/analysis/passes/cross-file-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cross-file-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/cross-file-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAoBH,MAAM,OAAO,aAAa;IACxB,GAAG,CACD,YAA0B;IAC1B,2EAA2E;IAC3E,WAAkC;QAElC,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;QAEvC,2EAA2E;QAC3E,MAAM,KAAK,GAAG,QAAQ,CAAC,uBAAuB,EAAE,CAAC;QACjD,MAAM,UAAU,GAAgB,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC1D,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;YACxD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;YAExD,oEAAoE;YACpE,sEAAsE;YACtE,2EAA2E;YAC3E,oEAAoE;YACpE,MAAM,QAAQ,GAAI,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACtD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAC;YAE9D,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;YAC/E,IAAI,CAAC,WAAW;gBAAE,OAAO,EAAE,CAAC;YAE5B,OAAO,CAAC;oBACN,EAAE,EAAE,MAAM,GAAG,EAAE;oBACf,MAAM,EAAE;wBACN,IAAI,EAAE,IAAI,CAAC,UAAU;wBACrB,IAAI,EAAE,IAAI,CAAC,UAAU;wBACrB,IAAI,EAAE,IAAI,CAAC,UAAwB;wBACnC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE;qBAC1C;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,IAAI,CAAC,UAAU;wBACrB,IAAI,EAAE,IAAI,CAAC,UAAU;wBACrB,IAAI,EAAE,WAAW,CAAC,IAAgB;wBAClC,GAAG,EAAG,WAAW,CAAC,GAAG;wBACrB,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE;qBAC1C;oBACD,IAAI,EAAE;wBACJ;4BACE,IAAI,EAAM,IAAI,CAAC,UAAU;4BACzB,MAAM,EAAI,EAAE;4BACZ,IAAI,EAAM,IAAI,CAAC,UAAU;4BACzB,IAAI,EAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE;4BAC7C,QAAQ,EAAE,EAAE;yBACb;wBACD;4BACE,IAAI,EAAM,IAAI,CAAC,UAAU;4BACzB,MAAM,EAAI,IAAI,CAAC,YAAY;4BAC3B,IAAI,EAAM,IAAI,CAAC,UAAU;4BACzB,IAAI,EAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE;4BAC7C,QAAQ,EAAE,EAAE;yBACb;qBACF;oBACD,kBAAkB,EAAE,EAAE;oBACtB,WAAW,EAAE,IAAI;oBACjB,UAAU,EAAE,GAAG;iBAChB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,0EAA0E;QAC1E,MAAM,cAAc,GAAoB,EAAE,CAAC;QAC3C,KAAK,MAAM,QAAQ,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;YAC9C,MAAM,QAAQ,GAAG,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAC;YAC7D,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;gBAC1B,IAAI,EAAE,CAAC,UAAU,KAAK,EAAE,CAAC,UAAU;oBAAE,SAAS,CAAC,kBAAkB;gBACjE,cAAc,CAAC,IAAI,CAAC;oBAClB,EAAE,EAAE,GAAG,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,YAAY,EAAE;oBAClE,IAAI,EAAE;wBACJ,IAAI,EAAI,EAAE,CAAC,UAAU;wBACrB,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE;wBAC/B,IAAI,EAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI;qBAC9B;oBACD,EAAE,EAAE;wBACF,IAAI,EAAI,EAAE,CAAC,UAAU;wBACrB,MAAM,EAAE,EAAE,CAAC,YAAY;wBACvB,IAAI,EAAI,CAAC,EAAG,kDAAkD;qBAC/D;oBACD,YAAY,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;wBACrD,UAAU,EAAQ,CAAC;wBACnB,YAAY,EAAM,CAAC;wBACnB,gBAAgB,EAAE,KAAK;qBACxB,CAAC,CAAC;oBACH,QAAQ,EAAE,EAAE,CAAC,UAAU,KAAK,OAAO;iBACpC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,MAAM,aAAa,GAAkB,YAAY,CAAC,aAAa,CAAC,mBAAmB,EAAE,CAAC;QAEtF,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}

package/dist/analysis/passes/dead-code-pass.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Pass #22: dead-code (CWE-561, category: reliability)
+ *
+ * Detects CFG blocks that are structurally unreachable from the entry block
+ * (i.e., no path of control-flow edges leads to them). This is pure CFG
+ * reachability — independent of constant-propagation or taint analysis.
+ *
+ * Examples: code after an unconditional `return`/`throw`, branches of
+ * `if (false)` where the condition is a literal (compiler-level dead code).
+ *
+ * Note: semantic dead code eliminated by constant propagation (e.g.,
+ * `if (DEBUG_MODE) { ... }` where DEBUG_MODE is a compile-time constant)
+ * is handled by ConstantPropagationPass, not this pass.
+ */
+import type { CFGBlock } from '../../types/index.js';
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface DeadCodePassResult {
+    /** CFG blocks with no incoming reachable path from the entry block. */
+    deadBlocks: CFGBlock[];
+}
+export declare class DeadCodePass implements AnalysisPass<DeadCodePassResult> {
+    readonly name = "dead-code";
+    readonly category: "reliability";
+    run(ctx: PassContext): DeadCodePassResult;
+}

package/dist/analysis/passes/dead-code-pass.js

@@ -0,0 +1,117 @@
+/**
+ * Pass #22: dead-code (CWE-561, category: reliability)
+ *
+ * Detects CFG blocks that are structurally unreachable from the entry block
+ * (i.e., no path of control-flow edges leads to them). This is pure CFG
+ * reachability — independent of constant-propagation or taint analysis.
+ *
+ * Examples: code after an unconditional `return`/`throw`, branches of
+ * `if (false)` where the condition is a literal (compiler-level dead code).
+ *
+ * Note: semantic dead code eliminated by constant propagation (e.g.,
+ * `if (DEBUG_MODE) { ... }` where DEBUG_MODE is a compile-time constant)
+ * is handled by ConstantPropagationPass, not this pass.
+ */
+export class DeadCodePass {
+    name = 'dead-code';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code } = ctx;
+        const { blocks, edges } = graph.ir.cfg;
+        const file = graph.ir.meta.file;
+        const language = graph.ir.meta.language ?? '';
+        if (blocks.length === 0)
+            return { deadBlocks: [] };
+        // Build outgoing adjacency: block id → reachable block ids
+        const outgoing = new Map();
+        for (const edge of edges) {
+            let list = outgoing.get(edge.from);
+            if (!list) {
+                list = [];
+                outgoing.set(edge.from, list);
+            }
+            list.push(edge.to);
+        }
+        // Find ALL root blocks: blocks with no incoming edges AND at least one
+        // outgoing edge. Each function body, arrow function, and class method
+        // creates its own disconnected sub-graph in the CFG (intra-procedural
+        // CFGs don't model call edges). These sub-graph roots have no incoming
+        // edges but DO have outgoing edges into their body blocks.
+        //
+        // A completely isolated block (no incoming, no outgoing) is the canonical
+        // shape of dead code after an unconditional return/throw — it is NOT
+        // treated as a root so it gets correctly reported.
+        const hasIncoming = new Set(edges.map(e => e.to));
+        const hasOutgoing = new Set(edges.map(e => e.from));
+        const roots = blocks.filter(b => !hasIncoming.has(b.id) && hasOutgoing.has(b.id));
+        // Always have at least one root: prefer type='entry', then any root,
+        // then the lowest-id block.
+        if (roots.length === 0) {
+            const fallback = blocks.find(b => b.type === 'entry') ??
+                blocks.find(b => !hasIncoming.has(b.id)) ??
+                blocks.reduce((a, b) => (a.id < b.id ? a : b));
+            roots.push(fallback);
+        }
+        // BFS from ALL roots to mark reachable block ids.
+        const reachable = new Set(roots.map(r => r.id));
+        const queue = roots.map(r => r.id);
+        while (queue.length > 0) {
+            const id = queue.shift();
+            for (const next of outgoing.get(id) ?? []) {
+                if (!reachable.has(next)) {
+                    reachable.add(next);
+                    queue.push(next);
+                }
+            }
+        }
+        // Collect unreachable blocks that are worth reporting:
+        // - not the entry or exit sentinel blocks
+        // - have a positive start line (skip synthetic 0-line blocks)
+        const isJsTs = language === 'javascript' || language === 'typescript';
+        const codeLines = isJsTs ? code.split('\n') : [];
+        const deadBlocks = [];
+        for (const block of blocks) {
+            if (reachable.has(block.id))
+                continue;
+            if (block.type === 'entry' || block.type === 'exit')
+                continue;
+            if (block.start_line <= 0)
+                continue;
+            // In JS/TS, completely isolated blocks (no incoming AND no outgoing edges)
+            // are often arrow function expression bodies or simple function bodies — the
+            // intra-procedural CFG extractor gives them no edges. Suppress these to avoid
+            // false positives. Real dead code (post-return) always has a preceding block
+            // with an outgoing edge, so it is not affected by this check.
+            if (isJsTs && !hasIncoming.has(block.id) && !hasOutgoing.has(block.id)) {
+                const prevLine = codeLines[block.start_line - 2]?.trimEnd() ?? '';
+                const startLine = codeLines[block.start_line - 1]?.trimEnd() ?? '';
+                // Arrow function body: the line before OR the block's own first line
+                // contains '=>' (handles both multi-line and inline arrow functions).
+                // Regular function/method body: the preceding line ends with '{'.
+                if (prevLine.includes('=>') || prevLine.endsWith('{') ||
+                    startLine.includes('=>'))
+                    continue;
+            }
+            deadBlocks.push(block);
+            const loc = block.start_line === block.end_line
+                ? `line ${block.start_line}`
+                : `lines ${block.start_line}–${block.end_line}`;
+            ctx.addFinding({
+                id: `dead-code-${file}-${block.start_line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-561',
+                severity: 'low',
+                level: 'warning',
+                message: `Dead code at ${loc}: block is unreachable from any entry point`,
+                file,
+                line: block.start_line,
+                end_line: block.end_line > block.start_line ? block.end_line : undefined,
+                fix: 'Remove the unreachable block or fix the control flow that precedes it',
+            });
+        }
+        return { deadBlocks };
+    }
+}
+//# sourceMappingURL=dead-code-pass.js.map

package/dist/analysis/passes/dead-code-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-code-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/dead-code-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAUH,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,WAAW,CAAC;IACnB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QAC5B,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC;QACvC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QAE9C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAEnD,2DAA2D;QAC3D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAoB,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAAC,IAAI,GAAG,EAAE,CAAC;gBAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAAC,CAAC;YACxD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC;QAED,uEAAuE;QACvE,sEAAsE;QACtE,sEAAsE;QACtE,uEAAuE;QACvE,2DAA2D;QAC3D,EAAE;QACF,0EAA0E;QAC1E,qEAAqE;QACrE,mDAAmD;QACnD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAClD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACpD,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC9B,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAChD,CAAC;QACF,qEAAqE;QACrE,4BAA4B;QAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,QAAQ,GACZ,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC;gBACpC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACxC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;QAED,kDAAkD;QAClD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAS,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxD,MAAM,KAAK,GAAa,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,EAAE,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBACpB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,0CAA0C;QAC1C,8DAA8D;QAC9D,MAAM,MAAM,GAAG,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,CAAC;QACtE,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEjD,MAAM,UAAU,GAAe,EAAE,CAAC;QAClC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAAE,SAAS;YACtC,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;gBAAE,SAAS;YAC9D,IAAI,KAAK,CAAC,UAAU,IAAI,CAAC;gBAAE,SAAS;YAEpC,2EAA2E;YAC3E,6EAA6E;YAC7E,8EAA8E;YAC9E,6EAA6E;YAC7E,8DAA8D;YAC9D,IAAI,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;gBACvE,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;gBAClE,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;gBACnE,qEAAqE;gBACrE,sEAAsE;gBACtE,kEAAkE;gBAClE,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;oBACjD,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAAE,SAAS;YACzC,CAAC;YAED,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAEvB,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,KAAK,KAAK,CAAC,QAAQ;gBAC7C,CAAC,CAAC,QAAQ,KAAK,CAAC,UAAU,EAAE;gBAC5B,CAAC,CAAC,SAAS,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAElD,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,aAAa,IAAI,IAAI,KAAK,CAAC,UAAU,EAAE;gBAC3C,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,SAAS;gBAChB,OAAO,EAAE,gBAAgB,GAAG,6CAA6C;gBACzE,IAAI;gBACJ,IAAI,EAAE,KAAK,CAAC,UAAU;gBACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;gBACxE,GAAG,EAAE,uEAAuE;aAC7E,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,CAAC;IACxB,CAAC;CACF"}

package/dist/analysis/passes/deep-inheritance-pass.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Pass #29: deep-inheritance (CWE-1086, category: architecture)
+ *
+ * Detects class inheritance chains deeper than the configured threshold
+ * (default: 5). Deep inheritance hierarchies increase coupling, make code
+ * harder to understand, and indicate a design smell (violation of composition
+ * over inheritance).
+ *
+ * Detection strategy:
+ *   1. Build a parentMap: className → parentName from `ir.types[*].extends`.
+ *   2. For each class with a known `start_line`, walk up the parentMap
+ *      counting depth. Stop at depth 20 to defend against cycles.
+ *   3. If depth > THRESHOLD, emit a finding at the class `start_line`.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python. Rust/Bash do not have
+ * class inheritance — skipped.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface DeepInheritanceResult {
+    deepClasses: Array<{
+        className: string;
+        depth: number;
+        line: number;
+    }>;
+}
+export declare class DeepInheritancePass implements AnalysisPass<DeepInheritanceResult> {
+    readonly name = "deep-inheritance";
+    readonly category: "architecture";
+    run(ctx: PassContext): DeepInheritanceResult;
+}

package/dist/analysis/passes/deep-inheritance-pass.js

@@ -0,0 +1,82 @@
+/**
+ * Pass #29: deep-inheritance (CWE-1086, category: architecture)
+ *
+ * Detects class inheritance chains deeper than the configured threshold
+ * (default: 5). Deep inheritance hierarchies increase coupling, make code
+ * harder to understand, and indicate a design smell (violation of composition
+ * over inheritance).
+ *
+ * Detection strategy:
+ *   1. Build a parentMap: className → parentName from `ir.types[*].extends`.
+ *   2. For each class with a known `start_line`, walk up the parentMap
+ *      counting depth. Stop at depth 20 to defend against cycles.
+ *   3. If depth > THRESHOLD, emit a finding at the class `start_line`.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python. Rust/Bash do not have
+ * class inheritance — skipped.
+ */
+const DEPTH_THRESHOLD = 5;
+const CYCLE_GUARD = 20;
+export class DeepInheritancePass {
+    name = 'deep-inheritance';
+    category = 'architecture';
+    run(ctx) {
+        const { graph, language } = ctx;
+        if (language === 'rust' || language === 'bash') {
+            return { deepClasses: [] };
+        }
+        const file = graph.ir.meta.file;
+        const types = graph.ir.types;
+        if (types.length === 0)
+            return { deepClasses: [] };
+        // Build parentMap: class name → parent class name
+        const parentMap = new Map();
+        for (const typeInfo of types) {
+            if (typeInfo.extends) {
+                // Strip generic parameters (e.g., "BaseRepo<User>" → "BaseRepo")
+                const parentName = typeInfo.extends.replace(/<.*>/, '').trim();
+                if (parentName) {
+                    parentMap.set(typeInfo.name, parentName);
+                }
+            }
+        }
+        const deepClasses = [];
+        for (const typeInfo of types) {
+            if (typeInfo.kind !== 'class')
+                continue;
+            if (typeInfo.start_line <= 0)
+                continue;
+            // Walk up the inheritance chain
+            let depth = 0;
+            let current = parentMap.get(typeInfo.name);
+            const visited = new Set([typeInfo.name]);
+            while (current !== undefined && depth < CYCLE_GUARD) {
+                depth++;
+                if (visited.has(current))
+                    break; // cycle guard
+                visited.add(current);
+                current = parentMap.get(current);
+            }
+            if (depth > DEPTH_THRESHOLD) {
+                deepClasses.push({ className: typeInfo.name, depth, line: typeInfo.start_line });
+                ctx.addFinding({
+                    id: `deep-inheritance-${file}-${typeInfo.start_line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-1086',
+                    severity: 'low',
+                    level: 'warning',
+                    message: `Deep inheritance: class \`${typeInfo.name}\` has inheritance depth ${depth} (threshold: ${DEPTH_THRESHOLD})`,
+                    file,
+                    line: typeInfo.start_line,
+                    fix: `Refactor to prefer composition over inheritance. ` +
+                        `Consider extracting shared behaviour into interfaces or mixins.`,
+                    evidence: { depth, threshold: DEPTH_THRESHOLD },
+                });
+            }
+        }
+        return { deepClasses };
+    }
+}
+//# sourceMappingURL=deep-inheritance-pass.js.map

package/dist/analysis/passes/deep-inheritance-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deep-inheritance-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/deep-inheritance-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,MAAM,eAAe,GAAG,CAAC,CAAC;AAC1B,MAAM,WAAW,GAAG,EAAE,CAAC;AAMvB,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,kBAAkB,CAAC;IAC1B,QAAQ,GAAG,cAAuB,CAAC;IAE5C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,KAAK,GAAG,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC;QAE7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,kDAAkD;QAClD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC5C,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;YAC7B,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACrB,iEAAiE;gBACjE,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC/D,IAAI,UAAU,EAAE,CAAC;oBACf,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAyC,EAAE,CAAC;QAE7D,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;YAC7B,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACxC,IAAI,QAAQ,CAAC,UAAU,IAAI,CAAC;gBAAE,SAAS;YAEvC,gCAAgC;YAChC,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,IAAI,OAAO,GAAuB,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAEjD,OAAO,OAAO,KAAK,SAAS,IAAI,KAAK,GAAG,WAAW,EAAE,CAAC;gBACpD,KAAK,EAAE,CAAC;gBACR,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;oBAAE,MAAM,CAAC,cAAc;gBAC/C,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnC,CAAC;YAED,IAAI,KAAK,GAAG,eAAe,EAAE,CAAC;gBAC5B,WAAW,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;gBAEjF,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,oBAAoB,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE;oBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,UAAU;oBACf,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,SAAS;oBAChB,OAAO,EACL,6BAA6B,QAAQ,CAAC,IAAI,4BAA4B,KAAK,gBAAgB,eAAe,GAAG;oBAC/G,IAAI;oBACJ,IAAI,EAAE,QAAQ,CAAC,UAAU;oBACzB,GAAG,EACD,mDAAmD;wBACnD,iEAAiE;oBACnE,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE;iBAChD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}

package/dist/analysis/passes/dependency-fan-out-pass.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Pass #72: dependency-fan-out
+ *
+ * Flags modules that import an excessive number of other modules (≥20).
+ * High fan-out is a coupling smell that makes modules hard to test and modify
+ * independently.
+ *
+ * Category: architecture | Severity: low | Level: note | CWE: none
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface DependencyFanOutResult {
+    importCount: number;
+    exceeded: boolean;
+}
+export declare class DependencyFanOutPass implements AnalysisPass<DependencyFanOutResult> {
+    readonly name = "dependency-fan-out";
+    readonly category: "architecture";
+    run(ctx: PassContext): DependencyFanOutResult;
+}

package/dist/analysis/passes/dependency-fan-out-pass.js

@@ -0,0 +1,35 @@
+/**
+ * Pass #72: dependency-fan-out
+ *
+ * Flags modules that import an excessive number of other modules (≥20).
+ * High fan-out is a coupling smell that makes modules hard to test and modify
+ * independently.
+ *
+ * Category: architecture | Severity: low | Level: note | CWE: none
+ */
+const FAN_OUT_THRESHOLD = 20;
+export class DependencyFanOutPass {
+    name = 'dependency-fan-out';
+    category = 'architecture';
+    run(ctx) {
+        const importCount = ctx.graph.ir.imports.length;
+        const exceeded = importCount >= FAN_OUT_THRESHOLD;
+        if (exceeded) {
+            const finding = {
+                id: `dependency-fan-out-${ctx.graph.ir.meta.file.replace(/[^a-z0-9]/gi, '-')}`,
+                pass: 'dependency-fan-out',
+                category: 'architecture',
+                rule_id: 'dependency-fan-out',
+                severity: 'low',
+                level: 'note',
+                message: `Module imports ${importCount} dependencies (threshold: ${FAN_OUT_THRESHOLD}). High fan-out increases coupling and makes the module harder to test.`,
+                file: ctx.graph.ir.meta.file,
+                line: 1,
+                evidence: { importCount, threshold: FAN_OUT_THRESHOLD },
+            };
+            ctx.addFinding(finding);
+        }
+        return { importCount, exceeded };
+    }
+}
+//# sourceMappingURL=dependency-fan-out-pass.js.map

package/dist/analysis/passes/dependency-fan-out-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-fan-out-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/dependency-fan-out-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAUH,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,MAAM,OAAO,oBAAoB;IACtB,IAAI,GAAG,oBAAoB,CAAC;IAC5B,QAAQ,GAAG,cAAuB,CAAC;IAE5C,GAAG,CAAC,GAAgB;QAClB,MAAM,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QAChD,MAAM,QAAQ,GAAM,WAAW,IAAI,iBAAiB,CAAC;QAErD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,OAAO,GAAgB;gBAC3B,EAAE,EAAQ,sBAAsB,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,EAAE;gBACpF,IAAI,EAAM,oBAAoB;gBAC9B,QAAQ,EAAE,cAAc;gBACxB,OAAO,EAAG,oBAAoB;gBAC9B,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAK,MAAM;gBAChB,OAAO,EAAG,kBAAkB,WAAW,6BAA6B,iBAAiB,yEAAyE;gBAC9J,IAAI,EAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI;gBAChC,IAAI,EAAM,CAAC;gBACX,QAAQ,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,iBAAiB,EAAE;aACxD,CAAC;YACF,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;IACnC,CAAC;CACF"}

package/dist/analysis/passes/infinite-loop-pass.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Pass #28: infinite-loop (CWE-835, category: reliability)
+ *
+ * Detects loops with no reachable exit edge — i.e., loops that can run
+ * forever because every execution path through the loop body leads back to
+ * the loop header without a break, return, throw, or continue-to-outer.
+ *
+ * Detection strategy:
+ *   1. Identify loop headers: back-edge targets in the CFG (`edge.type === 'back'`).
+ *   2. For each loop, collect the loop body blocks via BFS from the header,
+ *      stopping at back-edge sources (the "tail" blocks).
+ *   3. Check whether any block in the body has an outgoing edge that exits
+ *      the loop (target not in body set and not back to header).
+ *   4. As a text-level fallback, scan source lines in the loop body for
+ *      `return`, `throw`/`raise`, `break`, `System.exit` keywords.
+ *   5. Emit a finding at the loop header's start_line if no exit is found.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust. Skip Bash.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface InfiniteLoopResult {
+    potentialInfiniteLoops: Array<{
+        headerLine: number;
+        bodyEndLine: number;
+    }>;
+}
+export declare class InfiniteLoopPass implements AnalysisPass<InfiniteLoopResult> {
+    readonly name = "infinite-loop";
+    readonly category: "reliability";
+    run(ctx: PassContext): InfiniteLoopResult;
+}