circle-ir 3.8.4 → 3.9.8

package/dist/analysis/passes/null-deref-pass.js

@@ -0,0 +1,130 @@
+/**
+ * Pass #20: null-deref (CWE-476, category: reliability)
+ *
+ * Detects variables that are explicitly assigned null/None/undefined and then
+ * used as a receiver (method call or field access) without an intervening
+ * null guard.
+ *
+ * Detection strategy:
+ *   1. Find DFG defs where the expression is an explicit null literal
+ *      (null / None / undefined).
+ *   2. For each such def, find all DFG uses via graph.usesOfDef().
+ *   3. For each use that occurs after the def in the same method and is used
+ *      as a receiver, check whether any line between def and use contains a
+ *      null-check for that variable.
+ *   4. Emit a finding if no guard is found.
+ *
+ * Scope is limited to the enclosing method to avoid cross-method FPs.
+ */
+/** Expression values that represent an explicit null assignment. */
+const NULL_EXPR_RE = /^\s*(null|None|undefined)\s*$/;
+/** Escape a variable name for use in a RegExp. */
+function escRe(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Returns true if any source line in the range [fromLine, toLine) contains a
+ * null-guard pattern referencing varName.
+ *
+ * Guards recognised:
+ *   - Java/JS: `x != null`, `x !== null`, `null != x`
+ *   - Java/JS: `x == null`, `x === null` (guard on the null branch)
+ *   - Python: `x is not None`, `if x:`
+ *   - Optional chaining: `x?.`
+ *   - Optional API: `x.isPresent()`, `Optional`
+ */
+function hasNullGuard(codeLines, varName, fromLine, toLine) {
+    const esc = escRe(varName);
+    // Build one composite regex (OR of guard patterns)
+    const pattern = new RegExp(`\\b${esc}\\b\\s*!==?\\s*(null|None|undefined)` +
+        `|(null|None|undefined)\\s*!==?\\s*\\b${esc}\\b` +
+        `|\\b${esc}\\b\\s*===?\\s*(null|None|undefined)` + // null-branch check
+        `|(null|None|undefined)\\s*===?\\s*\\b${esc}\\b` +
+        `|\\bis\\s+not\\s+None\\b.*\\b${esc}\\b` + // Python is not None
+        `|\\b${esc}\\b.*\\bis\\s+not\\s+None\\b` +
+        `|if\\s*\\(\\s*${esc}\\s*[)!&|]` + // if (x), if (!x)
+        `|if\\s+${esc}\\s*:` + // Python: if x:
+        `|\\b${esc}\\b\\s*\\.\\s*isPresent\\(\\)` + // Optional.isPresent()
+        `|\\bOptional\\b`);
+    for (let l = fromLine; l < toLine; l++) {
+        const line = codeLines[l - 1] ?? '';
+        if (pattern.test(line))
+            return true;
+    }
+    return false;
+}
+export class NullDerefPass {
+    name = 'null-deref';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        // Rust has the Option/Result type system — NPE is not applicable.
+        // Bash has no objects to dereference.
+        if (language === 'rust' || language === 'bash') {
+            return { potentialNullDerefs: [] };
+        }
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const potentialNullDerefs = [];
+        const reported = new Set(); // deduplicate by variable+useLine
+        for (const def of graph.ir.dfg.defs) {
+            if (!def.expression || !NULL_EXPR_RE.test(def.expression))
+                continue;
+            const varName = def.variable;
+            const defLine = def.line;
+            // Determine enclosing method bounds to limit search scope
+            const methodInfo = graph.methodAtLine(defLine);
+            const methodEnd = methodInfo?.method.end_line ?? Number.MAX_SAFE_INTEGER;
+            // Find all downstream uses of this null-assigned variable
+            const uses = graph.usesOfDef(def.id);
+            for (const use of uses) {
+                const useLine = use.line;
+                // Use must be AFTER the assignment and within the same method
+                if (useLine <= defLine || useLine > methodEnd)
+                    continue;
+                // Check if the variable is used as a call receiver at this line
+                const callsAtLine = graph.callsAtLine(useLine);
+                const isCallReceiver = callsAtLine.some(c => c.receiver === varName);
+                // Also detect field-access pattern: `varName.field`
+                const lineText = codeLines[useLine - 1] ?? '';
+                const fieldAccessRe = new RegExp(`\\b${escRe(varName)}\\s*\\.`);
+                const isFieldAccess = fieldAccessRe.test(lineText);
+                if (!isCallReceiver && !isFieldAccess)
+                    continue;
+                // Optional chaining (`?.`) is safe — skip
+                const optionalChainRe = new RegExp(`\\b${escRe(varName)}\\s*\\?\\s*\\.`);
+                if (optionalChainRe.test(lineText))
+                    continue;
+                // Check whether a null guard exists between the assignment and this use
+                if (hasNullGuard(codeLines, varName, defLine + 1, useLine))
+                    continue;
+                const key = `${varName}-${useLine}`;
+                if (reported.has(key))
+                    continue;
+                reported.add(key);
+                potentialNullDerefs.push({ defLine, useLine, variable: varName });
+                ctx.addFinding({
+                    id: `null-deref-${file}-${useLine}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-476',
+                    severity: 'high',
+                    level: 'error',
+                    message: `Potential null dereference: '${varName}' was assigned null at line ${defLine} ` +
+                        `and is used at line ${useLine} without a null check`,
+                    file,
+                    line: useLine,
+                    snippet: lineText.trim(),
+                    fix: `Add a null check before dereferencing: \`if (${varName} != null) { ... }\``,
+                    evidence: {
+                        variable: varName,
+                        assigned_null_at: defLine,
+                    },
+                });
+            }
+        }
+        return { potentialNullDerefs };
+    }
+}
+//# sourceMappingURL=null-deref-pass.js.map

package/dist/analysis/passes/null-deref-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"null-deref-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/null-deref-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,oEAAoE;AACpE,MAAM,YAAY,GAAG,+BAA+B,CAAC;AAErD,kDAAkD;AAClD,SAAS,KAAK,CAAC,CAAS;IACtB,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CACnB,SAAmB,EACnB,OAAe,EACf,QAAgB,EAChB,MAAc;IAEd,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;IAC3B,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,MAAM,CACxB,MAAM,GAAG,sCAAsC;QAC/C,wCAAwC,GAAG,KAAK;QAChD,OAAO,GAAG,sCAAsC,GAAK,oBAAoB;QACzE,wCAAwC,GAAG,KAAK;QAChD,gCAAgC,GAAG,KAAK,GAAa,qBAAqB;QAC1E,OAAO,GAAG,8BAA8B;QACxC,iBAAiB,GAAG,YAAY,GAAoB,kBAAkB;QACtE,UAAU,GAAG,OAAO,GAAiC,gBAAgB;QACrE,OAAO,GAAG,+BAA+B,GAAY,uBAAuB;QAC5E,iBAAiB,CAClB,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IACtC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAWD,MAAM,OAAO,aAAa;IACf,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,kEAAkE;QAClE,sCAAsC;QACtC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,mBAAmB,EAAE,EAAE,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,mBAAmB,GAA2C,EAAE,CAAC;QACvE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,kCAAkC;QAEtE,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;gBAAE,SAAS;YAEpE,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC;YAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC;YAEzB,0DAA0D;YAC1D,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YAC/C,MAAM,SAAS,GAAG,UAAU,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,gBAAgB,CAAC;YAEzE,0DAA0D;YAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAErC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC;gBAEzB,8DAA8D;gBAC9D,IAAI,OAAO,IAAI,OAAO,IAAI,OAAO,GAAG,SAAS;oBAAE,SAAS;gBAExD,gEAAgE;gBAChE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;gBAC/C,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;gBAErE,oDAAoD;gBACpD,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC9C,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAChE,MAAM,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAEnD,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa;oBAAE,SAAS;gBAEhD,0CAA0C;gBAC1C,MAAM,eAAe,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;gBACzE,IAAI,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAE7C,wEAAwE;gBACxE,IAAI,YAAY,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,CAAC;oBAAE,SAAS;gBAErE,MAAM,GAAG,GAAG,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC;gBACpC,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAElB,mBAAmB,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;gBAElE,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,cAAc,IAAI,IAAI,OAAO,EAAE;oBACnC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,gCAAgC,OAAO,+BAA+B,OAAO,GAAG;wBAChF,uBAAuB,OAAO,uBAAuB;oBACvD,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;oBACxB,GAAG,EAAE,gDAAgD,OAAO,qBAAqB;oBACjF,QAAQ,EAAE;wBACR,QAAQ,EAAE,OAAO;wBACjB,gBAAgB,EAAE,OAAO;qBAC1B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,mBAAmB,EAAE,CAAC;IACjC,CAAC;CACF"}

package/dist/analysis/passes/orphan-module-pass.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Pass #71: orphan-module (project-level)
+ *
+ * Flags modules that have no incoming import edges and are not recognized
+ * entry points. Orphan modules are likely dead code, leftover scaffolding,
+ * or files that were accidentally disconnected from the project.
+ *
+ * This is a project-level pass — it does NOT extend AnalysisPass.
+ * It is invoked from analyzeProject() after all per-file analyses are complete.
+ *
+ * Entry points (excluded from flagging): filename base matches
+ * /^(index|main|app|server|mod)$/i
+ *
+ * Category: architecture | Severity: low | Level: note | CWE: none
+ */
+import type { SastFinding } from '../../types/index.js';
+import type { ProjectGraph } from '../../graph/project-graph.js';
+import type { ImportGraph } from '../../graph/import-graph.js';
+export declare class OrphanModulePass {
+    run(_projectGraph: ProjectGraph, importGraph: ImportGraph): SastFinding[];
+}

package/dist/analysis/passes/orphan-module-pass.js

@@ -0,0 +1,38 @@
+/**
+ * Pass #71: orphan-module (project-level)
+ *
+ * Flags modules that have no incoming import edges and are not recognized
+ * entry points. Orphan modules are likely dead code, leftover scaffolding,
+ * or files that were accidentally disconnected from the project.
+ *
+ * This is a project-level pass — it does NOT extend AnalysisPass.
+ * It is invoked from analyzeProject() after all per-file analyses are complete.
+ *
+ * Entry points (excluded from flagging): filename base matches
+ * /^(index|main|app|server|mod)$/i
+ *
+ * Category: architecture | Severity: low | Level: note | CWE: none
+ */
+export class OrphanModulePass {
+    run(_projectGraph, importGraph) {
+        const findings = [];
+        const orphans = importGraph.findOrphans();
+        for (const file of orphans) {
+            const finding = {
+                id: `orphan-module-${file.replace(/[^a-z0-9]/gi, '-')}`,
+                pass: 'orphan-module',
+                category: 'architecture',
+                rule_id: 'orphan-module',
+                severity: 'low',
+                level: 'note',
+                message: `Module '${file}' has no incoming imports and is not a known entry point. It may be dead code.`,
+                file,
+                line: 1,
+                evidence: { file },
+            };
+            findings.push(finding);
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=orphan-module-pass.js.map

package/dist/analysis/passes/orphan-module-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"orphan-module-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/orphan-module-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAMH,MAAM,OAAO,gBAAgB;IAC3B,GAAG,CAAC,aAA2B,EAAE,WAAwB;QACvD,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE1C,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,OAAO,GAAgB;gBAC3B,EAAE,EAAQ,iBAAiB,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,EAAE;gBAC7D,IAAI,EAAM,eAAe;gBACzB,QAAQ,EAAE,cAAc;gBACxB,OAAO,EAAG,eAAe;gBACzB,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAK,MAAM;gBAChB,OAAO,EAAG,WAAW,IAAI,gFAAgF;gBACzG,IAAI;gBACJ,IAAI,EAAM,CAAC;gBACX,QAAQ,EAAE,EAAE,IAAI,EAAE;aACnB,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analysis/passes/react-inline-jsx-pass.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Pass #33: react-inline-jsx (category: performance)
+ *
+ * Detects inline object literals or arrow functions passed as JSX props.
+ * These create a new reference on every render, defeating React.memo /
+ * shouldComponentUpdate optimisations and causing unnecessary re-renders.
+ *
+ * Detection strategy:
+ *   1. Only runs on JavaScript/TypeScript files that appear to contain JSX
+ *      (quick check: source contains a `<UpperCase` JSX component pattern).
+ *   2. Scans each source line for:
+ *      a. Inline object prop:  propName={{   (double-brace)
+ *      b. Inline arrow prop:   propName={(...) =>   or   propName={identifier =>
+ *      c. Inline function prop: propName={function(
+ *   3. Skips:
+ *      - `style={{` — idiomatic and near-impossible to hoist statically
+ *      - `key=` — must be inline
+ *      - `data-*` attribute names
+ *      - Lines that are comments
+ *   4. Emits one finding per matched line.
+ *
+ * Languages: JavaScript and TypeScript only.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface ReactInlineJsxResult {
+    inlineProps: Array<{
+        line: number;
+        propName: string;
+        kind: 'object' | 'arrow' | 'function';
+    }>;
+}
+export declare class ReactInlineJsxPass implements AnalysisPass<ReactInlineJsxResult> {
+    readonly name = "react-inline-jsx";
+    readonly category: "performance";
+    run(ctx: PassContext): ReactInlineJsxResult;
+}

package/dist/analysis/passes/react-inline-jsx-pass.js

@@ -0,0 +1,140 @@
+/**
+ * Pass #33: react-inline-jsx (category: performance)
+ *
+ * Detects inline object literals or arrow functions passed as JSX props.
+ * These create a new reference on every render, defeating React.memo /
+ * shouldComponentUpdate optimisations and causing unnecessary re-renders.
+ *
+ * Detection strategy:
+ *   1. Only runs on JavaScript/TypeScript files that appear to contain JSX
+ *      (quick check: source contains a `<UpperCase` JSX component pattern).
+ *   2. Scans each source line for:
+ *      a. Inline object prop:  propName={{   (double-brace)
+ *      b. Inline arrow prop:   propName={(...) =>   or   propName={identifier =>
+ *      c. Inline function prop: propName={function(
+ *   3. Skips:
+ *      - `style={{` — idiomatic and near-impossible to hoist statically
+ *      - `key=` — must be inline
+ *      - `data-*` attribute names
+ *      - Lines that are comments
+ *   4. Emits one finding per matched line.
+ *
+ * Languages: JavaScript and TypeScript only.
+ */
+/** Quick heuristic: does the file contain any JSX component usage? */
+const JSX_COMPONENT_RE = /<[A-Z][A-Za-z0-9]*/;
+/** Inline object prop: propName={{  (but NOT style={{ ) */
+const INLINE_OBJECT_RE = /\s([A-Za-z][A-Za-z0-9_]*)=\{\{/g;
+/** Inline arrow function prop: propName={(...) =>  or  propName={x => */
+const INLINE_ARROW_RE = /\s([A-Za-z][A-Za-z0-9_]*)=\{(?:\(|[A-Za-z_$]).*?=>/g;
+/** Inline function expression prop: propName={function( */
+const INLINE_FUNCTION_RE = /\s([A-Za-z][A-Za-z0-9_]*)=\{function\s*\(/g;
+/** Props to always skip regardless of value shape. */
+const SKIP_PROPS = new Set(['style', 'key', 'ref', 'className', 'id']);
+export class ReactInlineJsxPass {
+    name = 'react-inline-jsx';
+    category = 'performance';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language !== 'javascript' && language !== 'typescript') {
+            return { inlineProps: [] };
+        }
+        // Quick file-level JSX check
+        if (!JSX_COMPONENT_RE.test(code)) {
+            return { inlineProps: [] };
+        }
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const inlineProps = [];
+        for (let i = 0; i < codeLines.length; i++) {
+            const lineText = codeLines[i];
+            const ln = i + 1;
+            // Skip comment lines
+            const trimmed = lineText.trimStart();
+            if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) {
+                continue;
+            }
+            // --- Inline object prop: propName={{ ---
+            INLINE_OBJECT_RE.lastIndex = 0;
+            let m;
+            while ((m = INLINE_OBJECT_RE.exec(lineText)) !== null) {
+                const propName = m[1];
+                if (SKIP_PROPS.has(propName))
+                    continue;
+                if (propName.startsWith('data-'))
+                    continue; // data-* attributes
+                inlineProps.push({ line: ln, propName, kind: 'object' });
+                ctx.addFinding({
+                    id: `react-inline-jsx-obj-${file}-${ln}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: undefined,
+                    severity: 'low',
+                    level: 'note',
+                    message: `Inline object in JSX prop \`${propName}\` creates a new reference on every render, ` +
+                        `defeating memoization`,
+                    file,
+                    line: ln,
+                    snippet: lineText.trim(),
+                    fix: `Extract the object literal into a \`useMemo\` hook or a module-level constant, ` +
+                        `then pass the reference: \`${propName}={myConstObject}\`.`,
+                });
+            }
+            // --- Inline arrow function prop: propName={(...) => or propName={x => ---
+            INLINE_ARROW_RE.lastIndex = 0;
+            while ((m = INLINE_ARROW_RE.exec(lineText)) !== null) {
+                const propName = m[1];
+                if (SKIP_PROPS.has(propName))
+                    continue;
+                if (propName.startsWith('data'))
+                    continue;
+                inlineProps.push({ line: ln, propName, kind: 'arrow' });
+                ctx.addFinding({
+                    id: `react-inline-jsx-arrow-${file}-${ln}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: undefined,
+                    severity: 'low',
+                    level: 'note',
+                    message: `Inline arrow function in JSX prop \`${propName}\` creates a new function reference on every render, ` +
+                        `defeating memoization`,
+                    file,
+                    line: ln,
+                    snippet: lineText.trim(),
+                    fix: `Wrap the handler with \`useCallback\` or define it outside the component: ` +
+                        `\`const handle${propName.charAt(0).toUpperCase()}${propName.slice(1)} = useCallback(...)\`.`,
+                });
+            }
+            // --- Inline function expression prop: propName={function( ---
+            INLINE_FUNCTION_RE.lastIndex = 0;
+            while ((m = INLINE_FUNCTION_RE.exec(lineText)) !== null) {
+                const propName = m[1];
+                if (SKIP_PROPS.has(propName))
+                    continue;
+                if (propName.startsWith('data'))
+                    continue;
+                inlineProps.push({ line: ln, propName, kind: 'function' });
+                ctx.addFinding({
+                    id: `react-inline-jsx-fn-${file}-${ln}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: undefined,
+                    severity: 'low',
+                    level: 'note',
+                    message: `Inline function expression in JSX prop \`${propName}\` creates a new function reference on every render, ` +
+                        `defeating memoization`,
+                    file,
+                    line: ln,
+                    snippet: lineText.trim(),
+                    fix: `Wrap the handler with \`useCallback\` or define it outside the component: ` +
+                        `\`const handle${propName.charAt(0).toUpperCase()}${propName.slice(1)} = useCallback(...)\`.`,
+                });
+            }
+        }
+        return { inlineProps };
+    }
+}
+//# sourceMappingURL=react-inline-jsx-pass.js.map

package/dist/analysis/passes/react-inline-jsx-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"react-inline-jsx-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/react-inline-jsx-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,sEAAsE;AACtE,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAE9C,2DAA2D;AAC3D,MAAM,gBAAgB,GAAG,iCAAiC,CAAC;AAE3D,yEAAyE;AACzE,MAAM,eAAe,GAAG,qDAAqD,CAAC;AAE9E,2DAA2D;AAC3D,MAAM,kBAAkB,GAAG,4CAA4C,CAAC;AAExE,sDAAsD;AACtD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC;AAMvE,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,kBAAkB,CAAC;IAC1B,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAC7B,CAAC;QAED,6BAA6B;QAC7B,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,WAAW,GAAwC,EAAE,CAAC;QAE5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YAC9B,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;YAEjB,qBAAqB;YACrB,MAAM,OAAO,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpF,SAAS;YACX,CAAC;YAED,0CAA0C;YAC1C,gBAAgB,CAAC,SAAS,GAAG,CAAC,CAAC;YAC/B,IAAI,CAAyB,CAAC;YAC9B,OAAO,CAAC,CAAC,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACtD,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACvC,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;oBAAE,SAAS,CAAC,oBAAoB;gBAEhE,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACzD,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,EAAE,EAAE;oBACxC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,MAAM;oBACb,OAAO,EACL,+BAA+B,QAAQ,8CAA8C;wBACrF,uBAAuB;oBACzB,IAAI;oBACJ,IAAI,EAAE,EAAE;oBACR,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;oBACxB,GAAG,EACD,iFAAiF;wBACjF,8BAA8B,QAAQ,qBAAqB;iBAC9D,CAAC,CAAC;YACL,CAAC;YAED,2EAA2E;YAC3E,eAAe,CAAC,SAAS,GAAG,CAAC,CAAC;YAC9B,OAAO,CAAC,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACrD,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACvC,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;oBAAE,SAAS;gBAE1C,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACxD,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,0BAA0B,IAAI,IAAI,EAAE,EAAE;oBAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,MAAM;oBACb,OAAO,EACL,uCAAuC,QAAQ,uDAAuD;wBACtG,uBAAuB;oBACzB,IAAI;oBACJ,IAAI,EAAE,EAAE;oBACR,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;oBACxB,GAAG,EACD,4EAA4E;wBAC5E,iBAAiB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,wBAAwB;iBAChG,CAAC,CAAC;YACL,CAAC;YAED,+DAA+D;YAC/D,kBAAkB,CAAC,SAAS,GAAG,CAAC,CAAC;YACjC,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACxD,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACvC,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;oBAAE,SAAS;gBAE1C,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,uBAAuB,IAAI,IAAI,EAAE,EAAE;oBACvC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,MAAM;oBACb,OAAO,EACL,4CAA4C,QAAQ,uDAAuD;wBAC3G,uBAAuB;oBACzB,IAAI;oBACJ,IAAI,EAAE,EAAE;oBACR,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;oBACxB,GAAG,EACD,4EAA4E;wBAC5E,iBAAiB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,wBAAwB;iBAChG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}

package/dist/analysis/passes/redundant-loop-pass.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Pass #30: redundant-loop-computation (CWE-1050, category: performance)
+ *
+ * Detects loop-invariant expressions that are recomputed on every iteration.
+ * The most common and highest-signal patterns:
+ *   - `.length` / `.size()` / `.count()` on a variable not modified in the loop
+ *   - `Object.keys(x)` / `Object.values(x)` / `Object.entries(x)` on invariant `x`
+ *   - Pure math: `Math.sqrt(x)`, `Math.pow(x, n)`, `Math.abs(x)` on invariant args
+ *
+ * Detection strategy:
+ *   1. Identify loop bodies via `graph.loopBodies()` (CFG back-edge derived).
+ *   2. Build `modifiedVars`: DFG defs whose line falls inside the loop range.
+ *   3. Scan source lines for the invariant patterns.
+ *   4. If the receiver/argument variable is NOT in `modifiedVars`, emit a finding.
+ *
+ * Languages: JavaScript/TypeScript, Java, Python, Rust. Bash — skipped.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface RedundantLoopResult {
+    invariants: Array<{
+        line: number;
+        expression: string;
+        variable: string;
+    }>;
+}
+export declare class RedundantLoopPass implements AnalysisPass<RedundantLoopResult> {
+    readonly name = "redundant-loop-computation";
+    readonly category: "performance";
+    run(ctx: PassContext): RedundantLoopResult;
+}

package/dist/analysis/passes/redundant-loop-pass.js

@@ -0,0 +1,146 @@
+/**
+ * Pass #30: redundant-loop-computation (CWE-1050, category: performance)
+ *
+ * Detects loop-invariant expressions that are recomputed on every iteration.
+ * The most common and highest-signal patterns:
+ *   - `.length` / `.size()` / `.count()` on a variable not modified in the loop
+ *   - `Object.keys(x)` / `Object.values(x)` / `Object.entries(x)` on invariant `x`
+ *   - Pure math: `Math.sqrt(x)`, `Math.pow(x, n)`, `Math.abs(x)` on invariant args
+ *
+ * Detection strategy:
+ *   1. Identify loop bodies via `graph.loopBodies()` (CFG back-edge derived).
+ *   2. Build `modifiedVars`: DFG defs whose line falls inside the loop range.
+ *   3. Scan source lines for the invariant patterns.
+ *   4. If the receiver/argument variable is NOT in `modifiedVars`, emit a finding.
+ *
+ * Languages: JavaScript/TypeScript, Java, Python, Rust. Bash — skipped.
+ */
+// Match:  varName.length  or  varName.size()  or  varName.count()
+const LENGTH_PATTERN = /\b([A-Za-z_$][A-Za-z0-9_$]*)\s*\.\s*(?:length|size\(\)|count\(\))/g;
+// Match:  Object.keys(varName)  Object.values(varName)  Object.entries(varName)
+const OBJECT_STATIC_PATTERN = /\bObject\s*\.\s*(?:keys|values|entries)\s*\(\s*([A-Za-z_$][A-Za-z0-9_$]*)\s*\)/g;
+// Match:  Math.sqrt(varName)  Math.pow(varName  Math.abs(varName)  Math.floor(varName)  Math.ceil(varName)
+const MATH_PATTERN = /\bMath\s*\.\s*(?:sqrt|pow|abs|floor|ceil|round|log|log2|log10)\s*\(\s*([A-Za-z_$][A-Za-z0-9_$]*)\s*[,)]/g;
+export class RedundantLoopPass {
+    name = 'redundant-loop-computation';
+    category = 'performance';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language === 'bash') {
+            return { invariants: [] };
+        }
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const loops = graph.loopBodies();
+        if (loops.length === 0)
+            return { invariants: [] };
+        const invariants = [];
+        const reported = new Set(); // deduplicate by line+expression
+        for (const loop of loops) {
+            const { start_line, end_line } = loop;
+            // Collect variables modified (written) inside the loop body
+            const modifiedVars = new Set();
+            for (const def of graph.ir.dfg.defs) {
+                if (def.line >= start_line && def.line <= end_line) {
+                    modifiedVars.add(def.variable);
+                }
+            }
+            // Scan each line in the loop body for invariant patterns
+            for (let ln = start_line; ln <= end_line && ln <= codeLines.length; ln++) {
+                const lineText = codeLines[ln - 1] ?? '';
+                // Skip blank lines
+                if (lineText.trim() === '')
+                    continue;
+                // --- .length / .size() / .count() ---
+                LENGTH_PATTERN.lastIndex = 0;
+                let m;
+                while ((m = LENGTH_PATTERN.exec(lineText)) !== null) {
+                    const varName = m[1];
+                    if (modifiedVars.has(varName))
+                        continue;
+                    // Skip if used in a for-loop initialisation line (e.g., for (let i = 0; i < arr.length; i++))
+                    // — the loop header itself scanning is expected; flag it only inside the body
+                    const expr = m[0];
+                    const key = `${ln}-${expr}`;
+                    if (reported.has(key))
+                        continue;
+                    reported.add(key);
+                    invariants.push({ line: ln, expression: expr, variable: varName });
+                    ctx.addFinding({
+                        id: `redundant-loop-computation-${file}-${ln}`,
+                        pass: this.name,
+                        category: this.category,
+                        rule_id: this.name,
+                        cwe: 'CWE-1050',
+                        severity: 'low',
+                        level: 'note',
+                        message: `Loop-invariant computation: \`${expr}\` is recomputed on every iteration; hoist outside loop`,
+                        file,
+                        line: ln,
+                        snippet: lineText.trim(),
+                        fix: `Compute \`${expr}\` once before the loop and use the cached value inside.`,
+                        evidence: { variable: varName, loop_start: start_line, loop_end: end_line },
+                    });
+                }
+                // --- Object.keys/values/entries(x) ---
+                OBJECT_STATIC_PATTERN.lastIndex = 0;
+                while ((m = OBJECT_STATIC_PATTERN.exec(lineText)) !== null) {
+                    const varName = m[1];
+                    if (modifiedVars.has(varName))
+                        continue;
+                    const expr = m[0];
+                    const key = `${ln}-${expr}`;
+                    if (reported.has(key))
+                        continue;
+                    reported.add(key);
+                    invariants.push({ line: ln, expression: expr, variable: varName });
+                    ctx.addFinding({
+                        id: `redundant-loop-computation-${file}-${ln}-obj`,
+                        pass: this.name,
+                        category: this.category,
+                        rule_id: this.name,
+                        cwe: 'CWE-1050',
+                        severity: 'low',
+                        level: 'note',
+                        message: `Loop-invariant computation: \`${expr}\` allocates a new array on every iteration; hoist outside loop`,
+                        file,
+                        line: ln,
+                        snippet: lineText.trim(),
+                        fix: `Compute \`${expr}\` once before the loop.`,
+                        evidence: { variable: varName, loop_start: start_line, loop_end: end_line },
+                    });
+                }
+                // --- Math.*(x) ---
+                MATH_PATTERN.lastIndex = 0;
+                while ((m = MATH_PATTERN.exec(lineText)) !== null) {
+                    const varName = m[1];
+                    if (modifiedVars.has(varName))
+                        continue;
+                    const expr = m[0].replace(/[,)]?\s*$/, ')');
+                    const key = `${ln}-${expr}`;
+                    if (reported.has(key))
+                        continue;
+                    reported.add(key);
+                    invariants.push({ line: ln, expression: expr, variable: varName });
+                    ctx.addFinding({
+                        id: `redundant-loop-computation-${file}-${ln}-math`,
+                        pass: this.name,
+                        category: this.category,
+                        rule_id: this.name,
+                        cwe: 'CWE-1050',
+                        severity: 'low',
+                        level: 'note',
+                        message: `Loop-invariant computation: \`${expr}\` is recomputed on every iteration; hoist outside loop`,
+                        file,
+                        line: ln,
+                        snippet: lineText.trim(),
+                        fix: `Compute \`${expr}\` once before the loop.`,
+                        evidence: { variable: varName, loop_start: start_line, loop_end: end_line },
+                    });
+                }
+            }
+        }
+        return { invariants };
+    }
+}
+//# sourceMappingURL=redundant-loop-pass.js.map

package/dist/analysis/passes/redundant-loop-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redundant-loop-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/redundant-loop-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,kEAAkE;AAClE,MAAM,cAAc,GAAG,oEAAoE,CAAC;AAE5F,gFAAgF;AAChF,MAAM,qBAAqB,GACzB,iFAAiF,CAAC;AAEpF,2GAA2G;AAC3G,MAAM,YAAY,GAChB,0GAA0G,CAAC;AAM7G,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,4BAA4B,CAAC;IACpC,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5B,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QAEjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAElD,MAAM,UAAU,GAAsC,EAAE,CAAC;QACzD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,iCAAiC;QAErE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;YAEtC,4DAA4D;YAC5D,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;YACvC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,GAAG,CAAC,IAAI,IAAI,UAAU,IAAI,GAAG,CAAC,IAAI,IAAI,QAAQ,EAAE,CAAC;oBACnD,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACjC,CAAC;YACH,CAAC;YAED,yDAAyD;YACzD,KAAK,IAAI,EAAE,GAAG,UAAU,EAAE,EAAE,IAAI,QAAQ,IAAI,EAAE,IAAI,SAAS,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;gBACzE,MAAM,QAAQ,GAAG,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEzC,mBAAmB;gBACnB,IAAI,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE;oBAAE,SAAS;gBAErC,uCAAuC;gBACvC,cAAc,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC7B,IAAI,CAAyB,CAAC;gBAC9B,OAAO,CAAC,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACpD,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACrB,IAAI,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC;wBAAE,SAAS;oBACxC,8FAA8F;oBAC9F,8EAA8E;oBAC9E,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBAClB,MAAM,GAAG,GAAG,GAAG,EAAE,IAAI,IAAI,EAAE,CAAC;oBAC5B,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,SAAS;oBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAElB,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;oBACnE,GAAG,CAAC,UAAU,CAAC;wBACb,EAAE,EAAE,8BAA8B,IAAI,IAAI,EAAE,EAAE;wBAC9C,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;wBAClB,GAAG,EAAE,UAAU;wBACf,QAAQ,EAAE,KAAK;wBACf,KAAK,EAAE,MAAM;wBACb,OAAO,EACL,iCAAiC,IAAI,yDAAyD;wBAChG,IAAI;wBACJ,IAAI,EAAE,EAAE;wBACR,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;wBACxB,GAAG,EAAE,aAAa,IAAI,0DAA0D;wBAChF,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;qBAC5E,CAAC,CAAC;gBACL,CAAC;gBAED,wCAAwC;gBACxC,qBAAqB,CAAC,SAAS,GAAG,CAAC,CAAC;gBACpC,OAAO,CAAC,CAAC,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAC3D,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACrB,IAAI,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC;wBAAE,SAAS;oBACxC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBAClB,MAAM,GAAG,GAAG,GAAG,EAAE,IAAI,IAAI,EAAE,CAAC;oBAC5B,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,SAAS;oBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAElB,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;oBACnE,GAAG,CAAC,UAAU,CAAC;wBACb,EAAE,EAAE,8BAA8B,IAAI,IAAI,EAAE,MAAM;wBAClD,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;wBAClB,GAAG,EAAE,UAAU;wBACf,QAAQ,EAAE,KAAK;wBACf,KAAK,EAAE,MAAM;wBACb,OAAO,EACL,iCAAiC,IAAI,iEAAiE;wBACxG,IAAI;wBACJ,IAAI,EAAE,EAAE;wBACR,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;wBACxB,GAAG,EAAE,aAAa,IAAI,0BAA0B;wBAChD,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;qBAC5E,CAAC,CAAC;gBACL,CAAC;gBAED,oBAAoB;gBACpB,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC3B,OAAO,CAAC,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAClD,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACrB,IAAI,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC;wBAAE,SAAS;oBACxC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;oBAC5C,MAAM,GAAG,GAAG,GAAG,EAAE,IAAI,IAAI,EAAE,CAAC;oBAC5B,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,SAAS;oBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAElB,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;oBACnE,GAAG,CAAC,UAAU,CAAC;wBACb,EAAE,EAAE,8BAA8B,IAAI,IAAI,EAAE,OAAO;wBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;wBAClB,GAAG,EAAE,UAAU;wBACf,QAAQ,EAAE,KAAK;wBACf,KAAK,EAAE,MAAM;wBACb,OAAO,EACL,iCAAiC,IAAI,yDAAyD;wBAChG,IAAI;wBACJ,IAAI,EAAE,EAAE;wBACR,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;wBACxB,GAAG,EAAE,aAAa,IAAI,0BAA0B;wBAChD,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;qBAC5E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,CAAC;IACxB,CAAC;CACF"}

package/dist/analysis/passes/resource-leak-pass.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Pass #21: resource-leak (CWE-772, category: reliability)
+ *
+ * Detects I/O resources (streams, connections, sockets) that are opened but
+ * not closed on all exit paths. Unclosed resources exhaust file descriptors
+ * or connection pools and cause subtle failures under load.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls: known constructors (FileInputStream, etc.)
+ *      or factory methods (open, createReadStream, etc.).
+ *   2. Get the variable bound to the resource from DFG defs at the open line.
+ *   3. Within the enclosing method, look for a close()/dispose() call whose
+ *      receiver matches the resource variable.
+ *   4a. No close call found → definite leak (high, error).
+ *   4b. Close found but no `finally` keyword in the method after the open
+ *       → potential leak (medium, warning): an exception skips the close.
+ *
+ * Note: Java try-with-resources generates no explicit close() in the source;
+ * the pass treats the absence of both an explicit close AND a finally as a
+ * definite leak.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface ResourceLeakResult {
+    /** Resources that may not be properly closed. */
+    leaks: Array<{
+        line: number;
+        resource: string;
+        variable: string;
+        kind: 'definite' | 'potential';
+    }>;
+}
+export declare class ResourceLeakPass implements AnalysisPass<ResourceLeakResult> {
+    readonly name = "resource-leak";
+    readonly category: "reliability";
+    run(ctx: PassContext): ResourceLeakResult;
+    /** True if a `finally` keyword appears in the method body after the open line. */
+    private hasFinallyBlock;
+    /**
+     * True if a try-with-resources or Python `with` statement wraps the resource,
+     * indicating implicit close. Detects `try (` or `with open(` patterns.
+     */
+    private hasTryWithResources;
+}