circle-ir 3.8.4 → 3.9.8

package/dist/analysis/passes/resource-leak-pass.js

@@ -0,0 +1,156 @@
+/**
+ * Pass #21: resource-leak (CWE-772, category: reliability)
+ *
+ * Detects I/O resources (streams, connections, sockets) that are opened but
+ * not closed on all exit paths. Unclosed resources exhaust file descriptors
+ * or connection pools and cause subtle failures under load.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls: known constructors (FileInputStream, etc.)
+ *      or factory methods (open, createReadStream, etc.).
+ *   2. Get the variable bound to the resource from DFG defs at the open line.
+ *   3. Within the enclosing method, look for a close()/dispose() call whose
+ *      receiver matches the resource variable.
+ *   4a. No close call found → definite leak (high, error).
+ *   4b. Close found but no `finally` keyword in the method after the open
+ *       → potential leak (medium, warning): an exception skips the close.
+ *
+ * Note: Java try-with-resources generates no explicit close() in the source;
+ * the pass treats the absence of both an explicit close AND a finally as a
+ * definite leak.
+ */
+/** Constructors that produce closeable resources. */
+const RESOURCE_CTORS = new Set([
+    // Java IO
+    'FileInputStream', 'FileOutputStream', 'FileReader', 'FileWriter',
+    'BufferedReader', 'BufferedWriter', 'PrintWriter', 'InputStreamReader',
+    'OutputStreamWriter', 'RandomAccessFile', 'DataInputStream', 'DataOutputStream',
+    'ObjectInputStream', 'ObjectOutputStream', 'ZipInputStream', 'ZipOutputStream',
+    'JarInputStream', 'JarOutputStream', 'GZIPInputStream', 'GZIPOutputStream',
+    // Java NIO
+    'FileChannel',
+    // Java Net
+    'Socket', 'ServerSocket', 'DatagramSocket',
+]);
+/** Factory / open methods that return closeable resources. */
+const RESOURCE_FACTORY_METHODS = new Set([
+    // Java NIO/IO
+    'openConnection', 'openStream', 'newInputStream', 'newOutputStream',
+    'newBufferedReader', 'newBufferedWriter', 'newByteChannel',
+    // Python built-in
+    'open',
+    // Node.js streams
+    'createReadStream', 'createWriteStream', 'createConnection',
+]);
+/** Methods that properly release a resource. */
+const CLOSE_METHODS = new Set([
+    'close', 'dispose', 'shutdown', 'disconnect', 'release', 'destroy', 'free',
+    'shutdownNow', 'terminate',
+]);
+export class ResourceLeakPass {
+    name = 'resource-leak';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code } = ctx;
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const leaks = [];
+        for (const call of graph.ir.calls) {
+            const name = call.method_name;
+            const isConstructor = call.is_constructor === true && RESOURCE_CTORS.has(name);
+            const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS.has(name);
+            if (!isConstructor && !isFactory)
+                continue;
+            const openLine = call.location.line;
+            // Resource must be captured in a variable to be trackable
+            const defs = graph.defsAtLine(openLine);
+            if (defs.length === 0)
+                continue;
+            const resourceVar = defs[0].variable;
+            // Limit search to the enclosing method
+            const methodInfo = graph.methodAtLine(openLine);
+            if (!methodInfo)
+                continue;
+            const methodEnd = methodInfo.method.end_line;
+            // Look for a close() call on this resource within the method
+            const closeCall = graph.ir.calls.find(c => CLOSE_METHODS.has(c.method_name) &&
+                c.receiver === resourceVar &&
+                c.location.line > openLine &&
+                c.location.line <= methodEnd);
+            const snippet = (codeLines[openLine - 1] ?? '').trim();
+            if (!closeCall) {
+                // Also accept try-with-resources or with-statement as implicit close
+                if (this.hasTryWithResources(codeLines, openLine, methodEnd))
+                    continue;
+                // Definite leak: resource is never explicitly released
+                leaks.push({ line: openLine, resource: name, variable: resourceVar, kind: 'definite' });
+                ctx.addFinding({
+                    id: `resource-leak-${file}-${openLine}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-772',
+                    severity: 'high',
+                    level: 'error',
+                    message: `Resource leak: \`${name}\` assigned to '${resourceVar}' at line ${openLine} ` +
+                        `is never closed — file descriptors or connections may be exhausted`,
+                    file,
+                    line: openLine,
+                    snippet,
+                    fix: `Use try-with-resources (Java 7+): \`try (${name} ${resourceVar} = ...) { ... }\`, ` +
+                        `or call \`${resourceVar}.close()\` in a finally block`,
+                    evidence: { resource: name, variable: resourceVar },
+                });
+                continue;
+            }
+            // Close found — check if it is protected by a finally block
+            if (this.hasFinallyBlock(codeLines, openLine, methodEnd))
+                continue;
+            // Potential leak: close() exists but may be skipped on exception
+            leaks.push({ line: openLine, resource: name, variable: resourceVar, kind: 'potential' });
+            ctx.addFinding({
+                id: `resource-leak-${file}-${openLine}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-772',
+                severity: 'medium',
+                level: 'warning',
+                message: `Potential resource leak: \`${name}\` ('${resourceVar}') is closed at ` +
+                    `line ${closeCall.location.line} but not inside a finally block — ` +
+                    `an exception could skip the close`,
+                file,
+                line: openLine,
+                snippet,
+                fix: `Move \`${resourceVar}.close()\` into a finally block, or use try-with-resources`,
+                evidence: {
+                    resource: name,
+                    variable: resourceVar,
+                    close_line: closeCall.location.line,
+                },
+            });
+        }
+        return { leaks };
+    }
+    /** True if a `finally` keyword appears in the method body after the open line. */
+    hasFinallyBlock(lines, fromLine, toLine) {
+        for (let l = fromLine; l <= toLine && l <= lines.length; l++) {
+            if (/\bfinally\b/.test(lines[l - 1] ?? ''))
+                return true;
+        }
+        return false;
+    }
+    /**
+     * True if a try-with-resources or Python `with` statement wraps the resource,
+     * indicating implicit close. Detects `try (` or `with open(` patterns.
+     */
+    hasTryWithResources(lines, fromLine, toLine) {
+        for (let l = fromLine; l <= toLine && l <= lines.length; l++) {
+            const text = lines[l - 1] ?? '';
+            if (/\btry\s*\(/.test(text) || /\bwith\b.*\bopen\b/.test(text))
+                return true;
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=resource-leak-pass.js.map

package/dist/analysis/passes/resource-leak-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-leak-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/resource-leak-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH,qDAAqD;AACrD,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,UAAU;IACV,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY;IACjE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB;IACtE,oBAAoB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB;IAC/E,mBAAmB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,iBAAiB;IAC9E,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,kBAAkB;IAC1E,WAAW;IACX,aAAa;IACb,WAAW;IACX,QAAQ,EAAE,cAAc,EAAE,gBAAgB;CAC3C,CAAC,CAAC;AAEH,8DAA8D;AAC9D,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC;IAC5D,cAAc;IACd,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,iBAAiB;IACnE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB;IAC1D,kBAAkB;IAClB,MAAM;IACN,kBAAkB;IAClB,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB;CAC5D,CAAC,CAAC;AAEH,gDAAgD;AAChD,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;IAC1E,aAAa,EAAE,WAAW;CAC3B,CAAC,CAAC;AAYH,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,eAAe,CAAC;IACvB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEnC,MAAM,KAAK,GAAgC,EAAE,CAAC;QAE9C,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;YAE9B,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,KAAK,IAAI,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,SAAS;YAE3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAEpC,0DAA0D;YAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChC,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAErC,uCAAuC;YACvC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAC1B,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC;YAE7C,6DAA6D;YAC7D,MAAM,SAAS,GAAG,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,CACF,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC;gBAChC,CAAC,CAAC,QAAQ,KAAK,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,SAAS,CAC/B,CAAC;YAEF,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAEvD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,qEAAqE;gBACrE,IAAI,IAAI,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC;oBAAE,SAAS;gBAEvE,uDAAuD;gBACvD,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;gBACxF,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,iBAAiB,IAAI,IAAI,QAAQ,EAAE;oBACvC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,oBAAoB,IAAI,mBAAmB,WAAW,aAAa,QAAQ,GAAG;wBAC9E,oEAAoE;oBACtE,IAAI;oBACJ,IAAI,EAAE,QAAQ;oBACd,OAAO;oBACP,GAAG,EACD,4CAA4C,IAAI,IAAI,WAAW,qBAAqB;wBACpF,aAAa,WAAW,+BAA+B;oBACzD,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE;iBACpD,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,4DAA4D;YAC5D,IAAI,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC;gBAAE,SAAS;YAEnE,iEAAiE;YACjE,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;YACzF,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,iBAAiB,IAAI,IAAI,QAAQ,EAAE;gBACvC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,8BAA8B,IAAI,QAAQ,WAAW,kBAAkB;oBACvE,QAAQ,SAAS,CAAC,QAAQ,CAAC,IAAI,oCAAoC;oBACnE,mCAAmC;gBACrC,IAAI;gBACJ,IAAI,EAAE,QAAQ;gBACd,OAAO;gBACP,GAAG,EAAE,UAAU,WAAW,4DAA4D;gBACtF,QAAQ,EAAE;oBACR,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,WAAW;oBACrB,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,IAAI;iBACpC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,CAAC;IACnB,CAAC;IAED,kFAAkF;IAC1E,eAAe,CAAC,KAAe,EAAE,QAAgB,EAAE,MAAc;QACvE,KAAK,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC,IAAI,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7D,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC1D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;OAGG;IACK,mBAAmB,CAAC,KAAe,EAAE,QAAgB,EAAE,MAAc;QAC3E,KAAK,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC,IAAI,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7D,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAChC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC9E,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/analysis/passes/serial-await-pass.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Pass #32: serial-await (category: performance)
+ *
+ * Detects sequential `await` expressions in JavaScript/TypeScript where the
+ * two awaited operations have no data dependency — they could be parallelised
+ * with `Promise.all()`.
+ *
+ * Detection strategy:
+ *   1. Per function (group lines by enclosing method via `graph.methodAtLine()`),
+ *      scan lines in order for `await` patterns.
+ *   2. For consecutive pairs `(line1, line2)`:
+ *      a. Find the DFG def created at `line1` (if any) — this is the result
+ *         variable bound to the first await.
+ *      b. Check whether that variable name appears verbatim in the source
+ *         line at `line2`.
+ *      c. Also check whether any def on `line2` appears in `line1`'s source.
+ *      d. If neither direction has a textual dependency: the two awaits are
+ *         independent.
+ *   3. If a function has ≥ 2 independent consecutive awaits: emit one finding
+ *      per function at the first independent pair's line.
+ *
+ * Languages: JavaScript and TypeScript only.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface SerialAwaitResult {
+    serialAwaits: Array<{
+        functionLine: number;
+        firstAwaitLine: number;
+        secondAwaitLine: number;
+    }>;
+}
+export declare class SerialAwaitPass implements AnalysisPass<SerialAwaitResult> {
+    readonly name = "serial-await";
+    readonly category: "performance";
+    run(ctx: PassContext): SerialAwaitResult;
+}

package/dist/analysis/passes/serial-await-pass.js

@@ -0,0 +1,132 @@
+/**
+ * Pass #32: serial-await (category: performance)
+ *
+ * Detects sequential `await` expressions in JavaScript/TypeScript where the
+ * two awaited operations have no data dependency — they could be parallelised
+ * with `Promise.all()`.
+ *
+ * Detection strategy:
+ *   1. Per function (group lines by enclosing method via `graph.methodAtLine()`),
+ *      scan lines in order for `await` patterns.
+ *   2. For consecutive pairs `(line1, line2)`:
+ *      a. Find the DFG def created at `line1` (if any) — this is the result
+ *         variable bound to the first await.
+ *      b. Check whether that variable name appears verbatim in the source
+ *         line at `line2`.
+ *      c. Also check whether any def on `line2` appears in `line1`'s source.
+ *      d. If neither direction has a textual dependency: the two awaits are
+ *         independent.
+ *   3. If a function has ≥ 2 independent consecutive awaits: emit one finding
+ *      per function at the first independent pair's line.
+ *
+ * Languages: JavaScript and TypeScript only.
+ */
+/** Matches:  const/let/var? varName = await  or  bare  await  */
+const AWAIT_ASSIGN_RE = /(?:const|let|var)?\s*(\w+)\s*=\s*await\s/;
+const AWAIT_RE = /\bawait\s/;
+export class SerialAwaitPass {
+    name = 'serial-await';
+    category = 'performance';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language !== 'javascript' && language !== 'typescript') {
+            return { serialAwaits: [] };
+        }
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const totalLines = codeLines.length;
+        const serialAwaits = [];
+        const reportedFunctions = new Set();
+        // Collect all await lines
+        const awaitLines = [];
+        for (let i = 0; i < totalLines; i++) {
+            const lineText = codeLines[i];
+            if (!AWAIT_RE.test(lineText))
+                continue;
+            const m = AWAIT_ASSIGN_RE.exec(lineText);
+            const boundVar = m ? m[1] : null;
+            awaitLines.push({ line: i + 1, boundVar });
+        }
+        if (awaitLines.length < 2)
+            return { serialAwaits: [] };
+        // Check consecutive pairs
+        for (let i = 0; i + 1 < awaitLines.length; i++) {
+            const a1 = awaitLines[i];
+            const a2 = awaitLines[i + 1];
+            // Must be in the same function
+            const method1 = graph.methodAtLine(a1.line);
+            const method2 = graph.methodAtLine(a2.line);
+            const methodKey1 = method1
+                ? `${method1.type.name}.${method1.method.name}.${method1.method.start_line}`
+                : `top.${a1.line}`;
+            const methodKey2 = method2
+                ? `${method2.type.name}.${method2.method.name}.${method2.method.start_line}`
+                : `top.${a2.line}`;
+            if (methodKey1 !== methodKey2)
+                continue;
+            // Skip if lines are not consecutive (allow up to 3 lines apart for formatting)
+            if (a2.line - a1.line > 4)
+                continue;
+            // Check dependency: does line2 reference the variable bound by line1?
+            const line2Text = codeLines[a2.line - 1] ?? '';
+            const line1Text = codeLines[a1.line - 1] ?? '';
+            let dependent = false;
+            // Forward dependency: var from line1 used in line2
+            if (a1.boundVar && new RegExp(`\\b${a1.boundVar}\\b`).test(line2Text)) {
+                dependent = true;
+            }
+            // Reverse dependency: var from line2's def used in line1 (rare but possible)
+            if (!dependent && a2.boundVar && new RegExp(`\\b${a2.boundVar}\\b`).test(line1Text)) {
+                dependent = true;
+            }
+            // DFG-level check: any def at line2 whose variable appears in defs of line1 args
+            if (!dependent) {
+                const defs1 = graph.defsAtLine(a1.line);
+                const defs2 = graph.defsAtLine(a2.line);
+                for (const d1 of defs1) {
+                    for (const d2 of defs2) {
+                        if (d1.variable === d2.variable) {
+                            dependent = true;
+                            break;
+                        }
+                    }
+                    if (dependent)
+                        break;
+                }
+            }
+            if (dependent)
+                continue;
+            // Skip if already reported for this function
+            if (reportedFunctions.has(methodKey1))
+                continue;
+            reportedFunctions.add(methodKey1);
+            const funcLine = method1?.method.start_line ?? a1.line;
+            serialAwaits.push({ functionLine: funcLine, firstAwaitLine: a1.line, secondAwaitLine: a2.line });
+            // Extract readable names from the await expressions
+            const expr1 = line1Text.trim().replace(/^(?:const|let|var)\s+/, '');
+            const expr2 = line2Text.trim().replace(/^(?:const|let|var)\s+/, '');
+            ctx.addFinding({
+                id: `serial-await-${file}-${a1.line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: undefined,
+                severity: 'low',
+                level: 'note',
+                message: `Serial awaits: \`${expr1}\` (line ${a1.line}) and \`${expr2}\` (line ${a2.line}) ` +
+                    `have no data dependency; consider using Promise.all()`,
+                file,
+                line: a1.line,
+                end_line: a2.line,
+                fix: `const [result1, result2] = await Promise.all([operation1, operation2]);`,
+                evidence: {
+                    first_await_line: a1.line,
+                    second_await_line: a2.line,
+                    function_line: funcLine,
+                },
+            });
+        }
+        return { serialAwaits };
+    }
+}
+//# sourceMappingURL=serial-await-pass.js.map

package/dist/analysis/passes/serial-await-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serial-await-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/serial-await-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,iEAAiE;AACjE,MAAM,eAAe,GAAG,0CAA0C,CAAC;AACnE,MAAM,QAAQ,GAAG,WAAW,CAAC;AAM7B,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAC9B,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC;QAEpC,MAAM,YAAY,GAAsC,EAAE,CAAC;QAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;QAE5C,0BAA0B;QAC1B,MAAM,UAAU,GAAqD,EAAE,CAAC;QACxE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YACvC,MAAM,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzC,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACjC,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAEvD,0BAA0B;QAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC/C,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAE7B,+BAA+B;YAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC5C,MAAM,OAAO,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAE5C,MAAM,UAAU,GAAG,OAAO;gBACxB,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE;gBAC5E,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;YACrB,MAAM,UAAU,GAAG,OAAO;gBACxB,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE;gBAC5E,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;YAErB,IAAI,UAAU,KAAK,UAAU;gBAAE,SAAS;YAExC,+EAA+E;YAC/E,IAAI,EAAE,CAAC,IAAI,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC;gBAAE,SAAS;YAEpC,sEAAsE;YACtE,MAAM,SAAS,GAAG,SAAS,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAC/C,MAAM,SAAS,GAAG,SAAS,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAE/C,IAAI,SAAS,GAAG,KAAK,CAAC;YAEtB,mDAAmD;YACnD,IAAI,EAAE,CAAC,QAAQ,IAAI,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBACtE,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;YAED,6EAA6E;YAC7E,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC,QAAQ,IAAI,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBACpF,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;YAED,iFAAiF;YACjF,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;gBACxC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;gBACxC,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;oBACvB,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;wBACvB,IAAI,EAAE,CAAC,QAAQ,KAAK,EAAE,CAAC,QAAQ,EAAE,CAAC;4BAAC,SAAS,GAAG,IAAI,CAAC;4BAAC,MAAM;wBAAC,CAAC;oBAC/D,CAAC;oBACD,IAAI,SAAS;wBAAE,MAAM;gBACvB,CAAC;YACH,CAAC;YAED,IAAI,SAAS;gBAAE,SAAS;YAExB,6CAA6C;YAC7C,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC;gBAAE,SAAS;YAChD,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAElC,MAAM,QAAQ,GAAG,OAAO,EAAE,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,IAAI,CAAC;YACvD,YAAY,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,CAAC,IAAI,EAAE,eAAe,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YAEjG,oDAAoD;YACpD,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;YACpE,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;YAEpE,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,gBAAgB,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE;gBACrC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,MAAM;gBACb,OAAO,EACL,oBAAoB,KAAK,YAAY,EAAE,CAAC,IAAI,WAAW,KAAK,YAAY,EAAE,CAAC,IAAI,IAAI;oBACnF,uDAAuD;gBACzD,IAAI;gBACJ,IAAI,EAAE,EAAE,CAAC,IAAI;gBACb,QAAQ,EAAE,EAAE,CAAC,IAAI;gBACjB,GAAG,EAAE,yEAAyE;gBAC9E,QAAQ,EAAE;oBACR,gBAAgB,EAAE,EAAE,CAAC,IAAI;oBACzB,iBAAiB,EAAE,EAAE,CAAC,IAAI;oBAC1B,aAAa,EAAE,QAAQ;iBACxB;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;CACF"}

package/dist/analysis/passes/sink-filter-pass.d.ts

@@ -0,0 +1,39 @@
+/**
+ * SinkFilterPass
+ *
+ * Applies the four-stage sink filtering pipeline to eliminate false positives,
+ * followed by language-specific XPath/XSS suppression.
+ *
+ * Filter stages (applied in order):
+ *   1. Dead code — remove sinks on unreachable lines
+ *   2. Clean array elements — strong updates via constant propagation
+ *   3. Clean variables — arguments proven non-tainted by constant propagation
+ *   4. Sanitized sinks — sinks wrapped by a recognised sanitizer call
+ *   5. Python XPath FP reduction
+ *   6. JavaScript XSS FP reduction
+ *
+ * Depends on: taint-matcher, constant-propagation, language-sources
+ */
+import type { TaintSource, TaintSink, TaintSanitizer } from '../../types/index.js';
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface SinkFilterResult {
+    /** Merged sources: taint-matcher + language-sources. */
+    sources: TaintSource[];
+    /** Filtered sinks. */
+    sinks: TaintSink[];
+    sanitizers: TaintSanitizer[];
+}
+export declare class SinkFilterPass implements AnalysisPass<SinkFilterResult> {
+    readonly name = "sink-filter";
+    readonly category: "security";
+    run(ctx: PassContext): SinkFilterResult;
+}
+import type { CircleIR } from '../../types/index.js';
+type Symbols = Map<string, {
+    value: string | number | boolean | null;
+    type: string;
+    sourceLine: number;
+}>;
+export declare function filterCleanVariableSinks(sinks: CircleIR['taint']['sinks'], calls: CircleIR['calls'], taintedVars: Set<string>, symbols: Symbols, dfg?: CircleIR['dfg'], sanitizedVars?: Set<string>, synchronizedLines?: Set<number>): CircleIR['taint']['sinks'];
+export declare function filterSanitizedSinks(sinks: CircleIR['taint']['sinks'], sanitizers: CircleIR['taint']['sanitizers'], calls: CircleIR['calls']): CircleIR['taint']['sinks'];
+export {};

package/dist/analysis/passes/sink-filter-pass.js

@@ -0,0 +1,231 @@
+/**
+ * SinkFilterPass
+ *
+ * Applies the four-stage sink filtering pipeline to eliminate false positives,
+ * followed by language-specific XPath/XSS suppression.
+ *
+ * Filter stages (applied in order):
+ *   1. Dead code — remove sinks on unreachable lines
+ *   2. Clean array elements — strong updates via constant propagation
+ *   3. Clean variables — arguments proven non-tainted by constant propagation
+ *   4. Sanitized sinks — sinks wrapped by a recognised sanitizer call
+ *   5. Python XPath FP reduction
+ *   6. JavaScript XSS FP reduction
+ *
+ * Depends on: taint-matcher, constant-propagation, language-sources
+ */
+import { JS_TAINTED_PATTERNS } from './language-sources-pass.js';
+export class SinkFilterPass {
+    name = 'sink-filter';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const { calls, dfg } = graph.ir;
+        const taintMatcher = ctx.getResult('taint-matcher');
+        const constProp = ctx.getResult('constant-propagation');
+        const langSources = ctx.getResult('language-sources');
+        // Merge sources and sinks from both upstream passes.
+        const sources = [...taintMatcher.sources, ...langSources.additionalSources];
+        // Build merged sinks, deduplicating JS DOM sinks that may overlap with config sinks.
+        const sinks = [...taintMatcher.sinks];
+        for (const s of langSources.additionalSinks) {
+            if (!sinks.some(x => x.line === s.line && x.cwe === s.cwe && x.type === s.type)) {
+                sinks.push(s);
+            }
+        }
+        const sanitizers = taintMatcher.sanitizers;
+        // Stage 1 — dead code
+        let filtered = sinks.filter(sink => !constProp.unreachableLines.has(sink.line));
+        // Stage 2 — clean array elements
+        filtered = filterCleanArraySinks(filtered, calls, constProp.taintedArrayElements, constProp.symbols);
+        // Stage 3 — clean variables
+        filtered = filterCleanVariableSinks(filtered, calls, constProp.tainted, constProp.symbols, dfg, constProp.sanitizedVars, constProp.synchronizedLines);
+        // Stage 4 — sanitized sinks
+        filtered = filterSanitizedSinks(filtered, sanitizers, calls);
+        // Stage 5 — Python XPath FP reduction
+        if (language === 'python') {
+            const { pyTaintedVars, pySanitizedVars } = langSources;
+            const sourceLines = ctx.code.split('\n');
+            filtered = filtered.filter(sink => {
+                if (sink.type !== 'xpath_injection')
+                    return true;
+                const sinkLineText = sourceLines[sink.line - 1] ?? '';
+                const taintedVarOnLine = [...pyTaintedVars.keys()].find(v => new RegExp(`\\b${v}\\b`).test(sinkLineText));
+                if (!taintedVarOnLine)
+                    return false;
+                if (pySanitizedVars.has(taintedVarOnLine))
+                    return false;
+                if (new RegExp(`\\.xpath\\s*\\([^)]*\\b\\w+\\s*=\\s*\\b${taintedVarOnLine}\\b`).test(sinkLineText))
+                    return false;
+                return true;
+            });
+        }
+        // Stage 6 — JavaScript XSS FP reduction
+        if (['javascript', 'typescript'].includes(language)) {
+            const { jsTaintedVars } = langSources;
+            if (jsTaintedVars.size > 0) {
+                const sourceLines = ctx.code.split('\n');
+                filtered = filtered.filter(sink => {
+                    if (sink.type !== 'xss')
+                        return true;
+                    const sinkLineText = sourceLines[sink.line - 1] ?? '';
+                    if ([...jsTaintedVars.keys()].some(v => new RegExp(`\\b${v}\\b`).test(sinkLineText)))
+                        return true;
+                    if (JS_TAINTED_PATTERNS.some(p => p.pattern.test(sinkLineText)))
+                        return true;
+                    return false;
+                });
+            }
+        }
+        return { sources, sinks: filtered, sanitizers };
+    }
+}
+function evaluateSimpleExpression(expr, symbols) {
+    let evaluated = expr;
+    for (const [name, val] of symbols) {
+        if (val.type === 'int' || val.type === 'float') {
+            const regex = new RegExp(`\\b${name}\\b`, 'g');
+            evaluated = evaluated.replace(regex, String(val.value));
+        }
+    }
+    try {
+        if (/^[\d\s+\-*/().]+$/.test(evaluated)) {
+            const result = Function('"use strict"; return (' + evaluated + ')')();
+            if (typeof result === 'number' && !isNaN(result))
+                return String(Math.floor(result));
+        }
+    }
+    catch { /* evaluation failed */ }
+    return expr;
+}
+function isStringLiteralExpression(expr) {
+    const trimmed = expr.trim();
+    return (trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+        (trimmed.startsWith("'") && trimmed.endsWith("'"));
+}
+function filterCleanArraySinks(sinks, calls, taintedArrayElements, symbols) {
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    return sinks.filter(sink => {
+        const callsAtSink = callsByLine.get(sink.line) ?? [];
+        for (const call of callsAtSink) {
+            for (const arg of call.arguments) {
+                const arrayAccessMatch = arg.expression?.match(/^(\w+)\[(\d+|[^[\]]+)\]$/);
+                if (arrayAccessMatch) {
+                    const arrayName = arrayAccessMatch[1];
+                    let indexStr = arrayAccessMatch[2];
+                    indexStr = evaluateSimpleExpression(indexStr, symbols);
+                    const taintedIndices = taintedArrayElements.get(arrayName);
+                    if (taintedIndices !== undefined) {
+                        const isTainted = taintedIndices.has(indexStr) || taintedIndices.has('*');
+                        if (!isTainted)
+                            return false;
+                    }
+                }
+            }
+        }
+        return true;
+    });
+}
+export function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanitizedVars, synchronizedLines) {
+    const fieldNames = new Set();
+    if (dfg) {
+        for (const def of dfg.defs) {
+            if (def.kind === 'field')
+                fieldNames.add(def.variable);
+        }
+    }
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    return sinks.filter(sink => {
+        const callsAtSink = callsByLine.get(sink.line) ?? [];
+        const isInSynchronizedBlock = synchronizedLines?.has(sink.line) ?? false;
+        for (const call of callsAtSink) {
+            let allArgsAreClean = true;
+            const methodName = call.in_method;
+            for (const arg of call.arguments) {
+                if (arg.variable && !arg.expression?.includes('[')) {
+                    const varName = arg.variable;
+                    const scopedName = methodName ? `${methodName}:${varName}` : varName;
+                    if (fieldNames.has(varName) && !isInSynchronizedBlock) {
+                        allArgsAreClean = false;
+                        continue;
+                    }
+                    if (sanitizedVars?.has(scopedName) || sanitizedVars?.has(varName))
+                        continue;
+                    if (taintedVars.has(scopedName) || taintedVars.has(varName)) {
+                        allArgsAreClean = false;
+                        continue;
+                    }
+                    const symbolValue = symbols.get(scopedName) ?? symbols.get(varName);
+                    if (symbolValue && symbolValue.type !== 'unknown')
+                        continue;
+                    allArgsAreClean = false;
+                }
+                else {
+                    if (arg.literal != null)
+                        continue;
+                    if (arg.expression && !arg.variable && isStringLiteralExpression(arg.expression))
+                        continue;
+                    allArgsAreClean = false;
+                }
+            }
+            if (allArgsAreClean && call.arguments.length > 0)
+                return false;
+        }
+        return true;
+    });
+}
+export function filterSanitizedSinks(sinks, sanitizers, calls) {
+    if (!sanitizers || sanitizers.length === 0)
+        return sinks;
+    const sanitizersByLine = new Map();
+    for (const san of sanitizers) {
+        const existing = sanitizersByLine.get(san.line) ?? [];
+        existing.push(san);
+        sanitizersByLine.set(san.line, existing);
+    }
+    const callsByLine = new Map();
+    for (const call of calls) {
+        const existing = callsByLine.get(call.location.line) ?? [];
+        existing.push(call);
+        callsByLine.set(call.location.line, existing);
+    }
+    return sinks.filter(sink => {
+        const lineSanitizers = sanitizersByLine.get(sink.line);
+        if (!lineSanitizers || lineSanitizers.length === 0)
+            return true;
+        for (const san of lineSanitizers) {
+            if (san.sanitizes.includes(sink.type)) {
+                const lineCalls = callsByLine.get(sink.line) ?? [];
+                for (const call of lineCalls) {
+                    for (const arg of call.arguments) {
+                        const expr = arg.expression || '';
+                        const sanMethodMatch = san.method.match(/(?:(\w+)\.)?(\w+)\(\)/);
+                        if (sanMethodMatch) {
+                            const sanMethodName = sanMethodMatch[2];
+                            const sanClassName = sanMethodMatch[1];
+                            if (sanClassName) {
+                                if (expr.includes(`${sanClassName}.${sanMethodName}(`))
+                                    return false;
+                            }
+                            else if (expr.includes(`${sanMethodName}(`)) {
+                                return false;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return true;
+    });
+}
+//# sourceMappingURL=sink-filter-pass.js.map

package/dist/analysis/passes/sink-filter-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-filter-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/sink-filter-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAOH,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAUjE,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAEhC,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAqB,eAAe,CAAC,CAAC;QACxE,MAAM,SAAS,GAAM,GAAG,CAAC,SAAS,CAA2B,sBAAsB,CAAC,CAAC;QACrF,MAAM,WAAW,GAAI,GAAG,CAAC,SAAS,CAAwB,kBAAkB,CAAC,CAAC;QAE9E,qDAAqD;QACrD,MAAM,OAAO,GAAkB,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAE3F,qFAAqF;QACrF,MAAM,KAAK,GAAgB,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;YAC5C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QACD,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC;QAE3C,sBAAsB;QACtB,IAAI,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEhF,iCAAiC;QACjC,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,oBAAoB,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;QAErG,4BAA4B;QAC5B,QAAQ,GAAG,wBAAwB,CACjC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,EACrD,GAAG,EAAE,SAAS,CAAC,aAAa,EAAE,SAAS,CAAC,iBAAiB,CAC1D,CAAC;QAEF,4BAA4B;QAC5B,QAAQ,GAAG,oBAAoB,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QAE7D,sCAAsC;QACtC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,WAAW,CAAC;YACvD,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;gBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;oBAAE,OAAO,IAAI,CAAC;gBACjD,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtD,MAAM,gBAAgB,GAAG,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC1D,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAC5C,CAAC;gBACF,IAAI,CAAC,gBAAgB;oBAAE,OAAO,KAAK,CAAC;gBACpC,IAAI,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACxD,IAAI,IAAI,MAAM,CAAC,0CAA0C,gBAAgB,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACjH,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,MAAM,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC;YACtC,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACzC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;oBAChC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;wBAAE,OAAO,IAAI,CAAC;oBACrC,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;oBACtD,IAAI,CAAC,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAClG,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBAAE,OAAO,IAAI,CAAC;oBAC7E,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IAClD,CAAC;CACF;AAUD,SAAS,wBAAwB,CAAC,IAAY,EAAE,OAAgB;IAC9D,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,OAAO,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,KAAK,EAAE,GAAG,CAAC,CAAC;YAC/C,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACH,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,MAAM,MAAM,GAAG,QAAQ,CAAC,wBAAwB,GAAG,SAAS,GAAG,GAAG,CAAC,EAAE,CAAC;YACtE,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,uBAAuB,CAAC,CAAC;IACnC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAiC,EACjC,KAAwB,EACxB,oBAA8C,EAC9C,OAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,MAAM,gBAAgB,GAAG,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC3E,IAAI,gBAAgB,EAAE,CAAC;oBACrB,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACtC,IAAI,QAAQ,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBACnC,QAAQ,GAAG,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBACvD,MAAM,cAAc,GAAG,oBAAoB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBAC3D,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;wBACjC,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;wBAC1E,IAAI,CAAC,SAAS;4BAAE,OAAO,KAAK,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,KAAiC,EACjC,KAAwB,EACxB,WAAwB,EACxB,OAAgB,EAChB,GAAqB,EACrB,aAA2B,EAC3B,iBAA+B;IAE/B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,qBAAqB,GAAG,iBAAiB,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC;QAEzE,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,eAAe,GAAG,IAAI,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;YAElC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACnD,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC;oBAC7B,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;oBAErE,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAC7F,IAAI,aAAa,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC;wBAAE,SAAS;oBAC5E,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;wBAAC,eAAe,GAAG,KAAK,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAEnG,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBACpE,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS;wBAAE,SAAS;oBAE5D,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;qBAAM,CAAC;oBACN,IAAI,GAAG,CAAC,OAAO,IAAI,IAAI;wBAAE,SAAS;oBAClC,IAAI,GAAG,CAAC,UAAU,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,yBAAyB,CAAC,GAAG,CAAC,UAAU,CAAC;wBAAE,SAAS;oBAC3F,eAAe,GAAG,KAAK,CAAC;gBAC1B,CAAC;YACH,CAAC;YAED,IAAI,eAAe,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QACjE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAiC,EACjC,UAA2C,EAC3C,KAAwB;IAExB,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzD,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA6B,CAAC;IAC9D,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,cAAc,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEhE,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAoC,CAAC,EAAE,CAAC;gBACtE,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACnD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;wBACjC,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;wBAClC,MAAM,cAAc,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;wBACjE,IAAI,cAAc,EAAE,CAAC;4BACnB,MAAM,aAAa,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,MAAM,YAAY,GAAI,cAAc,CAAC,CAAC,CAAC,CAAC;4BACxC,IAAI,YAAY,EAAE,CAAC;gCACjB,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,YAAY,IAAI,aAAa,GAAG,CAAC;oCAAE,OAAO,KAAK,CAAC;4BACvE,CAAC;iCAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;gCAC9C,OAAO,KAAK,CAAC;4BACf,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/analysis/passes/stale-doc-ref-pass.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Pass #33: stale-doc-ref
+ *
+ * Flags doc comment references ({@link ClassName} and @see ClassName) that
+ * point to symbols not found in the file's type declarations or imports.
+ * Stale doc refs cause confusion and erode documentation trustworthiness.
+ *
+ * Category: maintainability | Severity: low | Level: note | CWE: none
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface StaleDocRefResult {
+    staleRefs: Array<{
+        line: number;
+        ref: string;
+    }>;
+}
+export declare class StaleDocRefPass implements AnalysisPass<StaleDocRefResult> {
+    readonly name = "stale-doc-ref";
+    readonly category: "maintainability";
+    run(ctx: PassContext): StaleDocRefResult;
+}