circle-ir 3.9.10 → 3.11.0

package/dist/browser/circle-ir.js

@@ -10257,9 +10257,9 @@ var PYTHON_TAINTED_PATTERNS = [
   { pattern: /\brequest\.query_params\b/, sourceType: "http_param" },
   { pattern: /\brequest\.path_params\b/, sourceType: "http_param" }
 ];
-function analyzeTaint(calls, types, config = getDefaultConfig()) {
+function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy) {
   const sources = findSources(calls, types, config.sources);
-  const sinks = findSinks(calls, config.sinks);
+  const sinks = findSinks(calls, config.sinks, typeHierarchy);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
 }
@@ -10465,11 +10465,11 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
-function findSinks(calls, patterns) {
+function findSinks(calls, patterns, typeHierarchy) {
   const sinkMap = /* @__PURE__ */ new Map();
   for (const call of calls) {
     for (const pattern of patterns) {
-      if (matchesSinkPattern(call, pattern)) {
+      if (matchesSinkPattern(call, pattern, typeHierarchy)) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
@@ -10561,7 +10561,7 @@ function isJavaScriptTaintedArgument(argExpression, sourcePatterns) {
   }
   return { isTainted: false, sourceType: null };
 }
-function matchesSinkPattern(call, pattern) {
+function matchesSinkPattern(call, pattern, typeHierarchy) {
   const callMethodName = call.method_name;
   const patternMethod = pattern.method;
   let methodMatches = callMethodName === patternMethod;
@@ -10577,6 +10577,9 @@ function matchesSinkPattern(call, pattern) {
       return true;
     }
     if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+      if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
+        return true;
+      }
       return false;
     }
     if (!call.receiver) {
@@ -11279,6 +11282,633 @@ var CodeGraph = class {
   }
 };
 
+// src/resolution/type-hierarchy.ts
+var TypeHierarchyResolver = class {
+  // All known types by FQN
+  types = /* @__PURE__ */ new Map();
+  // Simple name to FQN mapping (for resolution)
+  nameToFqn = /* @__PURE__ */ new Map();
+  // Subtype relationships: parent FQN -> child FQNs
+  subtypes = /* @__PURE__ */ new Map();
+  // Implementation relationships: interface FQN -> implementing class FQNs
+  implementations = /* @__PURE__ */ new Map();
+  /**
+   * Add types from a CircleIR analysis result
+   */
+  addFromIR(ir, filePath) {
+    for (const type of ir.types) {
+      this.addType(type, filePath, ir.meta.package || null);
+    }
+  }
+  /**
+   * Add a single type to the hierarchy
+   */
+  addType(type, filePath, defaultPackage = null) {
+    const pkg = type.package || defaultPackage || "";
+    const fqn = pkg ? `${pkg}.${type.name}` : type.name;
+    const node = {
+      name: type.name,
+      fqn,
+      kind: type.kind,
+      extends: type.extends,
+      implements: type.implements,
+      extendsInterfaces: type.kind === "interface" ? type.implements : [],
+      file: filePath,
+      line: type.start_line
+    };
+    this.types.set(fqn, node);
+    if (!this.nameToFqn.has(type.name)) {
+      this.nameToFqn.set(type.name, /* @__PURE__ */ new Set());
+    }
+    this.nameToFqn.get(type.name).add(fqn);
+    if (type.kind === "class" || type.kind === "enum") {
+      if (type.extends) {
+        const parentFqn = this.resolveTypeName(type.extends, pkg);
+        if (!this.subtypes.has(parentFqn)) {
+          this.subtypes.set(parentFqn, /* @__PURE__ */ new Set());
+        }
+        this.subtypes.get(parentFqn).add(fqn);
+      }
+      for (const iface of type.implements) {
+        const ifaceFqn = this.resolveTypeName(iface, pkg);
+        if (!this.implementations.has(ifaceFqn)) {
+          this.implementations.set(ifaceFqn, /* @__PURE__ */ new Set());
+        }
+        this.implementations.get(ifaceFqn).add(fqn);
+      }
+    } else if (type.kind === "interface") {
+      for (const parentIface of type.implements) {
+        const parentFqn = this.resolveTypeName(parentIface, pkg);
+        if (!this.subtypes.has(parentFqn)) {
+          this.subtypes.set(parentFqn, /* @__PURE__ */ new Set());
+        }
+        this.subtypes.get(parentFqn).add(fqn);
+      }
+    }
+  }
+  /**
+   * Get all direct subtypes of a class
+   */
+  getDirectSubtypes(className) {
+    const fqn = this.resolveFqn(className);
+    return Array.from(this.subtypes.get(fqn) || []);
+  }
+  /**
+   * Get all subtypes (transitive) of a class
+   */
+  getAllSubtypes(className) {
+    const fqn = this.resolveFqn(className);
+    const result = /* @__PURE__ */ new Set();
+    const queue = [fqn];
+    while (queue.length > 0) {
+      const current = queue.shift();
+      const children = this.subtypes.get(current);
+      if (children) {
+        for (const child of children) {
+          if (!result.has(child)) {
+            result.add(child);
+            queue.push(child);
+          }
+        }
+      }
+    }
+    return Array.from(result);
+  }
+  /**
+   * Get all direct implementations of an interface
+   */
+  getDirectImplementations(interfaceName) {
+    const fqn = this.resolveFqn(interfaceName);
+    return Array.from(this.implementations.get(fqn) || []);
+  }
+  /**
+   * Get all implementations (including through subinterfaces) of an interface
+   */
+  getAllImplementations(interfaceName) {
+    const fqn = this.resolveFqn(interfaceName);
+    const result = /* @__PURE__ */ new Set();
+    const visited = /* @__PURE__ */ new Set();
+    const queue = [fqn];
+    while (queue.length > 0) {
+      const current = queue.shift();
+      if (visited.has(current)) continue;
+      visited.add(current);
+      const impls = this.implementations.get(current);
+      if (impls) {
+        for (const impl of impls) {
+          result.add(impl);
+          const subtypes = this.getAllSubtypes(impl);
+          for (const subtype of subtypes) {
+            result.add(subtype);
+          }
+        }
+      }
+      const subInterfaces = this.subtypes.get(current);
+      if (subInterfaces) {
+        for (const sub of subInterfaces) {
+          queue.push(sub);
+        }
+      }
+    }
+    return Array.from(result);
+  }
+  /**
+   * Check if a type is a subtype of another (including transitive)
+   */
+  isSubtypeOf(childName, parentName) {
+    const childFqn = this.resolveFqn(childName);
+    const parentFqn = this.resolveFqn(parentName);
+    if (childFqn === parentFqn) return true;
+    const allSubtypes = this.getAllSubtypes(parentFqn);
+    if (allSubtypes.includes(childFqn)) return true;
+    const allImpls = this.getAllImplementations(parentFqn);
+    if (allImpls.includes(childFqn)) return true;
+    return false;
+  }
+  /**
+   * Check if a type implements an interface (directly or through inheritance)
+   * Also handles interface-extends-interface relationships
+   */
+  implementsInterface(typeName, interfaceName) {
+    const typeFqn = this.resolveFqn(typeName);
+    const ifaceFqn = this.resolveFqn(interfaceName);
+    const allImpls = this.getAllImplementations(ifaceFqn);
+    if (allImpls.includes(typeFqn)) return true;
+    const allSubtypes = this.getAllSubtypes(ifaceFqn);
+    if (allSubtypes.includes(typeFqn)) return true;
+    return false;
+  }
+  /**
+   * Get type info by name
+   */
+  getType(name2) {
+    const fqn = this.resolveFqn(name2);
+    return this.types.get(fqn);
+  }
+  /**
+   * Get all types matching a simple name
+   */
+  getTypesByName(simpleName) {
+    const fqns = this.nameToFqn.get(simpleName);
+    if (!fqns) return [];
+    return Array.from(fqns).map((fqn) => this.types.get(fqn)).filter((t) => t !== void 0);
+  }
+  /**
+   * Get the file where a type is defined
+   */
+  getTypeFile(name2) {
+    const type = this.getType(name2);
+    return type?.file;
+  }
+  /**
+   * Check if a receiver type could match a target class
+   * Handles: exact match, subtype, implementation, simple name match
+   */
+  couldBeType(receiverType, targetClass) {
+    if (receiverType === targetClass) return true;
+    const receiverSimple = this.getSimpleName(receiverType);
+    const targetSimple = this.getSimpleName(targetClass);
+    if (receiverSimple === targetSimple) return true;
+    if (this.isSubtypeOf(receiverType, targetClass)) return true;
+    const allSubtypes = this.getAllSubtypes(targetClass);
+    const allImpls = this.getAllImplementations(targetClass);
+    for (const sub of [...allSubtypes, ...allImpls]) {
+      const subSimple = this.getSimpleName(sub);
+      if (subSimple === receiverSimple) return true;
+    }
+    return false;
+  }
+  /**
+   * Export hierarchy data in the CircleIR format
+   */
+  toTypeHierarchyData() {
+    const classes = {};
+    const interfaces = {};
+    for (const [fqn, node] of this.types) {
+      if (node.kind === "class" || node.kind === "enum") {
+        classes[fqn] = {
+          file: node.file,
+          extends: node.extends ? this.resolveTypeName(node.extends, this.getPackage(fqn)) : null,
+          implements: node.implements.map((i2) => this.resolveTypeName(i2, this.getPackage(fqn))),
+          subclasses: this.getDirectSubtypes(fqn)
+        };
+      } else if (node.kind === "interface") {
+        interfaces[fqn] = {
+          file: node.file,
+          extends: node.extendsInterfaces.map((i2) => this.resolveTypeName(i2, this.getPackage(fqn))),
+          implementations: this.getDirectImplementations(fqn)
+        };
+      }
+    }
+    return { classes, interfaces };
+  }
+  /**
+   * Get statistics about the hierarchy
+   */
+  getStats() {
+    let classes = 0, interfaces = 0, enums = 0;
+    for (const node of this.types.values()) {
+      if (node.kind === "class") classes++;
+      else if (node.kind === "interface") interfaces++;
+      else if (node.kind === "enum") enums++;
+    }
+    return { totalTypes: this.types.size, classes, interfaces, enums };
+  }
+  /**
+   * Get all types in the hierarchy
+   */
+  getAllTypes() {
+    return Array.from(this.types.values());
+  }
+  /**
+   * Clear all data
+   */
+  clear() {
+    this.types.clear();
+    this.nameToFqn.clear();
+    this.subtypes.clear();
+    this.implementations.clear();
+  }
+  // --- Private helpers ---
+  /**
+   * Resolve a type name to its FQN
+   */
+  resolveTypeName(name2, currentPackage) {
+    if (name2.includes(".")) return name2;
+    const fqns = this.nameToFqn.get(name2);
+    if (fqns && fqns.size === 1) {
+      return Array.from(fqns)[0];
+    }
+    return currentPackage ? `${currentPackage}.${name2}` : name2;
+  }
+  /**
+   * Resolve a name (simple or FQN) to its FQN
+   */
+  resolveFqn(name2) {
+    if (this.types.has(name2)) return name2;
+    const fqns = this.nameToFqn.get(name2);
+    if (fqns && fqns.size > 0) {
+      return Array.from(fqns)[0];
+    }
+    return name2;
+  }
+  /**
+   * Get simple name from FQN
+   */
+  getSimpleName(name2) {
+    const lastDot = name2.lastIndexOf(".");
+    return lastDot === -1 ? name2 : name2.substring(lastDot + 1);
+  }
+  /**
+   * Get package from FQN
+   */
+  getPackage(fqn) {
+    const lastDot = fqn.lastIndexOf(".");
+    return lastDot === -1 ? "" : fqn.substring(0, lastDot);
+  }
+};
+function createWithJdkTypes() {
+  const resolver = new TypeHierarchyResolver();
+  const jdbcTypes = [
+    {
+      name: "Statement",
+      kind: "interface",
+      package: "java.sql",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "PreparedStatement",
+      kind: "interface",
+      package: "java.sql",
+      extends: null,
+      implements: ["Statement"],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "CallableStatement",
+      kind: "interface",
+      package: "java.sql",
+      extends: null,
+      implements: ["PreparedStatement"],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    }
+  ];
+  const ioTypes = [
+    {
+      name: "InputStream",
+      kind: "class",
+      package: "java.io",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "FileInputStream",
+      kind: "class",
+      package: "java.io",
+      extends: "InputStream",
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "OutputStream",
+      kind: "class",
+      package: "java.io",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "FileOutputStream",
+      kind: "class",
+      package: "java.io",
+      extends: "OutputStream",
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "Writer",
+      kind: "class",
+      package: "java.io",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "PrintWriter",
+      kind: "class",
+      package: "java.io",
+      extends: "Writer",
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    }
+  ];
+  const servletTypes = [
+    {
+      name: "ServletRequest",
+      kind: "interface",
+      package: "javax.servlet",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "HttpServletRequest",
+      kind: "interface",
+      package: "javax.servlet.http",
+      extends: null,
+      implements: ["javax.servlet.ServletRequest"],
+      // FQN for cross-package reference
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "ServletResponse",
+      kind: "interface",
+      package: "javax.servlet",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "HttpServletResponse",
+      kind: "interface",
+      package: "javax.servlet.http",
+      extends: null,
+      implements: ["javax.servlet.ServletResponse"],
+      // FQN for cross-package reference
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    }
+  ];
+  for (const type of [...jdbcTypes, ...ioTypes, ...servletTypes]) {
+    resolver.addType(type, "jdk", type.package);
+  }
+  return resolver;
+}
+
+// src/graph/dominator-graph.ts
+function computeRPO(cfg, entryId) {
+  const outgoing = /* @__PURE__ */ new Map();
+  for (const edge of cfg.edges) {
+    const list = outgoing.get(edge.from) ?? [];
+    list.push(edge.to);
+    outgoing.set(edge.from, list);
+  }
+  const visited = /* @__PURE__ */ new Set();
+  const postOrder = [];
+  const stack = [{ id: entryId, childIndex: 0 }];
+  visited.add(entryId);
+  while (stack.length > 0) {
+    const top = stack[stack.length - 1];
+    const children = outgoing.get(top.id) ?? [];
+    let pushed = false;
+    while (top.childIndex < children.length) {
+      const child = children[top.childIndex++];
+      if (!visited.has(child)) {
+        visited.add(child);
+        stack.push({ id: child, childIndex: 0 });
+        pushed = true;
+        break;
+      }
+    }
+    if (!pushed) {
+      postOrder.push(top.id);
+      stack.pop();
+    }
+  }
+  const rpoOrder = postOrder.reverse();
+  const rpoIndex = /* @__PURE__ */ new Map();
+  for (let i2 = 0; i2 < rpoOrder.length; i2++) {
+    rpoIndex.set(rpoOrder[i2], i2);
+  }
+  return { rpoOrder, rpoIndex };
+}
+function intersect(b1, b2, idom, rpoIndex) {
+  let finger1 = b1;
+  let finger2 = b2;
+  while (finger1 !== finger2) {
+    while ((rpoIndex.get(finger1) ?? Number.MAX_SAFE_INTEGER) > (rpoIndex.get(finger2) ?? Number.MAX_SAFE_INTEGER)) {
+      const parent = idom.get(finger1);
+      if (parent === void 0 || parent === finger1) break;
+      finger1 = parent;
+    }
+    while ((rpoIndex.get(finger2) ?? Number.MAX_SAFE_INTEGER) > (rpoIndex.get(finger1) ?? Number.MAX_SAFE_INTEGER)) {
+      const parent = idom.get(finger2);
+      if (parent === void 0 || parent === finger2) break;
+      finger2 = parent;
+    }
+    if (finger1 === finger2) break;
+    const rpo1 = rpoIndex.get(finger1) ?? Number.MAX_SAFE_INTEGER;
+    const rpo2 = rpoIndex.get(finger2) ?? Number.MAX_SAFE_INTEGER;
+    if (rpo1 === rpo2 && finger1 !== finger2) break;
+  }
+  return finger1;
+}
+function computeIdom(cfg, rpoOrder, rpoIndex, entryId) {
+  const incoming = /* @__PURE__ */ new Map();
+  for (const edge of cfg.edges) {
+    const list = incoming.get(edge.to) ?? [];
+    list.push(edge.from);
+    incoming.set(edge.to, list);
+  }
+  const idom = /* @__PURE__ */ new Map();
+  idom.set(entryId, entryId);
+  let changed = true;
+  while (changed) {
+    changed = false;
+    for (let i2 = 1; i2 < rpoOrder.length; i2++) {
+      const b = rpoOrder[i2];
+      const preds = incoming.get(b) ?? [];
+      let newIdom;
+      for (const p of preds) {
+        if (idom.has(p)) {
+          newIdom = p;
+          break;
+        }
+      }
+      if (newIdom === void 0) continue;
+      for (const p of preds) {
+        if (p === newIdom) continue;
+        if (idom.has(p)) {
+          newIdom = intersect(p, newIdom, idom, rpoIndex);
+        }
+      }
+      if (idom.get(b) !== newIdom) {
+        idom.set(b, newIdom);
+        changed = true;
+      }
+    }
+  }
+  return idom;
+}
+var DominatorGraph = class {
+  idom;
+  rpoIndex;
+  entryId;
+  /** Cached reverse map: blockId → all blockIds it strictly dominates. */
+  _dominated = null;
+  constructor(cfg, entryId) {
+    if (cfg.blocks.length === 0) {
+      this.entryId = entryId ?? 0;
+      this.idom = /* @__PURE__ */ new Map();
+      this.rpoIndex = /* @__PURE__ */ new Map();
+      return;
+    }
+    this.entryId = entryId ?? cfg.blocks.find((b) => b.type === "entry")?.id ?? cfg.blocks.reduce((a, b) => a.id < b.id ? a : b).id;
+    const { rpoOrder, rpoIndex } = computeRPO(cfg, this.entryId);
+    this.rpoIndex = rpoIndex;
+    this.idom = computeIdom(cfg, rpoOrder, rpoIndex, this.entryId);
+    this.idom.delete(this.entryId);
+  }
+  /**
+   * Returns true if block `a` dominates block `b`.
+   * A block dominates itself (reflexive).
+   */
+  dominates(a, b) {
+    if (a === b) return true;
+    return this.strictlyDominates(a, b);
+  }
+  /**
+   * Returns true if block `a` strictly dominates block `b` (a ≠ b and a dom b).
+   */
+  strictlyDominates(a, b) {
+    if (a === b) return false;
+    const visited = /* @__PURE__ */ new Set();
+    let cur = this.idom.get(b);
+    while (cur !== void 0 && !visited.has(cur)) {
+      if (cur === a) return true;
+      visited.add(cur);
+      cur = this.idom.get(cur);
+    }
+    return false;
+  }
+  /**
+   * Returns the immediate dominator of `blockId`, or null for the entry block
+   * (or any block not in the dominator tree).
+   */
+  immediateDominator(blockId) {
+    return this.idom.get(blockId) ?? null;
+  }
+  /**
+   * Returns all block IDs strictly dominated by `blockId`.
+   * (Computed lazily and cached on first call.)
+   */
+  dominated(blockId) {
+    if (!this._dominated) {
+      this._dominated = /* @__PURE__ */ new Map();
+      for (const [child, parent] of this.idom.entries()) {
+        const ancestors = [];
+        const seen = /* @__PURE__ */ new Set();
+        let cur = parent;
+        while (cur !== void 0 && !seen.has(cur)) {
+          seen.add(cur);
+          ancestors.push(cur);
+          cur = this.idom.get(cur);
+        }
+        for (const anc of ancestors) {
+          const list = this._dominated.get(anc) ?? [];
+          list.push(child);
+          this._dominated.set(anc, list);
+        }
+      }
+    }
+    return this._dominated.get(blockId) ?? [];
+  }
+};
+
 // src/graph/exception-flow-graph.ts
 var ExceptionFlowGraph = class {
   /** All try/catch pairs found in the CFG. */
@@ -16899,7 +17529,9 @@ var TaintMatcherPass = class {
         };
       }
     }
-    const taint = analyzeTaint(calls, types, mergedConfig);
+    const hierarchy = createWithJdkTypes();
+    hierarchy.addFromIR(graph.ir, graph.ir.meta.file);
+    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy);
     const sanitizerMethods = [];
     for (const type of types) {
       for (const method of type.methods) {
@@ -17424,6 +18056,73 @@ var SinkFilterPass = class {
     return { sources, sinks: filtered, sanitizers };
   }
 };
+function evalArithmetic(input) {
+  let pos = 0;
+  function peek() {
+    return input[pos] ?? "";
+  }
+  function consume() {
+    return input[pos++] ?? "";
+  }
+  function skipWs() {
+    while (pos < input.length && input[pos] === " ") pos++;
+  }
+  function parseNumber() {
+    skipWs();
+    let s = "";
+    if (peek() === "-") {
+      s += consume();
+    }
+    while (pos < input.length && /[\d.]/.test(input[pos])) s += consume();
+    if (s === "" || s === "-") return null;
+    const n = parseFloat(s);
+    return isFinite(n) ? n : null;
+  }
+  function parseFactor() {
+    skipWs();
+    if (peek() === "(") {
+      consume();
+      const val = parseExpr();
+      skipWs();
+      if (peek() === ")") consume();
+      return val;
+    }
+    return parseNumber();
+  }
+  function parseTerm() {
+    let left = parseFactor();
+    if (left === null) return null;
+    while (true) {
+      skipWs();
+      const op = peek();
+      if (op !== "*" && op !== "/") break;
+      consume();
+      const right = parseFactor();
+      if (right === null) return null;
+      left = op === "*" ? left * right : right === 0 ? null : left / right;
+      if (left === null) return null;
+    }
+    return left;
+  }
+  function parseExpr() {
+    let left = parseTerm();
+    if (left === null) return null;
+    while (true) {
+      skipWs();
+      const op = peek();
+      if (op !== "+" && op !== "-") break;
+      consume();
+      const right = parseTerm();
+      if (right === null) return null;
+      left = op === "+" ? left + right : left - right;
+    }
+    return left;
+  }
+  if (!/^[\d\s+\-*/().]+$/.test(input)) return null;
+  const result = parseExpr();
+  skipWs();
+  return pos === input.length ? result : null;
+}
 function evaluateSimpleExpression(expr, symbols) {
   let evaluated = expr;
   for (const [name2, val] of symbols) {
@@ -17432,13 +18131,8 @@ function evaluateSimpleExpression(expr, symbols) {
       evaluated = evaluated.replace(regex, String(val.value));
     }
   }
-  try {
-    if (/^[\d\s+\-*/().]+$/.test(evaluated)) {
-      const result = Function('"use strict"; return (' + evaluated + ")")();
-      if (typeof result === "number" && !isNaN(result)) return String(Math.floor(result));
-    }
-  } catch {
-  }
+  const result = evalArithmetic(evaluated);
+  if (result !== null && !isNaN(result)) return String(Math.floor(result));
   return expr;
 }
 function isStringLiteralExpression(expr) {
@@ -17606,8 +18300,8 @@ var TaintPropagationPass = class {
     for (const f of collectionFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line)) continue;
       const flowForCheck = {
-        source: { line: f.source_line, type: f.source_type },
-        sink: { line: f.sink_line, type: f.sink_type },
+        source: { line: f.source_line },
+        sink: { line: f.sink_line },
         path: f.path.map((p) => ({ variable: p.variable, line: p.line }))
       };
       if (isCorrelatedPredicateFP(constProp, flowForCheck)) continue;
@@ -20182,6 +20876,325 @@ var UseAfterClosePass = class {
   }
 };
 
+// src/analysis/passes/missing-guard-dom-pass.ts
+var AUTH_METHODS = /* @__PURE__ */ new Set([
+  "authenticate",
+  "isAuthenticated",
+  "isAuthorized",
+  "isAdmin",
+  "checkAuth",
+  "hasPermission",
+  "requiresAuth",
+  "verifyToken",
+  "validateToken",
+  "checkRole",
+  "authorize",
+  "isLoggedIn"
+]);
+var SENSITIVE_METHODS = /* @__PURE__ */ new Set([
+  "delete",
+  "deleteById",
+  "drop",
+  "truncate",
+  "executeUpdate",
+  "createUser",
+  "createAdmin",
+  "modifyPermission",
+  "grantRole",
+  "setAdmin",
+  "elevatePrivilege"
+]);
+var MissingGuardDomPass = class {
+  name = "missing-guard-dom";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") return { findings: 0 };
+    const { cfg, calls } = graph.ir;
+    if (cfg.blocks.length === 0 || cfg.edges.length === 0) return { findings: 0 };
+    const dom = new DominatorGraph(cfg);
+    const file = graph.ir.meta.file;
+    const authCallLines = [];
+    const sensitiveOps = [];
+    for (const call of calls) {
+      if (AUTH_METHODS.has(call.method_name)) {
+        authCallLines.push(call.location.line);
+      }
+      if (SENSITIVE_METHODS.has(call.method_name)) {
+        sensitiveOps.push({ line: call.location.line, method: call.method_name });
+      }
+    }
+    if (sensitiveOps.length === 0) return { findings: 0 };
+    const blockContainingLine = (line) => cfg.blocks.find((b) => b.start_line <= line && line <= b.end_line) ?? null;
+    const reportedMethods = /* @__PURE__ */ new Set();
+    let count = 0;
+    for (const op of sensitiveOps) {
+      const opBlock = blockContainingLine(op.line);
+      if (!opBlock) continue;
+      const methodInfo = graph.methodAtLine(op.line);
+      if (!methodInfo) continue;
+      const methodKey = `${methodInfo.type.name}::${methodInfo.method.name}`;
+      if (reportedMethods.has(methodKey)) continue;
+      const { start_line, end_line } = methodInfo.method;
+      const authInMethod = authCallLines.filter((l) => l >= start_line && l <= end_line);
+      const dominated = authInMethod.some((authLine) => {
+        const authBlock = blockContainingLine(authLine);
+        return authBlock !== null && dom.dominates(authBlock.id, opBlock.id);
+      });
+      if (!dominated) {
+        reportedMethods.add(methodKey);
+        count++;
+        ctx.addFinding({
+          id: `missing-guard-dom-${file}-${op.line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "missing-guard-dom",
+          cwe: "CWE-285",
+          severity: "high",
+          level: "error",
+          message: `Sensitive operation \`${op.method}()\` at line ${op.line} is not dominated by an authentication check`,
+          file,
+          line: op.line,
+          fix: `Add authentication/authorization check on all paths leading to line ${op.line}`,
+          evidence: { method: op.method }
+        });
+      }
+    }
+    return { findings: count };
+  }
+};
+
+// src/analysis/passes/cleanup-verify-pass.ts
+var RESOURCE_CTORS4 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS4 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS4 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+function buildPostDomGraph(cfg) {
+  const exitBlock = cfg.blocks.find((b) => b.type === "exit") ?? cfg.blocks.find((b) => !cfg.edges.some((e) => e.from === b.id));
+  if (!exitBlock || cfg.blocks.length === 0) {
+    return new DominatorGraph({ blocks: [], edges: [] });
+  }
+  const reversed = {
+    blocks: cfg.blocks,
+    edges: cfg.edges.map((e) => ({ from: e.to, to: e.from, type: e.type }))
+  };
+  return new DominatorGraph(reversed, exitBlock.id);
+}
+var CleanupVerifyPass = class {
+  name = "cleanup-verify";
+  category = "reliability";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language === "rust" || language === "bash") return { findings: 0 };
+    const { cfg, calls } = graph.ir;
+    const file = graph.ir.meta.file;
+    if (cfg.blocks.length === 0) return { findings: 0 };
+    const postDom = buildPostDomGraph(cfg);
+    const blockContainingLine = (line) => cfg.blocks.find((b) => b.start_line <= line && line <= b.end_line) ?? null;
+    let count = 0;
+    for (const call of calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS4.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS4.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const methodEnd = methodInfo.method.end_line;
+      const closeCall = calls.find(
+        (c) => CLOSE_METHODS4.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      );
+      if (!closeCall) continue;
+      const openBlock = blockContainingLine(openLine);
+      const closeBlock = blockContainingLine(closeCall.location.line);
+      if (!openBlock || !closeBlock) continue;
+      if (postDom.dominates(closeBlock.id, openBlock.id)) continue;
+      count++;
+      ctx.addFinding({
+        id: `cleanup-verify-${file}-${openLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: "cleanup-verify",
+        cwe: "CWE-772",
+        severity: "medium",
+        level: "warning",
+        message: `Resource \`${resourceVar}\` opened at line ${openLine} may not close on all paths \u2014 close() at line ${closeCall.location.line} does not post-dominate the acquisition`,
+        file,
+        line: openLine,
+        fix: "Use try-with-resources (Java) or a finally block to guarantee cleanup on all paths",
+        evidence: {
+          resource: name2,
+          variable: resourceVar,
+          close_line: closeCall.location.line
+        }
+      });
+    }
+    return { findings: count };
+  }
+};
+
+// src/analysis/passes/missing-override-pass.ts
+var MissingOverridePass = class {
+  name = "missing-override";
+  category = "maintainability";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") return { findings: 0 };
+    const { types } = graph.ir;
+    const file = graph.ir.meta.file;
+    if (types.length === 0) return { findings: 0 };
+    const methodsByClass = /* @__PURE__ */ new Map();
+    for (const type of types) {
+      methodsByClass.set(type.name, new Set(type.methods.map((m) => m.name)));
+    }
+    const parentMap = /* @__PURE__ */ new Map();
+    for (const type of types) {
+      if (type.extends) {
+        const parent = type.extends.replace(/<[^>]*>/g, "").trim();
+        parentMap.set(type.name, parent);
+      }
+    }
+    if (parentMap.size === 0) return { findings: 0 };
+    const getAncestorMethods = (className) => {
+      const methods = /* @__PURE__ */ new Set();
+      const visited = /* @__PURE__ */ new Set();
+      let current = parentMap.get(className);
+      let hops = 0;
+      while (current && !visited.has(current) && hops < 10) {
+        visited.add(current);
+        const parentMethods = methodsByClass.get(current);
+        if (parentMethods) {
+          for (const m of parentMethods) methods.add(m);
+        }
+        current = parentMap.get(current);
+        hops++;
+      }
+      return methods;
+    };
+    const dedup = /* @__PURE__ */ new Set();
+    let count = 0;
+    for (const type of types) {
+      if (!parentMap.has(type.name)) continue;
+      const ancestorMethods = getAncestorMethods(type.name);
+      if (ancestorMethods.size === 0) continue;
+      for (const method of type.methods) {
+        if (method.name === type.name) continue;
+        if (method.modifiers.includes("private")) continue;
+        if (method.modifiers.includes("static")) continue;
+        if (method.modifiers.includes("abstract")) continue;
+        if (!ancestorMethods.has(method.name)) continue;
+        if (method.annotations.includes("Override")) continue;
+        const key = `${type.name}:${method.name}`;
+        if (dedup.has(key)) continue;
+        dedup.add(key);
+        count++;
+        ctx.addFinding({
+          id: `missing-override-${file}-${method.start_line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "missing-override",
+          severity: "low",
+          level: "warning",
+          message: `Method \`${method.name}()\` in \`${type.name}\` overrides a parent method but lacks @Override`,
+          file,
+          line: method.start_line,
+          fix: "Add @Override to make the intent explicit and catch signature mismatches at compile time",
+          evidence: { className: type.name, methodName: method.name }
+        });
+      }
+    }
+    return { findings: count };
+  }
+};
+
+// src/analysis/passes/unused-interface-method-pass.ts
+var UnusedInterfaceMethodPass = class {
+  name = "unused-interface-method";
+  category = "maintainability";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java" && language !== "typescript") return { findings: 0 };
+    const { types, calls } = graph.ir;
+    const file = graph.ir.meta.file;
+    const calledMethods = new Set(calls.map((c) => c.method_name));
+    const dedup = /* @__PURE__ */ new Set();
+    let count = 0;
+    for (const type of types) {
+      if (type.kind !== "interface") continue;
+      for (const method of type.methods) {
+        if (calledMethods.has(method.name)) continue;
+        const key = `${type.name}:${method.name}`;
+        if (dedup.has(key)) continue;
+        dedup.add(key);
+        count++;
+        ctx.addFinding({
+          id: `unused-interface-method-${file}-${method.start_line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "unused-interface-method",
+          severity: "low",
+          level: "note",
+          message: `Interface method \`${method.name}()\` in \`${type.name}\` is never called in this file`,
+          file,
+          line: method.start_line,
+          fix: "Remove this method or verify it is used from other files; unused interface methods inflate the public API",
+          evidence: { interfaceName: type.name, methodName: method.name }
+        });
+      }
+    }
+    return { findings: count };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -20981,7 +21994,7 @@ async function analyze(code, filePath, language, options = {}) {
     enriched: {}
   });
   const config = options.taintConfig ?? getDefaultConfig();
-  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).add(new SwallowedExceptionPass()).add(new BroadCatchPass()).add(new UnhandledExceptionPass()).add(new DoubleClosePass()).add(new UseAfterClosePass()).run(graph, code, language, config);
+  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).add(new SwallowedExceptionPass()).add(new BroadCatchPass()).add(new UnhandledExceptionPass()).add(new DoubleClosePass()).add(new UseAfterClosePass()).add(new MissingGuardDomPass()).add(new CleanupVerifyPass()).add(new MissingOverridePass()).add(new UnusedInterfaceMethodPass()).run(graph, code, language, config);
   const sinkFilter = results.get("sink-filter");
   const interProc = results.get("interprocedural");
   const taint = {