circle-ir 3.9.7 → 3.9.10

package/dist/analysis/passes/swallowed-exception-pass.js

@@ -0,0 +1,103 @@
+/**
+ * Pass #28: swallowed-exception (CWE-390, category: reliability)
+ *
+ * Detects catch blocks that silently discard exceptions — no re-throw,
+ * no logging call, no error return.  Swallowed exceptions hide failures,
+ * make debugging extremely difficult, and can mask security issues.
+ *
+ * Detection strategy:
+ *   1. Build an ExceptionFlowGraph from the CFG exception edges.
+ *   2. For each catch handler entry block, determine the catch body bounds
+ *      using a brace-depth walk of the source text.
+ *   3. Scan the catch body for any "meaningful action": throw/raise,
+ *      logging API call, or a non-empty return statement.
+ *   4. If nothing is found → emit a finding at the catch line.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python (skip Rust/Bash).
+ */
+import { ExceptionFlowGraph } from '../../graph/exception-flow-graph.js';
+const MEANINGFUL_ACTION_RE = /\b(throw|raise|log|logger|console\.(error|warn|log|debug|info)|System\.(out|err)\.|print(?:ln|f)?|warn|error|debug|info|fatal|LOGGER|LOG|logging\.(warning|error|debug|info|critical))\b|\breturn\s+\S/;
+export class SwallowedExceptionPass {
+    name = 'swallowed-exception';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language === 'rust' || language === 'bash') {
+            return { swallowed: [] };
+        }
+        const { cfg } = graph.ir;
+        if (cfg.blocks.length === 0)
+            return { swallowed: [] };
+        const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+        if (!exGraph.hasTryCatch)
+            return { swallowed: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const swallowed = [];
+        const reported = new Set();
+        for (const pair of exGraph.pairs) {
+            const catchLine = pair.catchBlock.start_line;
+            if (reported.has(catchLine))
+                continue;
+            // Determine catch body end via brace-depth walk
+            const methodInfo = graph.methodAtLine(catchLine);
+            const scanEnd = methodInfo ? methodInfo.method.end_line : codeLines.length;
+            const catchBodyEnd = this.findCatchBodyEnd(codeLines, catchLine, scanEnd);
+            // Scan for any meaningful action
+            let hasAction = false;
+            for (let ln = catchLine; ln <= catchBodyEnd && ln <= codeLines.length; ln++) {
+                if (MEANINGFUL_ACTION_RE.test(codeLines[ln - 1] ?? '')) {
+                    hasAction = true;
+                    break;
+                }
+            }
+            if (!hasAction) {
+                reported.add(catchLine);
+                swallowed.push({ line: catchLine });
+                const snippet = (codeLines[catchLine - 1] ?? '').trim();
+                ctx.addFinding({
+                    id: `swallowed-exception-${file}-${catchLine}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-390',
+                    severity: 'medium',
+                    level: 'warning',
+                    message: `Swallowed exception: catch block at line ${catchLine} has no throw, log, or ` +
+                        `return — the exception is silently discarded`,
+                    file,
+                    line: catchLine,
+                    snippet,
+                    fix: 'At minimum log the exception, or re-throw it; never silently discard exceptions',
+                });
+            }
+        }
+        return { swallowed };
+    }
+    /**
+     * Walks source lines starting at `startLine` counting brace depth.
+     * Returns the line where the brace depth first returns to zero after
+     * the opening brace (i.e., the closing brace of the catch block).
+     * Capped at `maxLine`.
+     */
+    findCatchBodyEnd(lines, startLine, maxLine) {
+        let depth = 0;
+        let started = false;
+        for (let ln = startLine; ln <= maxLine && ln <= lines.length; ln++) {
+            const text = lines[ln - 1] ?? '';
+            for (const ch of text) {
+                if (ch === '{') {
+                    depth++;
+                    started = true;
+                }
+                else if (ch === '}' && started) {
+                    depth--;
+                }
+            }
+            if (started && depth <= 0)
+                return ln;
+        }
+        return maxLine;
+    }
+}
+//# sourceMappingURL=swallowed-exception-pass.js.map

package/dist/analysis/passes/swallowed-exception-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"swallowed-exception-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/swallowed-exception-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAEzE,MAAM,oBAAoB,GACxB,wMAAwM,CAAC;AAM3M,MAAM,OAAO,sBAAsB;IACxB,IAAI,GAAG,qBAAqB,CAAC;IAC7B,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QAEtD,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,CAAC,WAAW;YAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QAEnD,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,SAAS,GAA0C,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAC7C,IAAI,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAEtC,gDAAgD;YAChD,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YACjD,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC;YAC3E,MAAM,YAAY,GAAG,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;YAE1E,iCAAiC;YACjC,IAAI,SAAS,GAAG,KAAK,CAAC;YACtB,KAAK,IAAI,EAAE,GAAG,SAAS,EAAE,EAAE,IAAI,YAAY,IAAI,EAAE,IAAI,SAAS,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;gBAC5E,IAAI,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;oBACvD,SAAS,GAAG,IAAI,CAAC;oBACjB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBACxB,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;gBAEpC,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACxD,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,uBAAuB,IAAI,IAAI,SAAS,EAAE;oBAC9C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,SAAS;oBAChB,OAAO,EACL,4CAA4C,SAAS,yBAAyB;wBAC9E,8CAA8C;oBAChD,IAAI;oBACJ,IAAI,EAAE,SAAS;oBACf,OAAO;oBACP,GAAG,EAAE,iFAAiF;iBACvF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,SAAS,EAAE,CAAC;IACvB,CAAC;IAED;;;;;OAKG;IACK,gBAAgB,CAAC,KAAe,EAAE,SAAiB,EAAE,OAAe;QAC1E,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,KAAK,IAAI,EAAE,GAAG,SAAS,EAAE,EAAE,IAAI,OAAO,IAAI,EAAE,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;YACnE,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACjC,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;gBACtB,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBACf,KAAK,EAAE,CAAC;oBACR,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;qBAAM,IAAI,EAAE,KAAK,GAAG,IAAI,OAAO,EAAE,CAAC;oBACjC,KAAK,EAAE,CAAC;gBACV,CAAC;YACH,CAAC;YACD,IAAI,OAAO,IAAI,KAAK,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC;QACvC,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/analysis/passes/unbounded-collection-pass.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Pass #31: unbounded-collection (CWE-770, category: performance)
+ *
+ * Detects collections that grow unboundedly inside a loop with no
+ * corresponding size limit check or clear/remove operation.
+ *
+ * Detection strategy:
+ *   1. For each loop body (via `graph.loopBodies()`), find all calls in the
+ *      range whose method_name is a known "grow" operation.
+ *   2. For each grow call, extract the receiver as the collection variable.
+ *   3. Check if the loop body also contains any shrink operation (`clear`,
+ *      `remove`, `delete`, `shift`, `pop`, `removeFirst`, `poll`) on the
+ *      same receiver, OR a size-limit guard in the source text
+ *      (`size() <`, `length <`, `size() <=`, etc.).
+ *   4. If grow-only with no limit found: emit a finding.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python, Rust. Bash — skipped.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface UnboundedCollectionResult {
+    unboundedCollections: Array<{
+        receiver: string;
+        line: number;
+        loopStart: number;
+        loopEnd: number;
+    }>;
+}
+export declare class UnboundedCollectionPass implements AnalysisPass<UnboundedCollectionResult> {
+    readonly name = "unbounded-collection";
+    readonly category: "performance";
+    run(ctx: PassContext): UnboundedCollectionResult;
+}

package/dist/analysis/passes/unbounded-collection-pass.js

@@ -0,0 +1,128 @@
+/**
+ * Pass #31: unbounded-collection (CWE-770, category: performance)
+ *
+ * Detects collections that grow unboundedly inside a loop with no
+ * corresponding size limit check or clear/remove operation.
+ *
+ * Detection strategy:
+ *   1. For each loop body (via `graph.loopBodies()`), find all calls in the
+ *      range whose method_name is a known "grow" operation.
+ *   2. For each grow call, extract the receiver as the collection variable.
+ *   3. Check if the loop body also contains any shrink operation (`clear`,
+ *      `remove`, `delete`, `shift`, `pop`, `removeFirst`, `poll`) on the
+ *      same receiver, OR a size-limit guard in the source text
+ *      (`size() <`, `length <`, `size() <=`, etc.).
+ *   4. If grow-only with no limit found: emit a finding.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python, Rust. Bash — skipped.
+ */
+/** Method names that grow a collection, keyed by language group. */
+const GROW_METHODS = {
+    java: new Set(['add', 'put', 'offer', 'push', 'addAll', 'addFirst', 'addLast', 'enqueue', 'insert']),
+    javascript: new Set(['push', 'set', 'add', 'unshift', 'append', 'prepend']),
+    typescript: new Set(['push', 'set', 'add', 'unshift', 'append', 'prepend']),
+    python: new Set(['append', 'extend', 'update', 'add', 'insert']),
+    rust: new Set(['push', 'insert', 'push_back', 'push_front']),
+};
+/** Method names that shrink a collection. Language-agnostic. */
+const SHRINK_METHODS = new Set([
+    'clear', 'remove', 'delete', 'shift', 'pop', 'removeFirst', 'removeLast',
+    'poll', 'pollFirst', 'pollLast', 'dequeue', 'discard', 'drain',
+]);
+/** Regex: size limit guard pattern in source text. */
+const SIZE_LIMIT_RE = /\b(?:size|length|count|len)\s*\(\)?\s*[<>]=?\s*\d|\b(?:MAX|LIMIT|CAPACITY|MAX_SIZE)\b/i;
+export class UnboundedCollectionPass {
+    name = 'unbounded-collection';
+    category = 'performance';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language === 'bash') {
+            return { unboundedCollections: [] };
+        }
+        const growMethods = GROW_METHODS[language] ?? GROW_METHODS['javascript'];
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const loops = graph.loopBodies();
+        if (loops.length === 0)
+            return { unboundedCollections: [] };
+        const unboundedCollections = [];
+        const reported = new Set();
+        for (const loop of loops) {
+            const { start_line, end_line } = loop;
+            // Collect source text for the loop body (for heuristic checks)
+            const loopSource = codeLines.slice(start_line - 1, end_line).join('\n');
+            // Find grow calls in the loop body
+            const growCalls = [];
+            for (const call of graph.ir.calls) {
+                const ln = call.location.line;
+                if (ln < start_line || ln > end_line)
+                    continue;
+                if (!growMethods.has(call.method_name))
+                    continue;
+                if (!call.receiver)
+                    continue;
+                // Skip 'this' receiver — can't reliably bound
+                if (call.receiver === 'this' || call.receiver === 'self')
+                    continue;
+                growCalls.push({ receiver: call.receiver, line: ln });
+            }
+            if (growCalls.length === 0)
+                continue;
+            // Group by receiver
+            const receiverLines = new Map();
+            for (const { receiver, line } of growCalls) {
+                if (!receiverLines.has(receiver)) {
+                    receiverLines.set(receiver, line);
+                }
+            }
+            for (const [receiver, firstGrowLine] of receiverLines.entries()) {
+                // Check for shrink operations on the same receiver in the loop body
+                let hasShrink = false;
+                for (const call of graph.ir.calls) {
+                    const ln = call.location.line;
+                    if (ln < start_line || ln > end_line)
+                        continue;
+                    if (call.receiver !== receiver)
+                        continue;
+                    if (SHRINK_METHODS.has(call.method_name)) {
+                        hasShrink = true;
+                        break;
+                    }
+                }
+                if (hasShrink)
+                    continue;
+                // Check for size-limit guard in loop source
+                if (SIZE_LIMIT_RE.test(loopSource))
+                    continue;
+                const key = `${receiver}-${start_line}`;
+                if (reported.has(key))
+                    continue;
+                reported.add(key);
+                unboundedCollections.push({
+                    receiver,
+                    line: firstGrowLine,
+                    loopStart: start_line,
+                    loopEnd: end_line,
+                });
+                ctx.addFinding({
+                    id: `unbounded-collection-${file}-${firstGrowLine}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-770',
+                    severity: 'medium',
+                    level: 'warning',
+                    message: `Unbounded collection: \`${receiver}\` grows inside a loop (lines ${start_line}–${end_line}) ` +
+                        `with no size limit or clear`,
+                    file,
+                    line: firstGrowLine,
+                    fix: `Add a size limit check (e.g., \`if (${receiver}.size() >= MAX) break;\`) ` +
+                        `or periodically clear/drain \`${receiver}\`.`,
+                    evidence: { receiver, loop_start: start_line, loop_end: end_line },
+                });
+            }
+        }
+        return { unboundedCollections };
+    }
+}
+//# sourceMappingURL=unbounded-collection-pass.js.map

package/dist/analysis/passes/unbounded-collection-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unbounded-collection-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/unbounded-collection-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,oEAAoE;AACpE,MAAM,YAAY,GAAgC;IAChD,IAAI,EAAQ,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC1G,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC3E,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC3E,MAAM,EAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;IACpE,IAAI,EAAQ,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;CACnE,CAAC;AAEF,gEAAgE;AAChE,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,YAAY;IACxE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO;CAC/D,CAAC,CAAC;AAEH,sDAAsD;AACtD,MAAM,aAAa,GACjB,wFAAwF,CAAC;AAM3F,MAAM,OAAO,uBAAuB;IACzB,IAAI,GAAG,sBAAsB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,EAAE,oBAAoB,EAAE,EAAE,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,WAAW,GAAG,YAAY,CAAC,QAAQ,CAAC,IAAI,YAAY,CAAC,YAAY,CAAC,CAAC;QAEzE,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QAEjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,oBAAoB,EAAE,EAAE,EAAE,CAAC;QAE5D,MAAM,oBAAoB,GAAsD,EAAE,CAAC;QACnF,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;YAEtC,+DAA+D;YAC/D,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAExE,mCAAmC;YACnC,MAAM,SAAS,GAA8C,EAAE,CAAC;YAChE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAC9B,IAAI,EAAE,GAAG,UAAU,IAAI,EAAE,GAAG,QAAQ;oBAAE,SAAS;gBAC/C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;oBAAE,SAAS;gBACjD,IAAI,CAAC,IAAI,CAAC,QAAQ;oBAAE,SAAS;gBAC7B,8CAA8C;gBAC9C,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM;oBAAE,SAAS;gBACnE,SAAS,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YACxD,CAAC;YAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAErC,oBAAoB;YACpB,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;YAChD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,CAAC;gBAC3C,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACjC,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;YAED,KAAK,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;gBAChE,oEAAoE;gBACpE,IAAI,SAAS,GAAG,KAAK,CAAC;gBACtB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;oBAClC,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAC9B,IAAI,EAAE,GAAG,UAAU,IAAI,EAAE,GAAG,QAAQ;wBAAE,SAAS;oBAC/C,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ;wBAAE,SAAS;oBACzC,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBACzC,SAAS,GAAG,IAAI,CAAC;wBACjB,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,SAAS;oBAAE,SAAS;gBAExB,4CAA4C;gBAC5C,IAAI,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAE7C,MAAM,GAAG,GAAG,GAAG,QAAQ,IAAI,UAAU,EAAE,CAAC;gBACxC,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAElB,oBAAoB,CAAC,IAAI,CAAC;oBACxB,QAAQ;oBACR,IAAI,EAAE,aAAa;oBACnB,SAAS,EAAE,UAAU;oBACrB,OAAO,EAAE,QAAQ;iBAClB,CAAC,CAAC;gBAEH,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,aAAa,EAAE;oBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,SAAS;oBAChB,OAAO,EACL,2BAA2B,QAAQ,iCAAiC,UAAU,IAAI,QAAQ,IAAI;wBAC9F,6BAA6B;oBAC/B,IAAI;oBACJ,IAAI,EAAE,aAAa;oBACnB,GAAG,EACD,uCAAuC,QAAQ,4BAA4B;wBAC3E,iCAAiC,QAAQ,KAAK;oBAChD,QAAQ,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBACnE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,CAAC;IAClC,CAAC;CACF"}

package/dist/analysis/passes/unhandled-exception-pass.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Pass #30: unhandled-exception (CWE-390, category: reliability)
+ *
+ * Detects explicit throw/raise statements that are not covered by any
+ * try/catch in the same function.  Uncaught exceptions surface as
+ * unhandled-rejection crashes (Node.js) or propagate unexpectedly to
+ * callers who may not anticipate them.
+ *
+ * Detection strategy (conservative, low false-positive):
+ *   1. Build ExceptionFlowGraph.  Derive "covered" line ranges as
+ *      [tryBlock.start_line, catchBlock.start_line − 1] for each pair.
+ *   2. Scan source lines for explicit throw/raise keywords.
+ *   3. Skip if the throw line is already inside a catch block (re-throw).
+ *   4. Skip if the throw line falls within any covered range.
+ *   5. Emit one finding per enclosing method (avoid duplicate findings for
+ *      multiple throws in the same uncovered method).
+ *
+ * Languages: JavaScript, TypeScript, Python only.
+ *   - Java: checked exceptions are intentionally propagated via `throws`;
+ *     too noisy without type hierarchy support.
+ *   - Rust/Bash: no traditional throw/raise; skip.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface UnhandledExceptionResult {
+    unhandled: Array<{
+        line: number;
+        method: string;
+    }>;
+}
+export declare class UnhandledExceptionPass implements AnalysisPass<UnhandledExceptionResult> {
+    readonly name = "unhandled-exception";
+    readonly category: "reliability";
+    run(ctx: PassContext): UnhandledExceptionResult;
+}

package/dist/analysis/passes/unhandled-exception-pass.js

@@ -0,0 +1,123 @@
+/**
+ * Pass #30: unhandled-exception (CWE-390, category: reliability)
+ *
+ * Detects explicit throw/raise statements that are not covered by any
+ * try/catch in the same function.  Uncaught exceptions surface as
+ * unhandled-rejection crashes (Node.js) or propagate unexpectedly to
+ * callers who may not anticipate them.
+ *
+ * Detection strategy (conservative, low false-positive):
+ *   1. Build ExceptionFlowGraph.  Derive "covered" line ranges as
+ *      [tryBlock.start_line, catchBlock.start_line − 1] for each pair.
+ *   2. Scan source lines for explicit throw/raise keywords.
+ *   3. Skip if the throw line is already inside a catch block (re-throw).
+ *   4. Skip if the throw line falls within any covered range.
+ *   5. Emit one finding per enclosing method (avoid duplicate findings for
+ *      multiple throws in the same uncovered method).
+ *
+ * Languages: JavaScript, TypeScript, Python only.
+ *   - Java: checked exceptions are intentionally propagated via `throws`;
+ *     too noisy without type hierarchy support.
+ *   - Rust/Bash: no traditional throw/raise; skip.
+ */
+import { ExceptionFlowGraph } from '../../graph/exception-flow-graph.js';
+const JS_THROW_RE = /^\s*throw\s+/;
+const PYTHON_RAISE_RE = /^\s*raise\b/;
+export class UnhandledExceptionPass {
+    name = 'unhandled-exception';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language !== 'javascript' && language !== 'typescript' && language !== 'python') {
+            return { unhandled: [] };
+        }
+        const { cfg } = graph.ir;
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+        // Build covered ranges: [tryBlock.start_line, catchBlock.start_line - 1]
+        const coveredRanges = [];
+        for (const pair of exGraph.pairs) {
+            if (pair.catchBlock.start_line > pair.tryBlock.start_line) {
+                coveredRanges.push({
+                    start: pair.tryBlock.start_line,
+                    end: pair.catchBlock.start_line - 1,
+                });
+            }
+        }
+        // Collect catch-block start lines (to detect re-throws)
+        const catchStarts = new Set(exGraph.pairs.map(p => p.catchBlock.start_line));
+        const throwRe = language === 'python' ? PYTHON_RAISE_RE : JS_THROW_RE;
+        const unhandled = [];
+        const reportedMethods = new Set();
+        for (let ln = 1; ln <= codeLines.length; ln++) {
+            const lineText = codeLines[ln - 1] ?? '';
+            if (!throwRe.test(lineText))
+                continue;
+            // Skip re-throws inside catch blocks
+            let inCatch = false;
+            for (const cs of catchStarts) {
+                if (ln >= cs) {
+                    inCatch = true;
+                    break;
+                }
+            }
+            // More precise: only skip if ln is actually within a catch body
+            // (not just any line after a catch start). Use method boundary check.
+            // Simplified: if the line is >= any catch start within the same method, skip.
+            // Better heuristic: check if any pair has catchBlock.start_line <= ln
+            // and the throw is inside that catch body (ln <= methodEnd of that catch).
+            // We use a simple check: if the throw line is >= a catch start and
+            // the enclosing method contains the corresponding try, treat as re-throw.
+            inCatch = false;
+            for (const pair of exGraph.pairs) {
+                if (ln >= pair.catchBlock.start_line) {
+                    // Check same method
+                    const mThrow = graph.methodAtLine(ln);
+                    const mCatch = graph.methodAtLine(pair.catchBlock.start_line);
+                    if (mThrow &&
+                        mCatch &&
+                        mThrow.method.start_line === mCatch.method.start_line) {
+                        inCatch = true;
+                        break;
+                    }
+                }
+            }
+            if (inCatch)
+                continue;
+            // Check if covered by a try/catch range
+            const isCovered = coveredRanges.some(r => ln >= r.start && ln <= r.end);
+            if (isCovered)
+                continue;
+            // Deduplicate by enclosing method
+            const methodInfo = graph.methodAtLine(ln);
+            const methodKey = methodInfo
+                ? `${methodInfo.method.start_line}-${methodInfo.method.end_line}`
+                : `global-${ln}`;
+            if (reportedMethods.has(methodKey))
+                continue;
+            reportedMethods.add(methodKey);
+            const methodName = methodInfo?.method.name ?? '<anonymous>';
+            unhandled.push({ line: ln, method: methodName });
+            const snippet = lineText.trim();
+            ctx.addFinding({
+                id: `unhandled-exception-${file}-${ln}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-390',
+                severity: 'medium',
+                level: 'warning',
+                message: `Unhandled exception: \`throw\` at line ${ln} in \`${methodName}\` is not inside ` +
+                    `a try/catch — callers receive an unexpected exception`,
+                file,
+                line: ln,
+                snippet,
+                fix: 'Wrap throwing code in a try/catch, or document the exception in the function signature',
+                evidence: { method: methodName },
+            });
+        }
+        return { unhandled };
+    }
+}
+//# sourceMappingURL=unhandled-exception-pass.js.map

package/dist/analysis/passes/unhandled-exception-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unhandled-exception-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/unhandled-exception-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAEzE,MAAM,WAAW,GAAG,cAAc,CAAC;AACnC,MAAM,eAAe,GAAG,aAAa,CAAC;AAMtC,MAAM,OAAO,sBAAsB;IACxB,IAAI,GAAG,qBAAqB,CAAC;IAC7B,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACpF,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEnC,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAE7D,yEAAyE;QACzE,MAAM,aAAa,GAA0C,EAAE,CAAC;QAChE,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;gBAC1D,aAAa,CAAC,IAAI,CAAC;oBACjB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU;oBAC/B,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG,CAAC;iBACpC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAChD,CAAC;QAEF,MAAM,OAAO,GAAG,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,WAAW,CAAC;QAEtE,MAAM,SAAS,GAA0C,EAAE,CAAC;QAC5D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAE1C,KAAK,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,IAAI,SAAS,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;YAC9C,MAAM,QAAQ,GAAG,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEtC,qCAAqC;YACrC,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;gBAC7B,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;oBAAC,OAAO,GAAG,IAAI,CAAC;oBAAC,MAAM;gBAAC,CAAC;YAC1C,CAAC;YACD,gEAAgE;YAChE,sEAAsE;YACtE,8EAA8E;YAC9E,sEAAsE;YACtE,2EAA2E;YAC3E,mEAAmE;YACnE,0EAA0E;YAC1E,OAAO,GAAG,KAAK,CAAC;YAChB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBACjC,IAAI,EAAE,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;oBACrC,oBAAoB;oBACpB,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;oBACtC,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;oBAC9D,IACE,MAAM;wBACN,MAAM;wBACN,MAAM,CAAC,MAAM,CAAC,UAAU,KAAK,MAAM,CAAC,MAAM,CAAC,UAAU,EACrD,CAAC;wBACD,OAAO,GAAG,IAAI,CAAC;wBACf,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,OAAO;gBAAE,SAAS;YAEtB,wCAAwC;YACxC,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACxE,IAAI,SAAS;gBAAE,SAAS;YAExB,kCAAkC;YAClC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,UAAU;gBAC1B,CAAC,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,CAAC,QAAQ,EAAE;gBACjE,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC;YAEnB,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAC7C,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAE/B,MAAM,UAAU,GAAG,UAAU,EAAE,MAAM,CAAC,IAAI,IAAI,aAAa,CAAC;YAC5D,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YAEjD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;YAChC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,uBAAuB,IAAI,IAAI,EAAE,EAAE;gBACvC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,0CAA0C,EAAE,SAAS,UAAU,mBAAmB;oBAClF,uDAAuD;gBACzD,IAAI;gBACJ,IAAI,EAAE,EAAE;gBACR,OAAO;gBACP,GAAG,EAAE,wFAAwF;gBAC7F,QAAQ,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE;aACjC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,SAAS,EAAE,CAAC;IACvB,CAAC;CACF"}

package/dist/analysis/passes/use-after-close-pass.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Pass #32: use-after-close (CWE-672, category: reliability)
+ *
+ * Detects method calls on a resource variable that occur after the resource
+ * has been closed (close/dispose/shutdown).  Using a closed stream or
+ * connection throws an IOException or similar, causing unexpected runtime
+ * failures.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same patterns as resource-leak-pass).
+ *   2. Find the FIRST close() call on the resource variable within the method.
+ *   3. If a close is found, scan subsequent calls on the same receiver variable
+ *      that are NOT themselves close calls → use-after-close.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust (skip Bash).
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface UseAfterCloseResult {
+    useAfterCloses: Array<{
+        openLine: number;
+        closeLine: number;
+        useLine: number;
+        variable: string;
+    }>;
+}
+export declare class UseAfterClosePass implements AnalysisPass<UseAfterCloseResult> {
+    readonly name = "use-after-close";
+    readonly category: "reliability";
+    run(ctx: PassContext): UseAfterCloseResult;
+}

package/dist/analysis/passes/use-after-close-pass.js

@@ -0,0 +1,100 @@
+/**
+ * Pass #32: use-after-close (CWE-672, category: reliability)
+ *
+ * Detects method calls on a resource variable that occur after the resource
+ * has been closed (close/dispose/shutdown).  Using a closed stream or
+ * connection throws an IOException or similar, causing unexpected runtime
+ * failures.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same patterns as resource-leak-pass).
+ *   2. Find the FIRST close() call on the resource variable within the method.
+ *   3. If a close is found, scan subsequent calls on the same receiver variable
+ *      that are NOT themselves close calls → use-after-close.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust (skip Bash).
+ */
+const RESOURCE_CTORS = new Set([
+    'FileInputStream', 'FileOutputStream', 'FileReader', 'FileWriter',
+    'BufferedReader', 'BufferedWriter', 'PrintWriter', 'InputStreamReader',
+    'OutputStreamWriter', 'RandomAccessFile', 'DataInputStream', 'DataOutputStream',
+    'ObjectInputStream', 'ObjectOutputStream', 'ZipInputStream', 'ZipOutputStream',
+    'JarInputStream', 'JarOutputStream', 'GZIPInputStream', 'GZIPOutputStream',
+    'FileChannel', 'Socket', 'ServerSocket', 'DatagramSocket',
+]);
+const RESOURCE_FACTORY_METHODS = new Set([
+    'openConnection', 'openStream', 'newInputStream', 'newOutputStream',
+    'newBufferedReader', 'newBufferedWriter', 'newByteChannel',
+    'open', 'createReadStream', 'createWriteStream', 'createConnection',
+]);
+const CLOSE_METHODS = new Set([
+    'close', 'dispose', 'shutdown', 'disconnect', 'release', 'destroy', 'free',
+    'shutdownNow', 'terminate',
+]);
+export class UseAfterClosePass {
+    name = 'use-after-close';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code } = ctx;
+        if (ctx.language === 'bash')
+            return { useAfterCloses: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const useAfterCloses = [];
+        for (const call of graph.ir.calls) {
+            const name = call.method_name;
+            const isConstructor = call.is_constructor === true && RESOURCE_CTORS.has(name);
+            const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS.has(name);
+            if (!isConstructor && !isFactory)
+                continue;
+            const openLine = call.location.line;
+            const defs = graph.defsAtLine(openLine);
+            if (defs.length === 0)
+                continue;
+            const resourceVar = defs[0].variable;
+            const methodInfo = graph.methodAtLine(openLine);
+            if (!methodInfo)
+                continue;
+            const methodEnd = methodInfo.method.end_line;
+            // Find the FIRST close call on resourceVar
+            const firstClose = graph.ir.calls
+                .filter(c => CLOSE_METHODS.has(c.method_name) &&
+                c.receiver === resourceVar &&
+                c.location.line > openLine &&
+                c.location.line <= methodEnd)
+                .sort((a, b) => a.location.line - b.location.line)[0];
+            if (!firstClose)
+                continue; // No close → handled by resource-leak pass
+            const closeLine = firstClose.location.line;
+            // Find any non-close call on resourceVar after closeLine
+            const usesAfterClose = graph.ir.calls.filter(c => c.receiver === resourceVar &&
+                c.location.line > closeLine &&
+                c.location.line <= methodEnd &&
+                !CLOSE_METHODS.has(c.method_name));
+            for (const use of usesAfterClose) {
+                const useLine = use.location.line;
+                useAfterCloses.push({ openLine, closeLine, useLine, variable: resourceVar });
+                const snippet = (codeLines[useLine - 1] ?? '').trim();
+                ctx.addFinding({
+                    id: `use-after-close-${file}-${useLine}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-672',
+                    severity: 'high',
+                    level: 'error',
+                    message: `Use after close: \`${resourceVar}.${use.method_name}()\` at line ${useLine} ` +
+                        `is called after \`${resourceVar}.close()\` at line ${closeLine}`,
+                    file,
+                    line: useLine,
+                    snippet,
+                    fix: `Do not use a resource after closing it; keep \`${resourceVar}\` open ` +
+                        `until all uses are complete`,
+                    evidence: { variable: resourceVar, close_line: closeLine, open_line: openLine },
+                });
+            }
+        }
+        return { useAfterCloses };
+    }
+}
+//# sourceMappingURL=use-after-close-pass.js.map

package/dist/analysis/passes/use-after-close-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-after-close-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/use-after-close-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY;IACjE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB;IACtE,oBAAoB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB;IAC/E,mBAAmB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,iBAAiB;IAC9E,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,kBAAkB;IAC1E,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB;CAC1D,CAAC,CAAC;AAEH,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC;IAC5D,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,iBAAiB;IACnE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB;IAC1D,MAAM,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB;CACpE,CAAC,CAAC;AAEH,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;IAC1E,aAAa,EAAE,WAAW;CAC3B,CAAC,CAAC;AAMH,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QAE5B,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC;QAE3D,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,cAAc,GAA0C,EAAE,CAAC;QAEjE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;YAC9B,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,KAAK,IAAI,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,SAAS;YAE3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACpC,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChC,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAErC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAC1B,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC;YAE7C,2CAA2C;YAC3C,MAAM,UAAU,GAAG,KAAK,CAAC,EAAE,CAAC,KAAK;iBAC9B,MAAM,CACL,CAAC,CAAC,EAAE,CACF,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC;gBAChC,CAAC,CAAC,QAAQ,KAAK,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,SAAS,CAC/B;iBACA,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAExD,IAAI,CAAC,UAAU;gBAAE,SAAS,CAAC,2CAA2C;YAEtE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;YAE3C,yDAAyD;YACzD,MAAM,cAAc,GAAG,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,CACF,CAAC,CAAC,QAAQ,KAAK,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,SAAS;gBAC3B,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,SAAS;gBAC5B,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CACpC,CAAC;YAEF,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAClC,cAAc,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CAAC;gBAE7E,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtD,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,mBAAmB,IAAI,IAAI,OAAO,EAAE;oBACxC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,sBAAsB,WAAW,IAAI,GAAG,CAAC,WAAW,gBAAgB,OAAO,GAAG;wBAC9E,qBAAqB,WAAW,sBAAsB,SAAS,EAAE;oBACnE,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO;oBACP,GAAG,EACD,kDAAkD,WAAW,UAAU;wBACvE,6BAA6B;oBAC/B,QAAQ,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE;iBAChF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,cAAc,EAAE,CAAC;IAC5B,CAAC;CACF"}

package/dist/analysis/taint-matcher.js

@@ -279,6 +279,7 @@ function findSinks(calls, patterns) {
                         location,
                         line: call.location.line,
                         confidence,
+                        method: call.method_name,
                     });
                 }
             }