circle-ir 3.9.8 → 3.11.0

package/dist/analysis/passes/broad-catch-pass.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Pass #29: broad-catch (CWE-396, category: reliability)
+ *
+ * Detects catch clauses that catch a base exception type (Exception,
+ * Throwable, BaseException) rather than the specific subtypes the code
+ * can handle.  Broad catches suppress unexpected errors, make bugs harder
+ * to find, and can inadvertently catch serious errors (OutOfMemoryError,
+ * StackOverflowError) that should not be swallowed.
+ *
+ * Detection strategy:
+ *   1. Build an ExceptionFlowGraph to locate catch handler entry lines.
+ *   2. Check the source text of each catch line for broad-catch patterns.
+ *
+ * Languages: Java, Python only.
+ *   - JS/TS: no typed catch clauses; not applicable.
+ *   - Rust/Bash: no traditional exceptions; skip.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface BroadCatchResult {
+    broadCatches: Array<{
+        line: number;
+        type: string;
+    }>;
+}
+export declare class BroadCatchPass implements AnalysisPass<BroadCatchResult> {
+    readonly name = "broad-catch";
+    readonly category: "reliability";
+    run(ctx: PassContext): BroadCatchResult;
+}

package/dist/analysis/passes/broad-catch-pass.js

@@ -0,0 +1,79 @@
+/**
+ * Pass #29: broad-catch (CWE-396, category: reliability)
+ *
+ * Detects catch clauses that catch a base exception type (Exception,
+ * Throwable, BaseException) rather than the specific subtypes the code
+ * can handle.  Broad catches suppress unexpected errors, make bugs harder
+ * to find, and can inadvertently catch serious errors (OutOfMemoryError,
+ * StackOverflowError) that should not be swallowed.
+ *
+ * Detection strategy:
+ *   1. Build an ExceptionFlowGraph to locate catch handler entry lines.
+ *   2. Check the source text of each catch line for broad-catch patterns.
+ *
+ * Languages: Java, Python only.
+ *   - JS/TS: no typed catch clauses; not applicable.
+ *   - Rust/Bash: no traditional exceptions; skip.
+ */
+import { ExceptionFlowGraph } from '../../graph/exception-flow-graph.js';
+/** Java: catch(Exception|Throwable|RuntimeException|Error ...) */
+const JAVA_BROAD_RE = /catch\s*\(\s*(Exception|Throwable|RuntimeException|Error)\s/;
+/**
+ * Python: bare `except:` or `except Exception[/BaseException][:]`
+ * Also matches `except (Exception, ...):` patterns.
+ */
+const PYTHON_BROAD_RE = /^\s*except\s*:|except\s+(Exception|BaseException)\b/;
+export class BroadCatchPass {
+    name = 'broad-catch';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language !== 'java' && language !== 'python') {
+            return { broadCatches: [] };
+        }
+        const { cfg } = graph.ir;
+        if (cfg.blocks.length === 0)
+            return { broadCatches: [] };
+        const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+        if (!exGraph.hasTryCatch)
+            return { broadCatches: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const broadCatches = [];
+        const reported = new Set();
+        const pattern = language === 'java' ? JAVA_BROAD_RE : PYTHON_BROAD_RE;
+        for (const pair of exGraph.pairs) {
+            const catchLine = pair.catchBlock.start_line;
+            if (reported.has(catchLine))
+                continue;
+            const lineText = codeLines[catchLine - 1] ?? '';
+            const match = pattern.exec(lineText);
+            if (!match)
+                continue;
+            const caughtType = match[1] ?? 'Exception';
+            reported.add(catchLine);
+            broadCatches.push({ line: catchLine, type: caughtType });
+            const snippet = lineText.trim();
+            ctx.addFinding({
+                id: `broad-catch-${file}-${catchLine}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-396',
+                severity: 'low',
+                level: 'warning',
+                message: `Broad catch: catching \`${caughtType}\` at line ${catchLine} suppresses ` +
+                    `unexpected errors and hides bugs`,
+                file,
+                line: catchLine,
+                snippet,
+                fix: language === 'java'
+                    ? `Catch the specific exception types your code can handle (e.g., \`IOException\`, \`SQLException\`)`
+                    : `Catch the specific exception types your code can handle (e.g., \`ValueError\`, \`KeyError\`)`,
+                evidence: { caughtType },
+            });
+        }
+        return { broadCatches };
+    }
+}
+//# sourceMappingURL=broad-catch-pass.js.map

package/dist/analysis/passes/broad-catch-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"broad-catch-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/broad-catch-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAEzE,kEAAkE;AAClE,MAAM,aAAa,GAAG,6DAA6D,CAAC;AAEpF;;;GAGG;AACH,MAAM,eAAe,GAAG,qDAAqD,CAAC;AAM9E,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjD,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAC9B,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAEzD,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,CAAC,WAAW;YAAE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAEtD,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,YAAY,GAAqC,EAAE,CAAC;QAC1D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,MAAM,OAAO,GAAG,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,eAAe,CAAC;QAEtE,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAC7C,IAAI,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAEtC,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrC,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC;YAC3C,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxB,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;YAEzD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;YAChC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,eAAe,IAAI,IAAI,SAAS,EAAE;gBACtC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,2BAA2B,UAAU,cAAc,SAAS,cAAc;oBAC1E,kCAAkC;gBACpC,IAAI;gBACJ,IAAI,EAAE,SAAS;gBACf,OAAO;gBACP,GAAG,EACD,QAAQ,KAAK,MAAM;oBACjB,CAAC,CAAC,mGAAmG;oBACrG,CAAC,CAAC,8FAA8F;gBACpG,QAAQ,EAAE,EAAE,UAAU,EAAE;aACzB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;CACF"}

package/dist/analysis/passes/cleanup-verify-pass.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Pass: cleanup-verify (#54, CWE-772)
+ *
+ * Detects resources that have a close() call but that close() does not
+ * post-dominate the acquisition point — meaning some control-flow paths
+ * skip the cleanup entirely.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same set as ResourceLeakPass).
+ *   2. Locate the corresponding close() call within the enclosing method.
+ *   3. Build a post-dominator graph by reversing all CFG edges and computing
+ *      a DominatorGraph from the exit block.
+ *   4. If close() block does NOT post-dominate the open block → emit finding.
+ *
+ * Languages: Java, Python, JavaScript/TypeScript.
+ * Skips: Rust (RAII guarantees cleanup), Bash.
+ *
+ * Note: complements ResourceLeakPass, which handles the no-close() case.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface CleanupVerifyResult {
+    findings: number;
+}
+export declare class CleanupVerifyPass implements AnalysisPass<CleanupVerifyResult> {
+    readonly name = "cleanup-verify";
+    readonly category: "reliability";
+    run(ctx: PassContext): CleanupVerifyResult;
+}

package/dist/analysis/passes/cleanup-verify-pass.js

@@ -0,0 +1,130 @@
+/**
+ * Pass: cleanup-verify (#54, CWE-772)
+ *
+ * Detects resources that have a close() call but that close() does not
+ * post-dominate the acquisition point — meaning some control-flow paths
+ * skip the cleanup entirely.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same set as ResourceLeakPass).
+ *   2. Locate the corresponding close() call within the enclosing method.
+ *   3. Build a post-dominator graph by reversing all CFG edges and computing
+ *      a DominatorGraph from the exit block.
+ *   4. If close() block does NOT post-dominate the open block → emit finding.
+ *
+ * Languages: Java, Python, JavaScript/TypeScript.
+ * Skips: Rust (RAII guarantees cleanup), Bash.
+ *
+ * Note: complements ResourceLeakPass, which handles the no-close() case.
+ */
+import { DominatorGraph } from '../../graph/dominator-graph.js';
+/** Resource-opening constructors (same set as ResourceLeakPass). */
+const RESOURCE_CTORS = new Set([
+    'FileInputStream', 'FileOutputStream', 'FileReader', 'FileWriter',
+    'BufferedReader', 'BufferedWriter', 'PrintWriter', 'InputStreamReader',
+    'OutputStreamWriter', 'RandomAccessFile', 'DataInputStream', 'DataOutputStream',
+    'ObjectInputStream', 'ObjectOutputStream', 'ZipInputStream', 'ZipOutputStream',
+    'JarInputStream', 'JarOutputStream', 'GZIPInputStream', 'GZIPOutputStream',
+    'FileChannel', 'Socket', 'ServerSocket', 'DatagramSocket',
+]);
+/** Factory / open methods that return closeable resources. */
+const RESOURCE_FACTORY_METHODS = new Set([
+    'openConnection', 'openStream', 'newInputStream', 'newOutputStream',
+    'newBufferedReader', 'newBufferedWriter', 'newByteChannel',
+    'open', 'createReadStream', 'createWriteStream', 'createConnection',
+]);
+/** Methods that release a resource. */
+const CLOSE_METHODS = new Set([
+    'close', 'dispose', 'shutdown', 'disconnect', 'release', 'destroy', 'free',
+    'shutdownNow', 'terminate',
+]);
+/**
+ * Build a post-dominator graph by reversing all CFG edges and running
+ * the dominator algorithm from the exit block.
+ * `postDom.dominates(A, B)` means "A post-dominates B in the original CFG".
+ */
+function buildPostDomGraph(cfg) {
+    const exitBlock = cfg.blocks.find(b => b.type === 'exit') ??
+        cfg.blocks.find(b => !cfg.edges.some(e => e.from === b.id));
+    if (!exitBlock || cfg.blocks.length === 0) {
+        return new DominatorGraph({ blocks: [], edges: [] });
+    }
+    const reversed = {
+        blocks: cfg.blocks,
+        edges: cfg.edges.map(e => ({ from: e.to, to: e.from, type: e.type })),
+    };
+    return new DominatorGraph(reversed, exitBlock.id);
+}
+export class CleanupVerifyPass {
+    name = 'cleanup-verify';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, language } = ctx;
+        // Rust RAII guarantees cleanup; Bash has no structured resource model
+        if (language === 'rust' || language === 'bash')
+            return { findings: 0 };
+        const { cfg, calls } = graph.ir;
+        const file = graph.ir.meta.file;
+        if (cfg.blocks.length === 0)
+            return { findings: 0 };
+        const postDom = buildPostDomGraph(cfg);
+        const blockContainingLine = (line) => cfg.blocks.find(b => b.start_line <= line && line <= b.end_line) ?? null;
+        let count = 0;
+        for (const call of calls) {
+            const name = call.method_name;
+            const isConstructor = call.is_constructor === true && RESOURCE_CTORS.has(name);
+            const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS.has(name);
+            if (!isConstructor && !isFactory)
+                continue;
+            const openLine = call.location.line;
+            // Resource must be captured in a variable to be trackable
+            const defs = graph.defsAtLine(openLine);
+            if (defs.length === 0)
+                continue;
+            const resourceVar = defs[0].variable;
+            const methodInfo = graph.methodAtLine(openLine);
+            if (!methodInfo)
+                continue;
+            const methodEnd = methodInfo.method.end_line;
+            // Find the first close() call for this resource within the enclosing method
+            const closeCall = calls.find(c => CLOSE_METHODS.has(c.method_name) &&
+                c.receiver === resourceVar &&
+                c.location.line > openLine &&
+                c.location.line <= methodEnd);
+            // ResourceLeakPass handles the no-close() case; we only care about
+            // close() calls that may be skipped on some paths
+            if (!closeCall)
+                continue;
+            const openBlock = blockContainingLine(openLine);
+            const closeBlock = blockContainingLine(closeCall.location.line);
+            if (!openBlock || !closeBlock)
+                continue;
+            // If close post-dominates open, cleanup is guaranteed on every exit path
+            if (postDom.dominates(closeBlock.id, openBlock.id))
+                continue;
+            count++;
+            ctx.addFinding({
+                id: `cleanup-verify-${file}-${openLine}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: 'cleanup-verify',
+                cwe: 'CWE-772',
+                severity: 'medium',
+                level: 'warning',
+                message: `Resource \`${resourceVar}\` opened at line ${openLine} may not close on all ` +
+                    `paths — close() at line ${closeCall.location.line} does not post-dominate ` +
+                    `the acquisition`,
+                file,
+                line: openLine,
+                fix: 'Use try-with-resources (Java) or a finally block to guarantee cleanup on all paths',
+                evidence: {
+                    resource: name,
+                    variable: resourceVar,
+                    close_line: closeCall.location.line,
+                },
+            });
+        }
+        return { findings: count };
+    }
+}
+//# sourceMappingURL=cleanup-verify-pass.js.map

package/dist/analysis/passes/cleanup-verify-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cleanup-verify-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/cleanup-verify-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAGhE,oEAAoE;AACpE,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY;IACjE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB;IACtE,oBAAoB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB;IAC/E,mBAAmB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,iBAAiB;IAC9E,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,kBAAkB;IAC1E,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB;CAC1D,CAAC,CAAC;AAEH,8DAA8D;AAC9D,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC;IAC5D,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,iBAAiB;IACnE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB;IAC1D,MAAM,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB;CACpE,CAAC,CAAC;AAEH,uCAAuC;AACvC,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;IAC1E,aAAa,EAAE,WAAW;CAC3B,CAAC,CAAC;AAEH;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,GAAQ;IACjC,MAAM,SAAS,GACb,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;QACvC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAE9D,IAAI,CAAC,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,OAAO,IAAI,cAAc,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,QAAQ,GAAQ;QACpB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;KACtE,CAAC;IAEF,OAAO,IAAI,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,CAAC,CAAC;AACpD,CAAC;AAMD,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,gBAAgB,CAAC;IACxB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,sEAAsE;QACtE,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEvE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEpD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAEvC,MAAM,mBAAmB,GAAG,CAAC,IAAY,EAAE,EAAE,CAC3C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;QAE3E,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;YAC9B,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,KAAK,IAAI,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,SAAS;YAE3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAEpC,0DAA0D;YAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChC,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAErC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAC1B,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC;YAE7C,4EAA4E;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,CACF,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC;gBAChC,CAAC,CAAC,QAAQ,KAAK,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,SAAS,CAC/B,CAAC;YAEF,mEAAmE;YACnE,kDAAkD;YAClD,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,MAAM,SAAS,GAAI,mBAAmB,CAAC,QAAQ,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,mBAAmB,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAChE,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU;gBAAE,SAAS;YAExC,yEAAyE;YACzE,IAAI,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,CAAC,EAAE,CAAC;gBAAE,SAAS;YAE7D,KAAK,EAAE,CAAC;YACR,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,kBAAkB,IAAI,IAAI,QAAQ,EAAE;gBACxC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,gBAAgB;gBACzB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,cAAc,WAAW,qBAAqB,QAAQ,wBAAwB;oBAC9E,2BAA2B,SAAS,CAAC,QAAQ,CAAC,IAAI,0BAA0B;oBAC5E,iBAAiB;gBACnB,IAAI;gBACJ,IAAI,EAAE,QAAQ;gBACd,GAAG,EAAE,oFAAoF;gBACzF,QAAQ,EAAE;oBACR,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,WAAW;oBACrB,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,IAAI;iBACpC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/analysis/passes/double-close-pass.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Pass #31: double-close (CWE-675, category: reliability)
+ *
+ * Detects I/O resources that are closed more than once within the same
+ * method.  Calling close() on an already-closed stream (e.g., Java's
+ * FileInputStream, Node.js streams) typically throws an exception and
+ * indicates a resource-management bug.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same patterns as resource-leak-pass).
+ *   2. Collect the bound variable from DFG defs at the open line.
+ *   3. Find ALL close() calls on that variable within the enclosing method.
+ *   4. If two or more close calls exist:
+ *      a. Skip if both are inside a finally block (benign idiomatic pattern).
+ *      b. Otherwise emit a finding.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust (skip Bash).
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface DoubleCloseResult {
+    doubleCloses: Array<{
+        openLine: number;
+        closeLines: number[];
+        variable: string;
+    }>;
+}
+export declare class DoubleClosePass implements AnalysisPass<DoubleCloseResult> {
+    readonly name = "double-close";
+    readonly category: "reliability";
+    run(ctx: PassContext): DoubleCloseResult;
+    /** True if the given line is inside a `finally` block in the method. */
+    private isInFinallyBlock;
+}

package/dist/analysis/passes/double-close-pass.js

@@ -0,0 +1,109 @@
+/**
+ * Pass #31: double-close (CWE-675, category: reliability)
+ *
+ * Detects I/O resources that are closed more than once within the same
+ * method.  Calling close() on an already-closed stream (e.g., Java's
+ * FileInputStream, Node.js streams) typically throws an exception and
+ * indicates a resource-management bug.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same patterns as resource-leak-pass).
+ *   2. Collect the bound variable from DFG defs at the open line.
+ *   3. Find ALL close() calls on that variable within the enclosing method.
+ *   4. If two or more close calls exist:
+ *      a. Skip if both are inside a finally block (benign idiomatic pattern).
+ *      b. Otherwise emit a finding.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust (skip Bash).
+ */
+/** Constructors that produce closeable resources. */
+const RESOURCE_CTORS = new Set([
+    'FileInputStream', 'FileOutputStream', 'FileReader', 'FileWriter',
+    'BufferedReader', 'BufferedWriter', 'PrintWriter', 'InputStreamReader',
+    'OutputStreamWriter', 'RandomAccessFile', 'DataInputStream', 'DataOutputStream',
+    'ObjectInputStream', 'ObjectOutputStream', 'ZipInputStream', 'ZipOutputStream',
+    'JarInputStream', 'JarOutputStream', 'GZIPInputStream', 'GZIPOutputStream',
+    'FileChannel', 'Socket', 'ServerSocket', 'DatagramSocket',
+]);
+/** Factory / open methods that return closeable resources. */
+const RESOURCE_FACTORY_METHODS = new Set([
+    'openConnection', 'openStream', 'newInputStream', 'newOutputStream',
+    'newBufferedReader', 'newBufferedWriter', 'newByteChannel',
+    'open', 'createReadStream', 'createWriteStream', 'createConnection',
+]);
+/** Methods that release a resource. */
+const CLOSE_METHODS = new Set([
+    'close', 'dispose', 'shutdown', 'disconnect', 'release', 'destroy', 'free',
+    'shutdownNow', 'terminate',
+]);
+export class DoubleClosePass {
+    name = 'double-close';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code } = ctx;
+        if (ctx.language === 'bash')
+            return { doubleCloses: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const doubleCloses = [];
+        for (const call of graph.ir.calls) {
+            const name = call.method_name;
+            const isConstructor = call.is_constructor === true && RESOURCE_CTORS.has(name);
+            const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS.has(name);
+            if (!isConstructor && !isFactory)
+                continue;
+            const openLine = call.location.line;
+            const defs = graph.defsAtLine(openLine);
+            if (defs.length === 0)
+                continue;
+            const resourceVar = defs[0].variable;
+            const methodInfo = graph.methodAtLine(openLine);
+            if (!methodInfo)
+                continue;
+            const { start_line: methodStart, end_line: methodEnd } = methodInfo.method;
+            // Collect all close calls on resourceVar within the method
+            const closeCalls = graph.ir.calls.filter(c => CLOSE_METHODS.has(c.method_name) &&
+                c.receiver === resourceVar &&
+                c.location.line > openLine &&
+                c.location.line <= methodEnd);
+            if (closeCalls.length < 2)
+                continue;
+            const closeLines = closeCalls.map(c => c.location.line);
+            // Benign check: skip if all closes are guarded by finally
+            // (common idiom: try { ... } finally { res.close(); } + catch { res.close(); })
+            const allInFinally = closeLines.every(cl => this.isInFinallyBlock(codeLines, cl, methodStart, methodEnd));
+            if (allInFinally)
+                continue;
+            doubleCloses.push({ openLine, closeLines, variable: resourceVar });
+            const snippet = (codeLines[openLine - 1] ?? '').trim();
+            const linesStr = closeLines.join(' and ');
+            ctx.addFinding({
+                id: `double-close-${file}-${openLine}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-675',
+                severity: 'medium',
+                level: 'warning',
+                message: `Double close: \`${resourceVar}\` is closed at lines ${linesStr} — ` +
+                    `closing an already-closed resource may throw`,
+                file,
+                line: openLine,
+                snippet,
+                fix: `Close the resource exactly once in a finally block; ` +
+                    `add a null/isClosed guard before the second close if closing on multiple paths`,
+                evidence: { variable: resourceVar, close_lines: closeLines },
+            });
+        }
+        return { doubleCloses };
+    }
+    /** True if the given line is inside a `finally` block in the method. */
+    isInFinallyBlock(lines, targetLine, methodStart, methodEnd) {
+        for (let ln = methodStart; ln <= targetLine && ln <= methodEnd && ln <= lines.length; ln++) {
+            if (/\bfinally\b/.test(lines[ln - 1] ?? ''))
+                return true;
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=double-close-pass.js.map

package/dist/analysis/passes/double-close-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"double-close-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/double-close-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,qDAAqD;AACrD,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY;IACjE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB;IACtE,oBAAoB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB;IAC/E,mBAAmB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,iBAAiB;IAC9E,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,kBAAkB;IAC1E,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB;CAC1D,CAAC,CAAC;AAEH,8DAA8D;AAC9D,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC;IAC5D,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,iBAAiB;IACnE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB;IAC1D,MAAM,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB;CACpE,CAAC,CAAC;AAEH,uCAAuC;AACvC,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;IAC1E,aAAa,EAAE,WAAW;CAC3B,CAAC,CAAC;AAMH,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QAE5B,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAEzD,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,YAAY,GAAsC,EAAE,CAAC;QAE3D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;YAC9B,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,KAAK,IAAI,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,SAAS;YAE3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACpC,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChC,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAErC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAC1B,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC;YAE3E,2DAA2D;YAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,CACF,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC;gBAChC,CAAC,CAAC,QAAQ,KAAK,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,SAAS,CAC/B,CAAC;YAEF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS;YAEpC,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAExD,0DAA0D;YAC1D,gFAAgF;YAChF,MAAM,YAAY,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CACzC,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,SAAS,CAAC,CAC7D,CAAC;YACF,IAAI,YAAY;gBAAE,SAAS;YAE3B,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CAAC;YAEnE,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACvD,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1C,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,gBAAgB,IAAI,IAAI,QAAQ,EAAE;gBACtC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,mBAAmB,WAAW,yBAAyB,QAAQ,KAAK;oBACpE,8CAA8C;gBAChD,IAAI;gBACJ,IAAI,EAAE,QAAQ;gBACd,OAAO;gBACP,GAAG,EACD,sDAAsD;oBACtD,gFAAgF;gBAClF,QAAQ,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE;aAC7D,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;IAED,wEAAwE;IAChE,gBAAgB,CACtB,KAAe,EACf,UAAkB,EAClB,WAAmB,EACnB,SAAiB;QAEjB,KAAK,IAAI,EAAE,GAAG,WAAW,EAAE,EAAE,IAAI,UAAU,IAAI,EAAE,IAAI,SAAS,IAAI,EAAE,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;YAC3F,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC3D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/analysis/passes/missing-guard-dom-pass.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Pass: missing-guard-dom (#53, CWE-285)
+ *
+ * Detects sensitive operations that are not dominated by an authentication
+ * or authorization check on all control-flow paths within the same method.
+ *
+ * Detection strategy:
+ *   1. Identify calls to known authentication methods and sensitive operations.
+ *   2. Build a DominatorGraph from the file-level CFG.
+ *   3. For each sensitive operation, find the CFG block containing it and check
+ *      whether any auth-check block in the same method dominates that block.
+ *   4. If no auth-check block dominates the sensitive-op block → emit finding.
+ *
+ * Language: Java only (other languages handled differently or not yet).
+ * Dedup: at most one finding per method.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MissingGuardDomResult {
+    findings: number;
+}
+export declare class MissingGuardDomPass implements AnalysisPass<MissingGuardDomResult> {
+    readonly name = "missing-guard-dom";
+    readonly category: "security";
+    run(ctx: PassContext): MissingGuardDomResult;
+}

package/dist/analysis/passes/missing-guard-dom-pass.js

@@ -0,0 +1,99 @@
+/**
+ * Pass: missing-guard-dom (#53, CWE-285)
+ *
+ * Detects sensitive operations that are not dominated by an authentication
+ * or authorization check on all control-flow paths within the same method.
+ *
+ * Detection strategy:
+ *   1. Identify calls to known authentication methods and sensitive operations.
+ *   2. Build a DominatorGraph from the file-level CFG.
+ *   3. For each sensitive operation, find the CFG block containing it and check
+ *      whether any auth-check block in the same method dominates that block.
+ *   4. If no auth-check block dominates the sensitive-op block → emit finding.
+ *
+ * Language: Java only (other languages handled differently or not yet).
+ * Dedup: at most one finding per method.
+ */
+import { DominatorGraph } from '../../graph/dominator-graph.js';
+const AUTH_METHODS = new Set([
+    'authenticate', 'isAuthenticated', 'isAuthorized', 'isAdmin',
+    'checkAuth', 'hasPermission', 'requiresAuth', 'verifyToken',
+    'validateToken', 'checkRole', 'authorize', 'isLoggedIn',
+]);
+const SENSITIVE_METHODS = new Set([
+    'delete', 'deleteById', 'drop', 'truncate', 'executeUpdate',
+    'createUser', 'createAdmin', 'modifyPermission', 'grantRole',
+    'setAdmin', 'elevatePrivilege',
+]);
+export class MissingGuardDomPass {
+    name = 'missing-guard-dom';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        if (language !== 'java')
+            return { findings: 0 };
+        const { cfg, calls } = graph.ir;
+        if (cfg.blocks.length === 0 || cfg.edges.length === 0)
+            return { findings: 0 };
+        const dom = new DominatorGraph(cfg);
+        const file = graph.ir.meta.file;
+        // Collect auth-check and sensitive-op call lines from the IR
+        const authCallLines = [];
+        const sensitiveOps = [];
+        for (const call of calls) {
+            if (AUTH_METHODS.has(call.method_name)) {
+                authCallLines.push(call.location.line);
+            }
+            if (SENSITIVE_METHODS.has(call.method_name)) {
+                sensitiveOps.push({ line: call.location.line, method: call.method_name });
+            }
+        }
+        if (sensitiveOps.length === 0)
+            return { findings: 0 };
+        // Helper: find the CFG block whose [start_line, end_line] contains a given line
+        const blockContainingLine = (line) => cfg.blocks.find(b => b.start_line <= line && line <= b.end_line) ?? null;
+        // Emit at most one finding per method to avoid noise
+        const reportedMethods = new Set();
+        let count = 0;
+        for (const op of sensitiveOps) {
+            const opBlock = blockContainingLine(op.line);
+            if (!opBlock)
+                continue;
+            const methodInfo = graph.methodAtLine(op.line);
+            if (!methodInfo)
+                continue;
+            const methodKey = `${methodInfo.type.name}::${methodInfo.method.name}`;
+            if (reportedMethods.has(methodKey))
+                continue;
+            const { start_line, end_line } = methodInfo.method;
+            // Restrict auth checks to those inside the same method
+            const authInMethod = authCallLines.filter(l => l >= start_line && l <= end_line);
+            // Check whether any auth-check block dominates the sensitive-op block
+            const dominated = authInMethod.some(authLine => {
+                const authBlock = blockContainingLine(authLine);
+                return authBlock !== null && dom.dominates(authBlock.id, opBlock.id);
+            });
+            if (!dominated) {
+                reportedMethods.add(methodKey);
+                count++;
+                ctx.addFinding({
+                    id: `missing-guard-dom-${file}-${op.line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: 'missing-guard-dom',
+                    cwe: 'CWE-285',
+                    severity: 'high',
+                    level: 'error',
+                    message: `Sensitive operation \`${op.method}()\` at line ${op.line} is not dominated ` +
+                        `by an authentication check`,
+                    file,
+                    line: op.line,
+                    fix: `Add authentication/authorization check on all paths leading to line ${op.line}`,
+                    evidence: { method: op.method },
+                });
+            }
+        }
+        return { findings: count };
+    }
+}
+//# sourceMappingURL=missing-guard-dom-pass.js.map

package/dist/analysis/passes/missing-guard-dom-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-guard-dom-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/missing-guard-dom-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAEhE,MAAM,YAAY,GAAwB,IAAI,GAAG,CAAC;IAChD,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,SAAS;IAC5D,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa;IAC3D,eAAe,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY;CACxD,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IACrD,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,eAAe;IAC3D,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW;IAC5D,UAAU,EAAE,kBAAkB;CAC/B,CAAC,CAAC;AAMH,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,mBAAmB,CAAC;IAC3B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEhD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAE9E,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,6DAA6D;QAC7D,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,YAAY,GAA4C,EAAE,CAAC;QAEjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5C,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEtD,gFAAgF;QAChF,MAAM,mBAAmB,GAAG,CAAC,IAAY,EAAE,EAAE,CAC3C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;QAE3E,qDAAqD;QACrD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAC1C,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC7C,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,MAAM,SAAS,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACvE,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAE7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC;YAEnD,uDAAuD;YACvD,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,IAAI,QAAQ,CAAC,CAAC;YAEjF,sEAAsE;YACtE,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAC7C,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;gBAChD,OAAO,SAAS,KAAK,IAAI,IAAI,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC/B,KAAK,EAAE,CAAC;gBACR,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,qBAAqB,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE;oBAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,mBAAmB;oBAC5B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,yBAAyB,EAAE,CAAC,MAAM,gBAAgB,EAAE,CAAC,IAAI,oBAAoB;wBAC7E,4BAA4B;oBAC9B,IAAI;oBACJ,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,GAAG,EAAE,uEAAuE,EAAE,CAAC,IAAI,EAAE;oBACrF,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/analysis/passes/missing-override-pass.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Pass: missing-override (#64)
+ *
+ * Detects Java methods that override a parent class method but lack the
+ * @Override annotation. Without @Override the compiler cannot catch signature
+ * mismatches introduced by a parent-class refactoring.
+ *
+ * Detection strategy:
+ *   1. Build a map of class → method names from all types in the IR.
+ *   2. Build a parent map: class name → direct parent class name (strip generics).
+ *   3. For each class that has a parent in the same file, walk the inheritance
+ *      chain (max 10 hops, cycle guard) to collect all ancestor method names.
+ *   4. For each non-constructor, non-private, non-static, non-abstract method
+ *      whose name appears in the ancestor set — if @Override is absent → finding.
+ *
+ * Language: Java only.
+ * Dedup: at most one finding per class:method pair.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MissingOverrideResult {
+    findings: number;
+}
+export declare class MissingOverridePass implements AnalysisPass<MissingOverrideResult> {
+    readonly name = "missing-override";
+    readonly category: "maintainability";
+    run(ctx: PassContext): MissingOverrideResult;
+}