circle-ir 3.9.8 → 3.11.0

package/dist/browser/circle-ir.js

@@ -10257,9 +10257,9 @@ var PYTHON_TAINTED_PATTERNS = [
   { pattern: /\brequest\.query_params\b/, sourceType: "http_param" },
   { pattern: /\brequest\.path_params\b/, sourceType: "http_param" }
 ];
-function analyzeTaint(calls, types, config = getDefaultConfig()) {
+function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy) {
   const sources = findSources(calls, types, config.sources);
-  const sinks = findSinks(calls, config.sinks);
+  const sinks = findSinks(calls, config.sinks, typeHierarchy);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
 }
@@ -10465,11 +10465,11 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
-function findSinks(calls, patterns) {
+function findSinks(calls, patterns, typeHierarchy) {
   const sinkMap = /* @__PURE__ */ new Map();
   for (const call of calls) {
     for (const pattern of patterns) {
-      if (matchesSinkPattern(call, pattern)) {
+      if (matchesSinkPattern(call, pattern, typeHierarchy)) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
@@ -10483,7 +10483,8 @@ function findSinks(calls, patterns) {
             cwe: pattern.cwe,
             location,
             line: call.location.line,
-            confidence
+            confidence,
+            method: call.method_name
           });
         }
       }
@@ -10560,7 +10561,7 @@ function isJavaScriptTaintedArgument(argExpression, sourcePatterns) {
   }
   return { isTainted: false, sourceType: null };
 }
-function matchesSinkPattern(call, pattern) {
+function matchesSinkPattern(call, pattern, typeHierarchy) {
   const callMethodName = call.method_name;
   const patternMethod = pattern.method;
   let methodMatches = callMethodName === patternMethod;
@@ -10576,6 +10577,9 @@ function matchesSinkPattern(call, pattern) {
       return true;
     }
     if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+      if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
+        return true;
+      }
       return false;
     }
     if (!call.receiver) {
@@ -11278,6 +11282,698 @@ var CodeGraph = class {
   }
 };
 
+// src/resolution/type-hierarchy.ts
+var TypeHierarchyResolver = class {
+  // All known types by FQN
+  types = /* @__PURE__ */ new Map();
+  // Simple name to FQN mapping (for resolution)
+  nameToFqn = /* @__PURE__ */ new Map();
+  // Subtype relationships: parent FQN -> child FQNs
+  subtypes = /* @__PURE__ */ new Map();
+  // Implementation relationships: interface FQN -> implementing class FQNs
+  implementations = /* @__PURE__ */ new Map();
+  /**
+   * Add types from a CircleIR analysis result
+   */
+  addFromIR(ir, filePath) {
+    for (const type of ir.types) {
+      this.addType(type, filePath, ir.meta.package || null);
+    }
+  }
+  /**
+   * Add a single type to the hierarchy
+   */
+  addType(type, filePath, defaultPackage = null) {
+    const pkg = type.package || defaultPackage || "";
+    const fqn = pkg ? `${pkg}.${type.name}` : type.name;
+    const node = {
+      name: type.name,
+      fqn,
+      kind: type.kind,
+      extends: type.extends,
+      implements: type.implements,
+      extendsInterfaces: type.kind === "interface" ? type.implements : [],
+      file: filePath,
+      line: type.start_line
+    };
+    this.types.set(fqn, node);
+    if (!this.nameToFqn.has(type.name)) {
+      this.nameToFqn.set(type.name, /* @__PURE__ */ new Set());
+    }
+    this.nameToFqn.get(type.name).add(fqn);
+    if (type.kind === "class" || type.kind === "enum") {
+      if (type.extends) {
+        const parentFqn = this.resolveTypeName(type.extends, pkg);
+        if (!this.subtypes.has(parentFqn)) {
+          this.subtypes.set(parentFqn, /* @__PURE__ */ new Set());
+        }
+        this.subtypes.get(parentFqn).add(fqn);
+      }
+      for (const iface of type.implements) {
+        const ifaceFqn = this.resolveTypeName(iface, pkg);
+        if (!this.implementations.has(ifaceFqn)) {
+          this.implementations.set(ifaceFqn, /* @__PURE__ */ new Set());
+        }
+        this.implementations.get(ifaceFqn).add(fqn);
+      }
+    } else if (type.kind === "interface") {
+      for (const parentIface of type.implements) {
+        const parentFqn = this.resolveTypeName(parentIface, pkg);
+        if (!this.subtypes.has(parentFqn)) {
+          this.subtypes.set(parentFqn, /* @__PURE__ */ new Set());
+        }
+        this.subtypes.get(parentFqn).add(fqn);
+      }
+    }
+  }
+  /**
+   * Get all direct subtypes of a class
+   */
+  getDirectSubtypes(className) {
+    const fqn = this.resolveFqn(className);
+    return Array.from(this.subtypes.get(fqn) || []);
+  }
+  /**
+   * Get all subtypes (transitive) of a class
+   */
+  getAllSubtypes(className) {
+    const fqn = this.resolveFqn(className);
+    const result = /* @__PURE__ */ new Set();
+    const queue = [fqn];
+    while (queue.length > 0) {
+      const current = queue.shift();
+      const children = this.subtypes.get(current);
+      if (children) {
+        for (const child of children) {
+          if (!result.has(child)) {
+            result.add(child);
+            queue.push(child);
+          }
+        }
+      }
+    }
+    return Array.from(result);
+  }
+  /**
+   * Get all direct implementations of an interface
+   */
+  getDirectImplementations(interfaceName) {
+    const fqn = this.resolveFqn(interfaceName);
+    return Array.from(this.implementations.get(fqn) || []);
+  }
+  /**
+   * Get all implementations (including through subinterfaces) of an interface
+   */
+  getAllImplementations(interfaceName) {
+    const fqn = this.resolveFqn(interfaceName);
+    const result = /* @__PURE__ */ new Set();
+    const visited = /* @__PURE__ */ new Set();
+    const queue = [fqn];
+    while (queue.length > 0) {
+      const current = queue.shift();
+      if (visited.has(current)) continue;
+      visited.add(current);
+      const impls = this.implementations.get(current);
+      if (impls) {
+        for (const impl of impls) {
+          result.add(impl);
+          const subtypes = this.getAllSubtypes(impl);
+          for (const subtype of subtypes) {
+            result.add(subtype);
+          }
+        }
+      }
+      const subInterfaces = this.subtypes.get(current);
+      if (subInterfaces) {
+        for (const sub of subInterfaces) {
+          queue.push(sub);
+        }
+      }
+    }
+    return Array.from(result);
+  }
+  /**
+   * Check if a type is a subtype of another (including transitive)
+   */
+  isSubtypeOf(childName, parentName) {
+    const childFqn = this.resolveFqn(childName);
+    const parentFqn = this.resolveFqn(parentName);
+    if (childFqn === parentFqn) return true;
+    const allSubtypes = this.getAllSubtypes(parentFqn);
+    if (allSubtypes.includes(childFqn)) return true;
+    const allImpls = this.getAllImplementations(parentFqn);
+    if (allImpls.includes(childFqn)) return true;
+    return false;
+  }
+  /**
+   * Check if a type implements an interface (directly or through inheritance)
+   * Also handles interface-extends-interface relationships
+   */
+  implementsInterface(typeName, interfaceName) {
+    const typeFqn = this.resolveFqn(typeName);
+    const ifaceFqn = this.resolveFqn(interfaceName);
+    const allImpls = this.getAllImplementations(ifaceFqn);
+    if (allImpls.includes(typeFqn)) return true;
+    const allSubtypes = this.getAllSubtypes(ifaceFqn);
+    if (allSubtypes.includes(typeFqn)) return true;
+    return false;
+  }
+  /**
+   * Get type info by name
+   */
+  getType(name2) {
+    const fqn = this.resolveFqn(name2);
+    return this.types.get(fqn);
+  }
+  /**
+   * Get all types matching a simple name
+   */
+  getTypesByName(simpleName) {
+    const fqns = this.nameToFqn.get(simpleName);
+    if (!fqns) return [];
+    return Array.from(fqns).map((fqn) => this.types.get(fqn)).filter((t) => t !== void 0);
+  }
+  /**
+   * Get the file where a type is defined
+   */
+  getTypeFile(name2) {
+    const type = this.getType(name2);
+    return type?.file;
+  }
+  /**
+   * Check if a receiver type could match a target class
+   * Handles: exact match, subtype, implementation, simple name match
+   */
+  couldBeType(receiverType, targetClass) {
+    if (receiverType === targetClass) return true;
+    const receiverSimple = this.getSimpleName(receiverType);
+    const targetSimple = this.getSimpleName(targetClass);
+    if (receiverSimple === targetSimple) return true;
+    if (this.isSubtypeOf(receiverType, targetClass)) return true;
+    const allSubtypes = this.getAllSubtypes(targetClass);
+    const allImpls = this.getAllImplementations(targetClass);
+    for (const sub of [...allSubtypes, ...allImpls]) {
+      const subSimple = this.getSimpleName(sub);
+      if (subSimple === receiverSimple) return true;
+    }
+    return false;
+  }
+  /**
+   * Export hierarchy data in the CircleIR format
+   */
+  toTypeHierarchyData() {
+    const classes = {};
+    const interfaces = {};
+    for (const [fqn, node] of this.types) {
+      if (node.kind === "class" || node.kind === "enum") {
+        classes[fqn] = {
+          file: node.file,
+          extends: node.extends ? this.resolveTypeName(node.extends, this.getPackage(fqn)) : null,
+          implements: node.implements.map((i2) => this.resolveTypeName(i2, this.getPackage(fqn))),
+          subclasses: this.getDirectSubtypes(fqn)
+        };
+      } else if (node.kind === "interface") {
+        interfaces[fqn] = {
+          file: node.file,
+          extends: node.extendsInterfaces.map((i2) => this.resolveTypeName(i2, this.getPackage(fqn))),
+          implementations: this.getDirectImplementations(fqn)
+        };
+      }
+    }
+    return { classes, interfaces };
+  }
+  /**
+   * Get statistics about the hierarchy
+   */
+  getStats() {
+    let classes = 0, interfaces = 0, enums = 0;
+    for (const node of this.types.values()) {
+      if (node.kind === "class") classes++;
+      else if (node.kind === "interface") interfaces++;
+      else if (node.kind === "enum") enums++;
+    }
+    return { totalTypes: this.types.size, classes, interfaces, enums };
+  }
+  /**
+   * Get all types in the hierarchy
+   */
+  getAllTypes() {
+    return Array.from(this.types.values());
+  }
+  /**
+   * Clear all data
+   */
+  clear() {
+    this.types.clear();
+    this.nameToFqn.clear();
+    this.subtypes.clear();
+    this.implementations.clear();
+  }
+  // --- Private helpers ---
+  /**
+   * Resolve a type name to its FQN
+   */
+  resolveTypeName(name2, currentPackage) {
+    if (name2.includes(".")) return name2;
+    const fqns = this.nameToFqn.get(name2);
+    if (fqns && fqns.size === 1) {
+      return Array.from(fqns)[0];
+    }
+    return currentPackage ? `${currentPackage}.${name2}` : name2;
+  }
+  /**
+   * Resolve a name (simple or FQN) to its FQN
+   */
+  resolveFqn(name2) {
+    if (this.types.has(name2)) return name2;
+    const fqns = this.nameToFqn.get(name2);
+    if (fqns && fqns.size > 0) {
+      return Array.from(fqns)[0];
+    }
+    return name2;
+  }
+  /**
+   * Get simple name from FQN
+   */
+  getSimpleName(name2) {
+    const lastDot = name2.lastIndexOf(".");
+    return lastDot === -1 ? name2 : name2.substring(lastDot + 1);
+  }
+  /**
+   * Get package from FQN
+   */
+  getPackage(fqn) {
+    const lastDot = fqn.lastIndexOf(".");
+    return lastDot === -1 ? "" : fqn.substring(0, lastDot);
+  }
+};
+function createWithJdkTypes() {
+  const resolver = new TypeHierarchyResolver();
+  const jdbcTypes = [
+    {
+      name: "Statement",
+      kind: "interface",
+      package: "java.sql",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "PreparedStatement",
+      kind: "interface",
+      package: "java.sql",
+      extends: null,
+      implements: ["Statement"],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "CallableStatement",
+      kind: "interface",
+      package: "java.sql",
+      extends: null,
+      implements: ["PreparedStatement"],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    }
+  ];
+  const ioTypes = [
+    {
+      name: "InputStream",
+      kind: "class",
+      package: "java.io",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "FileInputStream",
+      kind: "class",
+      package: "java.io",
+      extends: "InputStream",
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "OutputStream",
+      kind: "class",
+      package: "java.io",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "FileOutputStream",
+      kind: "class",
+      package: "java.io",
+      extends: "OutputStream",
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "Writer",
+      kind: "class",
+      package: "java.io",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "PrintWriter",
+      kind: "class",
+      package: "java.io",
+      extends: "Writer",
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    }
+  ];
+  const servletTypes = [
+    {
+      name: "ServletRequest",
+      kind: "interface",
+      package: "javax.servlet",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "HttpServletRequest",
+      kind: "interface",
+      package: "javax.servlet.http",
+      extends: null,
+      implements: ["javax.servlet.ServletRequest"],
+      // FQN for cross-package reference
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "ServletResponse",
+      kind: "interface",
+      package: "javax.servlet",
+      extends: null,
+      implements: [],
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    },
+    {
+      name: "HttpServletResponse",
+      kind: "interface",
+      package: "javax.servlet.http",
+      extends: null,
+      implements: ["javax.servlet.ServletResponse"],
+      // FQN for cross-package reference
+      annotations: [],
+      methods: [],
+      fields: [],
+      start_line: 0,
+      end_line: 0
+    }
+  ];
+  for (const type of [...jdbcTypes, ...ioTypes, ...servletTypes]) {
+    resolver.addType(type, "jdk", type.package);
+  }
+  return resolver;
+}
+
+// src/graph/dominator-graph.ts
+function computeRPO(cfg, entryId) {
+  const outgoing = /* @__PURE__ */ new Map();
+  for (const edge of cfg.edges) {
+    const list = outgoing.get(edge.from) ?? [];
+    list.push(edge.to);
+    outgoing.set(edge.from, list);
+  }
+  const visited = /* @__PURE__ */ new Set();
+  const postOrder = [];
+  const stack = [{ id: entryId, childIndex: 0 }];
+  visited.add(entryId);
+  while (stack.length > 0) {
+    const top = stack[stack.length - 1];
+    const children = outgoing.get(top.id) ?? [];
+    let pushed = false;
+    while (top.childIndex < children.length) {
+      const child = children[top.childIndex++];
+      if (!visited.has(child)) {
+        visited.add(child);
+        stack.push({ id: child, childIndex: 0 });
+        pushed = true;
+        break;
+      }
+    }
+    if (!pushed) {
+      postOrder.push(top.id);
+      stack.pop();
+    }
+  }
+  const rpoOrder = postOrder.reverse();
+  const rpoIndex = /* @__PURE__ */ new Map();
+  for (let i2 = 0; i2 < rpoOrder.length; i2++) {
+    rpoIndex.set(rpoOrder[i2], i2);
+  }
+  return { rpoOrder, rpoIndex };
+}
+function intersect(b1, b2, idom, rpoIndex) {
+  let finger1 = b1;
+  let finger2 = b2;
+  while (finger1 !== finger2) {
+    while ((rpoIndex.get(finger1) ?? Number.MAX_SAFE_INTEGER) > (rpoIndex.get(finger2) ?? Number.MAX_SAFE_INTEGER)) {
+      const parent = idom.get(finger1);
+      if (parent === void 0 || parent === finger1) break;
+      finger1 = parent;
+    }
+    while ((rpoIndex.get(finger2) ?? Number.MAX_SAFE_INTEGER) > (rpoIndex.get(finger1) ?? Number.MAX_SAFE_INTEGER)) {
+      const parent = idom.get(finger2);
+      if (parent === void 0 || parent === finger2) break;
+      finger2 = parent;
+    }
+    if (finger1 === finger2) break;
+    const rpo1 = rpoIndex.get(finger1) ?? Number.MAX_SAFE_INTEGER;
+    const rpo2 = rpoIndex.get(finger2) ?? Number.MAX_SAFE_INTEGER;
+    if (rpo1 === rpo2 && finger1 !== finger2) break;
+  }
+  return finger1;
+}
+function computeIdom(cfg, rpoOrder, rpoIndex, entryId) {
+  const incoming = /* @__PURE__ */ new Map();
+  for (const edge of cfg.edges) {
+    const list = incoming.get(edge.to) ?? [];
+    list.push(edge.from);
+    incoming.set(edge.to, list);
+  }
+  const idom = /* @__PURE__ */ new Map();
+  idom.set(entryId, entryId);
+  let changed = true;
+  while (changed) {
+    changed = false;
+    for (let i2 = 1; i2 < rpoOrder.length; i2++) {
+      const b = rpoOrder[i2];
+      const preds = incoming.get(b) ?? [];
+      let newIdom;
+      for (const p of preds) {
+        if (idom.has(p)) {
+          newIdom = p;
+          break;
+        }
+      }
+      if (newIdom === void 0) continue;
+      for (const p of preds) {
+        if (p === newIdom) continue;
+        if (idom.has(p)) {
+          newIdom = intersect(p, newIdom, idom, rpoIndex);
+        }
+      }
+      if (idom.get(b) !== newIdom) {
+        idom.set(b, newIdom);
+        changed = true;
+      }
+    }
+  }
+  return idom;
+}
+var DominatorGraph = class {
+  idom;
+  rpoIndex;
+  entryId;
+  /** Cached reverse map: blockId → all blockIds it strictly dominates. */
+  _dominated = null;
+  constructor(cfg, entryId) {
+    if (cfg.blocks.length === 0) {
+      this.entryId = entryId ?? 0;
+      this.idom = /* @__PURE__ */ new Map();
+      this.rpoIndex = /* @__PURE__ */ new Map();
+      return;
+    }
+    this.entryId = entryId ?? cfg.blocks.find((b) => b.type === "entry")?.id ?? cfg.blocks.reduce((a, b) => a.id < b.id ? a : b).id;
+    const { rpoOrder, rpoIndex } = computeRPO(cfg, this.entryId);
+    this.rpoIndex = rpoIndex;
+    this.idom = computeIdom(cfg, rpoOrder, rpoIndex, this.entryId);
+    this.idom.delete(this.entryId);
+  }
+  /**
+   * Returns true if block `a` dominates block `b`.
+   * A block dominates itself (reflexive).
+   */
+  dominates(a, b) {
+    if (a === b) return true;
+    return this.strictlyDominates(a, b);
+  }
+  /**
+   * Returns true if block `a` strictly dominates block `b` (a ≠ b and a dom b).
+   */
+  strictlyDominates(a, b) {
+    if (a === b) return false;
+    const visited = /* @__PURE__ */ new Set();
+    let cur = this.idom.get(b);
+    while (cur !== void 0 && !visited.has(cur)) {
+      if (cur === a) return true;
+      visited.add(cur);
+      cur = this.idom.get(cur);
+    }
+    return false;
+  }
+  /**
+   * Returns the immediate dominator of `blockId`, or null for the entry block
+   * (or any block not in the dominator tree).
+   */
+  immediateDominator(blockId) {
+    return this.idom.get(blockId) ?? null;
+  }
+  /**
+   * Returns all block IDs strictly dominated by `blockId`.
+   * (Computed lazily and cached on first call.)
+   */
+  dominated(blockId) {
+    if (!this._dominated) {
+      this._dominated = /* @__PURE__ */ new Map();
+      for (const [child, parent] of this.idom.entries()) {
+        const ancestors = [];
+        const seen = /* @__PURE__ */ new Set();
+        let cur = parent;
+        while (cur !== void 0 && !seen.has(cur)) {
+          seen.add(cur);
+          ancestors.push(cur);
+          cur = this.idom.get(cur);
+        }
+        for (const anc of ancestors) {
+          const list = this._dominated.get(anc) ?? [];
+          list.push(child);
+          this._dominated.set(anc, list);
+        }
+      }
+    }
+    return this._dominated.get(blockId) ?? [];
+  }
+};
+
+// src/graph/exception-flow-graph.ts
+var ExceptionFlowGraph = class {
+  /** All try/catch pairs found in the CFG. */
+  pairs;
+  /** Block IDs that are catch-handler entry blocks. */
+  catchEntryIds;
+  /** Block IDs that are try-body entry blocks. */
+  tryEntryIds;
+  tryCatchMap;
+  // tryEntryId → [catchEntryId, …]
+  catchTryMap;
+  // catchEntryId → tryEntryId
+  constructor(cfg, blockById) {
+    this.pairs = [];
+    this.catchEntryIds = /* @__PURE__ */ new Set();
+    this.tryEntryIds = /* @__PURE__ */ new Set();
+    this.tryCatchMap = /* @__PURE__ */ new Map();
+    this.catchTryMap = /* @__PURE__ */ new Map();
+    for (const edge of cfg.edges) {
+      if (edge.type !== "exception") continue;
+      const tryBlock = blockById.get(edge.from);
+      const catchBlock = blockById.get(edge.to);
+      if (!tryBlock || !catchBlock) continue;
+      this.tryEntryIds.add(edge.from);
+      this.catchEntryIds.add(edge.to);
+      const catches = this.tryCatchMap.get(edge.from) ?? [];
+      catches.push(edge.to);
+      this.tryCatchMap.set(edge.from, catches);
+      this.catchTryMap.set(edge.to, edge.from);
+      this.pairs.push({
+        tryEntryId: edge.from,
+        catchEntryId: edge.to,
+        tryBlock,
+        catchBlock
+      });
+    }
+  }
+  /** True if at least one try/catch pair was found. */
+  get hasTryCatch() {
+    return this.pairs.length > 0;
+  }
+  /** True if the given block ID is a catch-handler entry block. */
+  isCatchEntry(blockId) {
+    return this.catchEntryIds.has(blockId);
+  }
+  /** True if the given block ID is a try-body entry block. */
+  isTryEntry(blockId) {
+    return this.tryEntryIds.has(blockId);
+  }
+  /**
+   * Returns the catch-entry block IDs for the given try-entry block.
+   * Multiple values mean multiple catch clauses for the same try.
+   */
+  catchBlocksFor(tryEntryId) {
+    return this.tryCatchMap.get(tryEntryId) ?? [];
+  }
+  /**
+   * Returns the try-entry block ID corresponding to a catch-entry block,
+   * or `undefined` if the block is not a catch entry.
+   */
+  tryBlockFor(catchEntryId) {
+    return this.catchTryMap.get(catchEntryId);
+  }
+};
+
 // src/graph/analysis-pass.ts
 var AnalysisPipeline = class {
   passes = [];
@@ -16833,7 +17529,9 @@ var TaintMatcherPass = class {
         };
       }
     }
-    const taint = analyzeTaint(calls, types, mergedConfig);
+    const hierarchy = createWithJdkTypes();
+    hierarchy.addFromIR(graph.ir, graph.ir.meta.file);
+    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy);
     const sanitizerMethods = [];
     for (const type of types) {
       for (const method of type.methods) {
@@ -17358,6 +18056,73 @@ var SinkFilterPass = class {
     return { sources, sinks: filtered, sanitizers };
   }
 };
+function evalArithmetic(input) {
+  let pos = 0;
+  function peek() {
+    return input[pos] ?? "";
+  }
+  function consume() {
+    return input[pos++] ?? "";
+  }
+  function skipWs() {
+    while (pos < input.length && input[pos] === " ") pos++;
+  }
+  function parseNumber() {
+    skipWs();
+    let s = "";
+    if (peek() === "-") {
+      s += consume();
+    }
+    while (pos < input.length && /[\d.]/.test(input[pos])) s += consume();
+    if (s === "" || s === "-") return null;
+    const n = parseFloat(s);
+    return isFinite(n) ? n : null;
+  }
+  function parseFactor() {
+    skipWs();
+    if (peek() === "(") {
+      consume();
+      const val = parseExpr();
+      skipWs();
+      if (peek() === ")") consume();
+      return val;
+    }
+    return parseNumber();
+  }
+  function parseTerm() {
+    let left = parseFactor();
+    if (left === null) return null;
+    while (true) {
+      skipWs();
+      const op = peek();
+      if (op !== "*" && op !== "/") break;
+      consume();
+      const right = parseFactor();
+      if (right === null) return null;
+      left = op === "*" ? left * right : right === 0 ? null : left / right;
+      if (left === null) return null;
+    }
+    return left;
+  }
+  function parseExpr() {
+    let left = parseTerm();
+    if (left === null) return null;
+    while (true) {
+      skipWs();
+      const op = peek();
+      if (op !== "+" && op !== "-") break;
+      consume();
+      const right = parseTerm();
+      if (right === null) return null;
+      left = op === "+" ? left + right : left - right;
+    }
+    return left;
+  }
+  if (!/^[\d\s+\-*/().]+$/.test(input)) return null;
+  const result = parseExpr();
+  skipWs();
+  return pos === input.length ? result : null;
+}
 function evaluateSimpleExpression(expr, symbols) {
   let evaluated = expr;
   for (const [name2, val] of symbols) {
@@ -17366,13 +18131,8 @@ function evaluateSimpleExpression(expr, symbols) {
       evaluated = evaluated.replace(regex, String(val.value));
     }
   }
-  try {
-    if (/^[\d\s+\-*/().]+$/.test(evaluated)) {
-      const result = Function('"use strict"; return (' + evaluated + ")")();
-      if (typeof result === "number" && !isNaN(result)) return String(Math.floor(result));
-    }
-  } catch {
-  }
+  const result = evalArithmetic(evaluated);
+  if (result !== null && !isNaN(result)) return String(Math.floor(result));
   return expr;
 }
 function isStringLiteralExpression(expr) {
@@ -17422,7 +18182,8 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
   return sinks.filter((sink) => {
     const callsAtSink = callsByLine.get(sink.line) ?? [];
     const isInSynchronizedBlock = synchronizedLines?.has(sink.line) ?? false;
-    for (const call of callsAtSink) {
+    const relevantCalls = sink.method ? callsAtSink.filter((c) => c.method_name === sink.method) : callsAtSink;
+    for (const call of relevantCalls) {
       let allArgsAreClean = true;
       const methodName = call.in_method;
       for (const arg of call.arguments) {
@@ -17539,8 +18300,8 @@ var TaintPropagationPass = class {
     for (const f of collectionFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line)) continue;
       const flowForCheck = {
-        source: { line: f.source_line, type: f.source_type },
-        sink: { line: f.sink_line, type: f.sink_type },
+        source: { line: f.source_line },
+        sink: { line: f.sink_line },
         path: f.path.map((p) => ({ variable: p.variable, line: p.line }))
       };
       if (isCorrelatedPredicateFP(constProp, flowForCheck)) continue;
@@ -19690,6 +20451,750 @@ var ReactInlineJsxPass = class {
   }
 };
 
+// src/analysis/passes/swallowed-exception-pass.ts
+var MEANINGFUL_ACTION_RE = /\b(throw|raise|log|logger|console\.(error|warn|log|debug|info)|System\.(out|err)\.|print(?:ln|f)?|warn|error|debug|info|fatal|LOGGER|LOG|logging\.(warning|error|debug|info|critical))\b|\breturn\s+\S/;
+var SwallowedExceptionPass = class {
+  name = "swallowed-exception";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "rust" || language === "bash") {
+      return { swallowed: [] };
+    }
+    const { cfg } = graph.ir;
+    if (cfg.blocks.length === 0) return { swallowed: [] };
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    if (!exGraph.hasTryCatch) return { swallowed: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const swallowed = [];
+    const reported = /* @__PURE__ */ new Set();
+    for (const pair of exGraph.pairs) {
+      const catchLine = pair.catchBlock.start_line;
+      if (reported.has(catchLine)) continue;
+      const methodInfo = graph.methodAtLine(catchLine);
+      const scanEnd = methodInfo ? methodInfo.method.end_line : codeLines.length;
+      const catchBodyEnd = this.findCatchBodyEnd(codeLines, catchLine, scanEnd);
+      let hasAction = false;
+      for (let ln = catchLine; ln <= catchBodyEnd && ln <= codeLines.length; ln++) {
+        if (MEANINGFUL_ACTION_RE.test(codeLines[ln - 1] ?? "")) {
+          hasAction = true;
+          break;
+        }
+      }
+      if (!hasAction) {
+        reported.add(catchLine);
+        swallowed.push({ line: catchLine });
+        const snippet = (codeLines[catchLine - 1] ?? "").trim();
+        ctx.addFinding({
+          id: `swallowed-exception-${file}-${catchLine}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-390",
+          severity: "medium",
+          level: "warning",
+          message: `Swallowed exception: catch block at line ${catchLine} has no throw, log, or return \u2014 the exception is silently discarded`,
+          file,
+          line: catchLine,
+          snippet,
+          fix: "At minimum log the exception, or re-throw it; never silently discard exceptions"
+        });
+      }
+    }
+    return { swallowed };
+  }
+  /**
+   * Walks source lines starting at `startLine` counting brace depth.
+   * Returns the line where the brace depth first returns to zero after
+   * the opening brace (i.e., the closing brace of the catch block).
+   * Capped at `maxLine`.
+   */
+  findCatchBodyEnd(lines, startLine, maxLine) {
+    let depth = 0;
+    let started = false;
+    for (let ln = startLine; ln <= maxLine && ln <= lines.length; ln++) {
+      const text = lines[ln - 1] ?? "";
+      for (const ch of text) {
+        if (ch === "{") {
+          depth++;
+          started = true;
+        } else if (ch === "}" && started) {
+          depth--;
+        }
+      }
+      if (started && depth <= 0) return ln;
+    }
+    return maxLine;
+  }
+};
+
+// src/analysis/passes/broad-catch-pass.ts
+var JAVA_BROAD_RE = /catch\s*\(\s*(Exception|Throwable|RuntimeException|Error)\s/;
+var PYTHON_BROAD_RE = /^\s*except\s*:|except\s+(Exception|BaseException)\b/;
+var BroadCatchPass = class {
+  name = "broad-catch";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "java" && language !== "python") {
+      return { broadCatches: [] };
+    }
+    const { cfg } = graph.ir;
+    if (cfg.blocks.length === 0) return { broadCatches: [] };
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    if (!exGraph.hasTryCatch) return { broadCatches: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const broadCatches = [];
+    const reported = /* @__PURE__ */ new Set();
+    const pattern = language === "java" ? JAVA_BROAD_RE : PYTHON_BROAD_RE;
+    for (const pair of exGraph.pairs) {
+      const catchLine = pair.catchBlock.start_line;
+      if (reported.has(catchLine)) continue;
+      const lineText = codeLines[catchLine - 1] ?? "";
+      const match = pattern.exec(lineText);
+      if (!match) continue;
+      const caughtType = match[1] ?? "Exception";
+      reported.add(catchLine);
+      broadCatches.push({ line: catchLine, type: caughtType });
+      const snippet = lineText.trim();
+      ctx.addFinding({
+        id: `broad-catch-${file}-${catchLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-396",
+        severity: "low",
+        level: "warning",
+        message: `Broad catch: catching \`${caughtType}\` at line ${catchLine} suppresses unexpected errors and hides bugs`,
+        file,
+        line: catchLine,
+        snippet,
+        fix: language === "java" ? `Catch the specific exception types your code can handle (e.g., \`IOException\`, \`SQLException\`)` : `Catch the specific exception types your code can handle (e.g., \`ValueError\`, \`KeyError\`)`,
+        evidence: { caughtType }
+      });
+    }
+    return { broadCatches };
+  }
+};
+
+// src/analysis/passes/unhandled-exception-pass.ts
+var JS_THROW_RE = /^\s*throw\s+/;
+var PYTHON_RAISE_RE = /^\s*raise\b/;
+var UnhandledExceptionPass = class {
+  name = "unhandled-exception";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "javascript" && language !== "typescript" && language !== "python") {
+      return { unhandled: [] };
+    }
+    const { cfg } = graph.ir;
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    const coveredRanges = [];
+    for (const pair of exGraph.pairs) {
+      if (pair.catchBlock.start_line > pair.tryBlock.start_line) {
+        coveredRanges.push({
+          start: pair.tryBlock.start_line,
+          end: pair.catchBlock.start_line - 1
+        });
+      }
+    }
+    const catchStarts = new Set(
+      exGraph.pairs.map((p) => p.catchBlock.start_line)
+    );
+    const throwRe = language === "python" ? PYTHON_RAISE_RE : JS_THROW_RE;
+    const unhandled = [];
+    const reportedMethods = /* @__PURE__ */ new Set();
+    for (let ln = 1; ln <= codeLines.length; ln++) {
+      const lineText = codeLines[ln - 1] ?? "";
+      if (!throwRe.test(lineText)) continue;
+      let inCatch = false;
+      for (const cs of catchStarts) {
+        if (ln >= cs) {
+          inCatch = true;
+          break;
+        }
+      }
+      inCatch = false;
+      for (const pair of exGraph.pairs) {
+        if (ln >= pair.catchBlock.start_line) {
+          const mThrow = graph.methodAtLine(ln);
+          const mCatch = graph.methodAtLine(pair.catchBlock.start_line);
+          if (mThrow && mCatch && mThrow.method.start_line === mCatch.method.start_line) {
+            inCatch = true;
+            break;
+          }
+        }
+      }
+      if (inCatch) continue;
+      const isCovered = coveredRanges.some((r) => ln >= r.start && ln <= r.end);
+      if (isCovered) continue;
+      const methodInfo = graph.methodAtLine(ln);
+      const methodKey = methodInfo ? `${methodInfo.method.start_line}-${methodInfo.method.end_line}` : `global-${ln}`;
+      if (reportedMethods.has(methodKey)) continue;
+      reportedMethods.add(methodKey);
+      const methodName = methodInfo?.method.name ?? "<anonymous>";
+      unhandled.push({ line: ln, method: methodName });
+      const snippet = lineText.trim();
+      ctx.addFinding({
+        id: `unhandled-exception-${file}-${ln}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-390",
+        severity: "medium",
+        level: "warning",
+        message: `Unhandled exception: \`throw\` at line ${ln} in \`${methodName}\` is not inside a try/catch \u2014 callers receive an unexpected exception`,
+        file,
+        line: ln,
+        snippet,
+        fix: "Wrap throwing code in a try/catch, or document the exception in the function signature",
+        evidence: { method: methodName }
+      });
+    }
+    return { unhandled };
+  }
+};
+
+// src/analysis/passes/double-close-pass.ts
+var RESOURCE_CTORS2 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS2 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS2 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+var DoubleClosePass = class {
+  name = "double-close";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code } = ctx;
+    if (ctx.language === "bash") return { doubleCloses: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const doubleCloses = [];
+    for (const call of graph.ir.calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS2.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS2.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const { start_line: methodStart, end_line: methodEnd } = methodInfo.method;
+      const closeCalls = graph.ir.calls.filter(
+        (c) => CLOSE_METHODS2.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      );
+      if (closeCalls.length < 2) continue;
+      const closeLines = closeCalls.map((c) => c.location.line);
+      const allInFinally = closeLines.every(
+        (cl) => this.isInFinallyBlock(codeLines, cl, methodStart, methodEnd)
+      );
+      if (allInFinally) continue;
+      doubleCloses.push({ openLine, closeLines, variable: resourceVar });
+      const snippet = (codeLines[openLine - 1] ?? "").trim();
+      const linesStr = closeLines.join(" and ");
+      ctx.addFinding({
+        id: `double-close-${file}-${openLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-675",
+        severity: "medium",
+        level: "warning",
+        message: `Double close: \`${resourceVar}\` is closed at lines ${linesStr} \u2014 closing an already-closed resource may throw`,
+        file,
+        line: openLine,
+        snippet,
+        fix: `Close the resource exactly once in a finally block; add a null/isClosed guard before the second close if closing on multiple paths`,
+        evidence: { variable: resourceVar, close_lines: closeLines }
+      });
+    }
+    return { doubleCloses };
+  }
+  /** True if the given line is inside a `finally` block in the method. */
+  isInFinallyBlock(lines, targetLine, methodStart, methodEnd) {
+    for (let ln = methodStart; ln <= targetLine && ln <= methodEnd && ln <= lines.length; ln++) {
+      if (/\bfinally\b/.test(lines[ln - 1] ?? "")) return true;
+    }
+    return false;
+  }
+};
+
+// src/analysis/passes/use-after-close-pass.ts
+var RESOURCE_CTORS3 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS3 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS3 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+var UseAfterClosePass = class {
+  name = "use-after-close";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code } = ctx;
+    if (ctx.language === "bash") return { useAfterCloses: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const useAfterCloses = [];
+    for (const call of graph.ir.calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS3.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS3.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const methodEnd = methodInfo.method.end_line;
+      const firstClose = graph.ir.calls.filter(
+        (c) => CLOSE_METHODS3.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      ).sort((a, b) => a.location.line - b.location.line)[0];
+      if (!firstClose) continue;
+      const closeLine = firstClose.location.line;
+      const usesAfterClose = graph.ir.calls.filter(
+        (c) => c.receiver === resourceVar && c.location.line > closeLine && c.location.line <= methodEnd && !CLOSE_METHODS3.has(c.method_name)
+      );
+      for (const use of usesAfterClose) {
+        const useLine = use.location.line;
+        useAfterCloses.push({ openLine, closeLine, useLine, variable: resourceVar });
+        const snippet = (codeLines[useLine - 1] ?? "").trim();
+        ctx.addFinding({
+          id: `use-after-close-${file}-${useLine}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-672",
+          severity: "high",
+          level: "error",
+          message: `Use after close: \`${resourceVar}.${use.method_name}()\` at line ${useLine} is called after \`${resourceVar}.close()\` at line ${closeLine}`,
+          file,
+          line: useLine,
+          snippet,
+          fix: `Do not use a resource after closing it; keep \`${resourceVar}\` open until all uses are complete`,
+          evidence: { variable: resourceVar, close_line: closeLine, open_line: openLine }
+        });
+      }
+    }
+    return { useAfterCloses };
+  }
+};
+
+// src/analysis/passes/missing-guard-dom-pass.ts
+var AUTH_METHODS = /* @__PURE__ */ new Set([
+  "authenticate",
+  "isAuthenticated",
+  "isAuthorized",
+  "isAdmin",
+  "checkAuth",
+  "hasPermission",
+  "requiresAuth",
+  "verifyToken",
+  "validateToken",
+  "checkRole",
+  "authorize",
+  "isLoggedIn"
+]);
+var SENSITIVE_METHODS = /* @__PURE__ */ new Set([
+  "delete",
+  "deleteById",
+  "drop",
+  "truncate",
+  "executeUpdate",
+  "createUser",
+  "createAdmin",
+  "modifyPermission",
+  "grantRole",
+  "setAdmin",
+  "elevatePrivilege"
+]);
+var MissingGuardDomPass = class {
+  name = "missing-guard-dom";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") return { findings: 0 };
+    const { cfg, calls } = graph.ir;
+    if (cfg.blocks.length === 0 || cfg.edges.length === 0) return { findings: 0 };
+    const dom = new DominatorGraph(cfg);
+    const file = graph.ir.meta.file;
+    const authCallLines = [];
+    const sensitiveOps = [];
+    for (const call of calls) {
+      if (AUTH_METHODS.has(call.method_name)) {
+        authCallLines.push(call.location.line);
+      }
+      if (SENSITIVE_METHODS.has(call.method_name)) {
+        sensitiveOps.push({ line: call.location.line, method: call.method_name });
+      }
+    }
+    if (sensitiveOps.length === 0) return { findings: 0 };
+    const blockContainingLine = (line) => cfg.blocks.find((b) => b.start_line <= line && line <= b.end_line) ?? null;
+    const reportedMethods = /* @__PURE__ */ new Set();
+    let count = 0;
+    for (const op of sensitiveOps) {
+      const opBlock = blockContainingLine(op.line);
+      if (!opBlock) continue;
+      const methodInfo = graph.methodAtLine(op.line);
+      if (!methodInfo) continue;
+      const methodKey = `${methodInfo.type.name}::${methodInfo.method.name}`;
+      if (reportedMethods.has(methodKey)) continue;
+      const { start_line, end_line } = methodInfo.method;
+      const authInMethod = authCallLines.filter((l) => l >= start_line && l <= end_line);
+      const dominated = authInMethod.some((authLine) => {
+        const authBlock = blockContainingLine(authLine);
+        return authBlock !== null && dom.dominates(authBlock.id, opBlock.id);
+      });
+      if (!dominated) {
+        reportedMethods.add(methodKey);
+        count++;
+        ctx.addFinding({
+          id: `missing-guard-dom-${file}-${op.line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "missing-guard-dom",
+          cwe: "CWE-285",
+          severity: "high",
+          level: "error",
+          message: `Sensitive operation \`${op.method}()\` at line ${op.line} is not dominated by an authentication check`,
+          file,
+          line: op.line,
+          fix: `Add authentication/authorization check on all paths leading to line ${op.line}`,
+          evidence: { method: op.method }
+        });
+      }
+    }
+    return { findings: count };
+  }
+};
+
+// src/analysis/passes/cleanup-verify-pass.ts
+var RESOURCE_CTORS4 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS4 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS4 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+function buildPostDomGraph(cfg) {
+  const exitBlock = cfg.blocks.find((b) => b.type === "exit") ?? cfg.blocks.find((b) => !cfg.edges.some((e) => e.from === b.id));
+  if (!exitBlock || cfg.blocks.length === 0) {
+    return new DominatorGraph({ blocks: [], edges: [] });
+  }
+  const reversed = {
+    blocks: cfg.blocks,
+    edges: cfg.edges.map((e) => ({ from: e.to, to: e.from, type: e.type }))
+  };
+  return new DominatorGraph(reversed, exitBlock.id);
+}
+var CleanupVerifyPass = class {
+  name = "cleanup-verify";
+  category = "reliability";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language === "rust" || language === "bash") return { findings: 0 };
+    const { cfg, calls } = graph.ir;
+    const file = graph.ir.meta.file;
+    if (cfg.blocks.length === 0) return { findings: 0 };
+    const postDom = buildPostDomGraph(cfg);
+    const blockContainingLine = (line) => cfg.blocks.find((b) => b.start_line <= line && line <= b.end_line) ?? null;
+    let count = 0;
+    for (const call of calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS4.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS4.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const methodEnd = methodInfo.method.end_line;
+      const closeCall = calls.find(
+        (c) => CLOSE_METHODS4.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      );
+      if (!closeCall) continue;
+      const openBlock = blockContainingLine(openLine);
+      const closeBlock = blockContainingLine(closeCall.location.line);
+      if (!openBlock || !closeBlock) continue;
+      if (postDom.dominates(closeBlock.id, openBlock.id)) continue;
+      count++;
+      ctx.addFinding({
+        id: `cleanup-verify-${file}-${openLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: "cleanup-verify",
+        cwe: "CWE-772",
+        severity: "medium",
+        level: "warning",
+        message: `Resource \`${resourceVar}\` opened at line ${openLine} may not close on all paths \u2014 close() at line ${closeCall.location.line} does not post-dominate the acquisition`,
+        file,
+        line: openLine,
+        fix: "Use try-with-resources (Java) or a finally block to guarantee cleanup on all paths",
+        evidence: {
+          resource: name2,
+          variable: resourceVar,
+          close_line: closeCall.location.line
+        }
+      });
+    }
+    return { findings: count };
+  }
+};
+
+// src/analysis/passes/missing-override-pass.ts
+var MissingOverridePass = class {
+  name = "missing-override";
+  category = "maintainability";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") return { findings: 0 };
+    const { types } = graph.ir;
+    const file = graph.ir.meta.file;
+    if (types.length === 0) return { findings: 0 };
+    const methodsByClass = /* @__PURE__ */ new Map();
+    for (const type of types) {
+      methodsByClass.set(type.name, new Set(type.methods.map((m) => m.name)));
+    }
+    const parentMap = /* @__PURE__ */ new Map();
+    for (const type of types) {
+      if (type.extends) {
+        const parent = type.extends.replace(/<[^>]*>/g, "").trim();
+        parentMap.set(type.name, parent);
+      }
+    }
+    if (parentMap.size === 0) return { findings: 0 };
+    const getAncestorMethods = (className) => {
+      const methods = /* @__PURE__ */ new Set();
+      const visited = /* @__PURE__ */ new Set();
+      let current = parentMap.get(className);
+      let hops = 0;
+      while (current && !visited.has(current) && hops < 10) {
+        visited.add(current);
+        const parentMethods = methodsByClass.get(current);
+        if (parentMethods) {
+          for (const m of parentMethods) methods.add(m);
+        }
+        current = parentMap.get(current);
+        hops++;
+      }
+      return methods;
+    };
+    const dedup = /* @__PURE__ */ new Set();
+    let count = 0;
+    for (const type of types) {
+      if (!parentMap.has(type.name)) continue;
+      const ancestorMethods = getAncestorMethods(type.name);
+      if (ancestorMethods.size === 0) continue;
+      for (const method of type.methods) {
+        if (method.name === type.name) continue;
+        if (method.modifiers.includes("private")) continue;
+        if (method.modifiers.includes("static")) continue;
+        if (method.modifiers.includes("abstract")) continue;
+        if (!ancestorMethods.has(method.name)) continue;
+        if (method.annotations.includes("Override")) continue;
+        const key = `${type.name}:${method.name}`;
+        if (dedup.has(key)) continue;
+        dedup.add(key);
+        count++;
+        ctx.addFinding({
+          id: `missing-override-${file}-${method.start_line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "missing-override",
+          severity: "low",
+          level: "warning",
+          message: `Method \`${method.name}()\` in \`${type.name}\` overrides a parent method but lacks @Override`,
+          file,
+          line: method.start_line,
+          fix: "Add @Override to make the intent explicit and catch signature mismatches at compile time",
+          evidence: { className: type.name, methodName: method.name }
+        });
+      }
+    }
+    return { findings: count };
+  }
+};
+
+// src/analysis/passes/unused-interface-method-pass.ts
+var UnusedInterfaceMethodPass = class {
+  name = "unused-interface-method";
+  category = "maintainability";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java" && language !== "typescript") return { findings: 0 };
+    const { types, calls } = graph.ir;
+    const file = graph.ir.meta.file;
+    const calledMethods = new Set(calls.map((c) => c.method_name));
+    const dedup = /* @__PURE__ */ new Set();
+    let count = 0;
+    for (const type of types) {
+      if (type.kind !== "interface") continue;
+      for (const method of type.methods) {
+        if (calledMethods.has(method.name)) continue;
+        const key = `${type.name}:${method.name}`;
+        if (dedup.has(key)) continue;
+        dedup.add(key);
+        count++;
+        ctx.addFinding({
+          id: `unused-interface-method-${file}-${method.start_line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "unused-interface-method",
+          severity: "low",
+          level: "note",
+          message: `Interface method \`${method.name}()\` in \`${type.name}\` is never called in this file`,
+          file,
+          line: method.start_line,
+          fix: "Remove this method or verify it is used from other files; unused interface methods inflate the public API",
+          evidence: { interfaceName: type.name, methodName: method.name }
+        });
+      }
+    }
+    return { findings: count };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -20489,7 +21994,7 @@ async function analyze(code, filePath, language, options = {}) {
     enriched: {}
   });
   const config = options.taintConfig ?? getDefaultConfig();
-  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).run(graph, code, language, config);
+  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).add(new SwallowedExceptionPass()).add(new BroadCatchPass()).add(new UnhandledExceptionPass()).add(new DoubleClosePass()).add(new UseAfterClosePass()).add(new MissingGuardDomPass()).add(new CleanupVerifyPass()).add(new MissingOverridePass()).add(new UnusedInterfaceMethodPass()).run(graph, code, language, config);
   const sinkFilter = results.get("sink-filter");
   const interProc = results.get("interprocedural");
   const taint = {