cognium-dev 3.28.0 → 3.33.0

package/dist/cli.js

@@ -8990,6 +8990,484 @@ function findChildByTypeGo(node, type) {
   }
   return null;
 }
+// ../circle-ir/dist/core/extractors/runtime-registrations.js
+var HTTP_VERB_METHODS = new Set([
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "head",
+  "options",
+  "all"
+]);
+var MIDDLEWARE_METHODS = new Set(["use"]);
+var EVENT_LISTENER_METHODS = new Set(["on", "once", "ws"]);
+var EXPRESS_RECEIVER_NAMES = new Set([
+  "app",
+  "router",
+  "server",
+  "apiRouter",
+  "fastify",
+  "koa",
+  "express"
+]);
+var FRAMEWORK_MODULE_PATTERNS = [
+  /^express$/,
+  /^@?fastify(\/.*)?$/,
+  /^koa$/,
+  /^restify$/,
+  /^hapi$/,
+  /^@nestjs\/common$/,
+  /^@nestjs\/core$/
+];
+function extractRuntimeRegistrations(tree, cache, language, imports) {
+  if (language === "javascript" || language === "typescript") {
+    return extractJSRuntimeRegistrations(tree, cache, imports);
+  }
+  if (language === "python") {
+    return extractPythonRuntimeRegistrations(tree, cache, imports);
+  }
+  return [];
+}
+function buildHandlerIndex(tree, cache, imports) {
+  const decls = new Map;
+  const recordDeclaration = (name2, node) => {
+    if (!decls.has(name2)) {
+      decls.set(name2, {
+        line: node.startPosition.row + 1,
+        column: node.startPosition.column
+      });
+    }
+  };
+  for (const fn of getNodesFromCache(tree.rootNode, "function_declaration", cache)) {
+    const nameNode = fn.childForFieldName("name");
+    if (nameNode)
+      recordDeclaration(getNodeText(nameNode), fn);
+  }
+  const collectVarDeclarators = (parentType) => {
+    for (const decl of getNodesFromCache(tree.rootNode, parentType, cache)) {
+      for (let i2 = 0;i2 < decl.childCount; i2++) {
+        const child = decl.child(i2);
+        if (!child || child.type !== "variable_declarator")
+          continue;
+        const nameNode = child.childForFieldName("name");
+        const valueNode = child.childForFieldName("value");
+        if (!nameNode || !valueNode)
+          continue;
+        if (valueNode.type === "arrow_function" || valueNode.type === "function_expression" || valueNode.type === "function") {
+          recordDeclaration(getNodeText(nameNode), child);
+        }
+      }
+    }
+  };
+  collectVarDeclarators("lexical_declaration");
+  collectVarDeclarators("variable_declaration");
+  let hasFrameworkImport = false;
+  if (imports) {
+    for (const imp of imports) {
+      const mod = imp.from_package ?? "";
+      if (mod && FRAMEWORK_MODULE_PATTERNS.some((re) => re.test(mod))) {
+        hasFrameworkImport = true;
+        break;
+      }
+    }
+  }
+  return { declarations: decls, hasFrameworkImport };
+}
+function extractJSRuntimeRegistrations(tree, cache, imports) {
+  const out2 = [];
+  const index = buildHandlerIndex(tree, cache, imports);
+  const callExpressions = getNodesFromCache(tree.rootNode, "call_expression", cache);
+  for (const call of callExpressions) {
+    const fnNode = call.childForFieldName("function");
+    if (!fnNode || fnNode.type !== "member_expression")
+      continue;
+    const objectNode = fnNode.childForFieldName("object");
+    const propertyNode = fnNode.childForFieldName("property");
+    if (!objectNode || !propertyNode)
+      continue;
+    const method = getNodeText(propertyNode);
+    const receiver = getNodeText(objectNode);
+    const kind = classifyMethod(method);
+    if (!kind)
+      continue;
+    if (!isExpressShapedReceiver(receiver) && !index.hasFrameworkImport) {
+      continue;
+    }
+    const argsNode = call.childForFieldName("arguments");
+    if (!argsNode)
+      continue;
+    const argNodes = getRealArgs(argsNode);
+    if (argNodes.length === 0)
+      continue;
+    let path;
+    let handlerStart = 0;
+    const first = argNodes[0];
+    if (first.type === "string") {
+      path = stripQuotes(getNodeText(first));
+      handlerStart = 1;
+    } else if (first.type === "template_string" && !hasTemplateSubstitution(first)) {
+      path = stripBackticks(getNodeText(first));
+      handlerStart = 1;
+    }
+    for (let i2 = handlerStart;i2 < argNodes.length; i2++) {
+      const handlerNode = argNodes[i2];
+      const handler = resolveHandler(handlerNode, index);
+      if (!handler)
+        continue;
+      out2.push({
+        kind,
+        framework: inferFramework(receiver, index.hasFrameworkImport),
+        registrar: {
+          method,
+          receiver,
+          line: call.startPosition.row + 1,
+          column: call.startPosition.column
+        },
+        ...path !== undefined ? { path } : {},
+        handler
+      });
+    }
+  }
+  return out2;
+}
+function classifyMethod(method) {
+  if (HTTP_VERB_METHODS.has(method))
+    return "http_route";
+  if (MIDDLEWARE_METHODS.has(method))
+    return "middleware";
+  if (EVENT_LISTENER_METHODS.has(method))
+    return "event_listener";
+  return null;
+}
+function isExpressShapedReceiver(receiver) {
+  if (EXPRESS_RECEIVER_NAMES.has(receiver))
+    return true;
+  if (/(?:Router|App|Server)$/.test(receiver))
+    return true;
+  return false;
+}
+function inferFramework(receiver, hasFrameworkImport) {
+  if (receiver === "fastify")
+    return "fastify";
+  if (receiver === "koa")
+    return "koa";
+  if (receiver === "express")
+    return "express";
+  return hasFrameworkImport ? "express" : "unknown";
+}
+function getRealArgs(argsNode) {
+  const out2 = [];
+  for (let i2 = 0;i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",")
+      continue;
+    out2.push(child);
+  }
+  return out2;
+}
+function stripQuotes(s) {
+  if (s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0]) {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function stripBackticks(s) {
+  if (s.length >= 2 && s[0] === "`" && s[s.length - 1] === "`") {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function hasTemplateSubstitution(node) {
+  for (let i2 = 0;i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child && child.type === "template_substitution")
+      return true;
+  }
+  return false;
+}
+function resolveHandler(node, index) {
+  if (node.type === "arrow_function" || node.type === "function_expression" || node.type === "function") {
+    return {
+      name: null,
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  if (node.type === "identifier") {
+    const name2 = getNodeText(node);
+    const decl = index.declarations.get(name2);
+    if (decl) {
+      return { name: name2, line: decl.line, column: decl.column };
+    }
+    return {
+      name: name2,
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  if (node.type === "member_expression") {
+    return {
+      name: getNodeText(node),
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  return null;
+}
+var PY_HTTP_ROUTE_METHODS = new Set([
+  "route",
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "head",
+  "options"
+]);
+var PY_MIDDLEWARE_METHODS = new Set([
+  "before_request",
+  "after_request",
+  "teardown_request",
+  "before_first_request",
+  "teardown_appcontext",
+  "middleware"
+]);
+var PY_EVENT_METHODS = new Set([
+  "errorhandler",
+  "on_event",
+  "exception_handler"
+]);
+var PY_STDLIB_DECORATORS = new Set([
+  "property",
+  "staticmethod",
+  "classmethod",
+  "abstractmethod",
+  "cached_property",
+  "dataclass",
+  "cache",
+  "lru_cache",
+  "singledispatch",
+  "singledispatchmethod",
+  "contextmanager",
+  "asynccontextmanager",
+  "final",
+  "override",
+  "wraps"
+]);
+function summarisePythonImports(imports) {
+  const s = {
+    hasFlask: false,
+    hasFastApi: false,
+    hasCelery: false,
+    hasNumba: false,
+    hasClick: false,
+    hasPytest: false
+  };
+  if (!imports)
+    return s;
+  for (const imp of imports) {
+    const mod = imp.from_package ?? "";
+    if (!mod)
+      continue;
+    if (/^flask(\b|\.)/.test(mod))
+      s.hasFlask = true;
+    if (/^fastapi(\b|\.)/.test(mod) || /^starlette(\b|\.)/.test(mod))
+      s.hasFastApi = true;
+    if (/^celery(\b|\.)/.test(mod))
+      s.hasCelery = true;
+    if (/^numba(\b|\.)/.test(mod))
+      s.hasNumba = true;
+    if (/^click(\b|\.)/.test(mod))
+      s.hasClick = true;
+    if (/^pytest(\b|\.)/.test(mod))
+      s.hasPytest = true;
+  }
+  return s;
+}
+function extractPythonRuntimeRegistrations(tree, cache, imports) {
+  const out2 = [];
+  const importSummary = summarisePythonImports(imports);
+  const decoratedDefs = getNodesFromCache(tree.rootNode, "decorated_definition", cache);
+  for (const dd of decoratedDefs) {
+    let fnNode = null;
+    const decorators = [];
+    for (let i2 = 0;i2 < dd.childCount; i2++) {
+      const child = dd.child(i2);
+      if (!child)
+        continue;
+      if (child.type === "decorator") {
+        decorators.push(child);
+      } else if (child.type === "function_definition" || child.type === "async_function_definition") {
+        fnNode = child;
+      }
+    }
+    if (!fnNode || decorators.length === 0)
+      continue;
+    const handler = pythonHandlerFromFunctionDef(fnNode);
+    if (!handler)
+      continue;
+    for (const dec of decorators) {
+      const parsed = parsePythonDecorator(dec);
+      if (!parsed)
+        continue;
+      const { receiver, method, path, line, column } = parsed;
+      const { kind, framework } = classifyPythonDecorator(receiver, method, importSummary);
+      out2.push({
+        kind,
+        framework,
+        registrar: { method, receiver, line, column },
+        ...path !== undefined ? { path } : {},
+        handler
+      });
+    }
+  }
+  return out2;
+}
+function pythonHandlerFromFunctionDef(fn) {
+  const nameNode = fn.childForFieldName("name");
+  if (!nameNode)
+    return null;
+  return {
+    name: getNodeText(nameNode),
+    line: fn.startPosition.row + 1,
+    column: fn.startPosition.column
+  };
+}
+function parsePythonDecorator(dec) {
+  let target = null;
+  for (let i2 = 0;i2 < dec.childCount; i2++) {
+    const child = dec.child(i2);
+    if (!child || child.type === "@")
+      continue;
+    target = child;
+    break;
+  }
+  if (!target)
+    return null;
+  const line = dec.startPosition.row + 1;
+  const column = dec.startPosition.column;
+  if (target.type === "identifier") {
+    return { receiver: "", method: getNodeText(target), line, column };
+  }
+  if (target.type === "attribute") {
+    const { receiver, method } = splitDottedAttribute(target);
+    return { receiver, method, line, column };
+  }
+  if (target.type === "call") {
+    const fnNode = target.childForFieldName("function");
+    if (!fnNode)
+      return null;
+    let receiver = "";
+    let method = "";
+    if (fnNode.type === "identifier") {
+      method = getNodeText(fnNode);
+    } else if (fnNode.type === "attribute") {
+      const split = splitDottedAttribute(fnNode);
+      receiver = split.receiver;
+      method = split.method;
+    } else {
+      method = getNodeText(fnNode);
+    }
+    const path = extractFirstStringArg(target);
+    return { receiver, method, path, line, column };
+  }
+  return null;
+}
+function splitDottedAttribute(attr) {
+  const objectNode = attr.childForFieldName("object");
+  const attrNode = attr.childForFieldName("attribute");
+  const method = attrNode ? getNodeText(attrNode) : "";
+  const receiver = objectNode ? getNodeText(objectNode) : "";
+  return { receiver, method };
+}
+function extractFirstStringArg(call) {
+  const argsNode = call.childForFieldName("arguments");
+  if (!argsNode)
+    return;
+  for (let i2 = 0;i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",")
+      continue;
+    if (child.type === "string") {
+      return stripPythonStringQuotes(getNodeText(child));
+    }
+    return;
+  }
+  return;
+}
+function stripPythonStringQuotes(s) {
+  const m = s.match(/^[bBrRuUfF]{0,2}(['"])(.*)\1$/s);
+  if (m)
+    return m[2];
+  if (s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0]) {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function classifyPythonDecorator(receiver, method, imp) {
+  if (!receiver && PY_STDLIB_DECORATORS.has(method)) {
+    return { kind: "decorator", framework: "stdlib" };
+  }
+  if (receiver) {
+    const head = receiver.split(".")[0];
+    if (head === "pytest") {
+      return { kind: "decorator", framework: "pytest" };
+    }
+    if (head === "click") {
+      return { kind: "decorator", framework: "click" };
+    }
+    if (head === "numba" || head === "nb") {
+      return { kind: "decorator", framework: "numba" };
+    }
+    if (head === "celery") {
+      return { kind: "decorator", framework: "celery" };
+    }
+  }
+  if (receiver && PY_HTTP_ROUTE_METHODS.has(method)) {
+    const isRoutey = isPyRouterReceiver(receiver);
+    if (isRoutey) {
+      let framework = "unknown";
+      if (imp.hasFlask)
+        framework = "flask";
+      else if (imp.hasFastApi)
+        framework = "fastapi";
+      else if (method === "route")
+        framework = "flask";
+      else
+        framework = "fastapi";
+      return { kind: "http_route", framework };
+    }
+  }
+  if (receiver && PY_MIDDLEWARE_METHODS.has(method)) {
+    return { kind: "middleware", framework: imp.hasFlask ? "flask" : imp.hasFastApi ? "fastapi" : "unknown" };
+  }
+  if (receiver && PY_EVENT_METHODS.has(method)) {
+    return { kind: "event_listener", framework: imp.hasFlask ? "flask" : imp.hasFastApi ? "fastapi" : "unknown" };
+  }
+  if (method === "task" && imp.hasCelery) {
+    return { kind: "decorator", framework: "celery" };
+  }
+  if (!receiver && (method === "login_required" || method === "require_http_methods" || method === "api_view")) {
+    return { kind: "decorator", framework: "django" };
+  }
+  return { kind: "decorator", framework: "unknown" };
+}
+function isPyRouterReceiver(receiver) {
+  const head = receiver.split(".")[0];
+  if (!head)
+    return false;
+  if (["app", "router", "blueprint", "bp", "api", "application"].includes(head))
+    return true;
+  if (/_(router|bp|blueprint|app|api)$/.test(head))
+    return true;
+  return false;
+}
 // ../circle-ir/dist/analysis/config-loader.js
 var DEFAULT_SOURCES = [
   { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
@@ -9010,6 +9488,9 @@ var DEFAULT_SOURCES = [
   { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
   { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getPathWithinApplication", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestUri", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
+  { method: "decodeRequestString", class: "WebUtils", type: "http_path", severity: "high", return_tainted: true },
   { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
   { method: "getAuthType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
@@ -9122,6 +9603,11 @@ var DEFAULT_SOURCES = [
   { method: "getContent", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getParameters", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getRawContent", type: "io_input", severity: "high", return_tainted: true },
+  { method: "get", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameter", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "XWikiRequest", type: "http_header", severity: "high", return_tainted: true },
   { method: "getAttributes", class: "XMLReader", type: "io_input", severity: "high", return_tainted: true },
   { method: "getValue", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
   { method: "getLocalName", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
@@ -9307,7 +9793,6 @@ var DEFAULT_SINKS = [
   { method: "start", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
   { method: "ProcessBuilder", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "command", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Executor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "execute", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "CommandLine", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -9360,15 +9845,14 @@ var DEFAULT_SINKS = [
   { method: "fork", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "popen", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "system", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Executor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "setCommandline", class: "Executor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "waitFor", class: "Process", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
   { method: "inheritIO", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [] },
   { method: "redirectOutput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
   { method: "redirectInput", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "medium", arg_positions: [0] },
-  { method: "File", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  { method: "File", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
   { method: "FileInputStream", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileOutputStream", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileReader", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -9621,6 +10105,8 @@ var DEFAULT_SINKS = [
   { method: "eval", class: "MVEL", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "createValueExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
   { method: "createMethodExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  { method: "evaluateAttributeExpressions", class: "PropertyValue", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "evaluateAttributeExpressions", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   { method: "evaluate", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parseClass", class: "GroovyClassLoader", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -9774,6 +10260,21 @@ var DEFAULT_SINKS = [
   { method: "cleanAttributes", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLStartElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXML", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLComment", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLStartElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "BlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "AbstractBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "DefaultBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "HTML5Renderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "XHTMLRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "beginFormat", class: "HTML5ChainingRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -9841,10 +10342,10 @@ var DEFAULT_SINKS = [
   { method: "spawn", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawnSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "exec", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "execSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "spawnSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
-  { method: "execFile", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "execSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "spawnSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "execFile", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "readFile", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "readFileSync", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "writeFile", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
@@ -9855,17 +10356,17 @@ var DEFAULT_SINKS = [
   { method: "rmdir", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "createReadStream", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "createWriteStream", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  { method: "query", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "setAttribute", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
   { method: "send", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "write", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "end", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "html", class: "Response", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "render", class: "Response", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [1] },
-  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "Function", class: "constructor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "runInNewContext", class: "vm", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -9879,7 +10380,7 @@ var DEFAULT_SINKS = [
   { method: "get", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
-  { method: "fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "request", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "get", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -9899,39 +10400,39 @@ var DEFAULT_SINKS = [
   { method: "check_output", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "check_call", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "Popen", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
-  { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
-  { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
+  { method: "eval", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "load", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loads", class: "marshal", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "load", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "loads", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "executemany", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "extra", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
-  { method: "open", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "executemany", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "extra", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "open", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "remove", class: "os", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "unlink", class: "os", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "rmdir", class: "os", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "rmtree", class: "shutil", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
-  { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
-  { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
-  { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "get", class: "requests", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "requests", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "urlopen", class: "urllib.request", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
-  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0] },
-  { method: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
+  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["python"] },
+  { method: "xpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "find", class: "etree", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "findall", class: "etree", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "iterfind", class: "etree", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "XPath", class: "lxml", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "select", class: "elementpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [1] },
-  { method: "select", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
+  { method: "select", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "iter_select", class: "elementpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [1] },
   { method: "Selector", class: "elementpath", type: "xpath_injection", cwe: "CWE-643", severity: "high", arg_positions: [0] },
   { method: "parse", class: "etree", type: "xxe", cwe: "CWE-611", severity: "high", arg_positions: [0] },
@@ -9997,33 +10498,33 @@ var DEFAULT_SINKS = [
   { method: "new", class: "Command", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "arg", class: "Command", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "args", class: "Command", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "sql_query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "raw_sql", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  { method: "query", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", class: "Client", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "query", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", class: "Pool", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "sql_query", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "raw_sql", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "query_row", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "prepare", class: "Connection", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
   { method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
-  { method: "query_map", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
+  { method: "prepare", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "query_map", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["rust"] },
   { method: "open", class: "File", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "create", class: "File", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "read_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "remove_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "remove_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "remove_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
-  { method: "copy", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
-  { method: "rename", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
-  { method: "write", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "read_to_string", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "create_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "create_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
-  { method: "symlink_metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
+  { method: "read_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "remove_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "remove_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "remove_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0], languages: ["rust"] },
+  { method: "copy", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1], languages: ["rust"] },
+  { method: "rename", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1], languages: ["rust"] },
+  { method: "write", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "read_to_string", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "create_dir", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "create_dir_all", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["rust"] },
+  { method: "metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0], languages: ["rust"] },
+  { method: "symlink_metadata", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0], languages: ["rust"] },
   { method: "read_to_string", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "write", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "create_dir_all", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -10305,9 +10806,9 @@ var PYTHON_TAINTED_PATTERNS = [
   { pattern: /\brequest\.query_params\b/, sourceType: "http_param" },
   { pattern: /\brequest\.path_params\b/, sourceType: "http_param" }
 ];
-function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy) {
+function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language) {
   const sources = findSources(calls, types, config.sources);
-  const sinks = findSinks(calls, config.sinks, typeHierarchy);
+  const sinks = findSinks(calls, config.sinks, typeHierarchy, language);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
 }
@@ -10554,11 +11055,11 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
-function findSinks(calls, patterns, typeHierarchy) {
+function findSinks(calls, patterns, typeHierarchy, language) {
   const sinkMap = new Map;
   for (const call of calls) {
     for (const pattern of patterns) {
-      if (matchesSinkPattern(call, pattern, typeHierarchy)) {
+      if (matchesSinkPattern(call, pattern, typeHierarchy, language)) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
@@ -10806,7 +11307,12 @@ function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
   }
   return false;
 }
-function matchesSinkPattern(call, pattern, typeHierarchy) {
+function matchesSinkPattern(call, pattern, typeHierarchy, language) {
+  if (pattern.languages && pattern.languages.length > 0 && language !== undefined) {
+    if (!pattern.languages.includes(language)) {
+      return false;
+    }
+  }
   const callMethodName = call.method_name;
   const patternMethod = pattern.method;
   let methodMatches = callMethodName === patternMethod;
@@ -10910,17 +11416,29 @@ function receiverMightBeClass(receiver, className) {
       }
     }
   }
-  if (lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
+  const ambiguousIdentifiers = new Set([
+    "executor",
+    "pool",
+    "connection",
+    "manager",
+    "handler",
+    "controller",
+    "task",
+    "thread",
+    "job"
+  ]);
+  const isAmbiguous = ambiguousIdentifiers.has(lowerReceiver);
+  if (!isAmbiguous && lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
     if (lowerReceiver.length >= 5 || lowerReceiver.length / lowerClass.length >= 0.4) {
       return true;
     }
   }
-  if (lowerReceiver.length >= 2) {
+  if (!isAmbiguous && lowerReceiver.length >= 2) {
     if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
       return true;
     }
   }
-  if (lowerReceiver.length >= 3) {
+  if (!isAmbiguous && lowerReceiver.length >= 3) {
     const words = className.replace(/([a-z])([A-Z])/g, "$1\x00$2").toLowerCase().split("\x00");
     for (const word of words) {
       if (word.startsWith(lowerReceiver) && lowerReceiver.length / word.length >= 0.4) {
@@ -11751,6 +12269,9 @@ var ANTI_SANITIZER_METHODS = new Set([
   "unescapeEcmaScript",
   "unescapeJson",
   "unescapeJava",
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString",
   "unescape",
   "decompress"
 ]);
@@ -11768,7 +12289,10 @@ var PROPAGATOR_METHODS = new Set([
   "format",
   "join",
   "concat",
-  "requireNonNull"
+  "requireNonNull",
+  "getPathWithinApplication",
+  "getRequestUri",
+  "decodeRequestString"
 ]);
 
 // ../circle-ir/dist/analysis/constant-propagation/propagator.js
@@ -17856,7 +18380,7 @@ function extractEventHandlers(elementNode, eventHandlers) {
     const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
     if (!valueNode)
       continue;
-    const code = stripQuotes(valueNode.text);
+    const code = stripQuotes2(valueNode.text);
     if (code) {
       eventHandlers.push({
         code,
@@ -17889,7 +18413,7 @@ function getAttributeValue(tag, name2) {
     const nameNode = findChildByType2(child, "attribute_name");
     if (nameNode?.text.toLowerCase() === name2) {
       const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
-      return valueNode ? stripQuotes(valueNode.text) : "";
+      return valueNode ? stripQuotes2(valueNode.text) : "";
     }
   }
   return;
@@ -17902,7 +18426,7 @@ function findChildByType2(node, type) {
   }
   return null;
 }
-function stripQuotes(text) {
+function stripQuotes2(text) {
   if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
     return text.slice(1, -1);
   }
@@ -18314,7 +18838,7 @@ class TaintMatcherPass {
     }
     const hierarchy = createWithJdkTypes();
     hierarchy.addFromIR(graph.ir, graph.ir.meta.file);
-    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy);
+    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy, language);
     const sanitizerMethods = [];
     for (const type of types) {
       for (const method of type.methods) {
@@ -24218,7 +24742,7 @@ class SecurityHeadersPass {
 }
 function literalOf(arg) {
   if (arg.literal !== null && arg.literal !== undefined && arg.literal !== "") {
-    return stripQuotes2(arg.literal);
+    return stripQuotes3(arg.literal);
   }
   const expr = arg.expression.trim();
   if (expr.startsWith('"') && expr.endsWith('"') || expr.startsWith("'") && expr.endsWith("'") || expr.startsWith("`") && expr.endsWith("`")) {
@@ -24228,7 +24752,7 @@ function literalOf(arg) {
   }
   return null;
 }
-function stripQuotes2(s) {
+function stripQuotes3(s) {
   if (s.length < 2)
     return s;
   const first = s[0];
@@ -25692,7 +26216,9 @@ function getNodeTypesForLanguage(language) {
         "import_from_statement",
         "assignment",
         "attribute",
-        "subscript"
+        "subscript",
+        "decorated_definition",
+        "decorator"
       ]);
     case "javascript":
     case "typescript":
@@ -25784,6 +26310,7 @@ async function analyze(code, filePath, language, options = {}) {
     const exports = extractExports(types);
     const cfg = buildCFG(tree, language);
     const dfg = buildDFG(tree, nodeCache, language);
+    const runtimeRegistrations = extractRuntimeRegistrations(tree, nodeCache, language, imports);
     const graph = new CodeGraph({
       meta,
       types,
@@ -25910,7 +26437,8 @@ async function analyze(code, filePath, language, options = {}) {
       unresolved,
       enriched,
       findings: findings.length > 0 ? findings : undefined,
-      metrics: { file: filePath, metrics: metricValues }
+      metrics: { file: filePath, metrics: metricValues },
+      runtime_registrations: runtimeRegistrations.length > 0 ? runtimeRegistrations : undefined
     };
   } finally {
     disposeTree(tree);
@@ -26059,7 +26587,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.28.0";
+var version = "3.33.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.28.0",
+  "version": "3.33.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.28.0"
+    "circle-ir": "^3.33.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",