cognium-dev 3.30.0 → 3.34.0

package/dist/cli.js

@@ -8990,6 +8990,754 @@ function findChildByTypeGo(node, type) {
   }
   return null;
 }
+// ../circle-ir/dist/core/extractors/runtime-registrations.js
+var HTTP_VERB_METHODS = new Set([
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "head",
+  "options",
+  "all"
+]);
+var MIDDLEWARE_METHODS = new Set(["use"]);
+var EVENT_LISTENER_METHODS = new Set(["on", "once", "ws"]);
+var EXPRESS_RECEIVER_NAMES = new Set([
+  "app",
+  "router",
+  "server",
+  "apiRouter",
+  "fastify",
+  "koa",
+  "express"
+]);
+var FRAMEWORK_MODULE_PATTERNS = [
+  /^express$/,
+  /^@?fastify(\/.*)?$/,
+  /^koa$/,
+  /^restify$/,
+  /^hapi$/,
+  /^@nestjs\/common$/,
+  /^@nestjs\/core$/
+];
+function extractRuntimeRegistrations(tree, cache, language, imports) {
+  if (language === "javascript" || language === "typescript") {
+    return extractJSRuntimeRegistrations(tree, cache, imports);
+  }
+  if (language === "python") {
+    return extractPythonRuntimeRegistrations(tree, cache, imports);
+  }
+  if (language === "rust") {
+    return extractRustRuntimeRegistrations(tree, cache);
+  }
+  return [];
+}
+function buildHandlerIndex(tree, cache, imports) {
+  const decls = new Map;
+  const recordDeclaration = (name2, node) => {
+    if (!decls.has(name2)) {
+      decls.set(name2, {
+        line: node.startPosition.row + 1,
+        column: node.startPosition.column
+      });
+    }
+  };
+  for (const fn of getNodesFromCache(tree.rootNode, "function_declaration", cache)) {
+    const nameNode = fn.childForFieldName("name");
+    if (nameNode)
+      recordDeclaration(getNodeText(nameNode), fn);
+  }
+  const collectVarDeclarators = (parentType) => {
+    for (const decl of getNodesFromCache(tree.rootNode, parentType, cache)) {
+      for (let i2 = 0;i2 < decl.childCount; i2++) {
+        const child = decl.child(i2);
+        if (!child || child.type !== "variable_declarator")
+          continue;
+        const nameNode = child.childForFieldName("name");
+        const valueNode = child.childForFieldName("value");
+        if (!nameNode || !valueNode)
+          continue;
+        if (valueNode.type === "arrow_function" || valueNode.type === "function_expression" || valueNode.type === "function") {
+          recordDeclaration(getNodeText(nameNode), child);
+        }
+      }
+    }
+  };
+  collectVarDeclarators("lexical_declaration");
+  collectVarDeclarators("variable_declaration");
+  let hasFrameworkImport = false;
+  if (imports) {
+    for (const imp of imports) {
+      const mod = imp.from_package ?? "";
+      if (mod && FRAMEWORK_MODULE_PATTERNS.some((re) => re.test(mod))) {
+        hasFrameworkImport = true;
+        break;
+      }
+    }
+  }
+  return { declarations: decls, hasFrameworkImport };
+}
+function extractJSRuntimeRegistrations(tree, cache, imports) {
+  const out2 = [];
+  const index = buildHandlerIndex(tree, cache, imports);
+  const callExpressions = getNodesFromCache(tree.rootNode, "call_expression", cache);
+  for (const call of callExpressions) {
+    const fnNode = call.childForFieldName("function");
+    if (!fnNode || fnNode.type !== "member_expression")
+      continue;
+    const objectNode = fnNode.childForFieldName("object");
+    const propertyNode = fnNode.childForFieldName("property");
+    if (!objectNode || !propertyNode)
+      continue;
+    const method = getNodeText(propertyNode);
+    const receiver = getNodeText(objectNode);
+    const kind = classifyMethod(method);
+    if (!kind)
+      continue;
+    if (!isExpressShapedReceiver(receiver) && !index.hasFrameworkImport) {
+      continue;
+    }
+    const argsNode = call.childForFieldName("arguments");
+    if (!argsNode)
+      continue;
+    const argNodes = getRealArgs(argsNode);
+    if (argNodes.length === 0)
+      continue;
+    let path;
+    let handlerStart = 0;
+    const first = argNodes[0];
+    if (first.type === "string") {
+      path = stripQuotes(getNodeText(first));
+      handlerStart = 1;
+    } else if (first.type === "template_string" && !hasTemplateSubstitution(first)) {
+      path = stripBackticks(getNodeText(first));
+      handlerStart = 1;
+    }
+    for (let i2 = handlerStart;i2 < argNodes.length; i2++) {
+      const handlerNode = argNodes[i2];
+      const handler = resolveHandler(handlerNode, index);
+      if (!handler)
+        continue;
+      out2.push({
+        kind,
+        framework: inferFramework(receiver, index.hasFrameworkImport),
+        registrar: {
+          method,
+          receiver,
+          line: call.startPosition.row + 1,
+          column: call.startPosition.column
+        },
+        ...path !== undefined ? { path } : {},
+        handler
+      });
+    }
+  }
+  return out2;
+}
+function classifyMethod(method) {
+  if (HTTP_VERB_METHODS.has(method))
+    return "http_route";
+  if (MIDDLEWARE_METHODS.has(method))
+    return "middleware";
+  if (EVENT_LISTENER_METHODS.has(method))
+    return "event_listener";
+  return null;
+}
+function isExpressShapedReceiver(receiver) {
+  if (EXPRESS_RECEIVER_NAMES.has(receiver))
+    return true;
+  if (/(?:Router|App|Server)$/.test(receiver))
+    return true;
+  return false;
+}
+function inferFramework(receiver, hasFrameworkImport) {
+  if (receiver === "fastify")
+    return "fastify";
+  if (receiver === "koa")
+    return "koa";
+  if (receiver === "express")
+    return "express";
+  return hasFrameworkImport ? "express" : "unknown";
+}
+function getRealArgs(argsNode) {
+  const out2 = [];
+  for (let i2 = 0;i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",")
+      continue;
+    out2.push(child);
+  }
+  return out2;
+}
+function stripQuotes(s) {
+  if (s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0]) {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function stripBackticks(s) {
+  if (s.length >= 2 && s[0] === "`" && s[s.length - 1] === "`") {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function hasTemplateSubstitution(node) {
+  for (let i2 = 0;i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child && child.type === "template_substitution")
+      return true;
+  }
+  return false;
+}
+function resolveHandler(node, index) {
+  if (node.type === "arrow_function" || node.type === "function_expression" || node.type === "function") {
+    return {
+      name: null,
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  if (node.type === "identifier") {
+    const name2 = getNodeText(node);
+    const decl = index.declarations.get(name2);
+    if (decl) {
+      return { name: name2, line: decl.line, column: decl.column };
+    }
+    return {
+      name: name2,
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  if (node.type === "member_expression") {
+    return {
+      name: getNodeText(node),
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    };
+  }
+  return null;
+}
+var PY_HTTP_ROUTE_METHODS = new Set([
+  "route",
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "head",
+  "options"
+]);
+var PY_MIDDLEWARE_METHODS = new Set([
+  "before_request",
+  "after_request",
+  "teardown_request",
+  "before_first_request",
+  "teardown_appcontext",
+  "middleware"
+]);
+var PY_EVENT_METHODS = new Set([
+  "errorhandler",
+  "on_event",
+  "exception_handler"
+]);
+var PY_STDLIB_DECORATORS = new Set([
+  "property",
+  "staticmethod",
+  "classmethod",
+  "abstractmethod",
+  "cached_property",
+  "dataclass",
+  "cache",
+  "lru_cache",
+  "singledispatch",
+  "singledispatchmethod",
+  "contextmanager",
+  "asynccontextmanager",
+  "final",
+  "override",
+  "wraps"
+]);
+function summarisePythonImports(imports) {
+  const s = {
+    hasFlask: false,
+    hasFastApi: false,
+    hasCelery: false,
+    hasNumba: false,
+    hasClick: false,
+    hasPytest: false
+  };
+  if (!imports)
+    return s;
+  for (const imp of imports) {
+    const mod = imp.from_package ?? "";
+    if (!mod)
+      continue;
+    if (/^flask(\b|\.)/.test(mod))
+      s.hasFlask = true;
+    if (/^fastapi(\b|\.)/.test(mod) || /^starlette(\b|\.)/.test(mod))
+      s.hasFastApi = true;
+    if (/^celery(\b|\.)/.test(mod))
+      s.hasCelery = true;
+    if (/^numba(\b|\.)/.test(mod))
+      s.hasNumba = true;
+    if (/^click(\b|\.)/.test(mod))
+      s.hasClick = true;
+    if (/^pytest(\b|\.)/.test(mod))
+      s.hasPytest = true;
+  }
+  return s;
+}
+function extractPythonRuntimeRegistrations(tree, cache, imports) {
+  const out2 = [];
+  const importSummary = summarisePythonImports(imports);
+  const decoratedDefs = getNodesFromCache(tree.rootNode, "decorated_definition", cache);
+  for (const dd of decoratedDefs) {
+    let fnNode = null;
+    const decorators = [];
+    for (let i2 = 0;i2 < dd.childCount; i2++) {
+      const child = dd.child(i2);
+      if (!child)
+        continue;
+      if (child.type === "decorator") {
+        decorators.push(child);
+      } else if (child.type === "function_definition" || child.type === "async_function_definition") {
+        fnNode = child;
+      }
+    }
+    if (!fnNode || decorators.length === 0)
+      continue;
+    const handler = pythonHandlerFromFunctionDef(fnNode);
+    if (!handler)
+      continue;
+    for (const dec of decorators) {
+      const parsed = parsePythonDecorator(dec);
+      if (!parsed)
+        continue;
+      const { receiver, method, path, line, column } = parsed;
+      const { kind, framework } = classifyPythonDecorator(receiver, method, importSummary);
+      out2.push({
+        kind,
+        framework,
+        registrar: { method, receiver, line, column },
+        ...path !== undefined ? { path } : {},
+        handler
+      });
+    }
+  }
+  return out2;
+}
+function pythonHandlerFromFunctionDef(fn) {
+  const nameNode = fn.childForFieldName("name");
+  if (!nameNode)
+    return null;
+  return {
+    name: getNodeText(nameNode),
+    line: fn.startPosition.row + 1,
+    column: fn.startPosition.column
+  };
+}
+function parsePythonDecorator(dec) {
+  let target = null;
+  for (let i2 = 0;i2 < dec.childCount; i2++) {
+    const child = dec.child(i2);
+    if (!child || child.type === "@")
+      continue;
+    target = child;
+    break;
+  }
+  if (!target)
+    return null;
+  const line = dec.startPosition.row + 1;
+  const column = dec.startPosition.column;
+  if (target.type === "identifier") {
+    return { receiver: "", method: getNodeText(target), line, column };
+  }
+  if (target.type === "attribute") {
+    const { receiver, method } = splitDottedAttribute(target);
+    return { receiver, method, line, column };
+  }
+  if (target.type === "call") {
+    const fnNode = target.childForFieldName("function");
+    if (!fnNode)
+      return null;
+    let receiver = "";
+    let method = "";
+    if (fnNode.type === "identifier") {
+      method = getNodeText(fnNode);
+    } else if (fnNode.type === "attribute") {
+      const split = splitDottedAttribute(fnNode);
+      receiver = split.receiver;
+      method = split.method;
+    } else {
+      method = getNodeText(fnNode);
+    }
+    const path = extractFirstStringArg(target);
+    return { receiver, method, path, line, column };
+  }
+  return null;
+}
+function splitDottedAttribute(attr) {
+  const objectNode = attr.childForFieldName("object");
+  const attrNode = attr.childForFieldName("attribute");
+  const method = attrNode ? getNodeText(attrNode) : "";
+  const receiver = objectNode ? getNodeText(objectNode) : "";
+  return { receiver, method };
+}
+function extractFirstStringArg(call) {
+  const argsNode = call.childForFieldName("arguments");
+  if (!argsNode)
+    return;
+  for (let i2 = 0;i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",")
+      continue;
+    if (child.type === "string") {
+      return stripPythonStringQuotes(getNodeText(child));
+    }
+    return;
+  }
+  return;
+}
+function stripPythonStringQuotes(s) {
+  const m = s.match(/^[bBrRuUfF]{0,2}(['"])(.*)\1$/s);
+  if (m)
+    return m[2];
+  if (s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0]) {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+function classifyPythonDecorator(receiver, method, imp) {
+  if (!receiver && PY_STDLIB_DECORATORS.has(method)) {
+    return { kind: "decorator", framework: "stdlib" };
+  }
+  if (receiver) {
+    const head = receiver.split(".")[0];
+    if (head === "pytest") {
+      return { kind: "decorator", framework: "pytest" };
+    }
+    if (head === "click") {
+      return { kind: "decorator", framework: "click" };
+    }
+    if (head === "numba" || head === "nb") {
+      return { kind: "decorator", framework: "numba" };
+    }
+    if (head === "celery") {
+      return { kind: "decorator", framework: "celery" };
+    }
+  }
+  if (receiver && PY_HTTP_ROUTE_METHODS.has(method)) {
+    const isRoutey = isPyRouterReceiver(receiver);
+    if (isRoutey) {
+      let framework = "unknown";
+      if (imp.hasFlask)
+        framework = "flask";
+      else if (imp.hasFastApi)
+        framework = "fastapi";
+      else if (method === "route")
+        framework = "flask";
+      else
+        framework = "fastapi";
+      return { kind: "http_route", framework };
+    }
+  }
+  if (receiver && PY_MIDDLEWARE_METHODS.has(method)) {
+    return { kind: "middleware", framework: imp.hasFlask ? "flask" : imp.hasFastApi ? "fastapi" : "unknown" };
+  }
+  if (receiver && PY_EVENT_METHODS.has(method)) {
+    return { kind: "event_listener", framework: imp.hasFlask ? "flask" : imp.hasFastApi ? "fastapi" : "unknown" };
+  }
+  if (method === "task" && imp.hasCelery) {
+    return { kind: "decorator", framework: "celery" };
+  }
+  if (!receiver && (method === "login_required" || method === "require_http_methods" || method === "api_view")) {
+    return { kind: "decorator", framework: "django" };
+  }
+  return { kind: "decorator", framework: "unknown" };
+}
+function isPyRouterReceiver(receiver) {
+  const head = receiver.split(".")[0];
+  if (!head)
+    return false;
+  if (["app", "router", "blueprint", "bp", "api", "application"].includes(head))
+    return true;
+  if (/_(router|bp|blueprint|app|api)$/.test(head))
+    return true;
+  return false;
+}
+var RUST_STDLIB_TRAITS = new Set([
+  "Display",
+  "Debug",
+  "Write",
+  "From",
+  "Into",
+  "TryFrom",
+  "TryInto",
+  "AsRef",
+  "AsMut",
+  "ToString",
+  "FromStr",
+  "Iterator",
+  "IntoIterator",
+  "FromIterator",
+  "DoubleEndedIterator",
+  "ExactSizeIterator",
+  "FusedIterator",
+  "PartialEq",
+  "Eq",
+  "PartialOrd",
+  "Ord",
+  "Hash",
+  "Default",
+  "Copy",
+  "Clone",
+  "Send",
+  "Sync",
+  "Unpin",
+  "Sized",
+  "Any",
+  "Drop",
+  "Future",
+  "IntoFuture",
+  "Add",
+  "Sub",
+  "Mul",
+  "Div",
+  "Rem",
+  "Neg",
+  "Not",
+  "AddAssign",
+  "SubAssign",
+  "MulAssign",
+  "DivAssign",
+  "RemAssign",
+  "BitAnd",
+  "BitOr",
+  "BitXor",
+  "Shl",
+  "Shr",
+  "Deref",
+  "DerefMut",
+  "Index",
+  "IndexMut",
+  "Fn",
+  "FnMut",
+  "FnOnce",
+  "Error",
+  "Read",
+  "Write",
+  "Seek",
+  "BufRead",
+  "Borrow",
+  "BorrowMut",
+  "ToOwned"
+]);
+var RUST_TRAIT_FRAMEWORK_PREFIXES = [
+  { prefix: /^actix(_web)?(::|$)/, framework: "actix" },
+  { prefix: /^axum(::|$)/, framework: "axum" },
+  { prefix: /^rocket(::|$)/, framework: "rocket" },
+  { prefix: /^tokio(::|$)/, framework: "tokio" },
+  { prefix: /^serde(_\w+)?(::|$)/, framework: "serde" },
+  { prefix: /^std(::|$)/, framework: "stdlib" },
+  { prefix: /^core(::|$)/, framework: "stdlib" },
+  { prefix: /^alloc(::|$)/, framework: "stdlib" }
+];
+function extractRustRuntimeRegistrations(tree, cache) {
+  const regs = [];
+  const implNodes = getNodesFromCache(tree.rootNode, "impl_item", cache);
+  for (const impl of implNodes) {
+    collectRustImplRegistrations(impl, regs);
+  }
+  const macroNodes = getNodesFromCache(tree.rootNode, "macro_invocation", cache);
+  for (const macro of macroNodes) {
+    const rec = parseInventorySubmit(macro);
+    if (rec)
+      regs.push(rec);
+  }
+  const attrNodes = getNodesFromCache(tree.rootNode, "attribute_item", cache);
+  for (const attr of attrNodes) {
+    const rec = parseDistributedSliceAttribute(attr);
+    if (rec)
+      regs.push(rec);
+  }
+  return regs;
+}
+function collectRustImplRegistrations(impl, regs) {
+  const traitNode = impl.childForFieldName("trait");
+  if (!traitNode)
+    return;
+  const typeNode = impl.childForFieldName("type");
+  if (!typeNode)
+    return;
+  const traitText = getNodeText(traitNode).trim();
+  const traitLastSegment = lastRustPathSegment(stripRustGenerics(traitText));
+  const selfType = getNodeText(typeNode).trim();
+  const framework = classifyRustTrait(traitText);
+  const body2 = impl.childForFieldName("body");
+  if (!body2)
+    return;
+  for (let i2 = 0;i2 < body2.childCount; i2++) {
+    const child = body2.child(i2);
+    if (!child || child.type !== "function_item")
+      continue;
+    const nameNode = child.childForFieldName("name");
+    if (!nameNode)
+      continue;
+    const methodName = getNodeText(nameNode);
+    regs.push({
+      kind: "trait_impl",
+      framework,
+      registrar: {
+        method: methodName,
+        receiver: selfType,
+        line: impl.startPosition.row + 1,
+        column: impl.startPosition.column
+      },
+      path: traitLastSegment || traitText,
+      handler: {
+        name: methodName,
+        line: child.startPosition.row + 1,
+        column: child.startPosition.column
+      }
+    });
+  }
+}
+function stripRustGenerics(text) {
+  const idx = text.indexOf("<");
+  return idx >= 0 ? text.slice(0, idx) : text;
+}
+function lastRustPathSegment(path) {
+  const parts2 = path.split("::");
+  return parts2[parts2.length - 1] || path;
+}
+function classifyRustTrait(traitText) {
+  const stripped = stripRustGenerics(traitText).trim();
+  const last = lastRustPathSegment(stripped);
+  if (RUST_STDLIB_TRAITS.has(last))
+    return "stdlib";
+  for (const { prefix, framework } of RUST_TRAIT_FRAMEWORK_PREFIXES) {
+    if (prefix.test(stripped))
+      return framework;
+  }
+  return "unknown";
+}
+function parseInventorySubmit(macro) {
+  const macroName = macro.childForFieldName("macro");
+  if (!macroName)
+    return null;
+  const name2 = getNodeText(macroName).trim();
+  if (name2 !== "inventory::submit" && name2 !== "submit")
+    return null;
+  if (name2 === "submit")
+    return null;
+  let tokenTree = null;
+  for (let i2 = 0;i2 < macro.childCount; i2++) {
+    const c = macro.child(i2);
+    if (c && c.type === "token_tree") {
+      tokenTree = c;
+      break;
+    }
+  }
+  if (!tokenTree)
+    return null;
+  const handlerName = firstIdentifierInTokenTree(tokenTree);
+  return {
+    kind: "trait_impl",
+    framework: "inventory",
+    registrar: {
+      method: "submit",
+      receiver: "inventory",
+      line: macro.startPosition.row + 1,
+      column: macro.startPosition.column
+    },
+    path: "inventory::submit",
+    handler: {
+      name: handlerName,
+      line: tokenTree.startPosition.row + 1,
+      column: tokenTree.startPosition.column
+    }
+  };
+}
+function firstIdentifierInTokenTree(tokenTree) {
+  for (let i2 = 0;i2 < tokenTree.childCount; i2++) {
+    const c = tokenTree.child(i2);
+    if (!c)
+      continue;
+    if (c.type === "identifier" || c.type === "scoped_identifier" || c.type === "type_identifier") {
+      return getNodeText(c).trim();
+    }
+  }
+  return null;
+}
+function parseDistributedSliceAttribute(attrItem) {
+  let attr = null;
+  for (let i2 = 0;i2 < attrItem.childCount; i2++) {
+    const c = attrItem.child(i2);
+    if (c && c.type === "attribute") {
+      attr = c;
+      break;
+    }
+  }
+  if (!attr)
+    return null;
+  const pathNode = attr.child(0);
+  if (!pathNode)
+    return null;
+  const pathText = getNodeText(pathNode).trim();
+  if (pathText !== "linkme::distributed_slice" && pathText !== "distributed_slice")
+    return null;
+  const parent = attrItem.parent;
+  if (!parent)
+    return null;
+  let attrIndex = -1;
+  for (let i2 = 0;i2 < parent.childCount; i2++) {
+    const c = parent.child(i2);
+    if (c && c.id === attrItem.id) {
+      attrIndex = i2;
+      break;
+    }
+  }
+  if (attrIndex < 0)
+    return null;
+  let handlerNode = null;
+  for (let j = attrIndex + 1;j < parent.childCount; j++) {
+    const sib = parent.child(j);
+    if (!sib)
+      continue;
+    if (sib.type === "attribute_item")
+      continue;
+    if (sib.type === "static_item" || sib.type === "function_item") {
+      handlerNode = sib;
+    }
+    break;
+  }
+  if (!handlerNode)
+    return null;
+  const nameNode = handlerNode.childForFieldName("name");
+  const handlerName = nameNode ? getNodeText(nameNode).trim() : null;
+  return {
+    kind: "trait_impl",
+    framework: "linkme",
+    registrar: {
+      method: "distributed_slice",
+      receiver: "linkme",
+      line: attrItem.startPosition.row + 1,
+      column: attrItem.startPosition.column
+    },
+    path: "linkme::distributed_slice",
+    handler: {
+      name: handlerName,
+      line: handlerNode.startPosition.row + 1,
+      column: handlerNode.startPosition.column
+    }
+  };
+}
 // ../circle-ir/dist/analysis/config-loader.js
 var DEFAULT_SOURCES = [
   { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
@@ -9125,6 +9873,11 @@ var DEFAULT_SOURCES = [
   { method: "getContent", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getParameters", class: "Block", type: "io_input", severity: "high", return_tainted: true },
   { method: "getRawContent", type: "io_input", severity: "high", return_tainted: true },
+  { method: "get", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameter", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "XWikiRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "XWikiRequest", type: "http_header", severity: "high", return_tainted: true },
   { method: "getAttributes", class: "XMLReader", type: "io_input", severity: "high", return_tainted: true },
   { method: "getValue", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
   { method: "getLocalName", class: "Attributes", type: "io_input", severity: "high", return_tainted: true },
@@ -9622,6 +10375,8 @@ var DEFAULT_SINKS = [
   { method: "eval", class: "MVEL", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "createValueExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
   { method: "createMethodExpression", class: "ExpressionFactory", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [1] },
+  { method: "evaluateAttributeExpressions", class: "PropertyValue", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+  { method: "evaluateAttributeExpressions", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
   { method: "evaluate", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
   { method: "parseClass", class: "GroovyClassLoader", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
@@ -9775,6 +10530,21 @@ var DEFAULT_SINKS = [
   { method: "cleanAttributes", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "printXMLStartElement", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "WikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "DefaultWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXML", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLComment", class: "XHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "print", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "println", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "printXMLStartElement", class: "AnnotatedXHTMLWikiPrinter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "BlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "AbstractBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
+  { method: "render", class: "DefaultBlockRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "HTML5Renderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "initialize", class: "XHTMLRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "beginFormat", class: "HTML5ChainingRenderer", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -17880,7 +18650,7 @@ function extractEventHandlers(elementNode, eventHandlers) {
     const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
     if (!valueNode)
       continue;
-    const code = stripQuotes(valueNode.text);
+    const code = stripQuotes2(valueNode.text);
     if (code) {
       eventHandlers.push({
         code,
@@ -17913,7 +18683,7 @@ function getAttributeValue(tag, name2) {
     const nameNode = findChildByType2(child, "attribute_name");
     if (nameNode?.text.toLowerCase() === name2) {
       const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
-      return valueNode ? stripQuotes(valueNode.text) : "";
+      return valueNode ? stripQuotes2(valueNode.text) : "";
     }
   }
   return;
@@ -17926,7 +18696,7 @@ function findChildByType2(node, type) {
   }
   return null;
 }
-function stripQuotes(text) {
+function stripQuotes2(text) {
   if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
     return text.slice(1, -1);
   }
@@ -24242,7 +25012,7 @@ class SecurityHeadersPass {
 }
 function literalOf(arg) {
   if (arg.literal !== null && arg.literal !== undefined && arg.literal !== "") {
-    return stripQuotes2(arg.literal);
+    return stripQuotes3(arg.literal);
   }
   const expr = arg.expression.trim();
   if (expr.startsWith('"') && expr.endsWith('"') || expr.startsWith("'") && expr.endsWith("'") || expr.startsWith("`") && expr.endsWith("`")) {
@@ -24252,7 +25022,7 @@ function literalOf(arg) {
   }
   return null;
 }
-function stripQuotes2(s) {
+function stripQuotes3(s) {
   if (s.length < 2)
     return s;
   const first = s[0];
@@ -25705,7 +26475,9 @@ function getNodeTypesForLanguage(language) {
         "use_declaration",
         "let_declaration",
         "field_expression",
-        "scoped_identifier"
+        "scoped_identifier",
+        "attribute_item",
+        "static_item"
       ]);
     case "python":
       return new Set([
@@ -25716,7 +26488,9 @@ function getNodeTypesForLanguage(language) {
         "import_from_statement",
         "assignment",
         "attribute",
-        "subscript"
+        "subscript",
+        "decorated_definition",
+        "decorator"
       ]);
     case "javascript":
     case "typescript":
@@ -25808,6 +26582,7 @@ async function analyze(code, filePath, language, options = {}) {
     const exports = extractExports(types);
     const cfg = buildCFG(tree, language);
     const dfg = buildDFG(tree, nodeCache, language);
+    const runtimeRegistrations = extractRuntimeRegistrations(tree, nodeCache, language, imports);
     const graph = new CodeGraph({
       meta,
       types,
@@ -25934,7 +26709,8 @@ async function analyze(code, filePath, language, options = {}) {
       unresolved,
       enriched,
       findings: findings.length > 0 ? findings : undefined,
-      metrics: { file: filePath, metrics: metricValues }
+      metrics: { file: filePath, metrics: metricValues },
+      runtime_registrations: runtimeRegistrations.length > 0 ? runtimeRegistrations : undefined
     };
   } finally {
     disposeTree(tree);
@@ -26083,7 +26859,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.30.0";
+var version = "3.34.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.30.0",
+  "version": "3.34.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.30.0"
+    "circle-ir": "^3.34.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",