cognium-dev 3.59.0 → 3.64.0

package/dist/cli.js

@@ -3612,7 +3612,7 @@ function detectLanguage(tree) {
 }
 function extractTypes(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -5041,7 +5041,7 @@ function detectLanguageFromTree(tree, cache) {
 function extractCalls(tree, cache, language) {
   const calls = [];
   const detectedLanguage = language ?? detectLanguageFromTree(tree, cache);
-  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
+  const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript" || detectedLanguage === "tsx";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
   if (detectedLanguage === "go") {
@@ -5090,8 +5090,149 @@ function extractJavaScriptCalls(tree, cache) {
       calls.push(callInfo);
     }
   }
+  const jsxAttributes = getNodesFromCache(tree.rootNode, "jsx_attribute", cache);
+  for (const attr of jsxAttributes) {
+    const callInfo = extractJSXAttributeSink(attr);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  const assignments = getNodesFromCache(tree.rootNode, "assignment_expression", cache);
+  for (const assign of assignments) {
+    const callInfo = extractDomPropertyAssignmentSink(assign);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
   return calls;
 }
+var DOM_XSS_ASSIGNMENT_PROPERTIES = new Set([
+  "innerHTML",
+  "outerHTML"
+]);
+function extractDomPropertyAssignmentSink(node) {
+  const leftNode = node.childForFieldName("left");
+  const rightNode = node.childForFieldName("right");
+  if (!leftNode || !rightNode)
+    return null;
+  if (leftNode.type !== "member_expression")
+    return null;
+  const propertyNode = leftNode.childForFieldName("property");
+  const objectNode = leftNode.childForFieldName("object");
+  if (!propertyNode)
+    return null;
+  const propertyName = getNodeText(propertyNode);
+  if (!DOM_XSS_ASSIGNMENT_PROPERTIES.has(propertyName))
+    return null;
+  const receiver = objectNode ? getNodeText(objectNode) : null;
+  const expression = getNodeText(rightNode);
+  const { variable, literal } = analyzeJSArgument(rightNode);
+  const enclosingFunc = findJSEnclosingFunction(node);
+  return {
+    method_name: propertyName,
+    receiver,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: `DOM.${propertyName}`
+    }
+  };
+}
+function extractJSXAttributeSink(attr) {
+  let nameNode = null;
+  for (let i2 = 0;i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "property_identifier") {
+      nameNode = child;
+      break;
+    }
+  }
+  if (!nameNode)
+    return null;
+  const attrName = getNodeText(nameNode);
+  if (attrName !== "dangerouslySetInnerHTML")
+    return null;
+  let valueExpr = null;
+  for (let i2 = 0;i2 < attr.childCount; i2++) {
+    const child = attr.child(i2);
+    if (child && child.type === "jsx_expression") {
+      valueExpr = child;
+      break;
+    }
+  }
+  if (!valueExpr)
+    return null;
+  let htmlValue = null;
+  for (let i2 = 0;i2 < valueExpr.childCount; i2++) {
+    const inner = valueExpr.child(i2);
+    if (!inner || inner.type !== "object")
+      continue;
+    for (let j = 0;j < inner.childCount; j++) {
+      const pair = inner.child(j);
+      if (!pair || pair.type !== "pair")
+        continue;
+      const keyNode = pair.childForFieldName("key");
+      if (!keyNode)
+        continue;
+      const keyText = getNodeText(keyNode).replace(/^["']|["']$/g, "");
+      if (keyText === "__html") {
+        htmlValue = pair.childForFieldName("value");
+        break;
+      }
+    }
+    if (htmlValue)
+      break;
+  }
+  if (!htmlValue) {
+    for (let i2 = 0;i2 < valueExpr.childCount; i2++) {
+      const inner = valueExpr.child(i2);
+      if (inner && inner.type !== "{" && inner.type !== "}") {
+        htmlValue = inner;
+        break;
+      }
+    }
+  }
+  if (!htmlValue)
+    return null;
+  const expression = getNodeText(htmlValue);
+  const { variable, literal } = analyzeJSArgument(htmlValue);
+  const enclosingFunc = findJSEnclosingFunction(attr);
+  return {
+    method_name: "dangerouslySetInnerHTML",
+    receiver: null,
+    arguments: [
+      {
+        position: 0,
+        expression,
+        variable,
+        literal
+      }
+    ],
+    location: {
+      line: attr.startPosition.row + 1,
+      column: attr.startPosition.column
+    },
+    in_method: enclosingFunc,
+    resolved: true,
+    resolution: {
+      status: "resolved",
+      target: "react.dangerouslySetInnerHTML"
+    }
+  };
+}
 function buildJSResolutionContext(tree, cache) {
   const context = {
     functionNames: new Set,
@@ -6632,7 +6773,7 @@ function detectLanguage2(tree) {
 }
 function extractImports(tree, language) {
   const effectiveLanguage = language ?? detectLanguage2(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
   if (effectiveLanguage === "go") {
@@ -7347,7 +7488,7 @@ function detectLanguage3(tree) {
 }
 function buildCFG(tree, language) {
   const effectiveLanguage = language ?? detectLanguage3(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   const allBlocks = [];
   const allEdges = [];
   let blockIdCounter = 0;
@@ -7928,7 +8069,7 @@ function detectLanguage4(tree) {
 }
 function buildDFG(tree, cache, language) {
   const effectiveLanguage = language ?? detectLanguage4(tree);
-  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
+  const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript" || effectiveLanguage === "tsx";
   if (isJavaScript) {
     return buildJavaScriptDFG(tree, cache);
   }
@@ -8749,7 +8890,18 @@ function buildBashDFG(tree) {
       if (varNameNode) {
         const varName = getNodeText(varNameNode);
         if (varName && !varName.startsWith("?") && !varName.startsWith("#")) {
-          const reachingDef = findReachingDef(varName, scopeStack);
+          let reachingDef = findReachingDef(varName, scopeStack);
+          if (reachingDef === null && !positionalParams.includes(varName)) {
+            const def = {
+              id: defIdCounter++,
+              variable: varName,
+              line: 0,
+              kind: "param"
+            };
+            defs.push(def);
+            scopeStack[0].set(varName, def.id);
+            reachingDef = def.id;
+          }
           uses.push({
             id: useIdCounter++,
             variable: varName,
@@ -8762,7 +8914,18 @@ function buildBashDFG(tree) {
       const varNameNode = node.namedChildCount > 0 ? node.namedChild(0) : null;
       if (varNameNode && varNameNode.type === "variable_name") {
         const varName = getNodeText(varNameNode);
-        const reachingDef = findReachingDef(varName, scopeStack);
+        let reachingDef = findReachingDef(varName, scopeStack);
+        if (reachingDef === null && !positionalParams.includes(varName)) {
+          const def = {
+            id: defIdCounter++,
+            variable: varName,
+            line: 0,
+            kind: "param"
+          };
+          defs.push(def);
+          scopeStack[0].set(varName, def.id);
+          reachingDef = def.id;
+        }
         uses.push({
           id: useIdCounter++,
           variable: varName,
@@ -9234,7 +9397,7 @@ var FRAMEWORK_MODULE_PATTERNS = [
   /^@nestjs\/core$/
 ];
 function extractRuntimeRegistrations(tree, cache, language, imports) {
-  if (language === "javascript" || language === "typescript") {
+  if (language === "javascript" || language === "typescript" || language === "tsx") {
     return extractJSRuntimeRegistrations(tree, cache, imports);
   }
   if (language === "python") {
@@ -10171,8 +10334,11 @@ var DEFAULT_SOURCES = [
   { method: "get", class: "cookies", type: "http_cookie", severity: "high", return_tainted: true },
   { property: "json", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "data", object: "request", type: "http_body", severity: "high", property_tainted: true },
+  { property: "stream", object: "request", type: "http_body", severity: "high", property_tainted: true },
   { property: "path", object: "request", type: "http_path", severity: "medium", property_tainted: true },
   { property: "query_string", object: "request", type: "http_query", severity: "high", property_tainted: true },
+  { method: "get_data", class: "request", type: "http_body", severity: "high", return_tainted: true },
+  { method: "get_json", class: "request", type: "http_body", severity: "high", return_tainted: true },
   { method: "get", class: "GET", type: "http_param", severity: "high", return_tainted: true },
   { method: "get", class: "POST", type: "http_param", severity: "high", return_tainted: true },
   { method: "get", class: "META", type: "http_header", severity: "high", return_tainted: true },
@@ -10335,13 +10501,13 @@ var DEFAULT_SINKS = [
   { method: "setExecutable", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "setCommand", class: "ExecTask", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "execute", class: "Java", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "bash", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "shell", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "sh", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "fork", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "popen", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  { method: "system", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "bash", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "shell", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "sh", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "spawn", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "fork", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "popen", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "system", languages: ["java", "javascript", "typescript", "python", "go", "rust"], type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "setCommandline", class: "DefaultExecutor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "parse", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "addArgument", class: "CommandLine", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10404,6 +10570,9 @@ var DEFAULT_SINKS = [
   { method: "unzip", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
+  { method: "extractall", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "send_from_directory", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [1], languages: ["python"] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "Scanner", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11171,10 +11340,22 @@ var DEFAULT_SINKS = [
   { method: "redirect", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "Set", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
   { method: "Add", class: "Header", type: "crlf", cwe: "CWE-113", severity: "medium", arg_positions: [1], languages: ["go"] },
-  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
-  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-915", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] }
+  { method: "assign", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defineProperty", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2], languages: ["javascript", "typescript"] },
+  { method: "defineProperties", class: "Object", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "merge", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "_", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "defaultsDeep", class: "lodash", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "$", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "extend", class: "jQuery", type: "mass_assignment", cwe: "CWE-1321", severity: "high", arg_positions: [1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "innerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "outerHTML", type: "xss", cwe: "CWE-79", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", class: "serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", class: "node-serialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "unserialize", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["javascript", "typescript"] }
 ];
 var DEFAULT_SANITIZERS = [
   { method: "setString", class: "PreparedStatement", removes: ["sql_injection"] },
@@ -11452,7 +11633,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
           location: formatCallLocation(call),
           severity: pattern.severity,
           line: call.location.line,
-          confidence: 1
+          confidence: 1,
+          in_method: call.in_method ?? undefined
         });
       }
     }
@@ -11469,7 +11651,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
                 location: `@${pattern.annotation} ${param.name} in ${method.name}`,
                 severity: pattern.severity,
                 line: paramLine,
-                confidence: 1
+                confidence: 1,
+                in_method: method.name
               });
             }
           }
@@ -11491,7 +11674,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
             location: `@${pattern.method_annotation} ${param.name} in ${method.name}`,
             severity: pattern.severity,
             line: paramLine,
-            confidence: 1
+            confidence: 1,
+            in_method: method.name
           });
         }
       }
@@ -11520,7 +11704,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
           severity: "high",
           line: paramLine,
           confidence: 1,
-          variable: param.name
+          variable: param.name,
+          in_method: method.name
         });
       }
     }
@@ -11541,7 +11726,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
             location: `${param.type || "any"} ${param.name} in ${method.name}`,
             severity: "medium",
             line: paramLine,
-            confidence: param.type ? 0.7 : 0.5
+            confidence: param.type ? 0.7 : 0.5,
+            in_method: method.name
           });
         }
       }
@@ -11561,7 +11747,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
               location: `${arg.expression} in ${call.in_method || "anonymous"}`,
               severity: "high",
               line: call.location.line,
-              confidence: 1
+              confidence: 1,
+              in_method: call.in_method ?? undefined
             });
           }
         }
@@ -11581,7 +11768,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
               location: `${arg.expression} in ${call.in_method || "anonymous"}`,
               severity: "high",
               line: call.location.line,
-              confidence: 1
+              confidence: 1,
+              in_method: call.in_method ?? undefined
             });
           }
           break;
@@ -11614,6 +11802,21 @@ function findSources(calls, types, patterns, sourceLines, language) {
         s.variable = m[1];
     }
   }
+  if (language === "java" && sourceLines) {
+    const JAVA_ASSIGN_LHS = /^\s*(?:(?:final|public|private|protected|static|synchronized|volatile|transient)\s+)*(?:[A-Za-z_][\w.]*(?:\s*<[^=]*>)?(?:\s*\[\s*\])*\s+)?([A-Za-z_]\w*)\s*=(?!=)/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0)
+        continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = JAVA_ASSIGN_LHS.exec(lineText);
+      if (!m)
+        continue;
+      const rhs = lineText.slice(m[0].length).trimStart();
+      if (/^new\b/.test(rhs))
+        continue;
+      s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -11787,7 +11990,11 @@ function matchesSourcePattern(call, pattern) {
     }
     if (pattern.class && pattern.class !== "constructor") {
       if (call.receiver_type && call.receiver_type === pattern.class) {} else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {} else if (!call.receiver) {
-        return false;
+        const target = call.resolution?.target;
+        const expectedTail = `${pattern.class}.${pattern.method}`;
+        if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {} else {
+          return false;
+        }
       } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
@@ -12044,7 +12251,11 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
       }
       return false;
     } else if (!call.receiver && !call.receiver_type) {
-      return false;
+      const target = call.resolution?.target;
+      const expectedTail = `${pattern.class}.${pattern.method}`;
+      if (target && (target === expectedTail || target.endsWith("." + expectedTail))) {} else {
+        return false;
+      }
     }
   }
   if (!pattern.class && call.receiver) {
@@ -15051,6 +15262,9 @@ class DefaultLanguageRegistry {
     }
   }
   get(language) {
+    if (language === "tsx") {
+      return this.plugins.get("javascript");
+    }
     return this.plugins.get(language);
   }
   getForFile(filePath) {
@@ -17244,6 +17458,20 @@ class BashPlugin extends BaseLanguagePlugin {
         cwe: "CWE-918",
         severity: "high",
         argPositions: [0]
+      },
+      {
+        method: "source",
+        type: "path_traversal",
+        cwe: "CWE-98",
+        severity: "critical",
+        argPositions: [0]
+      },
+      {
+        method: ".",
+        type: "path_traversal",
+        cwe: "CWE-98",
+        severity: "critical",
+        argPositions: [0]
       }
     ];
   }
@@ -20337,6 +20565,7 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
   const allSources = [];
   const allSinks = [];
   const allSanitizers = [];
+  const allFlows = [];
   const allImports = [];
   const allExports = [];
   const allFindings = [];
@@ -20422,6 +20651,14 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
         line: sanitizer.line + lineShift
       });
     }
+    for (const flow of ir.taint.flows ?? []) {
+      allFlows.push({
+        ...flow,
+        source_line: flow.source_line + lineShift,
+        sink_line: flow.sink_line + lineShift,
+        path: flow.path.map((step) => ({ ...step, line: step.line + lineShift }))
+      });
+    }
     for (const imp of ir.imports) {
       allImports.push({
         ...imp,
@@ -20441,7 +20678,8 @@ function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
   const taint = {
     sources: allSources,
     sinks: allSinks,
-    sanitizers: allSanitizers.length > 0 ? allSanitizers : undefined
+    sanitizers: allSanitizers.length > 0 ? allSanitizers : undefined,
+    flows: allFlows.length > 0 ? allFlows : undefined
   };
   const cfg = {
     blocks: allCfgBlocks,
@@ -20637,6 +20875,7 @@ class LanguageSourcesPass {
     const constProp = ctx.getResult("constant-propagation");
     const additionalSources = [];
     const additionalSinks = [];
+    const additionalSanitizers = [];
     additionalSources.push(...findGetterSources(types, constProp.instanceFieldTaint, code));
     additionalSources.push(...findOopFieldReadSources(types, code, language));
     additionalSources.push(...findJavaScriptAssignmentSources(code, language));
@@ -20690,9 +20929,10 @@ class LanguageSourcesPass {
       for (const finding of bashFindings) {
         ctx.addFinding(finding);
       }
+      additionalSanitizers.push(...findBashRegexAllowlistSanitizers(code));
     }
     attachSourceLineCode(additionalSources, additionalSinks, code);
-    return { additionalSources, additionalSinks, pyTaintedVars, pySanitizedVars, jsTaintedVars };
+    return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
   }
 }
 function findGetterSources(types, instanceFieldTaint, _sourceCode) {
@@ -20943,62 +21183,62 @@ function buildPythonTaintedVars(sourceCode) {
     const line = lines[i2];
     if (line.trimStart().startsWith("#"))
       continue;
-    const subscriptAssign = line.match(/^\s*(\w+)\[(['"])([^'"]+)\2\]\s*=\s*(.+)$/);
+    const subscriptAssign = line.match(/^\s*([\p{L}\p{N}_]+)\[(['"])([^'"]+)\2\]\s*=\s*(.+)$/u);
     if (subscriptAssign) {
       const [, container, , key, rhs2] = subscriptAssign;
-      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(rhs2));
+      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs2));
       if (isTaintedRhs)
         containerTainted.set(`${container}['${key}']`, i2 + 1);
       continue;
     }
-    const setCallMatch = line.match(/^\s*(\w+)\.set\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*,\s*(.+?)\s*\)$/);
+    const setCallMatch = line.match(/^\s*([\p{L}\p{N}_]+)\.set\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*,\s*(.+?)\s*\)$/u);
     if (setCallMatch) {
       const [, obj, , section, , key, rhs2] = setCallMatch;
-      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(rhs2));
+      const isTaintedRhs = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs2));
       if (isTaintedRhs)
         containerTainted.set(`${obj}['${section}']['${key}']`, i2 + 1);
       continue;
     }
-    const containerAppendMatch = line.match(/^\s*(\w+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/);
+    const containerAppendMatch = line.match(/^\s*([\p{L}\p{N}_]+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/u);
     if (containerAppendMatch) {
       const [, receiver, , argExpr] = containerAppendMatch;
-      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(argExpr));
+      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(argExpr));
       const argIsDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(argExpr));
       if (argIsTainted || argIsDirectSource)
         tainted.set(receiver, tainted.get(receiver) ?? i2 + 1);
       continue;
     }
-    const augAssign = line.match(/^\s*(\w+)\s*\+=\s*(.+)$/);
+    const augAssign = line.match(/^\s*([\p{L}\p{N}_]+)\s*\+=\s*(.+)$/u);
     if (augAssign) {
       const [, augLhs, augRhs] = augAssign;
-      const rhsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(augRhs));
+      const rhsTainted = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(augRhs));
       if (rhsTainted || tainted.has(augLhs))
         tainted.set(augLhs, tainted.get(augLhs) ?? i2 + 1);
       continue;
     }
-    const forLoopMatch = line.match(/^\s*for\s+(\w+)\s+in\s+(.+?)(?:\s*:\s*)?$/);
+    const forLoopMatch = line.match(/^\s*for\s+([\p{L}\p{N}_]+)\s+in\s+(.+?)(?:\s*:\s*)?$/u);
     if (forLoopMatch) {
       const [, iterVar, iterExpr] = forLoopMatch;
       const isDirectSource2 = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(iterExpr));
-      const isPropagated = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(iterExpr));
+      const isPropagated = [...tainted.keys()].some((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(iterExpr));
       if (isDirectSource2 || isPropagated)
         tainted.set(iterVar, i2 + 1);
       continue;
     }
-    const assignMatch = line.match(/^\s*(\w+)\s*=\s*(.+)$/);
+    const assignMatch = line.match(/^\s*([\p{L}\p{N}_]+)\s*=\s*(.+)$/u);
     if (!assignMatch)
       continue;
     const [, lhs, rhs] = assignMatch;
     const isDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(rhs));
     let propagatedFrom;
-    const dictAccessMatch = rhs.trim().match(/^(\w+)\[(['"])([^'"]+)\2\]$/);
+    const dictAccessMatch = rhs.trim().match(/^([\p{L}\p{N}_]+)\[(['"])([^'"]+)\2\]$/u);
     if (dictAccessMatch) {
       const [, container, , key] = dictAccessMatch;
       if (containerTainted.has(`${container}['${key}']`))
         propagatedFrom = `${container}['${key}']`;
     }
     if (!propagatedFrom) {
-      const confGetMatch = rhs.trim().match(/^(\w+)\.get\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*\)$/);
+      const confGetMatch = rhs.trim().match(/^([\p{L}\p{N}_]+)\.get\s*\(\s*(['"])([^'"]+)\2\s*,\s*(['"])([^'"]+)\4\s*\)$/u);
       if (confGetMatch) {
         const [, obj, , section, , key] = confGetMatch;
         if (containerTainted.has(`${obj}['${section}']['${key}']`))
@@ -21008,7 +21248,7 @@ function buildPythonTaintedVars(sourceCode) {
     if (!propagatedFrom) {
       const isSafeEnvRead = /\bos\.environ\.get\s*\(/.test(rhs) || /\bos\.getenv\s*\(/.test(rhs);
       if (!isSafeEnvRead)
-        propagatedFrom = [...tainted.keys()].find((v) => new RegExp(`\\b${v}\\b`).test(rhs));
+        propagatedFrom = [...tainted.keys()].find((v) => new RegExp(`(?<![\\p{L}\\p{N}_])${v}(?![\\p{L}\\p{N}_])`, "u").test(rhs));
     }
     if (isDirectSource) {
       tainted.set(lhs, i2 + 1);
@@ -21413,6 +21653,61 @@ function findBashPatternFindings(sourceCode, file) {
   }
   return findings;
 }
+function findBashRegexAllowlistSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split(`
+`);
+  const guardRe = /^\s*if\s+\[\[\s*!\s*"?\$\{?(\w+)\}?"?\s*=~\s*(\S+)\s*\]\]\s*;\s*then\s+(exit|return|die)\b/;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    const m = guardRe.exec(lines[i2]);
+    if (!m)
+      continue;
+    const regexLiteral = m[2];
+    if (!isSafeBashAllowlistRegex(regexLiteral))
+      continue;
+    const ifLine1Indexed = i2 + 1;
+    for (let l = ifLine1Indexed + 1;l <= lines.length; l++) {
+      sanitizers.push({
+        type: "regex_allowlist",
+        method: "=~",
+        line: l,
+        sanitizes: [
+          "command_injection",
+          "path_traversal",
+          "sql_injection",
+          "code_injection",
+          "ssrf",
+          "xss",
+          "open_redirect",
+          "log_injection"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function isSafeBashAllowlistRegex(literal) {
+  if (!literal.startsWith("^") || !literal.endsWith("$"))
+    return false;
+  const body2 = literal.slice(1, -1);
+  if (body2.length === 0)
+    return false;
+  if (body2.includes(".*") || body2.includes(".+"))
+    return false;
+  if (body2.includes("|"))
+    return false;
+  if (/\\\d/.test(body2))
+    return false;
+  const safeToken = /\[[^\]]+\][+*?]?|\\.|[A-Za-z0-9_\-./]|[+*?]/g;
+  let consumed = 0;
+  let match;
+  while ((match = safeToken.exec(body2)) !== null) {
+    if (match.index !== consumed)
+      return false;
+    consumed += match[0].length;
+  }
+  return consumed === body2.length;
+}
 
 // ../circle-ir/dist/analysis/passes/sink-filter-pass.js
 var JS_XSS_SANITIZERS = [
@@ -21449,7 +21744,10 @@ class SinkFilterPass {
         sinks.push(s);
       }
     }
-    const sanitizers = taintMatcher.sanitizers;
+    const sanitizers = [
+      ...taintMatcher.sanitizers,
+      ...langSources.additionalSanitizers ?? []
+    ];
     let filtered = sinks.filter((sink) => !constProp.unreachableLines.has(sink.line));
     filtered = filterCleanArraySinks(filtered, calls, constProp.taintedArrayElements, constProp.symbols);
     filtered = filterCleanVariableSinks(filtered, calls, constProp.tainted, constProp.symbols, dfg, constProp.sanitizedVars, constProp.synchronizedLines, language);
@@ -21924,6 +22222,8 @@ function findInitialTaint(sources, callsByLine, defsByLine) {
     for (const def of defsNextLine) {
       const callsOnSourceLine = callsByLine.get(source.line) ?? [];
       if (callsOnSourceLine.length > 0) {
+        if (source.variable && def.variable !== source.variable)
+          continue;
         tainted.push({
           variable: def.variable,
           defId: def.id,
@@ -21934,6 +22234,21 @@ function findInitialTaint(sources, callsByLine, defsByLine) {
         });
       }
     }
+    if (source.variable) {
+      const paramDefs = defsByLine.get(0) ?? [];
+      for (const def of paramDefs) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          tainted.push({
+            variable: def.variable,
+            defId: def.id,
+            line: def.line,
+            sourceType: source.type,
+            sourceLine: source.line,
+            confidence: source.confidence
+          });
+        }
+      }
+    }
   }
   return tainted;
 }
@@ -22111,13 +22426,13 @@ class TaintPropagationPass {
       confidence: flow.confidence,
       sanitized: flow.sanitized
     }));
-    const arrayFlows = detectArrayElementFlows(calls, sources, sinks, constProp.taintedArrayElements, constProp.unreachableLines) ?? [];
+    const arrayFlows = detectArrayElementFlows(calls, sources, sinks, constProp.taintedArrayElements, constProp.unreachableLines, types) ?? [];
     for (const f of arrayFlows) {
       if (!flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line)) {
         flows.push(f);
       }
     }
-    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines, ctx.code) ?? [];
+    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines, ctx.code, types) ?? [];
     for (const f of collectionFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line))
         continue;
@@ -22168,7 +22483,7 @@ class TaintPropagationPass {
       flows.push(f);
     }
     const sanitizedNames = constProp.sanitizedVars;
-    const finalFlows = sanitizedNames.size === 0 ? flows : flows.filter((f) => {
+    let finalFlows = sanitizedNames.size === 0 ? flows : flows.filter((f) => {
       if (f.path.length === 0)
         return true;
       const sourceVar = f.path[0].variable;
@@ -22182,10 +22497,60 @@ class TaintPropagationPass {
       }
       return true;
     });
+    if (ctx.language === "java" && typeof ctx.code === "string") {
+      finalFlows = finalFlows.filter((f) => {
+        if (f.sink_type !== "path_traversal" && f.sink_type !== "xxe")
+          return true;
+        if (!isInJavaSanitizedMethod(ctx.code, types, f.sink_line, f.sink_type))
+          return true;
+        return false;
+      });
+    }
     return { flows: finalFlows };
   }
 }
-function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines, code) {
+function isInJavaSanitizedMethod(code, types, sinkLine, sinkType) {
+  if (!types || types.length === 0)
+    return false;
+  let methodStart = -1;
+  let methodEnd = -1;
+  for (const t of types) {
+    for (const m of t.methods) {
+      if (sinkLine >= m.start_line && sinkLine <= m.end_line) {
+        methodStart = m.start_line;
+        methodEnd = m.end_line;
+        break;
+      }
+    }
+    if (methodStart > 0)
+      break;
+  }
+  if (methodStart < 0)
+    return false;
+  const lines = code.split(`
+`);
+  const body2 = lines.slice(methodStart - 1, methodEnd).join(`
+`);
+  if (sinkType === "path_traversal") {
+    if (!/\.getCanonicalPath\s*\(/.test(body2))
+      return false;
+    if (!/\.startsWith\s*\([^)]*getCanonicalPath/.test(body2))
+      return false;
+    if (!/\bthrow\s+new\b/.test(body2))
+      return false;
+    return true;
+  }
+  if (sinkType === "xxe") {
+    const setFeatureRe = /\.setFeature\s*\(\s*"(?:[^"]*disallow-doctype-decl|[^"]*external-general-entities|[^"]*external-parameter-entities|[^"]*load-external-dtd)"/;
+    if (setFeatureRe.test(body2))
+      return true;
+    if (/\.setProperty\s*\([^,]*SUPPORT_DTD[^,]*,\s*false\s*\)/.test(body2))
+      return true;
+    return false;
+  }
+  return false;
+}
+function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines, code, types) {
   const flows = [];
   const callsByLine = new Map;
   for (const call of calls) {
@@ -22206,8 +22571,11 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
           const varName = arg.variable;
           const scopedName = call.in_method ? `${call.in_method}:${varName}` : varName;
           if (taintedVars.has(varName) || taintedVars.has(scopedName)) {
-            const source = sources[0];
+            const source = pickScopedSource(sources, sink.line, call.in_method ?? null, types, varName);
             if (source) {
+              if (source.variable && source.variable !== varName && source.in_method && call.in_method && source.in_method !== call.in_method) {
+                continue;
+              }
               if (typeof code === "string" && isReassignedToLiteralBetween(code, varName, source.line, sink.line)) {
                 continue;
               }
@@ -22243,8 +22611,11 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
               const collectionVar = match[1];
               const scopedCollection = call.in_method ? `${call.in_method}:${collectionVar}` : collectionVar;
               if (taintedVars.has(collectionVar) || taintedVars.has(scopedCollection)) {
-                const source = sources[0];
+                const source = pickScopedSource(sources, sink.line, call.in_method ?? null, types, collectionVar);
                 if (source) {
+                  if (source.variable && source.variable !== collectionVar && source.in_method && call.in_method && source.in_method !== call.in_method) {
+                    continue;
+                  }
                   if (typeof code === "string" && isReassignedToLiteralBetween(code, collectionVar, source.line, sink.line)) {
                     continue;
                   }
@@ -22270,7 +22641,7 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
   }
   return flows;
 }
-function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, unreachableLines) {
+function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, unreachableLines, types) {
   const flows = [];
   const callsByLine = new Map;
   for (const call of calls) {
@@ -22295,7 +22666,7 @@ function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, un
           if (taintedIndices) {
             const isTainted = taintedIndices.has(indexStr) || taintedIndices.has("*");
             if (isTainted) {
-              const source = sources[0];
+              const source = pickScopedSource(sources, sink.line, call.in_method ?? null, types, arrayName);
               if (source) {
                 flows.push({
                   source_line: source.line,
@@ -22399,11 +22770,12 @@ function isReassignedToLiteralBetween(code, variable, srcLine, sinkLine) {
   const strLit = `(?:"[^"\\\\]*(?:\\\\.[^"\\\\]*)*"|'[^'\\\\]*(?:\\\\.[^'\\\\]*)*'|\`[^\`\\\\]*(?:\\\\.[^\`\\\\]*)*\`)`;
   const reNaked = new RegExp(`^\\s*${variable}\\s*(?::?=)\\s*${strLit}\\s*;?\\s*$`);
   const reGuarded = new RegExp(`^\\s*if\\b.*\\b${variable}\\s*=\\s*${strLit}\\s*;?\\s*$`);
+  const reSwitchCase = new RegExp(`^\\s*(?:case\\b.*?|default\\s*):\\s*${variable}\\s*=\\s*${strLit}\\s*;?\\s*(?:break\\s*;?)?\\s*$`);
   for (let i2 = lo;i2 < hi; i2++) {
     const line = lines[i2];
     if (!line)
       continue;
-    if (reNaked.test(line) || reGuarded.test(line))
+    if (reNaked.test(line) || reGuarded.test(line) || reSwitchCase.test(line))
       return true;
   }
   return false;
@@ -22507,7 +22879,7 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
     if (reCache.has(s.variable))
       continue;
     const escaped = s.variable.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    reCache.set(s.variable, new RegExp(`\\b${escaped}\\b`));
+    reCache.set(s.variable, new RegExp(`(?<![\\p{L}\\p{N}_])${escaped}(?![\\p{L}\\p{N}_])`, "u"));
   }
   const callsByLine = new Map;
   for (const call of calls) {
@@ -22530,6 +22902,9 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
         for (const source of sourcesWithVar) {
           if (source.line >= sink.line)
             continue;
+          if (source.in_method && call.in_method && source.in_method !== call.in_method) {
+            continue;
+          }
           const re = reCache.get(source.variable);
           if (!re || !re.test(expr))
             continue;
@@ -22596,6 +22971,51 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
   }
   return flows;
 }
+function pickScopedSource(sources, sinkLine, methodName, types, taintedVar) {
+  if (sources.length === 0)
+    return;
+  const closestPreceding = (cands) => {
+    let best;
+    for (const s of cands) {
+      if (s.line >= sinkLine)
+        continue;
+      if (!best || s.line > best.line)
+        best = s;
+    }
+    return best;
+  };
+  if (taintedVar) {
+    const byVar = sources.filter((s) => s.variable === taintedVar);
+    const pick = closestPreceding(byVar);
+    if (pick)
+      return pick;
+  }
+  if (methodName && types && types.length > 0) {
+    let methodStart = -1;
+    let methodEnd = -1;
+    for (const t of types) {
+      for (const m of t.methods) {
+        if (m.name === methodName) {
+          methodStart = m.start_line;
+          methodEnd = m.end_line;
+          break;
+        }
+      }
+      if (methodStart > 0)
+        break;
+    }
+    if (methodStart > 0 && methodEnd >= methodStart) {
+      const inScope = sources.filter((s) => s.line >= methodStart && s.line <= methodEnd);
+      const pick = closestPreceding(inScope);
+      if (pick)
+        return pick;
+    }
+  }
+  const globalPick = closestPreceding(sources);
+  if (globalPick)
+    return globalPick;
+  return sources[0];
+}
 
 // ../circle-ir/dist/analysis/interprocedural.js
 function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourcesOrSanitizers, sinksOrOptions, sanitizersArg, optionsArg = {}) {
@@ -22649,6 +23069,13 @@ function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourc
     for (const def of graph.defsAtLine(source.line)) {
       seedIds.add(def.id);
     }
+    if (source.variable) {
+      for (const def of graph.defsAtLine(0)) {
+        if (def.kind === "param" && def.variable === source.variable) {
+          seedIds.add(def.id);
+        }
+      }
+    }
   }
   const taintedDefIds = graph.propagateTaintedDefIds(seedIds);
   const taintedVarsFromCP = options.taintedVariables ?? new Set;
@@ -22789,7 +23216,34 @@ function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourc
     const targetMethod = getMethodNode(methodNodes, call.method_name);
     if (!targetMethod) {
       if (taintedArgPositions.length > 0 && !collectionMethods.has(call.method_name) && !sanitizerMethods.has(call.method_name) && !safeUtilityMethods.has(call.method_name)) {
-        const sink = {
+        const isBash = graph.ir.meta.language === "bash";
+        const bashSafeBuiltins = new Set([
+          "echo",
+          "printf",
+          "test",
+          "[",
+          "[[",
+          "true",
+          "false",
+          ":",
+          "declare",
+          "local",
+          "export",
+          "readonly",
+          "typeset"
+        ]);
+        if (isBash && bashSafeBuiltins.has(call.method_name)) {
+          continue;
+        }
+        const sink = isBash ? {
+          type: "command_injection",
+          cwe: "CWE-78",
+          location: `Tainted data (${taintedArgVars.join(", ")}) passed unquoted to shell utility ${call.method_name}`,
+          line: call.location.line,
+          confidence: 0.6,
+          method: call.method_name,
+          argPositions: taintedArgPositions
+        } : {
           type: "external_taint_escape",
           cwe: "CWE-668",
           location: `Tainted data (${taintedArgVars.join(", ")}) passed to external method ${call.receiver ? call.receiver + "." : ""}${call.method_name}()`,
@@ -23469,6 +23923,7 @@ function isPublicMethod(method, language) {
       return method.modifiers.includes("public");
     case "javascript":
     case "typescript":
+    case "tsx":
       return !method.modifiers.includes("private") && !method.modifiers.includes("protected");
     case "python":
       return !method.name.startsWith("_");
@@ -23488,7 +23943,7 @@ class MissingPublicDocPass {
     if (UTIL_DIR_RE.test(graph.ir.meta.file)) {
       return { missingDocMethods: [], missingDocTypes: [] };
     }
-    if (!["java", "javascript", "typescript", "python"].includes(language)) {
+    if (!["java", "javascript", "typescript", "tsx", "python"].includes(language)) {
       return { missingDocMethods: [], missingDocTypes: [] };
     }
     const lines = code.split(`
@@ -24012,6 +24467,7 @@ function hasDeclKeyword(lineText, language) {
       return /\b(?:int|long|float|double|boolean|byte|char|short|var|final)\b/.test(lineText) || /\b[A-Z]\w*(?:<[^>]*>)?\s+\w/.test(lineText);
     case "javascript":
     case "typescript":
+    case "tsx":
       return /\b(?:let|const|var)\s+[\w{[]/.test(lineText);
     case "rust":
       return /\blet\s+(?:mut\s+)?\w/.test(lineText);
@@ -28518,6 +28974,7 @@ class WeakRandomPass {
         return "Use the `secrets` module (`secrets.token_bytes`, " + "`secrets.token_hex`, `secrets.choice`, `secrets.randbelow`).";
       case "javascript":
       case "typescript":
+      case "tsx":
         return "Use `crypto.randomBytes(n)` (Node.js) or " + "`crypto.getRandomValues(typedArray)` (browser).";
       case "go":
         return "Use `crypto/rand` instead of `math/rand`. Example: " + "`b := make([]byte, 32); _, _ = rand.Read(b)` (where `rand` is `crypto/rand`).";
@@ -28556,7 +29013,7 @@ class WeakRandomPass {
       }
       return null;
     }
-    if (language === "javascript" || language === "typescript") {
+    if (language === "javascript" || language === "typescript" || language === "tsx") {
       if (method === "random" && (receiver === "Math" || receiver.endsWith(".Math"))) {
         return "Math.random";
       }
@@ -30158,6 +30615,7 @@ function getNodeTypesForLanguage(language) {
       ]);
     case "javascript":
     case "typescript":
+    case "tsx":
       return new Set([
         "call_expression",
         "new_expression",
@@ -30170,7 +30628,12 @@ function getNodeTypesForLanguage(language) {
         "import_statement",
         "export_statement",
         "member_expression",
-        "assignment_expression"
+        "assignment_expression",
+        "jsx_element",
+        "jsx_self_closing_element",
+        "jsx_opening_element",
+        "jsx_attribute",
+        "jsx_expression"
       ]);
     case "bash":
       return new Set([
@@ -30234,8 +30697,15 @@ async function analyze(code, filePath, language, options = {}) {
   if (language === "html") {
     return analyzeHtmlFile(code, filePath, options);
   }
-  logger.debug("Analyzing file", { filePath, language, codeLength: code.length });
-  const tree = await parse(code, language);
+  let parseGrammar = language;
+  if (language === "javascript" || language === "typescript") {
+    const lower = filePath.toLowerCase();
+    if (lower.endsWith(".tsx") || lower.endsWith(".jsx")) {
+      parseGrammar = "tsx";
+    }
+  }
+  logger.debug("Analyzing file", { filePath, language, parseGrammar, codeLength: code.length });
+  const tree = await parse(code, parseGrammar);
   try {
     logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
     const parseStatus = extractParseStatus(tree);
@@ -30563,7 +31033,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.59.0";
+var version = "3.64.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {
@@ -30586,7 +31056,11 @@ var SINK_SEVERITY = {
   insecure_cookie: "low",
   trust_boundary: "medium",
   external_taint_escape: "medium",
-  mybatis_mapper_call: "medium"
+  mybatis_mapper_call: "medium",
+  redos: "medium",
+  format_string: "high",
+  crlf: "medium",
+  mass_assignment: "high"
 };
 var SINK_CWE = {
   sql_injection: "CWE-89",
@@ -30608,7 +31082,11 @@ var SINK_CWE = {
   insecure_cookie: "CWE-614",
   trust_boundary: "CWE-501",
   external_taint_escape: "CWE-20",
-  mybatis_mapper_call: "CWE-89"
+  mybatis_mapper_call: "CWE-89",
+  redos: "CWE-1333",
+  format_string: "CWE-134",
+  crlf: "CWE-113",
+  mass_assignment: "CWE-915"
 };
 var VULNERABILITY_HELP = {
   sql_injection: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.59.0",
+  "version": "3.64.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.59.0"
+    "circle-ir": "^3.64.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",