projscan 4.5.0 → 4.7.0

package/dist/core/dataflowDatabaseSinks.js

@@ -0,0 +1,78 @@
+const DEFAULT_DATABASE_SINKS = new Set(['query', 'execute', '$queryRaw', '$executeRaw', 'raw']);
+const DATABASE_RECEIVERS = new Set([
+    'db',
+    'database',
+    'pool',
+    'client',
+    'connection',
+    'conn',
+    'prisma',
+    'knex',
+    'sequelize',
+    'repository',
+    'repo',
+    'manager',
+    'sql',
+]);
+const DATABASE_MODULE_NAMES = new Set([
+    'db',
+    'database',
+    'sql',
+    'pool',
+    'client',
+    'repository',
+    'repo',
+]);
+const KNOWN_DATABASE_PACKAGES = new Set([
+    'pg',
+    'postgres',
+    'mysql',
+    'mysql2',
+    'sqlite3',
+    'better-sqlite3',
+    'knex',
+    'sequelize',
+    '@prisma/client',
+]);
+export function isDefaultMisidentifiedDatabaseSink(callee, directCallSites, memberCallSites, memberAliases, customSinks, file, graphFile) {
+    if (customSinks.has(callee))
+        return false;
+    if (!DEFAULT_DATABASE_SINKS.has(callee))
+        return false;
+    if (!isJavaScriptLikeFile(file, graphFile.adapterId))
+        return false;
+    if (memberCallSites.some((member) => isDatabaseMemberCall(member, callee)))
+        return false;
+    if (directCallSites.includes(callee) && isImportedDatabaseHelper(callee, graphFile.imports))
+        return false;
+    if (directCallSites.includes(callee) &&
+        memberAliases.some((alias) => isDatabaseMemberAlias(alias, callee)))
+        return false;
+    return true;
+}
+function isDatabaseMemberCall(member, callee) {
+    const parts = member.split('.');
+    if (parts[parts.length - 1] !== callee)
+        return false;
+    const receiver = parts.length >= 2 ? parts[parts.length - 2].toLowerCase() : '';
+    return DATABASE_RECEIVERS.has(receiver);
+}
+function isImportedDatabaseHelper(callee, imports) {
+    return imports.some((imp) => imp.specifiers.includes(callee) && isDatabaseModule(imp.source));
+}
+function isDatabaseModule(source) {
+    if (KNOWN_DATABASE_PACKAGES.has(source))
+        return true;
+    const normalized = source.replace(/\\/g, '/');
+    const last = normalized.split('/').pop() ?? normalized;
+    const basename = last.replace(/\.(?:c|m)?(?:j|t)sx?$/i, '').toLowerCase();
+    return DATABASE_MODULE_NAMES.has(basename);
+}
+function isDatabaseMemberAlias(alias, callee) {
+    const [localName, member] = alias.split('=');
+    return localName === callee && isDatabaseMemberCall(member ?? '', callee);
+}
+function isJavaScriptLikeFile(file, adapterId) {
+    return adapterId === 'javascript' || /\.(?:cjs|mjs|js|jsx|ts|tsx)$/.test(file);
+}
+//# sourceMappingURL=dataflowDatabaseSinks.js.map

package/dist/core/dataflowDatabaseSinks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataflowDatabaseSinks.js","sourceRoot":"","sources":["../../src/core/dataflowDatabaseSinks.ts"],"names":[],"mappings":"AAKA,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC;AAChG,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,IAAI;IACJ,UAAU;IACV,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,MAAM;IACN,QAAQ;IACR,MAAM;IACN,WAAW;IACX,YAAY;IACZ,MAAM;IACN,SAAS;IACT,KAAK;CACN,CAAC,CAAC;AACH,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,IAAI;IACJ,UAAU;IACV,KAAK;IACL,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,MAAM;CACP,CAAC,CAAC;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,IAAI;IACJ,UAAU;IACV,OAAO;IACP,QAAQ;IACR,SAAS;IACT,gBAAgB;IAChB,MAAM;IACN,WAAW;IACX,gBAAgB;CACjB,CAAC,CAAC;AAEH,MAAM,UAAU,kCAAkC,CAChD,MAAc,EACd,eAAyB,EACzB,eAAyB,EACzB,aAAuB,EACvB,WAAwB,EACxB,IAAY,EACZ,SAAwC;IAExC,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACzF,IAAI,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,OAAO,CAAC;QACzF,OAAO,KAAK,CAAC;IACf,IACE,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC;QAChC,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEnE,OAAO,KAAK,CAAC;IACf,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc,EAAE,MAAc;IAC1D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACrD,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAChF,OAAO,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAAc,EACd,OAAwD;IAExD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,IAAI,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,wBAAwB,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1E,OAAO,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa,EAAE,MAAc;IAC1D,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7C,OAAO,SAAS,KAAK,MAAM,IAAI,oBAAoB,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY,EAAE,SAAkB;IAC5D,OAAO,SAAS,KAAK,YAAY,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjF,CAAC"}

package/dist/core/dataflowRiskAssembly.d.ts

@@ -0,0 +1,11 @@
+import { type DataflowRiskFilterContext } from './dataflowFilters.js';
+import { type DataflowFunctionIndex } from './dataflowTraversal.js';
+import type { TaintReport } from './taintTypes.js';
+import type { DataflowRisk } from '../types.js';
+export interface DataflowRiskAssemblyOptions {
+    index: DataflowFunctionIndex;
+    taint: TaintReport;
+    filterContext: DataflowRiskFilterContext;
+    maxDepth: number;
+}
+export declare function assembleDataflowRisks({ index, taint, filterContext, maxDepth, }: DataflowRiskAssemblyOptions): DataflowRisk[];

package/dist/core/dataflowRiskAssembly.js

@@ -0,0 +1,117 @@
+import { shouldIncludeDataflowRisk } from './dataflowFilters.js';
+import { compareDataflowRisks, findReachable, uniqueFiles, } from './dataflowTraversal.js';
+export function assembleDataflowRisks({ index, taint, filterContext, maxDepth, }) {
+    const seen = new Set();
+    const risks = [
+        ...taintRisksFromFlows(taint, filterContext, seen),
+        ...bridgeRisksFromIndex(index, filterContext, seen, maxDepth),
+    ];
+    risks.sort(compareDataflowRisks);
+    return risks;
+}
+function taintRisksFromFlows(taint, filterContext, seen) {
+    if (!taint.available)
+        return [];
+    const risks = [];
+    for (const flow of taint.flows) {
+        addFilteredRisk(risks, seen, riskFromTaintFlow(flow), filterContext);
+    }
+    return risks;
+}
+function riskFromTaintFlow(flow) {
+    const kind = flow.path.length === 1 ? 'direct' : 'propagated';
+    const key = `${kind}:${flow.sourceFn}:${flow.sinkFn}:${flow.source}:${flow.sink}:${flow.path.join('>')}`;
+    return {
+        key,
+        kind,
+        severity: 'error',
+        confidence: flow.path.length <= 2 ? 'high' : 'medium',
+        sourceFn: flow.sourceFn,
+        sinkFn: flow.sinkFn,
+        source: flow.source,
+        sink: flow.sink,
+        path: flow.path,
+        pathLength: flow.path.length,
+        files: flow.files,
+    };
+}
+function bridgeRisksFromIndex(index, filterContext, seen, maxDepth) {
+    const risks = [];
+    for (const bridge of index.fns) {
+        const candidate = bridgeRiskCandidate(bridge, index, maxDepth);
+        if (!candidate)
+            continue;
+        addFilteredRisk(risks, seen, candidate.risk, filterContext, candidate.sinkFile);
+    }
+    return risks;
+}
+function bridgeRiskCandidate(bridge, index, maxDepth) {
+    const paths = bridgeReachablePaths(bridge, index, maxDepth);
+    if (!paths)
+        return null;
+    const endpoints = bridgeEndpoints(paths.sourcePath, paths.sinkPath);
+    if (!endpoints)
+        return null;
+    return {
+        risk: bridgeRiskFromPaths(bridge, paths, endpoints),
+        sinkFile: endpoints.sinkNode.file,
+    };
+}
+function bridgeReachablePaths(bridge, index, maxDepth) {
+    if (bridge.hasSource || bridge.hasSink)
+        return null;
+    const sourcePath = findReachable(bridge, index, (node) => node.hasSource, maxDepth);
+    if (!sourcePath)
+        return null;
+    const sinkPath = findReachable(bridge, index, (node) => node.hasSink, maxDepth);
+    if (!sinkPath)
+        return null;
+    return { sourcePath, sinkPath };
+}
+function bridgeEndpoints(sourcePath, sinkPath) {
+    const sourceNode = sourcePath[sourcePath.length - 1];
+    const sinkNode = sinkPath[sinkPath.length - 1];
+    if (sourceNode.id === sinkNode.id)
+        return null;
+    const source = sourceNode.source;
+    const sink = sinkNode.sink;
+    if (!source || !sink)
+        return null;
+    return { sourceNode, sinkNode, source, sink };
+}
+function bridgeRiskFromPaths(bridge, paths, endpoints) {
+    const { sourcePath, sinkPath } = paths;
+    const { sourceNode, sinkNode, source, sink } = endpoints;
+    const key = `bridge:${bridge.id}:${sourceNode.id}:${sinkNode.id}:${source}:${sink}`;
+    return {
+        key,
+        kind: 'bridge',
+        severity: 'error',
+        confidence: sourcePath.length === 2 && sinkPath.length === 2 ? 'high' : 'medium',
+        sourceFn: sourceNode.qualName,
+        sinkFn: sinkNode.qualName,
+        bridgeFn: bridge.qualName,
+        source,
+        sink,
+        path: bridgeRiskPath(bridge, sourcePath, sinkPath),
+        sourcePath: sourcePath.map((node) => node.qualName),
+        sinkPath: sinkPath.map((node) => node.qualName),
+        pathLength: Math.max(sourcePath.length, sinkPath.length),
+        files: uniqueFiles([...sourcePath, ...sinkPath].map((node) => node.file)),
+    };
+}
+function bridgeRiskPath(bridge, sourcePath, sinkPath) {
+    return [
+        bridge.qualName,
+        ...sourcePath.slice(1).map((node) => node.qualName),
+        ...sinkPath.slice(1).map((node) => node.qualName),
+    ];
+}
+function addFilteredRisk(risks, seen, risk, filterContext, sinkFile) {
+    if (seen.has(risk.key))
+        return;
+    seen.add(risk.key);
+    if (shouldIncludeDataflowRisk(risk, filterContext, sinkFile))
+        risks.push(risk);
+}
+//# sourceMappingURL=dataflowRiskAssembly.js.map

package/dist/core/dataflowRiskAssembly.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataflowRiskAssembly.js","sourceRoot":"","sources":["../../src/core/dataflowRiskAssembly.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAkC,MAAM,sBAAsB,CAAC;AACjG,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,WAAW,GAGZ,MAAM,wBAAwB,CAAC;AA4BhC,MAAM,UAAU,qBAAqB,CAAC,EACpC,KAAK,EACL,KAAK,EACL,aAAa,EACb,QAAQ,GACoB;IAC5B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,KAAK,GAAG;QACZ,GAAG,mBAAmB,CAAC,KAAK,EAAE,aAAa,EAAE,IAAI,CAAC;QAClD,GAAG,oBAAoB,CAAC,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,CAAC;KAC9D,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAkB,EAClB,aAAwC,EACxC,IAAiB;IAEjB,IAAI,CAAC,KAAK,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAChC,MAAM,KAAK,GAAmB,EAAE,CAAC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAC/B,eAAe,CAAC,KAAK,EAAE,IAAI,EAAE,iBAAiB,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAe;IACxC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC;IAC9D,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IACzG,OAAO;QACL,GAAG;QACH,IAAI;QACJ,QAAQ,EAAE,OAAO;QACjB,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QACrD,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM;QAC5B,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,KAA4B,EAC5B,aAAwC,EACxC,IAAiB,EACjB,QAAgB;IAEhB,MAAM,KAAK,GAAmB,EAAE,CAAC;IACjC,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC/D,IAAI,CAAC,SAAS;YAAE,SAAS;QACzB,eAAe,CAAC,KAAK,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,aAAa,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA4B,EAC5B,KAA4B,EAC5B,QAAgB;IAEhB,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC5D,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO;QACL,IAAI,EAAE,mBAAmB,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC;QACnD,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC,IAAI;KAClC,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,MAA4B,EAC5B,KAA4B,EAC5B,QAAgB;IAEhB,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IACpD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACpF,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAChF,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,eAAe,CACtB,UAAkC,EAClC,QAAgC;IAEhC,MAAM,UAAU,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,EAAE,KAAK,QAAQ,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;IACjC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;IAC3B,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAClC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA4B,EAC5B,KAA2B,EAC3B,SAA0B;IAE1B,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC;IACvC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC;IACzD,MAAM,GAAG,GAAG,UAAU,MAAM,CAAC,EAAE,IAAI,UAAU,CAAC,EAAE,IAAI,QAAQ,CAAC,EAAE,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;IACpF,OAAO;QACL,GAAG;QACH,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,OAAO;QACjB,UAAU,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QAChF,QAAQ,EAAE,UAAU,CAAC,QAAQ;QAC7B,MAAM,EAAE,QAAQ,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM;QACN,IAAI;QACJ,IAAI,EAAE,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC;QAClD,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;QACnD,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC/C,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC;QACxD,KAAK,EAAE,WAAW,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KAC1E,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,MAA4B,EAC5B,UAAkC,EAClC,QAAgC;IAEhC,OAAO;QACL,MAAM,CAAC,QAAQ;QACf,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;QACnD,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;KAClD,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,KAAqB,EACrB,IAAiB,EACjB,IAAkB,EAClB,aAAwC,EACxC,QAAiB;IAEjB,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO;IAC/B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,IAAI,yBAAyB,CAAC,IAAI,EAAE,aAAa,EAAE,QAAQ,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjF,CAAC"}

package/dist/core/dataflowTraversal.d.ts

@@ -0,0 +1,25 @@
+import type { CodeGraph } from './codeGraph.js';
+import type { DataflowRisk } from '../types.js';
+export interface DataflowFunctionNode {
+    id: string;
+    qualName: string;
+    bareName: string;
+    file: string;
+    line: number;
+    callees: string[];
+    references: string[];
+    source: string | null;
+    sink: string | null;
+    hasSource: boolean;
+    hasSink: boolean;
+}
+export interface DataflowFunctionIndex {
+    fns: DataflowFunctionNode[];
+    byBareName: Map<string, DataflowFunctionNode[]>;
+    importedFilesByFile: Map<string, Set<string>>;
+    totalCallSites: number;
+}
+export declare function buildFunctionIndex(graph: CodeGraph, sources: Set<string>, sinks: Set<string>, customSources: Set<string>, customSinks: Set<string>): DataflowFunctionIndex;
+export declare function findReachable(start: DataflowFunctionNode, index: DataflowFunctionIndex, predicate: (node: DataflowFunctionNode) => boolean, maxDepth: number): DataflowFunctionNode[] | null;
+export declare function uniqueFiles(files: string[]): string[];
+export declare function compareDataflowRisks(a: DataflowRisk, b: DataflowRisk): number;

package/dist/core/dataflowTraversal.js

@@ -0,0 +1,200 @@
+import { isDefaultMisidentifiedDatabaseSink } from './dataflowDatabaseSinks.js';
+import { frameworkRequestSourceForFunction } from './frameworkSources.js';
+const CALL_SHAPED_DEFAULT_SOURCES = new Set(['getInput', 'readFile', 'readFileSync', 'stdin']);
+const DEFAULT_HTTP_PROPERTY_SOURCES = new Set(['body', 'query', 'params', 'headers', 'cookies']);
+export function buildFunctionIndex(graph, sources, sinks, customSources, customSinks) {
+    const fns = [];
+    const byBareName = new Map();
+    const importedFilesByFile = buildImportedFilesByFile(graph);
+    let totalCallSites = 0;
+    for (const [file, entry] of graph.files) {
+        for (const fn of entry.functions ?? []) {
+            const node = functionNode(file, entry, fn, sources, sinks, customSources, customSinks);
+            totalCallSites += node.callees.length;
+            fns.push(node);
+            const list = byBareName.get(node.bareName) ?? [];
+            list.push(node);
+            byBareName.set(node.bareName, list);
+        }
+    }
+    return { fns, byBareName, importedFilesByFile, totalCallSites };
+}
+export function findReachable(start, index, predicate, maxDepth) {
+    const visited = new Set([start.id]);
+    let frontier = [{ node: start, path: [start] }];
+    for (let depth = 0; depth < maxDepth; depth++) {
+        const next = [];
+        for (const entry of frontier) {
+            for (const callee of entry.node.callees) {
+                const targets = resolveCalleeTargets(entry.node, callee, index);
+                for (const target of targets) {
+                    if (visited.has(target.id))
+                        continue;
+                    const path = [...entry.path, target];
+                    if (predicate(target))
+                        return path;
+                    visited.add(target.id);
+                    next.push({ node: target, path });
+                }
+            }
+        }
+        if (next.length === 0)
+            return null;
+        frontier = next;
+    }
+    return null;
+}
+export function uniqueFiles(files) {
+    const out = [];
+    const seen = new Set();
+    for (const file of files) {
+        if (seen.has(file))
+            continue;
+        seen.add(file);
+        out.push(file);
+    }
+    return out;
+}
+export function compareDataflowRisks(a, b) {
+    const severityOrder = { error: 0, warning: 1 };
+    const kindOrder = { direct: 0, bridge: 1, propagated: 2 };
+    const severityDelta = severityOrder[a.severity] - severityOrder[b.severity];
+    if (severityDelta !== 0)
+        return severityDelta;
+    const kindDelta = kindOrder[a.kind] - kindOrder[b.kind];
+    if (kindDelta !== 0)
+        return kindDelta;
+    if (a.pathLength !== b.pathLength)
+        return a.pathLength - b.pathLength;
+    return a.key.localeCompare(b.key);
+}
+function buildImportedFilesByFile(graph) {
+    const importedFilesByFile = new Map();
+    for (const [target, importers] of graph.localImporters) {
+        for (const importer of importers) {
+            const targets = importedFilesByFile.get(importer) ?? new Set();
+            targets.add(target);
+            importedFilesByFile.set(importer, targets);
+        }
+    }
+    return importedFilesByFile;
+}
+function functionNode(file, graphFile, fn, sources, sinks, customSources, customSinks) {
+    const callees = fn.callSites ?? [];
+    const directCallSites = fn.directCallSites ?? [];
+    const memberCallSites = fn.memberCallSites ?? [];
+    const memberReferences = fn.memberReferences ?? [];
+    const memberAliases = fn.memberAliases ?? [];
+    const references = fn.references ?? [];
+    const source = frameworkRequestSourceForFunction({
+        file,
+        functionName: fn.name,
+        memberCallSites,
+        memberReferences,
+        parameters: fn.parameters ?? [],
+        enabledSources: sources,
+        references,
+        contextualCallSite: fn.contextualCallSite,
+        imports: graphFile.imports,
+        directCallSites,
+    }) ?? pickSourceHit(callees, references, sources, customSources);
+    const sink = pickSinkHit(callees, directCallSites, memberCallSites, memberAliases, sinks, customSinks, file, graphFile);
+    return {
+        id: `${file}::${fn.name}@${fn.line}`,
+        qualName: fn.name,
+        bareName: bareName(fn.name),
+        file,
+        line: fn.line,
+        callees,
+        references,
+        source,
+        sink,
+        hasSource: source !== null,
+        hasSink: sink !== null,
+    };
+}
+function resolveCalleeTargets(from, callee, index) {
+    const targets = index.byBareName.get(callee) ?? [];
+    if (targets.length === 0)
+        return [];
+    const sameFile = targets.filter((target) => target.file === from.file);
+    if (sameFile.length > 0)
+        return sameFile;
+    const importedFiles = index.importedFilesByFile.get(from.file);
+    if (importedFiles) {
+        const importedTargets = targets.filter((target) => importedFiles.has(target.file));
+        if (importedTargets.length > 0)
+            return importedTargets;
+    }
+    // Bare call names such as RegExp.exec, parse, get, run, and handler are
+    // too collision-prone to join across the whole repository. Keep the
+    // conservative global fallback for distinctive names only.
+    if (isCollisionProneCallee(callee))
+        return [];
+    return targets.length === 1 ? targets : [];
+}
+const COLLISION_PRONE_CALLEES = new Set([
+    'add',
+    'build',
+    'check',
+    'close',
+    'compare',
+    'create',
+    'delete',
+    'exec',
+    'execute',
+    'filter',
+    'find',
+    'get',
+    'handle',
+    'handler',
+    'init',
+    'load',
+    'main',
+    'map',
+    'open',
+    'parse',
+    'read',
+    'reduce',
+    'remove',
+    'resolve',
+    'run',
+    'save',
+    'set',
+    'start',
+    'stop',
+    'update',
+    'validate',
+    'write',
+]);
+function isCollisionProneCallee(callee) {
+    return COLLISION_PRONE_CALLEES.has(callee) || callee.length <= 2;
+}
+function pickSourceHit(callees, references, sources, customSources) {
+    for (const value of references) {
+        if (customSources.has(value))
+            return value;
+        if (sources.has(value) && !DEFAULT_HTTP_PROPERTY_SOURCES.has(value))
+            return value;
+    }
+    for (const value of callees) {
+        if (customSources.has(value) || CALL_SHAPED_DEFAULT_SOURCES.has(value))
+            return value;
+    }
+    return null;
+}
+function pickSinkHit(callees, directCallSites, memberCallSites, memberAliases, sinks, customSinks, file, graphFile) {
+    for (const callee of callees) {
+        if (!sinks.has(callee))
+            continue;
+        if (isDefaultMisidentifiedDatabaseSink(callee, directCallSites, memberCallSites, memberAliases, customSinks, file, graphFile))
+            continue;
+        return callee;
+    }
+    return null;
+}
+function bareName(qualified) {
+    const dot = qualified.lastIndexOf('.');
+    return dot < 0 ? qualified : qualified.slice(dot + 1);
+}
+//# sourceMappingURL=dataflowTraversal.js.map

package/dist/core/dataflowTraversal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataflowTraversal.js","sourceRoot":"","sources":["../../src/core/dataflowTraversal.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,kCAAkC,EAAE,MAAM,4BAA4B,CAAC;AAChF,OAAO,EAAE,iCAAiC,EAAE,MAAM,uBAAuB,CAAC;AAwB1E,MAAM,2BAA2B,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC,CAAC;AAC/F,MAAM,6BAA6B,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AAEjG,MAAM,UAAU,kBAAkB,CAChC,KAAgB,EAChB,OAAoB,EACpB,KAAkB,EAClB,aAA0B,EAC1B,WAAwB;IAExB,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkC,CAAC;IAC7D,MAAM,mBAAmB,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QACxC,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;YACvF,cAAc,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YACtC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACf,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACjD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChB,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,mBAAmB,EAAE,cAAc,EAAE,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAA2B,EAC3B,KAA4B,EAC5B,SAAkD,EAClD,QAAgB;IAGhB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5C,IAAI,QAAQ,GAAoB,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACjE,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,QAAQ,EAAE,KAAK,EAAE,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAoB,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;YAC7B,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,oBAAoB,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;gBAChE,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;oBAC7B,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;wBAAE,SAAS;oBACrC,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;oBACrC,IAAI,SAAS,CAAC,MAAM,CAAC;wBAAE,OAAO,IAAI,CAAC;oBACnC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;oBACvB,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,QAAQ,GAAG,IAAI,CAAC;IAClB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAe;IACzC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACf,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,CAAe,EAAE,CAAe;IACnE,MAAM,aAAa,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAC/C,MAAM,SAAS,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IAC1D,MAAM,aAAa,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC5E,IAAI,aAAa,KAAK,CAAC;QAAE,OAAO,aAAa,CAAC;IAC9C,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,SAAS,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACtC,IAAI,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,UAAU;QAAE,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACtE,OAAO,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAgB;IAChD,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC3D,KAAK,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;QACvD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,mBAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACpB,mBAAmB,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED,SAAS,YAAY,CACnB,IAAY,EACZ,SAAoB,EACpB,EAAgB,EAChB,OAAoB,EACpB,KAAkB,EAClB,aAA0B,EAC1B,WAAwB;IAExB,MAAM,OAAO,GAAG,EAAE,CAAC,SAAS,IAAI,EAAE,CAAC;IACnC,MAAM,eAAe,GAAG,EAAE,CAAC,eAAe,IAAI,EAAE,CAAC;IACjD,MAAM,eAAe,GAAG,EAAE,CAAC,eAAe,IAAI,EAAE,CAAC;IACjD,MAAM,gBAAgB,GAAG,EAAE,CAAC,gBAAgB,IAAI,EAAE,CAAC;IACnD,MAAM,aAAa,GAAG,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC;IAC7C,MAAM,UAAU,GAAG,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC;IACvC,MAAM,MAAM,GACV,iCAAiC,CAAC;QAChC,IAAI;QACJ,YAAY,EAAE,EAAE,CAAC,IAAI;QACrB,eAAe;QACf,gBAAgB;QAChB,UAAU,EAAE,EAAE,CAAC,UAAU,IAAI,EAAE;QAC/B,cAAc,EAAE,OAAO;QACvB,UAAU;QACV,kBAAkB,EAAE,EAAE,CAAC,kBAAkB;QACzC,OAAO,EAAE,SAAS,CAAC,OAAO;QAC1B,eAAe;KAChB,CAAC,IAAI,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,WAAW,CACtB,OAAO,EACP,eAAe,EACf,eAAe,EACf,aAAa,EACb,KAAK,EACL,WAAW,EACX,IAAI,EACJ,SAAS,CACV,CAAC;IACF,OAAO;QACL,EAAE,EAAE,GAAG,IAAI,KAAK,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE;QACpC,QAAQ,EAAE,EAAE,CAAC,IAAI;QACjB,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC;QAC3B,IAAI;QACJ,IAAI,EAAE,EAAE,CAAC,IAAI;QACb,OAAO;QACP,UAAU;QACV,MAAM;QACN,IAAI;QACJ,SAAS,EAAE,MAAM,KAAK,IAAI;QAC1B,OAAO,EAAE,IAAI,KAAK,IAAI;KACvB,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,IAA0B,EAC1B,MAAc,EACd,KAA4B;IAE5B,MAAM,OAAO,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IACnD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEpC,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,CAAC;IACvE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEzC,MAAM,aAAa,GAAG,KAAK,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACnF,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,eAAe,CAAC;IACzD,CAAC;IAED,wEAAwE;IACxE,oEAAoE;IACpE,2DAA2D;IAC3D,IAAI,sBAAsB,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9C,OAAO,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,KAAK;IACL,OAAO;IACP,OAAO;IACP,OAAO;IACP,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,SAAS;IACT,QAAQ;IACR,MAAM;IACN,KAAK;IACL,QAAQ;IACR,SAAS;IACT,MAAM;IACN,MAAM;IACN,MAAM;IACN,KAAK;IACL,MAAM;IACN,OAAO;IACP,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,KAAK;IACL,MAAM;IACN,KAAK;IACL,OAAO;IACP,MAAM;IACN,QAAQ;IACR,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH,SAAS,sBAAsB,CAAC,MAAc;IAC5C,OAAO,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,aAAa,CACpB,OAAiB,EACjB,UAAoB,EACpB,OAAoB,EACpB,aAA0B;IAE1B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACpF,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,2BAA2B,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,WAAW,CAClB,OAAiB,EACjB,eAAyB,EACzB,eAAyB,EACzB,aAAuB,EACvB,KAAkB,EAClB,WAAwB,EACxB,IAAY,EACZ,SAA2F;IAE3F,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,SAAS;QACjC,IACE,kCAAkC,CAChC,MAAM,EACN,eAAe,EACf,eAAe,EACf,aAAa,EACb,WAAW,EACX,IAAI,EACJ,SAAS,CACV;YAED,SAAS;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,QAAQ,CAAC,SAAiB;IACjC,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC"}

package/dist/core/fileAccess.d.ts

@@ -0,0 +1,16 @@
+export interface ProjectFileRead {
+    resolvedRoot: string;
+    absolutePath: string;
+    relativePath: string;
+    content: string;
+    sizeBytes: number;
+}
+export type ProjectFileReadResult = {
+    ok: true;
+    file: ProjectFileRead;
+} | {
+    ok: false;
+    relativePath: string;
+    reason: string;
+};
+export declare function readProjectFile(rootPath: string, relOrAbsFile: string): Promise<ProjectFileReadResult>;

package/dist/core/fileAccess.js

@@ -0,0 +1,78 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+export async function readProjectFile(rootPath, relOrAbsFile) {
+    // Reject absolute paths up-front. The MCP `projscan_file` tool's docs
+    // describe `path` as "relative to the project root", but the prior
+    // implementation silently honored absolute paths. Refusing them removes
+    // an attack vector where a hostile MCP client passes /etc/passwd directly.
+    if (path.isAbsolute(relOrAbsFile)) {
+        return {
+            ok: false,
+            relativePath: relOrAbsFile,
+            reason: 'Absolute paths are not accepted; pass a path relative to the project root.',
+        };
+    }
+    // Canonicalize BOTH the root and the target via realpath before the
+    // inside-root check. macOS's tmpdir lives at `/var/folders/...` which
+    // is itself a symlink to `/private/var/folders/...`; without canonical-
+    // izing the root, the resolved target's `/private/...` form would fail
+    // the prefix check. Realpath of the root fails ENOENT only if the user
+    // pointed at a non-existent root (caller error); fall back to the
+    // resolved-without-realpath form in that case so the user gets a clear
+    // downstream "File not found" error rather than a misleading "outside
+    // the project root".
+    const resolvedRoot = path.resolve(rootPath);
+    let canonicalRoot = resolvedRoot;
+    try {
+        canonicalRoot = await fs.realpath(resolvedRoot);
+    }
+    catch {
+        // root doesn't exist; use the unresolved form
+    }
+    const absolutePath = path.resolve(canonicalRoot, relOrAbsFile);
+    // Resolve symlinks on the target. Without this, a symlink under the repo
+    // (e.g. `cache/keys.pem` to `/etc/passwd`) passes the prefix check but
+    // reads attacker-chosen content. realpath collapses the symlink so the
+    // inside-root check sees the real target. ENOENT (path doesn't exist)
+    // means fall back to the unresolved path; downstream stat will surface the
+    // real error.
+    let realPath = absolutePath;
+    try {
+        realPath = await fs.realpath(absolutePath);
+    }
+    catch {
+        // missing path; use the unresolved form for the inside-root check.
+        // path.resolve already collapsed any '..' so we won't admit traversal.
+    }
+    if (!isInsideRoot(realPath, canonicalRoot)) {
+        return { ok: false, relativePath: relOrAbsFile, reason: 'File is outside the project root' };
+    }
+    let content;
+    let sizeBytes;
+    try {
+        const stat = await fs.stat(realPath);
+        if (!stat.isFile()) {
+            return { ok: false, relativePath: relOrAbsFile, reason: 'Path is not a file' };
+        }
+        sizeBytes = stat.size;
+        content = await fs.readFile(realPath, 'utf-8');
+    }
+    catch (err) {
+        const reason = err.code === 'ENOENT' ? 'File not found' : String(err);
+        return { ok: false, relativePath: relOrAbsFile, reason };
+    }
+    return {
+        ok: true,
+        file: {
+            resolvedRoot,
+            absolutePath,
+            relativePath: path.relative(canonicalRoot, absolutePath).split(path.sep).join('/'),
+            content,
+            sizeBytes,
+        },
+    };
+}
+function isInsideRoot(absolutePath, resolvedRoot) {
+    return absolutePath === resolvedRoot || absolutePath.startsWith(resolvedRoot + path.sep);
+}
+//# sourceMappingURL=fileAccess.js.map

package/dist/core/fileAccess.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fileAccess.js","sourceRoot":"","sources":["../../src/core/fileAccess.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAc7B,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,YAAoB;IAEpB,sEAAsE;IACtE,mEAAmE;IACnE,wEAAwE;IACxE,2EAA2E;IAC3E,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,YAAY,EAAE,YAAY;YAC1B,MAAM,EAAE,4EAA4E;SACrF,CAAC;IACJ,CAAC;IAED,oEAAoE;IACpE,sEAAsE;IACtE,wEAAwE;IACxE,uEAAuE;IACvE,uEAAuE;IACvE,kEAAkE;IAClE,uEAAuE;IACvE,sEAAsE;IACtE,qBAAqB;IACrB,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,aAAa,GAAG,YAAY,CAAC;IACjC,IAAI,CAAC;QACH,aAAa,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IACD,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAE/D,yEAAyE;IACzE,uEAAuE;IACvE,uEAAuE;IACvE,sEAAsE;IACtE,2EAA2E;IAC3E,cAAc;IACd,IAAI,QAAQ,GAAG,YAAY,CAAC;IAC5B,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;QACnE,uEAAuE;IACzE,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,aAAa,CAAC,EAAE,CAAC;QAC3C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;IAC/F,CAAC;IAED,IAAI,OAAe,CAAC;IACpB,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QACjF,CAAC;QACD,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC;QACtB,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAI,GAA6B,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjG,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;IAC3D,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,IAAI,EAAE;YACJ,YAAY;YACZ,YAAY;YACZ,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YAClF,OAAO;YACP,SAAS;SACV;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,YAAoB,EAAE,YAAoB;IAC9D,OAAO,YAAY,KAAK,YAAY,IAAI,YAAY,CAAC,UAAU,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;AAC3F,CAAC"}

package/dist/core/fileExportTypes.d.ts

@@ -0,0 +1,2 @@
+import type { ExportInfo } from '../types.js';
+export declare function mapExportType(kind: string): ExportInfo['type'];

package/dist/core/fileExportTypes.js

@@ -0,0 +1,16 @@
+export function mapExportType(kind) {
+    switch (kind) {
+        case 'function':
+        case 'class':
+        case 'variable':
+        case 'type':
+        case 'interface':
+        case 'default':
+            return kind;
+        case 'enum':
+            return 'type';
+        default:
+            return 'unknown';
+    }
+}
+//# sourceMappingURL=fileExportTypes.js.map

package/dist/core/fileExportTypes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fileExportTypes.js","sourceRoot":"","sources":["../../src/core/fileExportTypes.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,UAAU,CAAC;QAChB,KAAK,OAAO,CAAC;QACb,KAAK,UAAU,CAAC;QAChB,KAAK,MAAM,CAAC;QACZ,KAAK,WAAW,CAAC;QACjB,KAAK,SAAS;YACZ,OAAO,IAAI,CAAC;QACd,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC"}

package/dist/core/fileGraphMetrics.d.ts

@@ -0,0 +1,4 @@
+import type { FileInspection } from '../types.js';
+import type { CodeGraph } from './codeGraph.js';
+export type FileGraphMetrics = Pick<FileInspection, 'cyclomaticComplexity' | 'fanIn' | 'fanOut' | 'functions'>;
+export declare function deriveFileGraphMetrics(graph: CodeGraph, relativePath: string): FileGraphMetrics;

package/dist/core/fileGraphMetrics.js

@@ -0,0 +1,34 @@
+export function deriveFileGraphMetrics(graph, relativePath) {
+    const graphFileEntry = graph.files.get(relativePath);
+    if (!graphFileEntry) {
+        return {
+            cyclomaticComplexity: null,
+            fanIn: null,
+            fanOut: null,
+            functions: undefined,
+        };
+    }
+    let fanOut = 0;
+    for (const importers of graph.localImporters.values()) {
+        if (importers.has(relativePath))
+            fanOut++;
+    }
+    const functions = graphFileEntry.functions && graphFileEntry.functions.length > 0
+        ? [...graphFileEntry.functions]
+            .sort((a, b) => b.cyclomaticComplexity - a.cyclomaticComplexity)
+            .map((f) => ({
+            name: f.name,
+            line: f.line,
+            endLine: f.endLine,
+            cyclomaticComplexity: f.cyclomaticComplexity,
+            fanIn: f.fanIn,
+        }))
+        : undefined;
+    return {
+        cyclomaticComplexity: graphFileEntry.parseOk ? graphFileEntry.cyclomaticComplexity : null,
+        fanIn: graph.localImporters.get(relativePath)?.size ?? 0,
+        fanOut,
+        functions,
+    };
+}
+//# sourceMappingURL=fileGraphMetrics.js.map

package/dist/core/fileGraphMetrics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fileGraphMetrics.js","sourceRoot":"","sources":["../../src/core/fileGraphMetrics.ts"],"names":[],"mappings":"AAQA,MAAM,UAAU,sBAAsB,CAAC,KAAgB,EAAE,YAAoB;IAC3E,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACrD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;YACL,oBAAoB,EAAE,IAAI;YAC1B,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,SAAS;SACrB,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,SAAS,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE,CAAC;QACtD,IAAI,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC;YAAE,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,SAAS,GACb,cAAc,CAAC,SAAS,IAAI,cAAc,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;QAC7D,CAAC,CAAC,CAAC,GAAG,cAAc,CAAC,SAAS,CAAC;aAC1B,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,oBAAoB,GAAG,CAAC,CAAC,oBAAoB,CAAC;aAC/D,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,oBAAoB,EAAE,CAAC,CAAC,oBAAoB;YAC5C,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;QACP,CAAC,CAAC,SAAS,CAAC;IAEhB,OAAO;QACL,oBAAoB,EAAE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI;QACzF,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,IAAI,CAAC;QACxD,MAAM;QACN,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/core/fileInspectionEvidence.d.ts

@@ -0,0 +1,13 @@
+import type { FileEntry, FileHotspot, HotspotReport, Issue } from '../types.js';
+interface FileInspectionEvidenceInput {
+    files: FileEntry[];
+    issues: Issue[];
+    hotspots: HotspotReport | undefined;
+    relativePath: string;
+}
+interface FileInspectionEvidence {
+    hotspot: FileHotspot | null;
+    issues: Issue[];
+}
+export declare function collectFileInspectionEvidence(input: FileInspectionEvidenceInput): FileInspectionEvidence;
+export {};