entrygraph 0.1.30__tar.gz → 0.1.32__tar.gz

Files changed (198) hide show
  1. {entrygraph-0.1.30 → entrygraph-0.1.32}/PKG-INFO +1 -1
  2. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/_version.py +2 -2
  3. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/api.py +14 -1
  4. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/go.toml +6 -1
  5. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/javascript.toml +12 -2
  6. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_reachability.py +24 -0
  7. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_sink_catalog.py +24 -0
  8. {entrygraph-0.1.30 → entrygraph-0.1.32}/.github/workflows/ci.yml +0 -0
  9. {entrygraph-0.1.30 → entrygraph-0.1.32}/.github/workflows/release.yml +0 -0
  10. {entrygraph-0.1.30 → entrygraph-0.1.32}/.gitignore +0 -0
  11. {entrygraph-0.1.30 → entrygraph-0.1.32}/LICENSE +0 -0
  12. {entrygraph-0.1.30 → entrygraph-0.1.32}/README.md +0 -0
  13. {entrygraph-0.1.30 → entrygraph-0.1.32}/RELEASING.md +0 -0
  14. {entrygraph-0.1.30 → entrygraph-0.1.32}/pyproject.toml +0 -0
  15. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/__init__.py +0 -0
  16. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/__main__.py +0 -0
  17. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/cli/__init__.py +0 -0
  18. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/cli/main.py +0 -0
  19. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/cli/render.py +0 -0
  20. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/csharp.toml +0 -0
  21. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/java.toml +0 -0
  22. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/lib_javascript.toml +0 -0
  23. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/lib_python.toml +0 -0
  24. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/php.toml +0 -0
  25. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/python.toml +0 -0
  26. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/ruby.toml +0 -0
  27. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/data/sinks/rust.toml +0 -0
  28. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/db/__init__.py +0 -0
  29. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/db/engine.py +0 -0
  30. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/db/meta.py +0 -0
  31. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/db/models.py +0 -0
  32. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/db/queries.py +0 -0
  33. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/__init__.py +0 -0
  34. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/__init__.py +0 -0
  35. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/base.py +0 -0
  36. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/configs.py +0 -0
  37. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/csharp.py +0 -0
  38. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/golang.py +0 -0
  39. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/java.py +0 -0
  40. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/javascript.py +0 -0
  41. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/php.py +0 -0
  42. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/python.py +0 -0
  43. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/ruby.py +0 -0
  44. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/entrypoints/rust.py +0 -0
  45. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/frameworks.py +0 -0
  46. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/manifests.py +0 -0
  47. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/detect/taint.py +0 -0
  48. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/errors.py +0 -0
  49. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/__init__.py +0 -0
  50. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/base.py +0 -0
  51. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/csharp.py +0 -0
  52. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/golang.py +0 -0
  53. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/ir.py +0 -0
  54. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/java.py +0 -0
  55. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/javascript.py +0 -0
  56. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/php.py +0 -0
  57. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/python.py +0 -0
  58. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/registry.py +0 -0
  59. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/ruby.py +0 -0
  60. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/extract/rust.py +0 -0
  61. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/fs/__init__.py +0 -0
  62. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/fs/hashing.py +0 -0
  63. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/fs/lang.py +0 -0
  64. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/fs/walker.py +0 -0
  65. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/graph/__init__.py +0 -0
  66. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/graph/adjacency.py +0 -0
  67. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/graph/cte.py +0 -0
  68. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/graph/scoring.py +0 -0
  69. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/kinds.py +0 -0
  70. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/parsing/__init__.py +0 -0
  71. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/parsing/parsers.py +0 -0
  72. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/parsing/queries.py +0 -0
  73. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/pipeline/__init__.py +0 -0
  74. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/pipeline/scanner.py +0 -0
  75. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/pipeline/worker.py +0 -0
  76. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/pipeline/writer.py +0 -0
  77. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/py.typed +0 -0
  78. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/csharp/calls.scm +0 -0
  79. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/csharp/definitions.scm +0 -0
  80. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/csharp/imports.scm +0 -0
  81. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/go/calls.scm +0 -0
  82. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/go/definitions.scm +0 -0
  83. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/go/imports.scm +0 -0
  84. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/java/calls.scm +0 -0
  85. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/java/definitions.scm +0 -0
  86. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/java/imports.scm +0 -0
  87. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/javascript/calls.scm +0 -0
  88. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/javascript/definitions.scm +0 -0
  89. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/javascript/imports.scm +0 -0
  90. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/php/calls.scm +0 -0
  91. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/php/definitions.scm +0 -0
  92. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/php/imports.scm +0 -0
  93. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/python/calls.scm +0 -0
  94. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/python/definitions.scm +0 -0
  95. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/python/imports.scm +0 -0
  96. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/ruby/calls.scm +0 -0
  97. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/ruby/definitions.scm +0 -0
  98. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/ruby/imports.scm +0 -0
  99. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/rust/calls.scm +0 -0
  100. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/rust/definitions.scm +0 -0
  101. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/queries/rust/imports.scm +0 -0
  102. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/resolve/__init__.py +0 -0
  103. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/resolve/externals.py +0 -0
  104. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/resolve/hierarchy.py +0 -0
  105. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/resolve/resolver.py +0 -0
  106. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/resolve/symbol_table.py +0 -0
  107. {entrygraph-0.1.30 → entrygraph-0.1.32}/src/entrygraph/results.py +0 -0
  108. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/conftest.py +0 -0
  109. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/csharp/aspnet_app/Controllers/ReportsController.cs +0 -0
  110. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/csharp/aspnet_app/Program.cs +0 -0
  111. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/csharp/aspnet_app/Services/ReportService.cs +0 -0
  112. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/csharp/aspnet_app/app.csproj +0 -0
  113. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/csharp/minimalapi_app/Program.cs +0 -0
  114. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/csharp/minimalapi_app/app.csproj +0 -0
  115. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/go/gin_app/go.mod +0 -0
  116. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/go/gin_app/main.go +0 -0
  117. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/go/gin_app/service.go +0 -0
  118. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/go/nethttp_app/go.mod +0 -0
  119. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/go/nethttp_app/main.go +0 -0
  120. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/java/methodref_app/pom.xml +0 -0
  121. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/java/methodref_app/src/main/java/com/example/App.java +0 -0
  122. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/java/spring_app/pom.xml +0 -0
  123. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/java/spring_app/src/main/java/com/example/Application.java +0 -0
  124. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/java/spring_app/src/main/java/com/example/ReportRunner.java +0 -0
  125. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/java/spring_app/src/main/java/com/example/ReportService.java +0 -0
  126. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/java/spring_app/src/main/java/com/example/UserController.java +0 -0
  127. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/javascript/commonjs_app/server.js +0 -0
  128. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/javascript/express_app/package.json +0 -0
  129. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/javascript/express_app/src/routes.js +0 -0
  130. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/javascript/express_app/src/services.js +0 -0
  131. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/php/laravel_app/app/Http/Controllers/ReportController.php +0 -0
  132. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/php/laravel_app/artisan +0 -0
  133. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/php/laravel_app/composer.json +0 -0
  134. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/php/laravel_app/routes/web.php +0 -0
  135. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/chained_sinks/app.py +0 -0
  136. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/flask_app/app/__init__.py +0 -0
  137. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/flask_app/app/db.py +0 -0
  138. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/flask_app/app/routes.py +0 -0
  139. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/flask_app/app/services.py +0 -0
  140. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/flask_app/cli.py +0 -0
  141. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/flask_app/requirements.txt +0 -0
  142. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/fuzzy_sink/app.py +0 -0
  143. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/heal_fidelity/caller.py +0 -0
  144. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/heal_fidelity/worker.py +0 -0
  145. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/may_continue/app.py +0 -0
  146. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/sanitizer/app.py +0 -0
  147. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/python/taint_source/handler.py +0 -0
  148. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/ruby/sinatra_app/Gemfile +0 -0
  149. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/ruby/sinatra_app/app.rb +0 -0
  150. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/ruby/sinatra_app/services/runner.rb +0 -0
  151. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/rust/axum_app/Cargo.toml +0 -0
  152. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/rust/axum_app/src/handlers.rs +0 -0
  153. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/rust/axum_app/src/main.rs +0 -0
  154. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/rust/axum_callback_app/Cargo.toml +0 -0
  155. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/rust/axum_callback_app/src/main.rs +0 -0
  156. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/rust/scoped_sink_app/Cargo.toml +0 -0
  157. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/fixtures/rust/scoped_sink_app/src/main.rs +0 -0
  158. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_api.py +0 -0
  159. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_cli.py +0 -0
  160. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_commonjs.py +0 -0
  161. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_csharp_callbacks.py +0 -0
  162. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_cte_bounds.py +0 -0
  163. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_engine_pragmas.py +0 -0
  164. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_entrypoint_expansion.py +0 -0
  165. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_entrypoints.py +0 -0
  166. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_csharp.py +0 -0
  167. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_go.py +0 -0
  168. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_java.py +0 -0
  169. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_javascript.py +0 -0
  170. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_php.py +0 -0
  171. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_python.py +0 -0
  172. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_ruby.py +0 -0
  173. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_extract_rust.py +0 -0
  174. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_frameworks.py +0 -0
  175. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_fuzzy_sink.py +0 -0
  176. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_go_callbacks.py +0 -0
  177. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_hardening.py +0 -0
  178. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_heal_fidelity.py +0 -0
  179. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_incremental.py +0 -0
  180. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_indexer.py +0 -0
  181. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_java_callbacks.py +0 -0
  182. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_lang.py +0 -0
  183. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_manifests.py +0 -0
  184. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_may_continue.py +0 -0
  185. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_models.py +0 -0
  186. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_pool.py +0 -0
  187. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_registry_cache.py +0 -0
  188. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_render.py +0 -0
  189. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_resolver.py +0 -0
  190. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_rust_callbacks.py +0 -0
  191. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_rust_scoped_sinks.py +0 -0
  192. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_sanitizer_languages.py +0 -0
  193. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_scoring.py +0 -0
  194. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_taint.py +0 -0
  195. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_taint_sanitizers.py +0 -0
  196. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_taint_sources.py +0 -0
  197. {entrygraph-0.1.30 → entrygraph-0.1.32}/tests/test_walker.py +0 -0
  198. {entrygraph-0.1.30 → entrygraph-0.1.32}/uv.lock +0 -0
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: entrygraph
3
- Version: 0.1.30
3
+ Version: 0.1.32
4
4
  Summary: Language-agnostic code graph: query symbols, entrypoints, and source-to-sink call paths from a SQLite index
5
5
  Project-URL: Repository, https://github.com/brettbergin/entrygraph
6
6
  Author-email: Brett Bergin <brettberginbc@yahoo.com>
@@ -18,7 +18,7 @@ version_tuple: tuple[int | str, ...]
18
18
  commit_id: str | None
19
19
  __commit_id__: str | None
20
20
 
21
- __version__ = version = '0.1.30'
22
- __version_tuple__ = version_tuple = (0, 1, 30)
21
+ __version__ = version = '0.1.32'
22
+ __version_tuple__ = version_tuple = (0, 1, 32)
23
23
 
24
24
  __commit_id__ = commit_id = None
@@ -26,7 +26,7 @@ from entrygraph.errors import (
26
26
  )
27
27
  from entrygraph.graph.adjacency import AdjacencyCache
28
28
  from entrygraph.graph.scoring import is_constant_args, score_path
29
- from entrygraph.kinds import Confidence
29
+ from entrygraph.kinds import Confidence, EntrypointKind
30
30
  from entrygraph.results import (
31
31
  CallPath,
32
32
  DetectedFramework,
@@ -507,6 +507,19 @@ class CodeGraph:
507
507
  )
508
508
  ).scalars()
509
509
  ids |= set(rows)
510
+ if source_category == "http_input":
511
+ # Every HTTP route handler receives attacker-controlled request
512
+ # data, so the handler itself is an http_input source. This covers
513
+ # frameworks whose request access is a property read (Express
514
+ # `req.body`, Symfony `$request->get`) rather than a catalog-matched
515
+ # call, which otherwise yield zero source edges (F-H9) — Express/
516
+ # Symfony apps could never produce a taint path.
517
+ ep_rows = session.execute(
518
+ select(models.Entrypoint.symbol_id).where(
519
+ models.Entrypoint.kind == EntrypointKind.HTTP_ROUTE
520
+ )
521
+ ).scalars()
522
+ ids |= set(ep_rows)
510
523
  return ids
511
524
 
512
525
  def _sink_ids(self, session: Session, sink, sink_category: str | None) -> set[int]:
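Review bot: The handler-as-source rule at new lines 510-522 fires only when `source_category == "http_input"`. The sibling `_sink_ids` takes `str | None`, which suggests this function does too, so a query that leaves the category unset may still find no sources in an Express or Symfony app. If `None` means "all categories" here, the guard should read `if source_category in (None, "http_input"):`. The rule also treats every `HTTP_ROUTE` handler as a source whether or not it reads request data, so paths found this way show reachability rather than data flow. The comment should say so, for example `# Over-approximation: reachability from the handler, not proof that request data reaches the sink.` The enclosing function starts outside the hunk, so the `None` behaviour needs confirming against its head.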
@@ -23,7 +23,12 @@ id = "go.sql-query"
23
23
  category = "sql"
24
24
  severity = "medium"
25
25
  callee = "go:*.{Query,QueryRow,Exec,QueryContext,ExecContext,QueryRowContext}"
26
- description = "SQL statement execution (receiver-agnostic; database/sql)"
26
+ # Receiver-agnostic `.Query`/`.Exec` collide with non-SQL APIs (net/url
27
+ # `URL.Query()`, gin `c.Query("id")`, which take no arg or a constant). Require the
28
+ # argument to show string concatenation or fmt.Sprintf — the SQL-injection signal.
29
+ # A constant or parameterized ($1/?) query is not flagged.
30
+ require_arg_hint = "\\+|Sprintf"
31
+ description = "SQL statement execution (receiver-agnostic, dynamic-arg; database/sql)"
27
32
 
28
33
  [[sink]]
29
34
  id = "go.file-write"
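Review bot: With `require_arg_hint = "\\+|Sprintf"`, go.sql-query fires only when concatenation or Sprintf appears in the call's own argument text. A query assembled on an earlier line and passed as a plain variable (constructed example: `q := "SELECT ... " + id; db.Query(q)`) would apparently no longer be tagged. That trades the `URL.Query()` / `c.Query("id")` false positives for a false negative on a common injection shape. The comment should state the gap, e.g. `# Known gap: a query built in a variable before the call is not flagged.` The js.sql-query hint in javascript.toml has the same gap. This assumes the hint is matched against the argument text only, as the assertions in tests/test_sink_catalog.py suggest.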
@@ -13,7 +13,12 @@ description = "Child process execution"
13
13
  id = "js.command-exec.member"
14
14
  category = "command_exec"
15
15
  severity = "high"
16
- callee = "js:*.{exec,execSync,spawn,spawnSync}"
16
+ # `exec` is deliberately excluded from this unknown-receiver wildcard: it collides
17
+ # with RegExp.prototype.exec (a very common false positive), and real child_process
18
+ # exec — destructured `const {exec}` or aliased `cp.exec` — resolves to
19
+ # js:child_process.exec via the import map and is caught by the specific sink above.
20
+ # execSync/spawn/spawnSync have no built-in method collision, so they stay.
21
+ callee = "js:*.{execSync,spawn,spawnSync}"
17
22
  description = "Child process execution (member call)"
18
23
 
19
24
  [[sink]]
@@ -28,7 +33,12 @@ id = "js.sql-query"
28
33
  category = "sql"
29
34
  severity = "medium"
30
35
  callee = "js:*.{query,execute,raw}"
31
- description = "SQL query execution (receiver-agnostic)"
36
+ # Receiver-agnostic `.query`/`.execute` collide with non-SQL APIs (DOM/tRPC/nock
37
+ # `.query`, `URL.query`). Require the argument to show string concatenation or
38
+ # template interpolation — the actual SQL-injection signal — mirroring the knex/
39
+ # sequelize lib patterns. A constant or parameterized query is not flagged.
40
+ require_arg_hint = "\\+|\\$\\{|`"
41
+ description = "SQL query execution (receiver-agnostic, dynamic-arg)"
32
42
 
33
43
  [[sink]]
34
44
  id = "js.file-write"
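Review bot: In the js.sql-query hunk, the trailing backtick alternative in `require_arg_hint = "\\+|\\$\\{|`"` matches any template literal, including a constant one with no `${}`. That contradicts the comment's "A constant or parameterized query is not flagged". Interpolation is already covered by `\\$\\{`, so the hint could be `require_arg_hint = "\\+|\\$\\{"`. If the backtick is kept on purpose, the comment should say why. In the js.command-exec.member hunk, dropping `exec` relies on the import map resolving every real child_process use. A receiver the resolver cannot trace to the child_process import may then go untagged, so the comment should record that as a known limit.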
@@ -146,3 +146,27 @@ def test_dfs_reports_truncation_when_budget_is_spent(monkeypatch):
146
146
  result = cache.paths({1}, {3}, max_paths=10)
147
147
  assert result == [] # budget spent before reaching the sink
148
148
  assert result.truncated is True
149
+
150
+
151
+ def test_http_route_handler_is_an_http_input_source(tmp_path):
152
+ # Express reads request data as a property (`req.body`), not a catalog-matched
153
+ # call, so it produces no source edge — the handler itself must count as an
154
+ # http_input source or the app can never yield a taint path (#34 / F-H9).
155
+ src = tmp_path / "src"
156
+ src.mkdir(parents=True)
157
+ (tmp_path / "package.json").write_text('{"name":"app","dependencies":{"express":"^4"}}')
158
+ (src / "app.js").write_text(
159
+ 'const express = require("express");\n'
160
+ 'const { exec } = require("child_process");\n'
161
+ "const app = express();\n"
162
+ "function runReport(req, res) {\n"
163
+ " const name = req.body.name;\n" # property-read source (not a call)
164
+ ' exec("report " + name);\n' # command_exec sink
165
+ "}\n"
166
+ 'app.post("/reports", runReport);\n'
167
+ )
168
+ graph = CodeGraph.index(tmp_path, db=tmp_path / "g.db")
169
+ paths = graph.paths(source_category="http_input", sink_category="command_exec")
170
+ graph.close()
171
+ chains = [[s.qname for s in p.symbols] for p in paths]
172
+ assert ["app.runReport", "js:child_process.exec"] in chains
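Review bot: The new test pins only the positive case, so nothing checks that the handler-as-source rule stays scoped to `http_input`. A second `graph.paths(...)` call with a different source category, asserting that `["app.runReport", "js:child_process.exec"]` is absent, would catch the rule leaking into other categories. `graph.close()` is also skipped if `graph.paths` raises, which leaves the SQLite file in `tmp_path` open. Wrapping the query as `try: paths = graph.paths(...)` / `finally: graph.close()` avoids that.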
@@ -49,3 +49,27 @@ def test_spot_check_new_sinks(registry):
49
49
  def test_categories_are_queryable(registry):
50
50
  for category in ("ssrf", "xxe", "weak_crypto", "path_traversal", "jndi"):
51
51
  assert registry.ids_for_category(category), f"no sinks for {category}"
52
+
53
+
54
+ def test_regexp_exec_is_not_a_command_sink(registry):
55
+ # `js:*.exec` collided with RegExp.prototype.exec. Real child_process exec
56
+ # resolves to js:child_process.exec (imported/aliased) and stays tagged; the
57
+ # bare unknown-receiver `.exec` no longer matches command_exec.
58
+ assert registry.match("js:child_process.exec", "('ls ' + x)") == "js.command-exec.child_process"
59
+ assert registry.match("js:*.exec", "(input)") is None
60
+ # sibling child-process methods with no built-in collision still match
61
+ assert registry.match("js:*.spawn", "(cmd)") == "js.command-exec.member"
62
+ assert registry.match("js:*.execSync", "(cmd)") == "js.command-exec.member"
63
+
64
+
65
+ def test_receiver_agnostic_sql_requires_dynamic_arg(registry):
66
+ # `*.Query`/`*.query` collided with url.Query()/gin c.Query()/DOM .query.
67
+ # Only a concatenated or interpolated argument (the injection signal) tags.
68
+ assert registry.match("go:*.Exec", '("ALTER DATABASE COLLATE " + c)') == "go.sql-query"
69
+ assert registry.match("go:*.Query", "()") is None # url.Query()
70
+ assert registry.match("go:*.Query", '("offset")') is None # gin c.Query("offset")
71
+ assert (
72
+ registry.match("go:*.Exec", '(ctx, "UPDATE t SET k = ? WHERE id = ?")') is None
73
+ ) # param'd
74
+ assert registry.match("js:*.query", "('SELECT * FROM t WHERE id = ' + id)") == "js.sql-query"
75
+ assert registry.match("js:*.query", "({ where: { id } })") is None # ORM/tRPC object arg
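Review bot: `test_receiver_agnostic_sql_requires_dynamic_arg` exercises only the `+` alternative of each hint. The `Sprintf` branch of the Go pattern and the `${` and backtick branches of the JS pattern have no assertion. A constructed case such as `assert registry.match("go:*.Query", '(fmt.Sprintf("SELECT * FROM t WHERE id = %s", id))') == "go.sql-query"` would cover the first. A template-literal pair would pin the JS behaviour: one argument with `${id}` expected to tag, and one constant template literal with the intended result stated explicitly. Without these, a later edit to either regex could silently drop an injection signal.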