apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-24 20:28:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

10
tests/fixtures/real_world/java/cfg/catch_finally.expect.json vendored
View file

@ -18,6 +18,16 @@
],
"evidence_contains": [],
"notes": "processLeaky throws on line 26 without closing fis \u2014 resource leaked on exception path"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": "HIGH",
"must_not_match": true,
"line_range": [
10,
11
],
"notes": "e.getMessage() → System.err.println is standard error handling, not a security issue — must NOT fire (regression guard for known-safe callee exclusion)"
}
]
}

39
tests/fixtures/real_world/java/cfg/lambda_streams.expect.json vendored
View file

@ -1,5 +1,5 @@
{
"description": "Stream operations with SQL concat in map and exec in forEach lambda",
"description": "Stream operations with SQL concat in map lambda and exec in forEach lambda — both sinks must fire from inside lambda bodies",
"tags": [
"cfg",
"sqli",
@ -14,24 +14,47 @@
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"must_match": true,
"modes": ["full"],
"line_range": [
10,
17
18,
25
],
"evidence_contains": [],
"notes": "cmd parameter inside lambda flows to Runtime.exec \u2014 scanner may not track taint through lambda bodies"
"notes": "cmd lambda parameter (handler-param name) auto-seeded as UserInput flows to Runtime.exec inside forEach lambda body"
},
{
"rule_id": "java.sqli.execute_concat",
"severity": null,
"must_match": false,
"must_match": true,
"line_range": [
6,
10
16
],
"evidence_contains": [],
"notes": "SQL string concatenation inside stream map lambda \u2014 AST pattern may not match inside lambda context"
"notes": "SQL string concatenation inside executeQuery call inside stream map lambda body — AST pattern descends into lambda bodies"
},
{
"rule_id": "java.cmdi.runtime_exec",
"severity": "HIGH",
"must_match": true,
"line_range": [
22,
22
],
"evidence_contains": [],
"notes": "Runtime.getRuntime().exec(cmd) inside forEach lambda; AST pattern correctly matches the exec call"
},
{
"rule_id": "cfg-unguarded-sink",
"severity": "MEDIUM",
"must_match": false,
"line_range": [
22,
22
],
"evidence_contains": [],
"notes": "structural: cfg-unguarded-sink on Runtime.exec sink inside forEach lambda"
}
]
}

11
tests/fixtures/real_world/java/cfg/lambda_streams.java vendored
View file

@ -1,11 +1,18 @@
import java.sql.*;
import java.util.*;
import java.util.stream.*;
public class StreamProcessor {
public List<String> filterUnsafe(List<String> inputs) {
public List<String> filterUnsafe(Statement stmt, List<String> inputs) throws SQLException {
return inputs.stream()
.filter(s -> !s.isEmpty())
.map(s -> "SELECT * FROM users WHERE name = '" + s + "'")
.map(s -> {
try {
stmt.executeQuery("SELECT * FROM users WHERE name = '" + s + "'");
} catch (SQLException e) {
}
return s;
})
.collect(Collectors.toList());
}

39
tests/fixtures/real_world/java/cfg/lambda_taint.expect.json vendored Normal file
View file

@ -0,0 +1,39 @@
{
"description": "Lambda return should not kill parent function control flow; taint from req.getParameter must reach Runtime.exec after lambda",
"tags": [
"cfg",
"cmdi",
"lambda",
"taint"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
12
],
"evidence_contains": [
"req.getParameter",
"Runtime.exec"
],
"notes": "req.getParameter flows to Runtime.exec past lambda with internal return — lambda isolation prevents return from killing parent CFG"
},
{
"rule_id": "java.cmdi.runtime_exec",
"severity": "HIGH",
"must_match": true,
"line_range": [
12,
12
],
"evidence_contains": [],
"notes": "AST pattern match on Runtime.getRuntime().exec()"
}
]
}

14
tests/fixtures/real_world/java/cfg/lambda_taint.java vendored Normal file
View file

@ -0,0 +1,14 @@
import javax.servlet.http.*;
public class LambdaTaint {
public void handle(HttpServletRequest req, HttpServletResponse resp) throws Exception {
String input = req.getParameter("cmd");
// Lambda should isolate taint return inside lambda should NOT
// kill the parent function's control flow
java.util.Arrays.asList("a").forEach(x -> {
if (x.equals("skip")) return; // lambda-local return
});
// This sink should still be reachable
Runtime.getRuntime().exec(input);
}
}

33
tests/fixtures/real_world/java/cfg/switch_expressions.expect.json vendored
View file

@ -17,7 +17,7 @@
9
],
"evidence_contains": [],
"notes": "input parameter flows into Runtime.exec \u2014 depends on whether scanner models method params as taint sources"
"notes": "input parameter flows into Runtime.exec depends on whether scanner models method params as taint sources"
},
{
"rule_id": "cfg-unguarded-sink",
@ -29,6 +29,37 @@
],
"evidence_contains": [],
"notes": "No validation of input before exec call in exec case"
},
{
"rule_id": "java.cmdi.runtime_exec",
"severity": "HIGH",
"must_match": true,
"line_range": [
7,
7
],
"evidence_contains": [],
"notes": "Runtime.getRuntime().exec(input) in exec case of switch; AST pattern correctly matches"
},
{
"rule_id": "cfg-unreachable-sink",
"severity": "MEDIUM",
"must_not_match": true,
"line_range": [
11,
11
],
"notes": "Case body is reachable via switch — cfg-unreachable-sink must NOT fire (regression guard)"
},
{
"rule_id": "cfg-unreachable-sink",
"severity": "MEDIUM",
"must_not_match": true,
"line_range": [
15,
15
],
"notes": "Regression guard: System.out.println(input) in case 'log' is reachable via switch dispatch; cfg-unreachable-sink must NOT fire (catches regressions in Java switch_expression CFG handling)"
}
]
}

32
tests/fixtures/real_world/java/mixed/deser_cmdi.expect.json vendored
View file

@ -32,6 +32,38 @@
],
"evidence_contains": [],
"notes": "Deserialized command string from request input flows into Runtime.exec"
},
{
"rule_id": "java.cmdi.runtime_exec",
"severity": "HIGH",
"must_match": true,
"line_range": [
9,
9
],
"evidence_contains": [],
"notes": "Runtime.getRuntime().exec(command) with deserialized input; AST pattern correctly matches"
},
{
"rule_id": "java.xss.getwriter_print",
"severity": "MEDIUM",
"must_not_match": true,
"line_range": [
11,
11
],
"notes": "response.getWriter().println(\"Done\") — constant string, Layer B suppresses (regression guard)"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": "MEDIUM",
"must_match": true,
"line_range": [
8,
9
],
"evidence_contains": [],
"notes": "readObject() result cast to String flows directly to Runtime.exec \u2014 additional taint path for deserialized command"
}
]
}

32
tests/fixtures/real_world/java/mixed/servlet_full.expect.json vendored
View file

@ -56,6 +56,38 @@
],
"evidence_contains": [],
"notes": "FileInputStream opened on line 23 but never closed"
},
{
"rule_id": "java.cmdi.runtime_exec",
"severity": "HIGH",
"must_match": true,
"line_range": [
14,
14
],
"evidence_contains": [],
"notes": "Runtime.getRuntime().exec(input) in exec branch; AST pattern correctly matches"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": "HIGH",
"must_match": true,
"line_range": [
20,
20
],
"evidence_contains": [],
"notes": "source at 11:9 (request.getParameter(\"input\")) flows through SQL query (line 17) into result set output at out.println(rs.getString(1)); second-order taint via tainted query results"
},
{
"rule_id": "java.xss.getwriter_print",
"severity": "MEDIUM",
"must_not_match": true,
"line_range": [
26,
26
],
"notes": "response.getWriter().println(new String(data)) — file-read data, Layer B suppresses (regression guard)"
}
]
}

2
tests/fixtures/real_world/java/state/branch_close.expect.json vendored
View file

@ -11,7 +11,7 @@
{
"rule_id": "state-resource-leak-possible",
"severity": null,
"must_match": false,
"must_match": true,
"line_range": [
3,
13

2
tests/fixtures/real_world/java/state/connection_lifecycle.expect.json vendored
View file

@ -12,7 +12,7 @@
{
"rule_id": "state-resource-leak",
"severity": null,
"must_match": false,
"must_match": true,
"line_range": [
3,
10

4
tests/fixtures/real_world/java/state/double_close.expect.json vendored
View file

@ -12,7 +12,7 @@
{
"rule_id": "state-double-close",
"severity": null,
"must_match": false,
"must_match": true,
"line_range": [
3,
9
@ -23,7 +23,7 @@
{
"rule_id": "state-use-after-close",
"severity": null,
"must_match": false,
"must_match": true,
"line_range": [
9,
16

2
tests/fixtures/real_world/java/state/stream_lifecycle.expect.json vendored
View file

@ -11,7 +11,7 @@
{
"rule_id": "state-resource-leak",
"severity": null,
"must_match": false,
"must_match": true,
"line_range": [
3,
11

15
tests/fixtures/real_world/java/taint/cast_to_string_still_tainted.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "Casting user input to String does not sanitize it — SQL injection finding must still be reported (negative regression test for type-flow)",
"tags": ["taint", "type-flow", "cast", "sqli", "negative-regression"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [6, 10],
"evidence_contains": [],
"notes": "req.getParameter(\"name\") cast to String still flows into stmt.executeQuery — String cast must not suppress taint"
}
]
}

12
tests/fixtures/real_world/java/taint/cast_to_string_still_tainted.java vendored Normal file
View file

@ -0,0 +1,12 @@
import java.sql.*;
import javax.servlet.http.*;
public class CastStillTainted extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
Object input = req.getParameter("name");
String name = (String) input;
Connection conn = DriverManager.getConnection("jdbc:sqlite:app.db");
Statement stmt = conn.createStatement();
stmt.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
}
}

23
tests/fixtures/real_world/java/taint/catch_param_sink.expect.json vendored Normal file
View file

@ -0,0 +1,23 @@
{
"description": "Catch parameter is conservatively tainted: e flows to response.getWriter().println",
"tags": ["taint", "try-catch", "catch-param"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [5, 12],
"evidence_contains": [],
"notes": "catch(Exception e) binds e as tainted; e flows to println sink via catch parameter"
},
{
"rule_id": "java.xss.getwriter_print",
"severity": "MEDIUM",
"must_match": true,
"line_range": [10, 10],
"evidence_contains": [],
"notes": "response.getWriter().println() in catch block — AST pattern detects potential XSS via error response"
}
]
}

13
tests/fixtures/real_world/java/taint/catch_param_sink.java vendored Normal file
View file

@ -0,0 +1,13 @@
import java.sql.*;
import javax.servlet.http.*;
public class CatchParamHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws Exception {
try {
dangerousOperation();
} catch (Exception e) {
response.getWriter().println("Error: " + e);
}
}
}

14
tests/fixtures/real_world/java/taint/cmdi_processbuilder.expect.json vendored
View file

@ -1,5 +1,5 @@
{
"description": "HttpServletRequest parameters flow into ProcessBuilder constructor \u2014 command injection via user-controlled program and arguments",
"description": "HttpServletRequest parameters flow into ProcessBuilder constructor command injection via user-controlled program and arguments",
"tags": [
"taint",
"cmdi",
@ -8,17 +8,21 @@
"modes": [
"full"
],
"strict_unexpected": [
"taint-unsanitised-flow"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"severity": "HIGH",
"must_match": true,
"line_range": [
5,
13
10,
10
],
"evidence_contains": [],
"notes": "request.getParameter(\"program\") and request.getParameter(\"arg\") flow into new ProcessBuilder(program, arg)"
"notes": "request.getParameter source flows into new ProcessBuilder(program, arg) on line 10. After dedup exactly one finding survives at line 10 (scanner keeps the tightest-source flow — arg at 8:9 has smaller source→sink line distance than program at 7:9).",
"max_count": 1
}
]
}

13
tests/fixtures/real_world/java/taint/cmdi_runtime.expect.json vendored
View file

@ -1,5 +1,5 @@
{
"description": "HttpServletRequest.getParameter flows directly to Runtime.exec \u2014 classic command injection",
"description": "HttpServletRequest.getParameter flows directly to Runtime.exec classic command injection",
"tags": [
"taint",
"cmdi",
@ -30,6 +30,17 @@
],
"evidence_contains": [],
"notes": "No validation or auth check before exec call"
},
{
"rule_id": "java.cmdi.runtime_exec",
"severity": "HIGH",
"must_match": true,
"line_range": [
8,
8
],
"evidence_contains": [],
"notes": "Runtime.getRuntime().exec(cmd) with user-controlled cmd from request.getParameter; AST pattern correctly matches"
}
]
}

26
tests/fixtures/real_world/java/taint/collection_add_sqli.expect.json vendored Normal file
View file

@ -0,0 +1,26 @@
{
"description": "SQL injection via ArrayList.add: user input added to collection then retrieved and passed to executeQuery",
"tags": [
"taint",
"sqli",
"java",
"collection",
"container"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
8,
15
],
"evidence_contains": [],
"notes": "req.getParameter('input') added to ArrayList then retrieved via get(0) and passed to executeQuery; requires Java CallMethod container propagation"
}
]
}

15
tests/fixtures/real_world/java/taint/collection_add_sqli.java vendored Normal file
View file

@ -0,0 +1,15 @@
import java.util.ArrayList;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServlet;
import java.sql.Statement;
public class CollectionHandler extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
ArrayList<String> parts = new ArrayList<>();
parts.add(req.getParameter("input"));
String query = parts.get(0);
Statement stmt = getConnection().createStatement();
stmt.executeQuery(query);
}
}

17
tests/fixtures/real_world/java/taint/deser_ois.expect.json vendored
View file

@ -24,13 +24,26 @@
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"must_match": true,
"line_range": [
5,
10
],
"modes": ["full"],
"evidence_contains": [],
"notes": "request.getInputStream() flows into ObjectInputStream.readObject \u2014 taint may not track through constructor chain"
"notes": "request.getInputStream() flows through ObjectInputStream constructor into ois.readObject (full mode only)"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
11,
11
],
"modes": ["full"],
"evidence_contains": [],
"notes": "Second flow: ois.readObject() source at 8:9 flows to out.println on line 11 (full mode only)"
}
]
}

31
tests/fixtures/real_world/java/taint/deser_readobject_dual.expect.json vendored Normal file
View file

@ -0,0 +1,31 @@
{
"description": "Deserialization + command injection: readObject (Source+Sink) flows to Runtime.exec",
"tags": ["taint", "deser", "cmdi", "multi-label"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [1, 8],
"evidence_contains": [],
"notes": "readObject has dual Source+Sink(DESERIALIZE) labels; Source taints obj, which flows to Runtime.exec"
},
{
"rule_id": "java.deser.readobject",
"severity": "HIGH",
"must_match": true,
"line_range": [5, 5],
"evidence_contains": [],
"notes": "AST pattern detects ois.readObject() — deserialization of untrusted data"
},
{
"rule_id": "java.cmdi.runtime_exec",
"severity": "HIGH",
"must_match": true,
"line_range": [6, 6],
"evidence_contains": [],
"notes": "AST pattern detects Runtime.getRuntime().exec() — command injection sink"
}
]
}

8
tests/fixtures/real_world/java/taint/deser_readobject_dual.java vendored Normal file
View file

@ -0,0 +1,8 @@
import java.io.*;
public class DeserDual {
public void process(InputStream userStream) throws Exception {
ObjectInputStream ois = new ObjectInputStream(userStream);
Object obj = ois.readObject();
Runtime.getRuntime().exec(obj.toString());
}
}

28
tests/fixtures/real_world/java/taint/heap_collection_alias.expect.json vendored Normal file
View file

@ -0,0 +1,28 @@
{
"description": "SQL injection through ArrayList alias: a and b share the same collection, taint added via a flows to sink via b.get(0)",
"tags": [
"taint",
"sqli",
"servlet",
"collection",
"container",
"alias",
"heap"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
6,
13
],
"evidence_contains": [],
"notes": "heap identity: b = a makes both point to same ArrayList, add through a visible at load through b"
}
]
}

14
tests/fixtures/real_world/java/taint/heap_collection_alias.java vendored Normal file
View file

@ -0,0 +1,14 @@
import java.util.ArrayList;
import javax.servlet.http.*;
import java.sql.*;
public class HeapAlias extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
ArrayList<String> a = new ArrayList<>();
ArrayList<String> b = a;
a.add(req.getParameter("input"));
String val = b.get(0);
Statement stmt = DriverManager.getConnection("jdbc:test").createStatement();
stmt.executeQuery("SELECT * FROM t WHERE x = '" + val + "'");
}
}

15
tests/fixtures/real_world/java/taint/infeasible_equality.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "Infeasible nested equality: action.equals('view') AND action.equals('delete') is contradictory. Only the outer exec should produce a finding.",
"tags": ["taint", "constraint", "infeasible", "equality"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [7, 15],
"evidence_contains": [],
"notes": "req.getParameter flows to outer Runtime.exec — reachable path"
}
]
}

16
tests/fixtures/real_world/java/taint/infeasible_equality.java vendored Normal file
View file

@ -0,0 +1,16 @@
import javax.servlet.http.*;
import java.io.*;
public class InfeasibleEquality extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws IOException {
String action = req.getParameter("action");
if (action.equals("view")) {
if (action.equals("delete")) {
// Infeasible: action.equals("view") AND action.equals("delete")
Runtime.getRuntime().exec(action);
}
}
Runtime.getRuntime().exec(action);
}
}

6
tests/fixtures/real_world/java/taint/instanceof_guard_sqli.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "instanceof Integer guard with early return narrows input to Integer before SQL concatenation — type-flow constraint solving should suppress taint finding",
"tags": ["taint", "type-flow", "instanceof", "sqli", "safe"],
"modes": ["full"],
"expected": []
}

15
tests/fixtures/real_world/java/taint/instanceof_guard_sqli.java vendored Normal file
View file

@ -0,0 +1,15 @@
import java.sql.*;
import javax.servlet.http.*;
public class InstanceofGuard extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
Object input = req.getParameter("id");
if (!(input instanceof Integer)) {
resp.sendError(400);
return;
}
Connection conn = DriverManager.getConnection("jdbc:sqlite:app.db");
Statement stmt = conn.createStatement();
stmt.executeQuery("SELECT * FROM users WHERE id = " + input);
}
}

15
tests/fixtures/real_world/java/taint/instanceof_wrong_branch.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "instanceof on the true branch does not narrow the false/continuation branch — SQL injection finding must still be reported (negative regression test for type-flow)",
"tags": ["taint", "type-flow", "instanceof", "sqli", "negative-regression"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [6, 13],
"evidence_contains": [],
"notes": "req.getParameter(\"id\") is only narrowed inside the if-true branch — on continuation after the if block, input is NOT narrowed and flows into stmt.executeQuery. Currently suppressed by type-flow solver (known limitation: instanceof narrowing leaks to post-merge path)."
}
]
}

15
tests/fixtures/real_world/java/taint/instanceof_wrong_branch.java vendored Normal file
View file

@ -0,0 +1,15 @@
import java.sql.*;
import javax.servlet.http.*;
public class InstanceofWrongBranch extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
Object input = req.getParameter("id");
if (input instanceof Integer) {
// Safe branch type narrowed here, but we're on the OTHER branch
}
// This is the continuation input is NOT narrowed to Integer here
Connection conn = DriverManager.getConnection("jdbc:sqlite:app.db");
Statement stmt = conn.createStatement();
stmt.executeQuery("SELECT * FROM users WHERE id = " + input);
}
}

15
tests/fixtures/real_world/java/taint/jackson_deser.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "Jackson ObjectMapper.readValue as dual Source+Sink(DESERIALIZE); tainted data flows to Runtime.exec",
"tags": ["taint", "deser", "cmdi", "multi-label", "jackson"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [6, 11],
"evidence_contains": [],
"notes": "ObjectMapper.readValue (Source) taints data, which flows to Runtime.exec (SHELL_ESCAPE sink)"
}
]
}

12
tests/fixtures/real_world/java/taint/jackson_deser.java vendored Normal file
View file

@ -0,0 +1,12 @@
import javax.servlet.http.*;
import java.io.*;
import com.fasterxml.jackson.databind.ObjectMapper;
public class JacksonDeser extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException {
ObjectMapper mapper = new ObjectMapper();
Object data = mapper.readValue(request.getInputStream(), Object.class);
Runtime.getRuntime().exec(data.toString());
}
}

15
tests/fixtures/real_world/java/taint/jndi_injection.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "JNDI injection: user-controlled input flows to ctx.lookup()",
"tags": ["taint", "jndi", "servlet"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [6, 11],
"evidence_contains": [],
"notes": "getParameter(\"resource\") flows to ctx.lookup() without validation"
}
]
}

12
tests/fixtures/real_world/java/taint/jndi_injection.java vendored Normal file
View file

@ -0,0 +1,12 @@
import javax.naming.InitialContext;
import javax.servlet.http.*;
import java.io.*;
public class JndiServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws Exception {
String name = request.getParameter("resource");
InitialContext ctx = new InitialContext();
Object result = ctx.lookup(name);
}
}

25
tests/fixtures/real_world/java/taint/multi_method_xss.expect.json vendored Normal file
View file

@ -0,0 +1,25 @@
{
"description": "Multi-method XSS: request.getParameter flows through processInput helper to println output",
"tags": [
"taint",
"xss",
"servlet",
"inter-method"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [
9,
14
],
"evidence_contains": [],
"notes": "request.getParameter flows to println via processInput; must_match false because SSA may not track inter-method taint within the same class"
}
]
}

15
tests/fixtures/real_world/java/taint/multi_method_xss.java vendored Normal file
View file

@ -0,0 +1,15 @@
import javax.servlet.http.*;
import java.io.*;
public class MultiMethodXss extends HttpServlet {
private String processInput(String raw) {
return "<b>" + raw + "</b>";
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
String formatted = processInput(name);
response.getWriter().println(formatted);
}
}

15
tests/fixtures/real_world/java/taint/reassignment_compound.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "Compound assignment preserves taint: source concatenated with literal still carries taint to Runtime.exec sink.",
"tags": ["taint", "reassignment", "compound"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [1, 9],
"evidence_contains": [],
"notes": "request.getParameter flows through cmd + suffix concatenation into Runtime.exec"
}
]
}

9
tests/fixtures/real_world/java/taint/reassignment_compound.java vendored Normal file
View file

@ -0,0 +1,9 @@
import javax.servlet.http.*;
public class ReassignmentCompound extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse resp) throws Exception {
String cmd = request.getParameter("cmd");
cmd = cmd + " safe";
Runtime.getRuntime().exec(cmd);
}
}

11
tests/fixtures/real_world/java/taint/reflection.expect.json vendored
View file

@ -30,6 +30,17 @@
],
"evidence_contains": [],
"notes": "request.getParameter(\"class\") flows directly into Class.forName(className)"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": "HIGH",
"must_match": true,
"line_range": [
12,
12
],
"evidence_contains": [],
"notes": "source at 7:9 (request.getParameter(\"class\")) flows through Class.forName -> newInstance -> instance to out.println on line 12; user-controlled class info reflected to response"
}
]
}

15
tests/fixtures/real_world/java/taint/response_entity_xss.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "ResponseEntity constructed with user input — hierarchy resolves ResponseEntity to HttpResponse, XSS finding expected",
"tags": ["taint", "type-flow", "java", "xss"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [6, 9],
"evidence_contains": [],
"notes": "request.getParameter flows to ResponseEntity constructor; must_match false pending verification that ResponseEntity is recognized as a response sink"
}
]
}

10
tests/fixtures/real_world/java/taint/response_entity_xss.java vendored Normal file
View file

@ -0,0 +1,10 @@
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
public class UserController {
public ResponseEntity<String> greet(HttpServletRequest request) {
String name = request.getParameter("name");
return new ResponseEntity<>(name, HttpStatus.OK);
}
}

6
tests/fixtures/real_world/java/taint/safe_constant_args.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "println/print called with only hardcoded string literals — no taint source.",
"tags": ["taint", "negative", "xss"],
"modes": ["full"],
"expected": []
}

7
tests/fixtures/real_world/java/taint/safe_constant_args.java vendored Normal file
View file

@ -0,0 +1,7 @@
public class safe_constant_args {
public static void main(String[] args) {
System.out.println("Hello, world!");
System.out.print("Status: OK");
System.out.println(" - Done");
}
}

6
tests/fixtures/real_world/java/taint/safe_esapi_sanitized.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "ESAPI Encoder.encodeForHTML and Validator.getValidInput sanitize tainted servlet input before println sink",
"tags": ["taint", "negative", "xss", "sanitizer", "esapi"],
"modes": ["full"],
"expected": []
}

18
tests/fixtures/real_world/java/taint/safe_esapi_sanitized.java vendored Normal file
View file

@ -0,0 +1,18 @@
import javax.servlet.http.*;
import java.io.*;
public class SafeEsapiSanitized extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
String safe = Encoder.encodeForHTML(name);
response.getWriter().println(safe);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String id = request.getParameter("id");
String validated = Validator.getValidInput("id", id, "SafeString", 100, false);
response.getWriter().println(validated);
}
}

12
tests/fixtures/real_world/java/taint/safe_no_source.expect.json vendored Normal file
View file

@ -0,0 +1,12 @@
{
"description": "println fed by locally-constructed strings \u2014 no taint source involved.",
"tags": [
"taint",
"negative",
"xss"
],
"modes": [
"full"
],
"expected": []
}

8
tests/fixtures/real_world/java/taint/safe_no_source.java vendored Normal file
View file

@ -0,0 +1,8 @@
public class safe_no_source {
public static void main(String[] args) {
String greeting = "Hello";
String name = "World";
String message = greeting + ", " + name + "!";
System.out.println(message);
}
}

14
tests/fixtures/real_world/java/taint/safe_parameterized_query.expect.json vendored Normal file
View file

@ -0,0 +1,14 @@
{
"description": "Safe parameterized SQL query: user input bound via PreparedStatement placeholder, no SQL injection",
"tags": [
"taint",
"sqli",
"servlet",
"safe",
"parameterized"
],
"modes": [
"full"
],
"expected": []
}

15
tests/fixtures/real_world/java/taint/safe_parameterized_query.java vendored Normal file
View file

@ -0,0 +1,15 @@
import javax.servlet.http.*;
import java.sql.*;
import java.io.*;
public class SafeParameterizedQuery extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, SQLException {
String id = request.getParameter("id");
Connection conn = DriverManager.getConnection("jdbc:sqlite:test.db");
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
stmt.setString(1, id);
ResultSet rs = stmt.executeQuery();
response.getWriter().println(rs.getString("name"));
}
}

6
tests/fixtures/real_world/java/taint/safe_reassigned_const.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "Source from request.getParameter killed by constant reassignment before reaching Runtime.exec sink.",
"tags": ["taint", "negative", "reassignment", "safe"],
"modes": ["full"],
"expected": []
}

9
tests/fixtures/real_world/java/taint/safe_reassigned_const.java vendored Normal file
View file

@ -0,0 +1,9 @@
import javax.servlet.http.*;
public class SafeReassignedConst extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse resp) throws Exception {
String cmd = request.getParameter("cmd");
cmd = "safe";
Runtime.getRuntime().exec(cmd);
}
}

6
tests/fixtures/real_world/java/taint/safe_sanitized_flow.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "System.getenv source flows through HtmlUtils.htmlEscape (HTML_ESCAPE sanitizer) before reaching println sink — taint should be cleared.",
"tags": ["taint", "negative", "xss", "sanitizer"],
"modes": ["full"],
"expected": []
}

11
tests/fixtures/real_world/java/taint/safe_sanitized_flow.java vendored Normal file
View file

@ -0,0 +1,11 @@
import org.springframework.web.util.HtmlUtils;
public class safe_sanitized_flow {
public static void main(String[] args) {
String name = System.getenv("USER_NAME");
if (name != null) {
String safe = HtmlUtils.htmlEscape(name);
System.out.println("Hello, " + safe);
}
}
}

6
tests/fixtures/real_world/java/taint/safe_spring_patterns.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "Safe Spring/JPA/JNDI patterns with constant arguments — no taint source.",
"tags": ["taint", "negative", "spring"],
"modes": ["full"],
"expected": []
}

19
tests/fixtures/real_world/java/taint/safe_spring_patterns.java vendored Normal file
View file

@ -0,0 +1,19 @@
import javax.naming.InitialContext;
public class SafeSpringPatterns {
private Object jdbcTemplate;
private Object entityManager;
public void safeQuery() {
Object result = jdbcTemplate.query("SELECT * FROM users WHERE id = ?");
}
public void safeJpql() {
Object result = entityManager.createQuery("SELECT u FROM User u");
}
public void safeLookup() throws Exception {
InitialContext ctx = new InitialContext();
Object ds = ctx.lookup("java:comp/env/jdbc/mydb");
}
}

6
tests/fixtures/real_world/java/taint/safe_ssrf_hardcoded.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "SSRF negative: hardcoded URL to openConnection() — no taint source, no finding expected",
"tags": ["taint", "ssrf", "negative"],
"modes": ["full"],
"expected": []
}

11
tests/fixtures/real_world/java/taint/safe_ssrf_hardcoded.java vendored Normal file
View file

@ -0,0 +1,11 @@
import java.net.URL;
import java.io.InputStream;
public class safe_ssrf_hardcoded {
public static void main(String[] args) throws Exception {
URL url = new URL("https://api.example.com/health");
InputStream stream = url.openStream();
stream.read();
stream.close();
}
}

6
tests/fixtures/real_world/java/taint/safe_system_out.expect.json vendored Normal file
View file

@ -0,0 +1,6 @@
{
"description": "System.out.println and System.err.println are console output, not HTTP response sinks — no XSS finding expected",
"tags": ["taint", "negative", "xss", "type-aware"],
"modes": ["full"],
"expected": []
}

9
tests/fixtures/real_world/java/taint/safe_system_out.java vendored Normal file
View file

@ -0,0 +1,9 @@
import javax.servlet.http.HttpServletRequest;
public class SystemOutSafe {
public void doGet(HttpServletRequest request) {
String name = request.getParameter("name");
System.out.println(name);
System.err.println(name);
}
}

23
tests/fixtures/real_world/java/taint/spring_sqli.expect.json vendored Normal file
View file

@ -0,0 +1,23 @@
{
"description": "SQL injection via Spring JdbcTemplate and JPA EntityManager with user input",
"tags": ["taint", "sqli", "spring"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [8, 13],
"evidence_contains": [],
"notes": "getParameter(\"name\") concatenated into SQL string passed to jdbcTemplate.query()"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [15, 20],
"evidence_contains": [],
"notes": "getParameter(\"id\") concatenated into SQL string passed to entityManager.createNativeQuery()"
}
]
}

21
tests/fixtures/real_world/java/taint/spring_sqli.java vendored Normal file
View file

@ -0,0 +1,21 @@
import javax.servlet.http.*;
import java.io.*;
public class SpringController extends HttpServlet {
private Object jdbcTemplate;
private Object entityManager;
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
String query = "SELECT * FROM users WHERE name = '" + name + "'";
Object result = jdbcTemplate.query(query);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String id = request.getParameter("id");
String sql = "SELECT * FROM accounts WHERE id = " + id;
Object result = entityManager.createNativeQuery(sql);
}
}

11
tests/fixtures/real_world/java/taint/sqli_concat.expect.json vendored
View file

@ -30,6 +30,17 @@
],
"evidence_contains": [],
"notes": "request.getParameter(\"id\") concatenated into SQL query string passed to executeQuery"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": "HIGH",
"must_match": true,
"line_range": [
16,
16
],
"evidence_contains": [],
"notes": "source at 10:9 (request.getParameter(\"id\")) flows through tainted SQL query (line 12) into result set output at out.println(rs.getString(\"name\")); second-order taint via query results"
}
]
}

23
tests/fixtures/real_world/java/taint/ssrf_url_connect.expect.json vendored Normal file
View file

@ -0,0 +1,23 @@
{
"description": "SSRF: user-controlled URL from getParameter flows to openConnection()",
"tags": ["taint", "ssrf", "servlet"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [6, 11],
"evidence_contains": [],
"notes": "getParameter(\"url\") flows to url.openConnection() without URL validation"
},
{
"rule_id": "state-resource-leak",
"severity": "MEDIUM",
"must_match": false,
"line_range": [6, 11],
"evidence_contains": [],
"notes": "noise: state-resource-leak on HttpURLConnection"
}
]
}

12
tests/fixtures/real_world/java/taint/ssrf_url_connect.java vendored Normal file
View file

@ -0,0 +1,12 @@
import java.net.URL;
import java.net.HttpURLConnection;
import javax.servlet.http.HttpServletRequest;
public class ProxyServlet {
public void doGet(HttpServletRequest request) throws Exception {
String target = request.getParameter("url");
URL url = new URL(target);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.getInputStream();
}
}

39
tests/fixtures/real_world/java/taint/try_catch_sqli.expect.json vendored Normal file
View file

@ -0,0 +1,39 @@
{
"description": "SQL injection in try block and tainted error message in catch block via exception path",
"tags": ["taint", "sqli", "try-catch", "exception-path"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [5, 13],
"evidence_contains": [],
"notes": "request.getParameter flows to executeQuery via string concat — SQL injection in try body"
},
{
"rule_id": "java.sqli.execute_concat",
"severity": "MEDIUM",
"must_match": true,
"line_range": [10, 10],
"evidence_contains": [],
"notes": "AST pattern detects executeQuery with string concatenation — SQL injection"
},
{
"rule_id": "java.xss.getwriter_print",
"severity": "MEDIUM",
"must_match": true,
"line_range": [12, 12],
"evidence_contains": [],
"notes": "response.getWriter().println() with user input — reflected XSS via error response"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": "HIGH",
"must_match": true,
"line_range": [7, 12],
"evidence_contains": [],
"notes": "request.getParameter flows to response.getWriter().println — user input reflected in error response"
}
]
}

15
tests/fixtures/real_world/java/taint/try_catch_sqli.java vendored Normal file
View file

@ -0,0 +1,15 @@
import java.sql.*;
import javax.servlet.http.*;
public class TryCatchSqlHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws Exception {
String userInput = request.getParameter("id");
try {
Statement stmt = connection.createStatement();
stmt.executeQuery("SELECT * FROM users WHERE id = " + userInput);
} catch (SQLException e) {
response.getWriter().println("Error: " + userInput);
}
}
}

15
tests/fixtures/real_world/java/taint/type_receiver_ssrf.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "SSRF via type-qualified receiver: HttpClient.newHttpClient() types client as HttpClient, so client.send resolves to HttpClient.send SSRF sink",
"tags": ["taint", "ssrf", "type-aware"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [4, 10],
"evidence_contains": [],
"notes": "request.getParameter(\"url\") flows to client.send — SSRF detected via type-qualified receiver resolution (HttpClient.send)"
}
]
}

11
tests/fixtures/real_world/java/taint/type_receiver_ssrf.java vendored Normal file
View file

@ -0,0 +1,11 @@
import javax.servlet.http.HttpServletRequest;
public class TypeReceiverSsrf {
public void doGet(HttpServletRequest request) throws Exception {
String target = request.getParameter("url");
java.net.http.HttpClient client = java.net.http.HttpClient.newHttpClient();
java.net.http.HttpRequest req = java.net.http.HttpRequest.newBuilder()
.uri(java.net.URI.create(target)).build();
client.send(req, java.net.http.HttpResponse.BodyHandlers.ofString());
}
}

15
tests/fixtures/real_world/java/taint/unsafe_response_print.expect.json vendored Normal file
View file

@ -0,0 +1,15 @@
{
"description": "XSS via response.getWriter().println — must still detect even with System.out suppression",
"tags": ["taint", "xss", "servlet", "type-aware"],
"modes": ["full"],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [5, 11],
"evidence_contains": [],
"notes": "request.getParameter flows to out.println via response.getWriter() — XSS sink"
}
]
}

11
tests/fixtures/real_world/java/taint/unsafe_response_print.java vendored Normal file
View file

@ -0,0 +1,11 @@
import java.io.*;
import javax.servlet.http.*;
public class UnsafeResponsePrint extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
PrintWriter out = response.getWriter();
out.println("<h1>Hello " + name + "</h1>");
}
}

22
tests/fixtures/real_world/java/taint/xss_response.expect.json vendored
View file

@ -19,6 +19,28 @@
],
"evidence_contains": [],
"notes": "request.getParameter(\"name\") flows directly into out.println without escaping in doGet"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": "HIGH",
"must_match": false,
"line_range": [
17,
17
],
"evidence_contains": [],
"notes": "source at 14:9 (request.getParameter(\"name\") in doPost) reported flowing to out.println on line 17; however line 15 sanitizes via .replace(\"<\",\"&lt;\").replace(\">\",\"&gt;\") so this is FP — scanner fails to recognize manual HTML entity escaping as sanitization"
},
{
"rule_id": "taint-unsanitised-flow (source 7:",
"severity": "HIGH",
"must_not_match": true,
"line_range": [
17,
17
],
"evidence_contains": [],
"notes": "regression guard: the doGet source at 7:9 must never flow to line 17 (inside doPost). Cross-method taint leakage was historically caused by same-name variable conflation across sibling methods sharing a module-level CFG; body separation must keep sibling methods' SSA state isolated."
}
]
}