Critical bug fixes and recall improvements (#68)

tests/fixtures/fp_guards/php_drupal_prepare_statement/App.php

@@ -0,0 +1,40 @@
+<?php
+// Drupal Database\Connection convention: `prepareStatement` returns a
+// statement object that carries the SQL template; binding happens
+// separately via `$stmt->execute($values, $opts)` with values shipped
+// out of band.  The structural cfg-unguarded-sink rule must treat
+// `prepareStatement` as a SQL_QUERY sanitizer the same way it treats
+// `prepare`, otherwise every Drupal Query subclass surfaces an FP at
+// the execute call.
+
+class DrupalQueryWrapper
+{
+    private $connection;
+    private $queryOptions;
+
+    public function execute()
+    {
+        $stmt = $this->connection->prepareStatement((string) $this, $this->queryOptions, true);
+        try {
+            $stmt->execute([], $this->queryOptions);
+            return $stmt->rowCount();
+        } catch (\Exception $e) {
+            $this->connection->exceptionHandler()->handleExecutionException($e, $stmt, [], $this->queryOptions);
+        }
+
+        return null;
+    }
+
+    public function executeUpdate($values)
+    {
+        $stmt = $this->connection->prepareStatement((string) $this, $this->queryOptions, true);
+        try {
+            $stmt->execute($values, $this->queryOptions);
+            return $stmt->rowCount();
+        } catch (\Exception $e) {
+            $this->connection->exceptionHandler()->handleExecutionException($e, $stmt, $values, $this->queryOptions);
+        }
+
+        return null;
+    }
+}

tests/fixtures/fp_guards/php_drupal_prepare_statement/expectations.json

@@ -0,0 +1,17 @@
+{
+  "required_findings": [],
+  "forbidden_findings": [
+    { "id_prefix": "cfg-unguarded-sink" },
+    { "id_prefix": "taint-unsanitised-flow" }
+  ],
+  "noise_budget": {
+    "max_total_findings": 0,
+    "max_high_findings": 0
+  },
+  "performance_expectations": {
+    "max_ms_no_index": 1000,
+    "max_ms_index_cold": 1500,
+    "max_ms_index_warm": 500,
+    "ci_mode": "lenient"
+  }
+}