Added Cap::DATA_EXFIL and taint fp and fn fixes on real repos (#59)

* feat: Enhance data exfiltration detection with source sensitivity gating for cookies and headers

* feat: Implement cross-file data exfiltration detection with parameter-specific gate filters

* feat: Add calibration tests and refine DATA_EXFIL severity scoring logic

* feat: Introduce per-detector configuration for data exfiltration suppression

* feat: Enhance DATA_EXFIL findings with destination field tracking in diagnostics and SARIF output

* feat: Add tainted body and URL handling for data exfiltration detection

* feat: Add integration tests and fixtures for DATA_EXFIL and SSRF detection in Go

* feat: Add Java integration tests and fixtures for DATA_EXFIL detection across multiple HTTP clients

* feat: Add synthetic externals handling for closure-captured variables in SSA

* feat: Implement closure-based suppression for resource leak findings

* feat: Add regression guards for shell-injection and taint propagation in for-of destructure patterns

* feat: Implement constructor cap narrowing for data exfiltration detection in HTTP request builders

* feat: Add gated sinks for data exfiltration detection in C and C++ using curl_easy_setopt

* feat: Implement DATA_EXFIL cap parity for backwards analysis and add integration tests

* feat: Add data exfiltration sinks for various languages and enhance documentation

* refactor: Simplify formatting and improve readability in various files

* refactor: Improve readability by simplifying conditional statements and adding clippy linting

* docs: Update CHANGELOG and comments for data exfiltration features and configuration

* docs: Clarify configuration instructions for data exfiltration trusted destinations

* docs: Enhance comments for evidence routing logic in data exfiltration

tests/fixtures/cross_file_python_data_exfil/caller_body_tainted.py

@@ -0,0 +1,18 @@
+"""Tainted body, fixed URL: DATA_EXFIL must fire on the body flow.  The
+session cookie is a Sensitive-tier source, so taint carries the
+DATA_EXFIL bit through to the wrapper's body-gate.  SSRF must NOT fire —
+the URL is a hardcoded literal and the cap-vs-position split keeps the
+body's taint from leaking onto the URL's gate.
+"""
+from flask import Flask, session
+
+from helper import forward
+
+app = Flask(__name__)
+
+
+@app.route('/sync')
+def sync():
+    sid = session.get('user_token')
+    forward('https://analytics.internal/track', {'session': sid})
+    return '', 204

tests/fixtures/cross_file_python_data_exfil/caller_url_tainted.py

@@ -0,0 +1,17 @@
+"""Tainted URL, fixed body: SSRF must fire on the URL flow.  DATA_EXFIL
+must NOT fire — the body is a literal dict, not a sensitive source, and
+the cap-vs-position split through the wrapper's summary keeps the URL's
+taint from leaking onto the body's gate.
+"""
+from flask import Flask, request
+
+from helper import forward
+
+app = Flask(__name__)
+
+
+@app.route('/proxy', methods=['POST'])
+def proxy():
+    tainted_url = request.args.get('url')
+    forward(tainted_url, {'event': 'proxy_call'})
+    return '', 204

tests/fixtures/cross_file_python_data_exfil/expectations.json

@@ -0,0 +1,22 @@
+{
+  "required_findings": [
+    { "id_prefix": "taint-unsanitised-flow", "min_count": 1 },
+    { "id_prefix": "taint-data-exfiltration", "min_count": 1 }
+  ],
+  "forbidden_findings": [
+    {
+      "id_prefix": "taint-data-exfiltration",
+      "file_glob": "**/caller_url_tainted.py"
+    },
+    {
+      "id_prefix": "taint-unsanitised-flow",
+      "file_glob": "**/caller_body_tainted.py"
+    }
+  ],
+  "performance_expectations": {
+    "max_ms_no_index": 1500,
+    "max_ms_index_cold": 2000,
+    "max_ms_index_warm": 800,
+    "ci_mode": "lenient"
+  }
+}

tests/fixtures/cross_file_python_data_exfil/helper.py

@@ -0,0 +1,12 @@
+"""Wrapper around requests.post whose two parameters target distinct
+gated-sink classes on the inner call: `url` is the SSRF gate's destination
+(arg 0); `body` is the DATA_EXFIL gate's payload (json kwarg).  Pass-1 SSA
+summary extraction lifts the per-position cap split into
+`param_to_gate_filters` so cross-file callers can attribute SSRF vs
+DATA_EXFIL per argument.
+"""
+import requests
+
+
+def forward(url, body):
+    requests.post(url, json=body)