Python fp and docs updtes (#58)

* refactor: Update comments for clarity and add expectations.json files for performance metrics

* feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks

* feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks

* refactor: Simplify code formatting for better readability in multiple files

* refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration

* feat: Update Java and Python patterns to include new security rules

* refactor: Improve comment clarity and consistency across multiple Rust files

* refactor: Simplify code formatting for improved readability in integration tests and module files

* refactor: Improve comment formatting and enhance clarity in assertions across multiple files

tests/fixtures/patterns/java/negative.java

@@ -1,5 +1,9 @@
 import java.sql.*;
 import java.security.SecureRandom;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
+import org.apache.commons.text.StringSubstitutor;
 
 class Negative {
     // Safe: parameterized query
@@ -19,4 +23,17 @@ class Negative {
     void safeLiteralQuery(Statement stmt) throws Exception {
         stmt.executeQuery("SELECT COUNT(*) FROM users");
     }
+
+    // Safe: SnakeYAML 2.0 / explicit SafeConstructor — CVE-2022-1471 fix shape.
+    void safeSnakeyamlSafeConstructor(String body) {
+        LoaderOptions opts = new LoaderOptions();
+        Yaml yaml = new Yaml(new SafeConstructor(opts));
+        Object data = yaml.load(body);
+    }
+
+    // Safe: empty StringSubstitutor — no interpolator factory — CVE-2022-42889 fix shape.
+    String safeStringSubstitutorPassthrough(String input) {
+        StringSubstitutor s = new StringSubstitutor();
+        return s.replace(input);
+    }
 }

tests/fixtures/patterns/java/positive.java

@@ -1,6 +1,8 @@
 import java.io.*;
 import java.util.Random;
 import java.security.MessageDigest;
+import org.yaml.snakeyaml.Yaml;
+import org.apache.commons.text.StringSubstitutor;
 
 class Positive {
     // java.deser.readobject
@@ -45,4 +47,16 @@ class Positive {
     void triggerGetWriterPrint(javax.servlet.http.HttpServletResponse resp) throws Exception {
         resp.getWriter().println("<html>" + "data" + "</html>");
     }
+
+    // java.deser.snakeyaml_unsafe_constructor — CVE-2022-1471 regression guard.
+    void triggerSnakeyamlUnsafeConstructor() throws Exception {
+        Yaml yaml = new Yaml();
+        Object data = yaml.load("payload");
+    }
+
+    // java.code_exec.text4shell_interpolator — CVE-2022-42889 regression guard.
+    String triggerText4ShellInterpolator(String input) {
+        StringSubstitutor s = StringSubstitutor.createInterpolator();
+        return s.replace(input);
+    }
 }

tests/fixtures/patterns/python/positive.py

@@ -42,6 +42,14 @@ def trigger_yaml(data):
 def trigger_sql_concat(cursor, user):
     cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
 
+# py.sqli.execute_format (f-string variant)
+def trigger_sql_fstring(cursor, user):
+    cursor.execute(f"SELECT * FROM users WHERE name = '{user}'")
+
+# py.sqli.text_format
+def trigger_sqlalchemy_text_fstring(connection, user):
+    connection.execute(text(f"SELECT * FROM users WHERE name = '{user}'"))
+
 # py.crypto.md5
 def trigger_md5(data):
     hashlib.md5(data)