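/**
 * @fileoverview Interprocedural Analyzer for Cross-Function Data Flow Analysis
 *
 * Type declarations only: the interfaces describe the call graph, the
 * data-flow paths and the findings produced by `InterproceduralAnalyzer`,
 * and the class/factory declarations give its public surface. No runtime
 * behaviour is defined here.
 *
 * @module @nahisaho/musubix-security/analyzers/sast/interprocedural-analyzer
 * @trace DES-SEC2-SAST-004, REQ-SEC2-SAST-004
 */
import type { Vulnerability, Severity, SourceLocation } from '../../types/vulnerability.js';

/**
 * Complete output of one interprocedural analysis run.
 */
export interface InterproceduralResult {
  /** Findings derived from the data-flow paths. */
  vulnerabilities: InterproceduralVulnerability[];
  /** Call graph built from the analysed code. */
  callGraph: CallGraph;
  /** Every source-to-sink path that was traced, sanitized or not. */
  dataFlowPaths: DataFlowPath[];
  /** Work counters for the run. */
  analysisMetrics: AnalysisMetrics;
}

/**
 * A finding that spans more than one function: tainted data enters at
 * `entryPoint` and reaches `sinkPoint` along `dataFlowPath`.
 */
export interface InterproceduralVulnerability {
  id: string;
  type: 'taint-propagation' | 'privilege-escalation' | 'data-leakage' | 'injection';
  severity: Severity;
  /** Where the tainted data enters the program. */
  entryPoint: SourceLocation;
  /** Where the tainted data is consumed. */
  sinkPoint: SourceLocation;
  /** The traced path backing this finding. */
  dataFlowPath: DataFlowPath;
  description: string;
  recommendation: string;
  /** Analyzer's confidence in the finding; scale not fixed here — presumably 0..1, confirm against the implementation. */
  confidence: number;
}

/**
 * Call graph of the analysed code. `entryPoints` and `sinks` hold node ids
 * (see `CallGraphNode.id`) rather than node objects.
 */
export interface CallGraph {
  nodes: CallGraphNode[];
  edges: CallGraphEdge[];
  /** Ids of nodes classified as entry points (see `isEntryPoint`). */
  entryPoints: string[];
  /** Ids of nodes classified as sinks (see `isSinkFunction`). */
  sinks: string[];
}

/**
 * One callable in the call graph.
 */
export interface CallGraphNode {
  id: string;
  name: string;
  file: string;
  line: number;
  type: 'function' | 'method' | 'constructor' | 'callback' | 'anonymous';
  isAsync: boolean;
  /** Formal parameters with their taint status at the time of analysis. */
  parameters: ParameterInfo[];
  /** Declared return type, when one could be read from the source. */
  returnType?: string;
  /** Modifier keywords found on the declaration (see `extractModifiers`). */
  modifiers: string[];
}

/**
 * A call from `source` to `target` (both node ids) at `callSite`.
 */
export interface CallGraphEdge {
  source: string;
  target: string;
  callSite: SourceLocation;
  callType: 'direct' | 'indirect' | 'virtual' | 'callback';
  /** Actual arguments bound to the callee's parameters at this call site. */
  arguments: ArgumentBinding[];
}

/**
 * A formal parameter of a call-graph node.
 */
export interface ParameterInfo {
  name: string;
  /** Zero-based position in the parameter list. */
  index: number;
  type?: string;
  isTainted: boolean;
  /** Identifier of the taint source when `isTainted` is true. */
  taintSource?: string;
}

/**
 * An actual argument at a call site, mapped onto the callee's parameter.
 */
export interface ArgumentBinding {
  /** Index into the callee's `parameters`. */
  parameterIndex: number;
  /** Source text of the argument expression. */
  expression: string;
  isTainted: boolean;
  taintSource?: string;
}

/**
 * A traced flow of tainted data from `source` to `sink`.
 *
 * `isSanitized` is true when a sanitizer node was found on the path; in
 * that case `sanitizationPoint` identifies it. A sanitized path is still
 * reported in `InterproceduralResult.dataFlowPaths`.
 */
export interface DataFlowPath {
  id: string;
  source: DataFlowNode;
  sink: DataFlowNode;
  /** Nodes between source and sink, in flow order. */
  intermediateNodes: DataFlowNode[];
  /** Taint category carried by the path (matches `TaintSourceDef.type`). */
  taintType: string;
  /** See `calculatePathConfidence`; scale presumably 0..1 — confirm. */
  confidence: number;
  isSanitized: boolean;
  sanitizationPoint?: DataFlowNode;
}

/**
 * One step in a data-flow path.
 */
export interface DataFlowNode {
  id: string;
  /** Source text of the expression at this step. */
  expression: string;
  location: SourceLocation;
  nodeType: 'source' | 'sink' | 'transform' | 'sanitizer' | 'propagator';
  taintState: 'tainted' | 'sanitized' | 'unknown';
}

/**
 * Work counters for one analysis run.
 */
export interface AnalysisMetrics {
  totalFunctions: number;
  totalCallSites: number;
  /** Deepest call chain followed. */
  analysisDepth: number;
  /** Elapsed time; unit is not fixed by this declaration (milliseconds likely, matching `timeout`) — confirm. */
  executionTime: number;
  nodesVisited: number;
  pathsAnalyzed: number;
}

/**
 * Analysis options.
 *
 * `maxDepth`, `timeout` and `maxNodes` are the only bounds on how much
 * work the analyzer does on a given input; leave them set when analysing
 * code from untrusted repositories so a large or adversarial input cannot
 * run the traversal indefinitely. Custom patterns are regular expressions
 * that the analyzer matches against the analysed source — a pattern with
 * catastrophic backtracking will slow every run, so keep them simple.
 */
export interface InterproceduralOptions {
  /** Maximum call depth to analyze */
  maxDepth?: number;
  /** Analysis timeout in milliseconds */
  timeout?: number;
  /** Maximum nodes to visit */
  maxNodes?: number;
  /** Enable context-sensitive analysis */
  contextSensitive?: boolean;
  /** Track implicit data flows */
  trackImplicitFlows?: boolean;
  /** Custom source definitions */
  customSources?: TaintSourceDef[];
  /** Custom sink definitions */
  customSinks?: TaintSinkDef[];
  /** Custom sanitizer definitions */
  customSanitizers?: SanitizerDef[];
}

/**
 * Where tainted data originates: code matching `pattern` introduces taint
 * of category `type`.
 */
export interface TaintSourceDef {
  pattern: RegExp;
  type: string;
  description: string;
}

/**
 * Where tainted data must not arrive unsanitized: code matching `pattern`
 * is a sink for taint of category `type` and, when reached, yields a
 * finding of `vulnerabilityType` at `severity`.
 */
export interface TaintSinkDef {
  pattern: RegExp;
  type: string;
  vulnerabilityType: string;
  severity: Severity;
}

/**
 * A call that neutralises taint: code matching `pattern` clears the taint
 * categories listed in `sanitizes`.
 */
export interface SanitizerDef {
  pattern: RegExp;
  /** Taint categories (matching `TaintSourceDef.type`) this sanitizer clears. */
  sanitizes: string[];
}

/**
 * Interprocedural Analyzer
 *
 * Builds a call graph, traces taint from sources to sinks across function
 * boundaries and reports the unsanitized paths as vulnerabilities.
 *
 * @trace DES-SEC2-SAST-004
 */
export declare class InterproceduralAnalyzer {
  private options;
  private sources;
  private sinks;
  private sanitizers;
  private callGraph;
  private visitedNodes;
  private analysisStartTime;
  /**
   * @param options - Limits and custom source/sink/sanitizer definitions; all fields optional.
   */
  constructor(options?: InterproceduralOptions);
  /**
   * Analyze code for interprocedural vulnerabilities
   *
   * @param code - Source text to analyse.
   * @param filePath - Path reported in locations of the findings.
   * @returns The full result: findings, call graph, traced paths and metrics.
   * @trace REQ-SEC2-SAST-004
   */
  // NOTE(review): the return type was an unparameterised `Promise`, which does not
  // compile; `InterproceduralResult` is the type `toVulnerabilities` consumes.
  analyze(code: string, filePath: string): Promise<InterproceduralResult>;
  /**
   * Build call graph from code
   *
   * @param code - Source text to analyse.
   * @param filePath - Path recorded on each node's `file`.
   */
  buildCallGraph(code: string, filePath: string): CallGraph;
  /**
   * Track data flow across functions
   *
   * @param code - Source text to analyse.
   * @param filePath - Path recorded in node locations.
   * @returns Every traced source-to-sink path, sanitized or not.
   */
  trackDataFlow(code: string, filePath: string): DataFlowPath[];
  /** Detect vulnerabilities from data flow paths */
  private detectVulnerabilities;
  /** Find taint sources in code */
  private findTaintSources;
  /** Find taint sinks in code */
  private findTaintSinks;
  /** Trace flow from source to sinks */
  private traceFlowToSinks;
  /** Find intermediate nodes between source and sink */
  private findIntermediateNodes;
  /** Find sanitization point in intermediate nodes */
  private findSanitizationPoint;
  /** Calculate path confidence */
  private calculatePathConfidence;
  /** Check if analysis should stop (presumably enforces `maxDepth`/`timeout`/`maxNodes` — confirm) */
  private shouldStopAnalysis;
  /** Determine node type */
  private determineNodeType;
  /** Parse function parameters */
  private parseParameters;
  /** Extract function modifiers */
  private extractModifiers;
  /** Check if function is an entry point */
  private isEntryPoint;
  /** Check if function is a sink */
  private isSinkFunction;
  /** Extract function body */
  private extractFunctionBody;
  /** Determine call type */
  private determineCallType;
  /** Parse arguments at call site */
  private parseArguments;
  /** Generate vulnerability description */
  private generateDescription;
  /** Generate recommendation */
  private generateRecommendation;
  /**
   * Convert results to standard vulnerability format
   *
   * @param result - Output of `analyze`.
   * @returns The findings as the shared `Vulnerability` type used by other analyzers.
   */
  toVulnerabilities(result: InterproceduralResult): Vulnerability[];
  /** Get CWE IDs for vulnerability type */
  private getCWEsForType;
  /** Get OWASP IDs for vulnerability type */
  private getOWASPForType;
}

/**
 * Create interprocedural analyzer instance
 *
 * @param options - Passed through to the `InterproceduralAnalyzer` constructor.
 */
export declare function createInterproceduralAnalyzer(options?: InterproceduralOptions): InterproceduralAnalyzer;
//# sourceMappingURL=interprocedural-analyzer.d.ts.map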