Summary
Overhaul the taint analysis stack: consolidate 4 overlapping engines into 1 unified cross-file inter-procedural engine, add persistence (stored injection) modeling, add library method approximation system, and add debug-trace tooling. Target: 5+ hops cross-file (currently 1 hop), 50%+ false-positive reduction with LLM validator.
Worker consensus (6 reports)
| Worker |
Source |
Contribution |
| OpenTaint |
update!/CodeLens_vs_OpenTaint_Upgrade_Analysis.md A1 |
Unify ast_taint_engine.py (3,756 LOC) + crossfile_taint_engine.py (946 LOC) into 1 pipeline. Taint path 5 hops cross-file. --max-depth N flag. Benchmark: detect +3 previously-missed findings in vulnerable_app/. |
| OpenTaint |
same file A2 |
Persistence / stored injection modeling — taint reaching DB/file/cache sink is tagged persisted_taint, resumed when read from persistence source. |
| OpenTaint |
same file A3 |
Library method approximation system — passThrough YAML + dataflow Python plugin for Promise.then, Optional.map, Map.computeIfAbsent, _.get. ~30 built-in approximations. |
| OpenTaint |
same file A4 |
Debug-trace taint engine — codelens debug-rule <rule-id> emits SARIF codeFlows with kinds: ["taint_fact"]. Auto-classify kill cause: missing_approximation, rule_defect, engine_issue. |
| OpenTaint |
same file F1 |
Consolidate taint engine (remove duplication) — audit 4 engines (ast_taint_engine, crossfile_taint_engine, dataflow_engine, semantic_engine), deprecate semantic_engine, consolidate crossfile_taint_engine into ast_taint_engine. |
| Opengrep |
update!/CodeLens_Opengrep_Upgrade_Analysis.md #44 |
Intrafile cross-function taint (signature extraction) — extract per-function taint signature, topological sort, replay signature at call site (no re-analysis). 2x faster than inline approach. |
| Opengrep |
same file #56 |
Guarded taint signatures (branch-condition guards) — attach branch condition to taint effect, evaluate at call site. |
| Opengrep |
same file #61 |
Shape inference for taint propagation — infer variable shape (list, dict, set, object) for accurate propagation through dict[key], list.append(item). |
| RepoAudit |
update!/CodeLens_Upgrade_Issues_from_RepoAudit.md CL-038 |
LLM dataflow explorer (intra-procedural path analysis) — LLM traces dataflow per-path within single function (path-sensitive). |
| RepoAudit |
same file CL-039 |
LLM path validator (inter-procedural feasibility check) — validates candidate buggy paths, returns is_reachable: bool + explanation. Target 50%+ FP reduction. |
| RepoAudit |
same file CL-040 |
Bug type-specific detectors (NPD, MLK, UAF, SQLi, XSS, CMD, PATH) — refactor YAML rules into per-bug-type Python classes. |
Proposed phased scope
Phase 1 — Consolidation (P1, 2 weeks, depends on F1)
- Audit 4 engines, document behavior + coverage
- Deprecate
semantic_engine.py with warning
- Consolidate
crossfile_taint_engine.py into ast_taint_engine.py
Phase 2 — Unified cross-file engine (P1, 3-4 weeks)
- Single pipeline reaching 5+ hops cross-file
--max-depth N flag (default 5)
- Taint path rendering:
file_a.py:handler → request.args → file_b.py:sanitize → file_c.py:db.execute
- Benchmark: detect +3 findings in
vulnerable_app/ that current engine misses
Phase 3 — Signature extraction for performance (P2, 2 weeks)
- Per-function taint signature:
{params_tainted, returns_tainted, fields_tainted, sinks_reached}
- Topological sort call graph, replay signature at call site
- Target: 2x faster than inline on 50+ function files
Phase 4 — Persistence modeling (P2, 2 weeks)
persistence_sinks / persistence_sources config in YAML rules
- Taint tag
persisted_taint, resumed on read from persistence source
- Test fixture:
benchmarks/fixtures/vulnerable_app/src/stored_injection.py
Phase 5 — Library method approximation (P2, 4-5 weeks)
- New
scripts/approximations/{passthrough,dataflow}/ directories
- PassThrough YAML: simple from→to copy (e.g.
Promise.then from $0 to return)
- Dataflow Python plugin: complex (lambda/callback/async, returns
TaintResult(propagate_to, confidence))
- ~30 built-in approximations for common library methods
--track-external-methods emits dropped-methods.yaml + approximated-methods.yaml
Phase 6 — Debug-trace tool (P2, 3 weeks, depends on Phase 5)
codelens debug-rule <rule-id> command
- SARIF
codeFlows with kinds: ["taint_fact"]
- Auto-classify kill cause
Phase 7 — LLM validator (optional, P2, 4-6 weeks, depends on separate LLM integration issue)
- LLM dataflow explorer (RepoAudit CL-038) + path validator (CL-039)
- Target 50%+ FP reduction
- Behind
--llm-validate opt-in flag (cost concern)
Acceptance criteria
License note
OpenTaint is GPL-3.0 — design influenced but no code copy. RepoAudit is Purdue Non-Commercial — design influenced, reimplement from scratch.
Summary
Overhaul the taint analysis stack: consolidate 4 overlapping engines into 1 unified cross-file inter-procedural engine, add persistence (stored injection) modeling, add library method approximation system, and add debug-trace tooling. Target: 5+ hops cross-file (currently 1 hop), 50%+ false-positive reduction with LLM validator.
Worker consensus (6 reports)
update!/CodeLens_vs_OpenTaint_Upgrade_Analysis.mdA1ast_taint_engine.py(3,756 LOC) +crossfile_taint_engine.py(946 LOC) into 1 pipeline. Taint path 5 hops cross-file.--max-depth Nflag. Benchmark: detect +3 previously-missed findings invulnerable_app/.persisted_taint, resumed when read from persistence source.Promise.then,Optional.map,Map.computeIfAbsent,_.get. ~30 built-in approximations.codelens debug-rule <rule-id>emits SARIFcodeFlowswithkinds: ["taint_fact"]. Auto-classify kill cause:missing_approximation,rule_defect,engine_issue.ast_taint_engine,crossfile_taint_engine,dataflow_engine,semantic_engine), deprecatesemantic_engine, consolidatecrossfile_taint_engineintoast_taint_engine.update!/CodeLens_Opengrep_Upgrade_Analysis.md#44dict[key],list.append(item).update!/CodeLens_Upgrade_Issues_from_RepoAudit.mdCL-038is_reachable: bool+ explanation. Target 50%+ FP reduction.Proposed phased scope
Phase 1 — Consolidation (P1, 2 weeks, depends on F1)
semantic_engine.pywith warningcrossfile_taint_engine.pyintoast_taint_engine.pyPhase 2 — Unified cross-file engine (P1, 3-4 weeks)
--max-depth Nflag (default 5)file_a.py:handler → request.args → file_b.py:sanitize → file_c.py:db.executevulnerable_app/that current engine missesPhase 3 — Signature extraction for performance (P2, 2 weeks)
{params_tainted, returns_tainted, fields_tainted, sinks_reached}Phase 4 — Persistence modeling (P2, 2 weeks)
persistence_sinks/persistence_sourcesconfig in YAML rulespersisted_taint, resumed on read from persistence sourcebenchmarks/fixtures/vulnerable_app/src/stored_injection.pyPhase 5 — Library method approximation (P2, 4-5 weeks)
scripts/approximations/{passthrough,dataflow}/directoriesPromise.thenfrom$0toreturn)TaintResult(propagate_to, confidence))--track-external-methodsemitsdropped-methods.yaml+approximated-methods.yamlPhase 6 — Debug-trace tool (P2, 3 weeks, depends on Phase 5)
codelens debug-rule <rule-id>commandcodeFlowswithkinds: ["taint_fact"]Phase 7 — LLM validator (optional, P2, 4-6 weeks, depends on separate LLM integration issue)
--llm-validateopt-in flag (cost concern)Acceptance criteria
semantic_engine.pydeprecated, no behavior regressionvulnerable_app/benchmarkPromise.thentaint propagation works in JS/TScodelens debug-ruleoutput usable for rule authoringvulnerable_app/benchmarkLicense note
OpenTaint is GPL-3.0 — design influenced but no code copy. RepoAudit is Purdue Non-Commercial — design influenced, reimplement from scratch.