v0.5.1

@peaktwilight peaktwilight released this 12 Apr 12:28
· 657 commits to main since this release

What's new since v0.5.0

Kotlin — 10th supported language

Full Kotlin support via tree-sitter-kotlin-sg. 10 security rules targeting JVM APIs: SQL injection, command injection, unsafe deserialization, SSRF, path traversal, weak crypto, hardcoded secrets, XXE, CORS wildcard, and ScriptEngine eval.

9 new taint rules: SSTI, XPath, LDAP injection

Every taint language (Python, JS, Go) now covers three additional sink categories:

  • Server-Side Template Injection: py/taint-ssti, js/taint-ssti, go/taint-ssti (CWE-1336)
  • XPath injection: py/taint-xpath-injection, js/taint-xpath-injection, go/taint-xpath-injection (CWE-643)
  • LDAP injection: py/taint-ldap-injection, js/taint-ldap-injection, go/taint-ldap-injection (CWE-90)

Python taint improvements

  • % operator propagation: "SELECT %s" % user_input now detected
  • .format() propagation: "SELECT {}".format(user_input) now detected
  • Tuple/list literal propagation: "... %s" % (clean, tainted) now detected
  • os.environ.get() now recognized as a taint source

Performance

  • Lock-free parallel scanner: replaced Mutex<Vec<Finding>> with par_iter().flat_map().collect(), eliminating lock contention

Totals

  • 134 built-in rules across 10 languages
  • 275 tests all passing

Upgrading

npx foxguard@0.5.1 .

What's Changed

  • feat(py): propagate taint through % formatting, .format(), and tuple/list literals by @peaktwilight in #75
  • perf: lock-free parallel scanner via flat_map/collect by @peaktwilight in #76
  • feat(go): add SSTI, XPath, LDAP taint rules by @peaktwilight in #78
  • feat(js): add SSTI, XPath, LDAP taint rules by @peaktwilight in #79
  • feat(py): add SSTI, XPath, LDAP taint rules and os.environ.get source by @peaktwilight in #80
  • feat: add Kotlin as 10th supported language with 10 security rules by @peaktwilight in #81

Full Changelog: v0.5.0...v0.5.1