v0.6.1

Precision & quality release

25 commits since v0.6.0 focused on precision, quality, and developer experience.

New rules & sources

• Kotlin taint rules: kt/taint-sql-injection, kt/taint-command-injection, kt/taint-ssrf with Ktor + Spring Boot sources
• NoSQL injection: py/taint-nosql-injection, js/taint-nosql-injection, go/taint-nosql-injection for MongoDB
• XXE taint: py/taint-xxe, js/taint-xxe with defusedxml sanitizer support
• Log injection: py/taint-log-injection, js/taint-log-injection, go/taint-log-injection
• Deserialization: js/no-unsafe-deserialization, go/no-unsafe-deserialization
• JWT: py/jwt-no-verify, py/jwt-hardcoded-secret, go/jwt-no-verify, go/jwt-hardcoded-secret
• Java XSS, C# path traversal, Ruby SSRF + path traversal, Go path traversal taint
• Framework sources: Koa, NestJS (JS), Echo/Fiber/Chi (Go), Tornado/Bottle (Python)

Taint engine fixes

• Python walrus operator (:=) now tracked
• JS await expressions no longer break taint chain
• Go type assertions preserve taint
• JS spread elements (...arr) propagate taint
• Python comprehensions propagate taint
• Ternary/conditional expressions propagate taint in Python + JS
• JS export default functions now included in cross-file summaries

Precision improvements (false positive reduction)

• LDAP rules: .search()/.bind() no longer match String.search()/Function.bind()
• NoSQL rules: .find() restricted to MongoDB collection patterns, not Array.find()
• Log injection: .error()/.log() restricted to console.* to avoid generic method FPs
• Ruby system("literal") no longer fires
• NoSQL severity downgraded from Critical → High
• Sanitizers now match fix suggestions: shlex.quote, DOMPurify.sanitize, shellescape, html.escape, encodeURIComponent all recognized
• Fix suggestions always visible (not gated behind --explain)
• Noise path exclusions: /spec/, /__tests__/, /__snapshots__/, /generated/, /gen/, /stubs/

Refactoring

• impl_rule! macro eliminates 1,665 lines of boilerplate across 174 rules
• Single-pass language partition in scanner (was 3 separate filter passes)
• Integration tests organized into 12 language-grouped modules

Totals

• 174 built-in rules across 10 languages
• 337 tests all passing
• Cross-file taint for Python, JavaScript, Go

Upgrading

npx foxguard@0.6.1 .

What's Changed

• feat(js): add Koa and NestJS taint sources (refs #95) by @peaktwilight in #99
• feat: add log injection taint rules for Python, JS, Go (refs #91) by @peaktwilight in #101
• feat: propagate taint through ternary/conditional expressions (refs #93) by @peaktwilight in #100
• feat: add XXE taint rules for Python and JavaScript (refs #92) by @peaktwilight in #103
• feat: add deserialization rules for JS/Go and JWT rules for Python/Go (refs #94, #98) by @peaktwilight in #106
• feat(py): propagate taint through list/dict/set comprehensions (refs #96) by @peaktwilight in #107
• feat: add NoSQL injection taint rules for Python, JS, Go (refs #97) by @peaktwilight in #108
• fix: handle walrus operator, await expressions, and Go type assertions in taint engines (refs #109, #110, #113) by @peaktwilight in #115
• feat(go): add path traversal taint rule (refs #114) by @peaktwilight in #116
• fix(js): handle export default in cross-file taint analysis (refs #112) by @peaktwilight in #117
• feat(kt): add SQL injection, command injection, and SSRF taint rules (refs #111) by @peaktwilight in #118
• fix: JS spread taint, noise path exclusions, always-visible fix suggestions (refs #119, #121, #122) by @peaktwilight in #125
• feat: add Java XSS and C# path traversal rules (refs #123, #124) by @peaktwilight in #126
• feat(rb): add SSRF and path traversal rules (refs #120) by @peaktwilight in #127
• feat(go): add Echo, Fiber, Chi framework taint sources (refs #129) by @peaktwilight in #131
• feat(py): track with-statement bindings and add Tornado/Bottle taint sources (refs #128, #130) by @peaktwilight in #132
• fix: restrict log injection matchers and downgrade NoSQL severity (refs #134, #135) by @peaktwilight in #137
• fix: restrict LDAP sink matchers to avoid String.search/Function.bind false positives (refs #133, #136) by @peaktwilight in #138
• fix: add missing sanitizers (shlex.quote, DOMPurify, etc.) to taint rules (refs #139) by @peaktwilight in #143
• fix: Ruby command injection literal check + restrict NoSQL find matcher (refs #140, #141) by @peaktwilight in #144
• refactor: single-pass language partition in scanner + fix XSS severity consistency (refs #146, #147) by @peaktwilight in #149
• refactor: add impl_rule! macro to reduce rule boilerplate (refs #145) by @peaktwilight in #150
• refactor: organize integration tests into language-grouped modules (refs #148) by @peaktwilight in #151

Full Changelog: v0.6.0...v0.6.1