v0.11.0 — near-miss sanitizer detection
The most dangerous vulnerabilities are not the unsanitized ones — they are the ones the developer believes are sanitized but are not. With `scan --src <dir>`, findings are now flagged when the path passes an attempted-but-incorrect sanitization:

- Insufficient — `name.replaceAll("'", "")` before a SQL sink does not prevent injection (backslash escaping, encodings, SQL functions).
- Blacklist — `input.replace("<script>", "")` before an HTML sink is trivially bypassed (`<scr<script>ipt>`).
- Discarded result — `htmlEscape(input)` is called but its return value is ignored while the original `input` is written.
- Wrong context — `htmlEscape(url)` before `response.sendRedirect(...)`. The taint engine alone treats this as sanitized, so without the near-miss layer it is a false negative — a flow other free tools miss entirely.
Shown in the console as `(near-miss sanitizer)` with the reason, and in SARIF under `result.properties.nearMiss`. The first three are real flows the engine already reports, so the annotation is advisory and adds no false positives; the wrong-context case is the one new detection the layer contributes.
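As an added illustration of how the four reasons above can be assigned, here is a toy classifier over a modelled taint path. It is not the tool's own code; the sanitizer-per-context table and the names `sqlParameter` and `allowlistedRedirect` are assumptions, and the sample paths are constructed from the cases listed above.

```python
from dataclasses import dataclass
from typing import Optional
# Assumed table (hypothetical names): which sanitizer is adequate for which sink.
CONTEXT_SANITIZERS = {
    "html": {"htmlEscape"},
    "sql": {"sqlParameter"},
    "redirect": {"allowlistedRedirect"},
}
BLACKLIST_TOKENS = {"<script>", "javascript:"}  # removing these is a blacklist, not a fix
SQL_QUOTE_TOKENS = {"'", '"'}  # stripping quotes before SQL is insufficient

@dataclass
class Step:
    """The sanitizer call on one source->sink path (constructed model)."""
    sanitizer: str      # callee name, e.g. "htmlEscape" or "replaceAll"
    args: tuple         # literal arguments, e.g. ("'", "")
    result_used: bool   # False when the return value is discarded
    sink: str           # "sql", "html" or "redirect"

def near_miss_reason(step: Step) -> Optional[str]:
    """Return why the sanitizer is a near miss, or None when it is real."""
    # Discarded result: a sanitizer whose output never reaches the sink.
    if not step.result_used:
        return "discarded result"
    if step.sanitizer in CONTEXT_SANITIZERS.get(step.sink, set()):
        return None
    # Wrong context: a real sanitizer, but for a different sink type.
    for ctx, names in CONTEXT_SANITIZERS.items():
        if step.sanitizer in names:
            return f"wrong context ({ctx} escaping before {step.sink} sink)"
    # String stripping: a blacklist token, or merely an insufficient quote strip.
    if step.sanitizer in ("replace", "replaceAll") and step.args[1:] == ("",):
        removed = step.args[0]
        if removed.lower() in BLACKLIST_TOKENS:
            return "blacklist"
        if step.sink == "sql" and removed in SQL_QUOTE_TOKENS:
            return "insufficient"
    return "unknown transformation"  # not vouched for, so still tainted

# The four paths from the release note, as constructed sample input.
PAGE_CASES = {
    "insufficient": Step("replaceAll", ("'", ""), True, "sql"),
    "blacklist": Step("replace", ("<script>", ""), True, "html"),
    "discarded": Step("htmlEscape", ("input",), False, "html"),
    "wrong-context": Step("htmlEscape", ("url",), True, "redirect"),
}

def classify_all() -> dict:
    """Map each sample case name to its near-miss reason."""
    return {name: near_miss_reason(step) for name, step in PAGE_CASES.items()}
```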
Benchmark grows to 37 cases (34 vulnerable, 3 safe): 33/33 by the taint engine, 34 with the near-miss layer, 0 false positives.
Most free SAST tools stop tracking when they see any transformation on the path, assuming the transformation sanitized the value. This does the opposite — it asks whether the sanitization is real.