Client analyses (taint + slicing) as SDG queries over program_graphs #3

Description

@rahlk

Establishes the SDK side of the analyzer/SDK boundary now standard across the codeanalyzer-* family (cldk-forge PR #7; reference instantiation codellm-devkit/codeanalyzer-java#171). The analyzers are pure graph providers — they emit the dependence graph (SDG with transitive SUMMARY edges) and nothing more. Client analyses (taint, slicing) live here, in the TypeScript SDK.

This is the destination for the taint/slicing work being removed from the analyzer scope of codeanalyzer-typescript#2. That issue keeps the Jelly integration and the SDG construction (the graph substrate); the taint query, the sources/sinks/sanitizers model packs, and the taint_flows output move here.

Scope

  1. Graph models for analysis.json's program_graphs section (CFG/PDG/SDG, (signature, node_id) keys), mirroring the shared cross-language shapes.
  2. Backward/forward slicing as reverse reachability over CDG ∪ DDG ∪ PARAM_* ∪ SUMMARY, context-sensitive via the two-phase HRB traversal (SUMMARY edges carry across calls).
  3. Taint as labeled reachability: seed at sources, propagate along dependence edges, block/flag at sanitizers on the path, report source→sink flows; witness paths reconstructed lazily over reverse value-flow edges with the model id per hop.
  4. Sources/sinks/sanitizers/library models as data — JSON spec + JSON Schema, precedence built-in pack < config file < inline. The relational-summary/model-pack format from the analyzer spike moves here.
  5. taint_flows / slice-result as SDK output ({ source, sink, rule, sanitized, path }), not analyzer output.
  6. Facade methods on CLDK.for("typescript")'s query surface: slice + taint.
  7. Surface graph over-approximations in results (ENTRY-anchored PARAM arity, missing SUMMARY edges before they land, heap precision capped by Jelly's Andersen solve).

Gates

  • Slice: exact hand-computed node set; no callee-internal leakage (SUMMARY edges proven used).
  • Taint: one source→sink flow found; the same flow with a sanitizer interposed reported sanitized; witness path names every hop.

Contract references: cldk-forge cldk-sdk-frontend (SKILL.md § Client analyses, sdk-testing.md § 3b).
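The two client analyses in the scope list, worked end to end as an added example (this is not code from the codeanalyzer-* or cldk projects, and the SDK query surface is not shown): a hand-built SDG in the "signature::node_id" keying, the two-phase HRB backward slice over CDG ∪ DDG ∪ PARAM_* ∪ SUMMARY with a context-insensitive slice beside it for contrast, taint as labeled forward reachability with sanitizer SUMMARY hops flagged rather than blocked, lazy witness-path reconstruction from a predecessor map, and model packs merged with built-in < config file < inline precedence. The node ids, the edge-kind names, the assumption that a SUMMARY edge carries the callee name as its model id, the rule/pack shapes and the `rule` string format are all assumptions made for the illustration; the program itself (a `main()` that sends `source()` output through `sanitize()` to one `sink()` and raw to a second, plus an `other()` that also calls `sanitize()`) is constructed.

```typescript
// Added example (not code from the codeanalyzer/cldk projects): a toy SDG keyed "signature::node_id",
// HRB two-phase backward slicing, and taint as labeled reachability over a merged model pack.
type Kind = "CDG" | "DDG" | "CALL" | "PARAM_IN" | "PARAM_OUT" | "SUMMARY";
interface SdgNode { id: string; callee?: string }
interface SdgEdge { from: string; to: string; kind: Kind; model?: string } // model: callee a SUMMARY hop stands for
interface Rule { id: string; callee: string }
interface ModelPack { sources: Rule[]; sinks: Rule[]; sanitizers: Rule[] }
interface Flow { source: string; sink: string; rule: string; sanitized: boolean; path: SdgEdge[] }
const N = (id: string, callee?: string): SdgNode => ({ id, callee });
const E = (kind: Kind, from: string, to: string, model?: string): SdgEdge => ({ from, to, kind, model });
// Constructed sample (assumed ids): main() taints x at node 1, routes it through sanitize() (actual-in/out pair at
// call site 3) into sink(z) at 4, and passes raw x to sink(x) at 5; other() also calls sanitize().
const nodes: SdgNode[] = [
  N("main::ENTRY"), N("main::1", "source"), N("main::2"), N("main::3", "sanitize"), N("main::3.ain"),
  N("main::3.aout"), N("main::4", "sink"), N("main::5", "sink"), N("other::ENTRY"), N("other::1"),
  N("other::2", "sanitize"), N("other::2.ain"), N("other::2.aout"), N("sanitize::ENTRY"),
  N("sanitize::fin"), N("sanitize::1"), N("sanitize::fout"),
];
const edges: SdgEdge[] = [
  ...["1", "2", "3", "4", "5"].map((n) => E("CDG", "main::ENTRY", `main::${n}`)),
  E("CDG", "main::3", "main::3.ain"), E("CDG", "main::3", "main::3.aout"),
  E("DDG", "main::1", "main::3.ain"), E("DDG", "main::3.aout", "main::4"), E("DDG", "main::1", "main::5"),
  E("CDG", "other::ENTRY", "other::1"), E("CDG", "other::ENTRY", "other::2"), E("DDG", "other::1", "other::2.ain"),
  E("CDG", "other::2", "other::2.ain"), E("CDG", "other::2", "other::2.aout"),
  ...["fin", "1", "fout"].map((n) => E("CDG", "sanitize::ENTRY", `sanitize::${n}`)),
  E("DDG", "sanitize::fin", "sanitize::1"), E("DDG", "sanitize::1", "sanitize::fout"),
  E("CALL", "main::3", "sanitize::ENTRY"), E("CALL", "other::2", "sanitize::ENTRY"),
  E("PARAM_IN", "main::3.ain", "sanitize::fin"), E("PARAM_IN", "other::2.ain", "sanitize::fin"),
  E("PARAM_OUT", "sanitize::fout", "main::3.aout"), E("PARAM_OUT", "sanitize::fout", "other::2.aout"),
  E("SUMMARY", "main::3.ain", "main::3.aout", "sanitize"), E("SUMMARY", "other::2.ain", "other::2.aout", "sanitize"),
];

// Reachability restricted to an edge-kind set; back=true walks edges in reverse.
function reach(seeds: Iterable<string>, kinds: Kind[], back: boolean): Set<string> {
  const seen = new Set(seeds), work = Array.from(seen);
  while (work.length) {
    const n = work.pop()!;
    for (const e of edges) {
      const next = kinds.indexOf(e.kind) >= 0 && (back ? e.to === n && e.from : e.from === n && e.to);
      if (next && !seen.has(next)) { seen.add(next); work.push(next); }
    }
  }
  return seen;
}
// HRB two-phase backward slice. Phase 1 ascends to callers only (no PARAM_OUT: callee bodies are skipped, SUMMARY
// edges stand in for them); phase 2 descends into callees only (no PARAM_IN/CALL: it cannot climb back out into other()).
function backwardSlice(criterion: string): Set<string> {
  const up = reach([criterion], ["CDG", "DDG", "CALL", "PARAM_IN", "SUMMARY"], true);
  return reach(up, ["CDG", "DDG", "PARAM_OUT", "SUMMARY"], true);
}
function contextInsensitiveSlice(criterion: string): Set<string> { // for contrast: no calling context at all
  return reach([criterion], ["CDG", "DDG", "CALL", "PARAM_IN", "PARAM_OUT", "SUMMARY"], true);
}

// Precedence built-in < config file < inline: a later pack's rule replaces an earlier one with the same id.
function mergePacks(...packs: ModelPack[]): ModelPack {
  const merge = (k: keyof ModelPack) =>
    Array.from(new Map(([] as Rule[]).concat(...packs.map((p) => p[k])).map((r): [string, Rule] => [r.id, r])).values());
  return { sources: merge("sources"), sinks: merge("sinks"), sanitizers: merge("sanitizers") };
}

// Taint as labeled forward reachability over value-flow edges (CDG, i.e. implicit flow, is not followed here).
// State = (node, source, sanitized); phase 1 follows DDG/SUMMARY/PARAM_OUT (stay or ascend), phase 2 swaps PARAM_OUT
// for PARAM_IN (descend). A SUMMARY hop whose model is a sanitizer flips the label; witnesses are rebuilt from `pred`.
function taint(pack: ModelPack): Flow[] {
  type State = [node: string, src: string, sanitized: boolean];
  const byId = new Map(nodes.map((n): [string, SdgNode] => [n.id, n]));
  const ruleFor = (rules: Rule[], id: string) => rules.find((r) => r.callee === byId.get(id)?.callee);
  const key = ([n, s, z]: State) => `${n}|${s}|${z}`;
  const pred = new Map<string, { prev: State; hop: SdgEdge }>();
  const states = nodes.filter((n) => ruleFor(pack.sources, n.id)).map((n): State => [n.id, n.id, false]);
  const seen = new Set(states.map(key));
  for (const kinds of [["DDG", "SUMMARY", "PARAM_OUT"], ["DDG", "SUMMARY", "PARAM_IN"]] as Kind[][]) {
    const work = Array.from(states);
    while (work.length) {
      const st = work.pop()!, [n, src, san] = st;
      for (const e of edges) {
        if (e.from !== n || kinds.indexOf(e.kind) < 0) continue;
        const hit: State = [e.to, src, san || (e.kind === "SUMMARY" && pack.sanitizers.some((r) => r.callee === e.model))];
        if (seen.has(key(hit))) continue;
        seen.add(key(hit)); pred.set(key(hit), { prev: st, hop: e }); work.push(hit); states.push(hit);
      }
    }
  }
  const flows = new Map<string, Flow>(); // one flow per (source, sink); an unsanitized witness wins over a sanitized one
  for (const st of states) {
    const [sink, src, sanitized] = st, id = `${src}>${sink}`, sinkRule = ruleFor(pack.sinks, sink), path: SdgEdge[] = [];
    if (!sinkRule || (flows.has(id) && !flows.get(id)!.sanitized)) continue;
    for (let cur = st; pred.has(key(cur)); cur = pred.get(key(cur))!.prev) path.unshift(pred.get(key(cur))!.hop);
    flows.set(id, { source: src, sink, rule: `${ruleFor(pack.sources, src)!.id}->${sinkRule.id}`, sanitized, path });
  }
  return Array.from(flows.values());
}

// Model packs as data (constructed): built-in knows source and sink, the config file adds the sanitizer model, and an
// inline override re-points that rule at another callee, demoting sanitize() to an ordinary call.
const builtinPack: ModelPack = { sources: [{ id: "untrusted-input", callee: "source" }], sinks: [{ id: "dangerous-sink", callee: "sink" }], sanitizers: [] };
const configPack: ModelPack = { sources: [], sinks: [], sanitizers: [{ id: "html-escape", callee: "sanitize" }] };
const inlinePack: ModelPack = { sources: [], sinks: [], sanitizers: [{ id: "html-escape", callee: "strictSanitize" }] };
console.log(Array.from(backwardSlice("main::4")).sort(), JSON.stringify(taint(mergePacks(builtinPack, configPack))));
```

Run as is, the slice of `main::4` is exactly the ten nodes on the `source() -> sanitize() -> sink(z)` chain plus `sanitize()`'s body; `main::2`, `main::5` and every `other::*` node stay out, whereas `contextInsensitiveSlice` drags `other::1` and `other::2.ain` in through `sanitize::fin`, which is the leakage the SUMMARY edges and the phase split prevent. `taint` reports two flows with the same source: `main::1 -> main::5` unsanitized with a one-hop path, and `main::1 -> main::4` with `sanitized: true` and a three-hop path whose middle hop is the SUMMARY edge carrying model `sanitize`. Adding `inlinePack` to the merge replaces the `html-escape` rule, so the same `main::4` flow comes back unsanitized; that is the precedence behaviour the scope item describes, and it is also why a flow is flagged rather than dropped at a sanitizer, since whether the hop counts as sanitizing is a property of the active pack, not of the graph.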
