codegraph exports: false-positive cross-language consumer attribution via name-based fallback matching #1783

@carlos-alm

Context

Discovered during Titan audit (phase: gauntlet, date: 2026-07-02).

Description

codegraph exports produces a false-positive cross-language consumer attribution: the load export in tests/benchmarks/resolution/tracer/loader-hooks.mjs (a JS ESM loader hook) is reported as consumed by tests/benchmarks/resolution/tracer/ruby-tracer.rb (line 0). Manually verified ruby-tracer.rb only calls the Ruby builtin Kernel#load at line 80 — an unrelated call in a different language with no import relationship to the JS file. This looks like a name-based fallback in consumer/import resolution matching identically-named calls across languages/files with no static import edge between them.

Side effect: the real (dynamic, node:module register()-based) consumer in loader-hook.mjs is invisible to static resolution, so this export presents as having exactly one consumer, and that one consumer is bogus.

Additional Context

Repro:

codegraph exports tests/benchmarks/resolution/tracer/loader-hooks.mjs -T --json
grep -n load tests/benchmarks/resolution/tracer/ruby-tracer.rb

Source

  • Titan phase: gauntlet
  • Severity: bug
  • Category: codegraph
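
A toy model of the failure mode reported above, added here as an illustration and not taken from codegraph's code. The file paths and the Ruby call at line 80 come from the issue; the data shape, the `FAMILY` grouping and the function names `consumersNaive` and `consumersGuarded` are hypothetical.

```javascript
// Toy model, NOT codegraph's implementation. File facts mirror the issue:
// loader-hooks.mjs exports `load`; ruby-tracer.rb calls Kernel#load at line 80;
// loader-hook.mjs registers the hooks dynamically, so it has no static import edge.
const DIR = 'tests/benchmarks/resolution/tracer/';
const files = [
  { path: DIR + 'loader-hooks.mjs', lang: 'javascript', exports: ['load'], imports: [], calls: [] },
  { path: DIR + 'loader-hook.mjs', lang: 'javascript', exports: [], imports: [],
    calls: [{ name: 'register', line: 1 }] },            // line number is constructed
  { path: DIR + 'ruby-tracer.rb', lang: 'ruby', exports: [], imports: [],
    calls: [{ name: 'load', line: 80 }] },
];

// Languages whose modules can import each other (assumed grouping).
const FAMILY = { javascript: 'js', typescript: 'js', ruby: 'ruby' };

// Consumers proven by a static import edge that names the export.
function byImportEdge(target, name) {
  return files
    .filter(f => f.imports.some(i => i.from === target.path && i.names.includes(name)))
    .map(f => ({ file: f.path, via: 'import' }));
}

// Suspected behaviour: with no import edge, match any same-named call anywhere.
function consumersNaive(targetPath, name) {
  const target = files.find(f => f.path === targetPath);
  const proven = byImportEdge(target, name);
  if (proven.length) return proven;
  return files
    .filter(f => f !== target && f.calls.some(c => c.name === name))
    .map(f => ({ file: f.path, via: 'name-fallback' }));
}

// Guarded: the fallback only considers callers in the target's language family,
// and flags whatever it returns as unproven.
function consumersGuarded(targetPath, name) {
  const target = files.find(f => f.path === targetPath);
  const proven = byImportEdge(target, name);
  if (proven.length) return proven;
  return files
    .filter(f => f !== target && FAMILY[f.lang] === FAMILY[target.lang])
    .filter(f => f.calls.some(c => c.name === name))
    .map(f => ({ file: f.path, via: 'name-fallback', confidence: 'low' }));
}
```

In this model the guarded resolver reports no consumers for `load`, which matches what static analysis can actually prove; the dynamic `register()` consumer stays invisible to both variants.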

Labels: titan-audit (Issues discovered during Titan audit)