feat(query): sink_pattern() AST attribute-chain matcher #218

Description

@rahlk

sink_pattern("request.env[*].sudo().*") — an AST/token-level attribute-chain matcher usable inside .reachable_to(pa.callsites(sink_pattern(...))) (#155 §3).

The escape hatch for dynamic-dispatch-heavy code (ORMs, message buses) where the resolved call graph cannot see the sinks. Matches are labeled structural by definition. Also bridges Bandit-/Semgrep-style pattern rules into CLDK without re-implementing them.

Part of #155. Branch: feat/issue-<n>.
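
One way such an attribute-chain matcher can work over Python's `ast` module, as an added example that is not CLDK's implementation. The pattern grammar and the names `compile_pattern`, `flatten` and `find_sinks` are assumptions, and the sample source is constructed.

```python
import ast
import re

# Assumed grammar (not CLDK's): "*" any one name, "[*]" any subscript, "()" a call.
_TOKEN = re.compile(r"\[\*\]|\(\)|\.|[A-Za-z_]\w*|\*")
_KIND = {"[*]": ("sub", None), "()": ("call", None)}

def compile_pattern(pattern):
    tokens = _TOKEN.findall(pattern)
    if "".join(tokens) != pattern:
        raise ValueError(f"unsupported pattern syntax: {pattern!r}")
    return [_KIND.get(t, ("name", t)) for t in tokens if t != "."]

def flatten(node):
    """Chain of an expression, root first; None unless it is a pure chain on a name."""
    chain = []
    while not isinstance(node, ast.Name):
        if isinstance(node, ast.Attribute):
            chain.append(("name", node.attr))
        elif isinstance(node, ast.Subscript):
            chain.append(("sub", None))
        elif isinstance(node, ast.Call):
            chain.append(("call", None))
        else:
            return None
        node = node.func if isinstance(node, ast.Call) else node.value
    return [("name", node.id)] + chain[::-1]

def find_sinks(source, pattern):
    """Call sites whose callee chain fits the pattern, labeled structural."""
    want = compile_pattern(pattern)
    hits = []
    for call in ast.walk(ast.parse(source)):
        got = flatten(call.func) if isinstance(call, ast.Call) else None
        if got and len(got) == len(want) and all(
                w == g or (w == ("name", "*") and g[0] == "name")
                for w, g in zip(want, got)):
            hits.append((call.lineno, got[-1][1], "structural"))
    return sorted(hits)

# Constructed sample input.
SAMPLE = '''
def handler(request, name):
    users = request.env["res.users"].sudo().search([])
    request.env["res.partner"].search([])   # no sudo(): not matched
    model = request.env[name].sudo()
    model.unlink()                          # aliased receiver: not matched
    request.env[name].sudo().write({"active": False})
'''
```

`find_sinks(SAMPLE, "request.env[*].sudo().*")` reports the calls on lines 3 and 7 of the sample; the aliased `model.unlink()` is missed because a structural matcher sees only the chain written at the call site.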
