feat(dsl): 3-tier VDG local analysis replacing line-proximity (PR-04) (#595)

Part 4/8 of V5 QueryType × VDG Integration. CFG-aware VDG → Flat VDG → Line-proximity fallback.

Author: shivasurya

sast-engine/dsl/bridge_test.go

@@ -204,3 +204,92 @@ func TestNewDataflowExecutor_InitializesDefaults(t *testing.T) {
 		t.Error("CallGraph should be set")
 	}
 }
+
+func TestConfidenceForMethod(t *testing.T) {
+	executor := NewDataflowExecutor(&DataflowIR{}, core.NewCallGraph())
+
+	tests := []struct {
+		method   string
+		expected float64
+	}{
+		{"cfg_vdg", 0.95},
+		{"flat_vdg", 0.85},
+		{"interprocedural_vdg", 0.80},
+		{"line_proximity", 0.50},
+		{"unknown", 0.60},
+	}
+
+	for _, tc := range tests {
+		got := executor.confidenceForMethod(tc.method)
+		if got != tc.expected {
+			t.Errorf("confidenceForMethod(%q) = %v, want %v", tc.method, got, tc.expected)
+		}
+	}
+}
+
+func TestExecuteLocal_LegacyFallback(t *testing.T) {
+	// No Statements populated → should fall back to line_proximity
+	cg := core.NewCallGraph()
+	cg.CallSites["test.handler"] = []core.CallSite{
+		{Target: "os.getenv", Location: core.Location{Line: 1}},
+		{Target: "eval", Location: core.Location{Line: 5}},
+	}
+	// Intentionally NOT setting cg.Statements
+
+	ir := &DataflowIR{
+		Sources:    toRawMessages(CallMatcherIR{Type: "call_matcher", Patterns: []string{"os.getenv"}}),
+		Sinks:      toRawMessages(CallMatcherIR{Type: "call_matcher", Patterns: []string{"eval"}}),
+		Sanitizers: emptyRawMessages(),
+		Scope:      "local",
+	}
+
+	executor := NewDataflowExecutor(ir, cg)
+	detections := executor.executeLocal()
+
+	if len(detections) != 1 {
+		t.Fatalf("expected 1 detection from legacy fallback, got %d", len(detections))
+	}
+	if detections[0].MatchMethod != "line_proximity" {
+		t.Errorf("expected MatchMethod 'line_proximity', got %q", detections[0].MatchMethod)
+	}
+	if detections[0].Confidence != 0.50 {
+		t.Errorf("expected Confidence 0.50, got %v", detections[0].Confidence)
+	}
+}
+
+func TestExecuteLocal_VDGAnalysis(t *testing.T) {
+	// With Statements populated → should use VDG
+	funcFQN := "test.module.handler"
+	cg := core.NewCallGraph()
+	cg.CallSites[funcFQN] = []core.CallSite{
+		{Target: "os.getenv", Location: core.Location{Line: 1}},
+		{Target: "eval", Location: core.Location{Line: 2}},
+	}
+	cg.Statements[funcFQN] = []*core.Statement{
+		makeTestAssignStmt(1, "x", "os.getenv", []string{}),
+		makeTestCallStmt(2, "eval", []string{"x"}),
+	}
+
+	ir := &DataflowIR{
+		Sources:    toRawMessages(CallMatcherIR{Type: "call_matcher", Patterns: []string{"os.getenv"}}),
+		Sinks:      toRawMessages(CallMatcherIR{Type: "call_matcher", Patterns: []string{"eval"}}),
+		Sanitizers: emptyRawMessages(),
+		Scope:      "local",
+	}
+
+	executor := NewDataflowExecutor(ir, cg)
+	detections := executor.executeLocal()
+
+	if len(detections) != 1 {
+		t.Fatalf("expected 1 detection from VDG, got %d", len(detections))
+	}
+	if detections[0].MatchMethod != "flat_vdg" {
+		t.Errorf("expected MatchMethod 'flat_vdg', got %q", detections[0].MatchMethod)
+	}
+	if detections[0].Confidence != 0.85 {
+		t.Errorf("expected Confidence 0.85, got %v", detections[0].Confidence)
+	}
+	if detections[0].TaintedVar == "" {
+		t.Error("expected TaintedVar to be set")
+	}
+}

sast-engine/dsl/dataflow_executor.go

@@ -41,11 +41,13 @@ func (e *DataflowExecutor) Execute() []DataflowDetection {
 	return e.executeGlobal()
 }
 
-// executeLocal performs intra-procedural taint analysis.
+// executeLocal performs intra-procedural taint analysis with 3-tier fallback:
+// Tier 1: CFG-aware VDG (highest confidence) — uses control flow graph + variable dependency graph
+// Tier 2: Flat VDG — uses variable dependency graph without CFG
+// Tier 3: Line-number proximity (legacy fallback) — when no statements available.
 func (e *DataflowExecutor) executeLocal() []DataflowDetection {
 	detections := []DataflowDetection{}
 
-	// Resolve matchers polymorphically.
 	sourceCalls := e.resolveMatchers(e.IR.Sources)
 	if len(sourceCalls) == 0 {
 		e.Diagnostics.Addf("debug", "dataflow", "0 sources found, skipping local analysis")
@@ -60,45 +62,123 @@ func (e *DataflowExecutor) executeLocal() []DataflowDetection {
 
 	sanitizerCalls := e.resolveMatchers(e.IR.Sanitizers)
 
-	// For local scope, check if source and sink are in the same function.
+	sourcePatterns := e.extractTargetPatterns(sourceCalls)
+	sinkPatterns := e.extractTargetPatterns(sinkCalls)
+	sanitizerPatterns := e.extractTargetPatterns(sanitizerCalls)
+
+	candidateFuncs := e.findFunctionsWithSourcesAndSinks(sourceCalls, sinkCalls)
+
+	for _, funcFQN := range candidateFuncs {
+		stmts := e.getStatementsForFunction(funcFQN)
+		if len(stmts) == 0 {
+			// Tier 3: Legacy line-number proximity (no statements available)
+			e.executeLocalLegacy(funcFQN, sourceCalls, sinkCalls, sanitizerCalls, &detections)
+			continue
+		}
+
+		// Tier 1: CFG-aware VDG
+		analysisMethod := "flat_vdg"
+		var summary *core.TaintSummary
+
+		if raw, exists := e.CallGraph.CFGs[funcFQN]; exists {
+			if cfGraph, ok := raw.(*cfg.ControlFlowGraph); ok {
+				if rawBS, bsExists := e.CallGraph.CFGBlockStatements[funcFQN]; bsExists {
+					if blockStmts, bsOK := rawBS.(cfg.BlockStatements); bsOK && len(blockStmts) > 0 {
+						summary = taint.AnalyzeWithCFG(funcFQN, cfGraph, blockStmts,
+							sourcePatterns, sinkPatterns, sanitizerPatterns)
+						analysisMethod = "cfg_vdg"
+					}
+				}
+			}
+		}
+
+		// Tier 2: Flat VDG (if Tier 1 found no detections)
+		if summary == nil || !summary.HasDetections() {
+			summary = taint.AnalyzeWithVDG(funcFQN, stmts,
+				sourcePatterns, sinkPatterns, sanitizerPatterns)
+			analysisMethod = "flat_vdg"
+		}
+
+		if summary != nil {
+			for _, det := range summary.Detections {
+				detections = append(detections, DataflowDetection{
+					FunctionFQN: funcFQN,
+					SourceLine:  int(det.SourceLine),
+					SinkLine:    int(det.SinkLine),
+					TaintedVar:  det.SourceVar,
+					SinkCall:    det.SinkCall,
+					Confidence:  e.confidenceForMethod(analysisMethod),
+					Sanitized:   false,
+					Scope:       "local",
+					MatchMethod: analysisMethod,
+				})
+			}
+		}
+	}
+
+	return detections
+}
+
+// confidenceForMethod returns the confidence score for a given analysis method.
+func (e *DataflowExecutor) confidenceForMethod(method string) float64 {
+	switch method {
+	case "cfg_vdg":
+		return 0.95
+	case "flat_vdg":
+		return 0.85
+	case "interprocedural_vdg":
+		return 0.80
+	case "line_proximity":
+		return 0.50
+	default:
+		return 0.60
+	}
+}
+
+// executeLocalLegacy performs line-number proximity analysis (Tier 3 fallback).
+// Used when no statements are available for a function.
+func (e *DataflowExecutor) executeLocalLegacy(
+	funcFQN string,
+	sourceCalls, sinkCalls, sanitizerCalls []CallSiteMatch,
+	detections *[]DataflowDetection,
+) {
 	for _, source := range sourceCalls {
+		if source.FunctionFQN != funcFQN {
+			continue
+		}
 		for _, sink := range sinkCalls {
-			if source.FunctionFQN != sink.FunctionFQN {
+			if sink.FunctionFQN != funcFQN {
 				continue
 			}
 
 			hasSanitizer := false
-			for _, sanitizer := range sanitizerCalls {
-				if sanitizer.FunctionFQN == source.FunctionFQN {
-					if (sanitizer.Line > source.Line && sanitizer.Line < sink.Line) ||
-						(sanitizer.Line > sink.Line && sanitizer.Line < source.Line) {
+			for _, san := range sanitizerCalls {
+				if san.FunctionFQN == funcFQN {
+					if (san.Line > source.Line && san.Line < sink.Line) ||
+						(san.Line > sink.Line && san.Line < source.Line) {
 						hasSanitizer = true
 						break
 					}
 				}
 			}
-
 			if hasSanitizer {
 				continue
 			}
 
-			detection := DataflowDetection{
-				FunctionFQN:  source.FunctionFQN,
+			*detections = append(*detections, DataflowDetection{
+				FunctionFQN:  funcFQN,
 				SourceLine:   source.Line,
 				SourceColumn: source.CallSite.Location.Column,
 				SinkLine:     sink.Line,
 				SinkColumn:   sink.CallSite.Location.Column,
 				SinkCall:     sink.CallSite.Target,
-				Confidence:   e.Config.getLocalScopeConfidence(),
+				Confidence:   0.50,
 				Sanitized:    false,
 				Scope:        "local",
-			}
-
-			detections = append(detections, detection)
+				MatchMethod:  "line_proximity",
+			})
 		}
 	}
-
-	return detections
 }
 
 // executeGlobal performs inter-procedural taint analysis.

sast-engine/dsl/dataflow_executor_test.go

@@ -63,7 +63,8 @@ func TestDataflowExecutor_Local(t *testing.T) {
 		assert.Equal(t, 10, detections[0].SinkLine)
 		assert.Equal(t, "execute", detections[0].SinkCall)
 		assert.Equal(t, "local", detections[0].Scope)
-		assert.Equal(t, 0.7, detections[0].Confidence)
+		assert.Equal(t, 0.50, detections[0].Confidence)
+		assert.Equal(t, "line_proximity", detections[0].MatchMethod)
 		assert.False(t, detections[0].Sanitized)
 	})
 

sast-engine/dsl/dataflow_executor_vdg_test.go

@@ -162,10 +162,8 @@ func TestVDGIntegration_Case4_SanitizerKills(t *testing.T) {
 	}
 }
 
-// TestVDGIntegration_Case5_UnrelatedVars tests: x = source(); sink(y) -> NO DETECT
-// Skip: requires VDG variable tracking (PR-04). Line-proximity executor detects this as a false positive.
+// TestVDGIntegration_Case5_UnrelatedVars tests: x = source(); sink(y) -> NO DETECT.
 func TestVDGIntegration_Case5_UnrelatedVars(t *testing.T) {
-	t.Skip("Requires VDG variable tracking (PR-04): line-proximity cannot distinguish unrelated variables")
 
 	funcFQN := "test.module.case_unrelated"
 	stmts := []*core.Statement{
@@ -193,10 +191,8 @@ func TestVDGIntegration_Case5_UnrelatedVars(t *testing.T) {
 	}
 }
 
-// TestVDGIntegration_Case6_ReassignmentKills tests: x = source(); x = "safe"; sink(x) -> NO DETECT
-// Skip: requires VDG variable tracking (PR-04). Line-proximity executor cannot track reassignment.
+// TestVDGIntegration_Case6_ReassignmentKills tests: x = source(); x = "safe"; sink(x) -> NO DETECT.
 func TestVDGIntegration_Case6_ReassignmentKills(t *testing.T) {
-	t.Skip("Requires VDG variable tracking (PR-04): line-proximity cannot track reassignment kills")
 
 	funcFQN := "test.module.case_reassign"
 	stmts := []*core.Statement{
@@ -331,7 +327,6 @@ func TestVDGIntegration_Scorecard(t *testing.T) {
 				{Target: "eval", Location: core.Location{Line: 2}},
 			},
 			expectDetected: false,
-			skip:           "Requires VDG variable tracking (PR-04)",
 		},
 		{
 			name: "6. Reassignment kills taint",
@@ -345,7 +340,6 @@ func TestVDGIntegration_Scorecard(t *testing.T) {
 				{Target: "eval", Location: core.Location{Line: 3}},
 			},
 			expectDetected: false,
-			skip:           "Requires VDG variable tracking (PR-04)",
 		},
 		{
 			name: "7. Multi-hop transitive flow",