
Accuracy Gains: Enhancements in False Positive Reduction and New True Positive Coverage

False Positive Reduction

  • JavaScript — SQL Injection: Added Find_Parameterized_SQL_Strings() exclusion at the sink level — queries built with parameterized strings are no longer flagged, removing a common FP class in Node.js apps.

  • Python — Code Injection: Pandas sinks are now excluded from the generic Code Injection sink list (Find_Pandas_Code_Injection_Outputs is subtracted before flow calculation), so Pandas eval() / query() flows are no longer reported as general code injection; they are reported by the dedicated Pandas Code Injection query instead. Sanitizer support also added via Find_Code_Injection_Sanitizers().

  • JavaScript — Stored XSS: Stored input source detection unified into NodeJS_Find_Stored_Inputs() helper (excluding local inputs), replacing an explicit fragmented list of DB output methods — improves precision of stored flow tracking and reduces noise from local variable sources.

  • iOS — Third Party Keyboard: Find_Swift_Third_Party_Keyboard_Enabled refactored to use a new Find_Swift_Third_Party_Keyboard_Safe_Application_Methods helper for proper exclusion of safe methods, reducing FPs where the keyboard restriction was correctly implemented.

New True Positive Coverage

Go

  • Server-Side Template Injection (Critical): New query for Go html/template / text/template unsafe construction — previously undetected attack surface.

  • LDAP Injection & Stored LDAP Injection (High): New queries; Go LDAP libraries had no coverage in v974.

  • XPath Injection & Stored XPath Injection (Medium): New queries with dedicated sink and sanitizer helpers.

  • Dangerous File Inclusion & Stored variant (High/Medium): plugin.Open and template.ParseFiles now tracked as sinks. A user-controlled path into either is more than a file read: template.ParseFiles renders whatever file the path resolves to, and plugin.Open loads and runs the init code of an attacker-chosen shared object.

  • 20+ medium/low-visibility checks (CSRF, Insecure TLS, Cookie Overly Broad Path, Heap Inspection, Missing Framing Policy, Insufficient Session Expiration, Off-by-One Error, etc.): Go was missing these checks that already existed in other languages.
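
The flow the new Server-Side Template Injection query targets, shown as an added example written for this note (not code from the scanner or its queries). It assumes a handler that builds a greeting template from a request value; the `page` struct, its `SessionHint` field and the `{{.SessionHint}}` payload are constructed for the illustration. The vulnerable path lets the user supply the template source, so any exported field or method of the object passed to Execute becomes readable; the safe path keeps the template source constant and passes the input as data, where html/template also escapes it. text/template has the same data-exposure behaviour on the vulnerable path, minus the escaping on the safe one.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// page is the object handed to Execute. Assumed for the example: SessionHint
// stands in for any value the developer never intended to render.
type page struct {
	Name        string
	SessionHint string
}

// vulnerableRender is the pattern the SSTI query flags: untrusted input becomes
// part of the template source itself, so template actions in it are executed.
func vulnerableRender(userInput string, data page) (string, error) {
	t, err := template.New("greeting").Parse("Hello " + userInput)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// greetingTmpl is parsed once from a constant; untrusted input only ever
// arrives through the data argument.
var greetingTmpl = template.Must(template.New("greeting").Parse("Hello {{.Name}}"))

// safeRender renders the input as text: template syntax in it stays literal and
// html/template applies contextual escaping.
func safeRender(userInput string) (string, error) {
	var buf bytes.Buffer
	if err := greetingTmpl.Execute(&buf, page{Name: userInput}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	data := page{Name: "alice", SessionHint: "internal-only-value"}
	// Constructed attacker input: a template action where a name was expected.
	payload := "{{.SessionHint}}"

	out, _ := vulnerableRender(payload, data)
	fmt.Println("vulnerable:", out) // Hello internal-only-value

	out, _ = safeRender(payload)
	fmt.Println("safe:", out) // Hello {{.SessionHint}}
}
```

The fix the query steers towards is structural: template sources come from constants or from files the application owns, never from request data, and user input is only ever a value inside the data argument.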

Python

  • Pandas Code Injection & Stored variant (Critical): pandas.DataFrame.query() and pandas.eval() are now tracked as code injection sinks — data analysis pipelines passing user input to these methods are now detected.

  • FastAPI Sources: New Find_FastAPI_Inputs / Find_FastAPI_Outputs helpers mean FastAPI route parameters are now correctly identified as taint sources for all vulnerability queries.

Java / JavaScript / Go — LLM Data Exposure

  • Privacy_Violation_in_LLM, PCI_Data_Exposure_to_LLM, Secret_Leak_to_LLM: New queries detecting PII/secrets/PCI data flowing to LLM APIs (OpenAI, Anthropic Claude, GitHub Copilot, Google Gemini) — a previously uncovered data exfiltration channel.
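
An added example of the data flow these three queries look for and of the sanitizer boundary that breaks it (example code written for this note, not part of the scanner or of any vendor SDK). The `llmClient` interface stands in for whichever provider SDK call is the sink; the support ticket, the e-mail address, the `api_key=` token and the card number (the standard Luhn-valid 4111 1111 1111 1111 test PAN) are all constructed. `redactForLLM` masks Luhn-valid card numbers, e-mail addresses and key=value secrets before the prompt leaves the process; the Luhn check is what keeps ordinary long numbers such as order IDs from being redacted.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// llmClient stands in for any provider SDK (OpenAI, Anthropic, Gemini, ...);
// the argument to Complete is the sink the queries track.
type llmClient interface {
	Complete(prompt string) (string, error)
}

// recordingClient is a fake provider that keeps the last prompt it received.
type recordingClient struct{ lastPrompt string }

func (r *recordingClient) Complete(prompt string) (string, error) {
	r.lastPrompt = prompt
	return "ok", nil
}

// ticket is a constructed support record that mixes PII, PCI data and a secret.
type ticket struct {
	Customer string
	Email    string
	Body     string
}

var (
	// 13-19 digit runs, optionally separated by spaces or dashes (card PAN shape).
	digitRun = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	emailRe  = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	// Assumed key names; extend to whatever your secret scanner already matches.
	secretRe = regexp.MustCompile(`(?i)\b(api[_-]?key|token|password|secret)\s*[:=]\s*\S+`)
)

// luhnValid reports whether a digit string passes the Luhn checksum used by PANs.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// redactForLLM is the sanitizer: PANs, e-mail addresses and secret values are
// masked before the text reaches the provider.
func redactForLLM(s string) string {
	s = digitRun.ReplaceAllStringFunc(s, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			return "[REDACTED-PAN]"
		}
		return m // long number that is not a card number, e.g. an order ID
	})
	s = emailRe.ReplaceAllString(s, "[REDACTED-EMAIL]")
	s = secretRe.ReplaceAllString(s, "${1}=[REDACTED]")
	return s
}

func buildPrompt(t ticket) string {
	return fmt.Sprintf("Customer %s <%s> wrote:\n%s\nSummarise the issue.", t.Customer, t.Email, t.Body)
}

// unsafeSummarise is the flow the queries flag: raw customer data to the LLM sink.
func unsafeSummarise(c llmClient, t ticket) (string, error) {
	return c.Complete(buildPrompt(t))
}

// safeSummarise routes the same prompt through the redaction sanitizer first.
func safeSummarise(c llmClient, t ticket) (string, error) {
	return c.Complete(redactForLLM(buildPrompt(t)))
}

func main() {
	c := &recordingClient{}
	tk := ticket{
		Customer: "Alice",
		Email:    "alice@example.com",
		Body:     "My card 4111 1111 1111 1111 was charged twice. api_key=sk-test-abc123 for reference.",
	}
	unsafeSummarise(c, tk)
	fmt.Println("unsafe prompt:\n" + c.lastPrompt)
	safeSummarise(c, tk)
	fmt.Println("safe prompt:\n" + c.lastPrompt)
}
```

Pattern-based redaction is a floor, not a ceiling: it catches the common shapes, and the scanner finding is the prompt to decide whether the field should be sent at all.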

CSharp / Go / Java / JavaScript / Python — Post-Quantum Cryptography

  • Weak_Post_Quantum_Cryptography: Detects use of quantum-vulnerable algorithms (RSA, ECDSA, AES, SHA-1/2/3) where PQC-safe alternatives are required. For triage: RSA and ECDSA are broken outright by Shor's algorithm, whereas symmetric primitives such as AES and SHA-2/3 are only weakened by Grover's quadratic speedup, so a finding on them normally means the key or digest size falls short of the applicable PQC policy rather than that the algorithm itself is unusable.

  • Compliant_Post_Quantum_Cryptography: Confirms correct use of PQC-safe algorithms (ML-KEM and ML-DSA, i.e. FIPS 203 and FIPS 204) for compliance verification.

Source / Sink / Sanitizer Gaps Closed

  • Go — ORM coverage: 5 previously unsupported database frameworks now covered (GORM, Meddler, the PostgreSQL driver, the standard database/sql package, plus improved Cassandra coverage). SQL Injection queries through these frameworks were producing no results in v974.

  • JavaScript — Stored sources: NodeJS_Find_Inputs() now includes NodeJS_Find_Stored_Inputs() (replaces NodeJS_Find_Read()), meaning all queries that call this helper gain stored-source taint tracking automatically.

  • Python — Stored sources: Find_Inputs() now includes Find_Stored_Inputs(), extending stored-source coverage to all Python queries depending on this helper.

  • PHP — CLI inputs: Find_Local_Inputs (renamed from Find_Interactive_Local_Inputs) no longer gates CLI input sources behind the useConsoleInputs flag — argv, stdin, readline are always tracked, closing a gap in CLI PHP application coverage.

  • Rust — Stored local inputs: New Find_Stored_Local_Inputs helper; Find_Stored_Inputs now conditionally includes it, correctly separating remote-stored from local-stored input sources for more accurate taint scoping.

  • Common — Hardcoded secrets: Find_Secret_Info, Find_General_Tokens, Find_Hardcoded_Key_Sanitizers updated with broader token/secret patterns, improving detection rate for hardcoded key and cryptographic key queries across all languages.

Severity Corrections

  • JavaScript — Privacy_Violation_in_JWT: Moved from Low_Visibility to Medium_Threat.

  • Go — PCI_Data_Exposure_in_JWT, Privacy_Violation_in_JWT, Secret_Leak_in_JWT: Moved from Low_Visibility to Medium_Threat.

  • Lua — PCI_Data_Exposure_in_JWT, Privacy_Violation_in_JWT: Moved from Low_Visibility to Medium_Threat.