feat(taint): register source/sink models for more languages (currently JS/TS only) #2204

@magyargergo

Summary

The taint layer runs for every --pdg language but only JS/TS have registered source/sink models. Add per-language taint source/sink specs so cross-language security flows light up.

Background

Cross-language PDG validation (PR #2197): the taint solver ran on all 12 languages, but TAINTED findings were emitted only where a model exists —

  • express (JS): 34 TAINTED findings
  • every other language (python, java, go, c#, php, ruby, rust, swift, kotlin, dart, c/c++): 0 findings, taint=0ms — no model registered.

The engine (per-function summaries, interprocedural fixpoint, TAINTED/TAINT_PATH emit, explain) is implemented and language-agnostic — it just needs per-language source/sink/sanitizer specs (see getSourceSinkConfig / registerBuiltinTaintModels).

Proposed work

  • Register taint models for additional ecosystems: HTTP request params (sources), SQL / command-exec / file-path / template sinks, and per-ecosystem sanitizers. Start with python + java (highest-value security surfaces).

Acceptance

  • python + java models registered with unit fixtures showing real source→sink flows.
  • Non-zero TAINTED findings on representative real repos (e.g. a Flask app, a Spring app) in the validation harness.

Surfaced by #2195 cross-language validation. Refs #2195.
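
Added example, not part of the issue and not the project's code: a sketch of what a Flask source/sink/sanitizer model could contain, checked against a constructed handler the way a unit fixture would. Assumptions: the `FLASK_MODEL` shape, the helper names, and the straight-line per-function pass built on Python's `ast` module are hypothetical stand-ins for the project's spec format and interprocedural engine, and a sanitizer here clears taint for every sink kind.

```python
import ast

# Hypothetical spec shape (not the project's schema): dotted call names per role.
FLASK_MODEL = {
    "sources": {"request.args.get", "request.form.get", "request.get_json"},
    "sinks": {"cursor.execute": "sql", "os.system": "command-exec",
              "open": "file-path", "render_template_string": "template"},
    "sanitizers": {"int", "shlex.quote", "secure_filename"},
}

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else None

def is_tainted(expr, tainted, model):
    """True if expr may carry source data, given the tainted variable names."""
    name = dotted(expr.func) if isinstance(expr, ast.Call) else None
    if name in model["sanitizers"] or name in model["sources"]:
        return name in model["sources"]  # sanitizer call: clean, source call: tainted
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted, model) for c in ast.iter_child_nodes(expr))

def find_flows(code, model=FLASK_MODEL):
    """Straight-line pass per function; returns [(line, sink_kind)]."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(code)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in fn.body:
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                kind = model["sinks"].get(dotted(call.func))
                if kind and any(is_tainted(a, tainted, model) for a in call.args):
                    findings.append((call.lineno, kind))
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                update = tainted.add if is_tainted(stmt.value, tainted, model) else tainted.discard
                update(stmt.targets[0].id)
    return findings

SAMPLE = '''def lookup():  # constructed sample, parsed only, never run
    uid = request.args.get("id")
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
    cursor.execute("SELECT * FROM users WHERE id = %s", (int(uid),))
    uid = shlex.quote(uid)
    os.system("id " + uid)
    os.system("ping -c1 " + request.form.get("host"))
'''
```

`find_flows(SAMPLE)` reports the f-string query on line 3 and the unsanitized `os.system` call on line 7, and stays silent on the parameterized query and the quoted argument.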
