seqra · misonijnik · May 22, 2026
diff --git a/core/opentaint-config/config/config/jar-split/ant-1.10.14.yaml b/core/opentaint-config/config/config/jar-split/ant-1.10.14.yaml
@@ -0,0 +1,13 @@
+passThrough:
+# Apache Ant: FileSet.setDir(File) / setFile(File) — the file argument
+# is stored on the FileSet instance, so a subsequent
+# `copy.addFileset(fs)` sink that requires a tainted $FILE detects
+# the flow.
+- function: org.apache.tools.ant.types.FileSet#setDir
+  copy:
+  - from: arg(0)
+    to: this
+- function: org.apache.tools.ant.types.FileSet#setFile
+  copy:
+  - from: arg(0)
+    to: this
diff --git a/core/opentaint-config/config/config/jar-split/commons-codec-1.16.0.yaml b/core/opentaint-config/config/config/jar-split/commons-codec-1.16.0.yaml
@@ -0,0 +1,16 @@
+passThrough:
+# Apache Commons Codec — Base64 encode/decode just re-codes bytes
+# without disturbing the underlying tainted data, so taint should
+# flow from input to output.
+- function: org.apache.commons.codec.binary.Base64#encodeBase64String
+  copy:
+  - from: arg(0)
+    to: result
+- function: org.apache.commons.codec.binary.Base64#encodeBase64
+  copy:
+  - from: arg(0)
+    to: result
+- function: org.apache.commons.codec.binary.Base64#decodeBase64
+  copy:
+  - from: arg(0)
+    to: result
diff --git a/core/opentaint-config/config/config/jar-split/commons-io-2.15.1.yaml b/core/opentaint-config/config/config/jar-split/commons-io-2.15.1.yaml
@@ -0,0 +1,8 @@
+passThrough:
+# Apache Commons IO: IOUtils.toString(InputStream|Reader|URL, ...) just
+# reads bytes/chars from its input and produces a String — taint flows
+# from the input source argument to the resulting String.
+- function: org.apache.commons.io.IOUtils#toString
+  copy:
+  - from: arg(0)
+    to: result
diff --git a/core/opentaint-config/config/config/jar-split/groovy-3.0.21.yaml b/core/opentaint-config/config/config/jar-split/groovy-3.0.21.yaml
@@ -0,0 +1,9 @@
+passThrough:
+# Groovy compiler: CompilationUnit.addSource(name, source) — the
+# source text becomes part of the CompilationUnit instance that's
+# later compiled by .compile(), so the source-text argument taints
+# the unit.
+- function: org.codehaus.groovy.control.CompilationUnit#addSource
+  copy:
+  - from: arg(1)
+    to: this
diff --git a/core/opentaint-config/config/config/jar-split/httpcore5-5.2.4.yaml b/core/opentaint-config/config/config/jar-split/httpcore5-5.2.4.yaml
@@ -0,0 +1,7 @@
+passThrough:
+# Apache HttpComponents 5 — String-arg wrapper constructor that the
+# SSRF sink rules use as an inline taint carrier.
+- function: org.apache.hc.core5.http.io.entity.StringEntity#<init>
+  copy:
+  - from: arg(*)
+    to: this
diff --git a/core/opentaint-config/config/config/jar-split/jenkins-core-2.426.3.yaml b/core/opentaint-config/config/config/jar-split/jenkins-core-2.426.3.yaml
@@ -0,0 +1,7 @@
+passThrough:
+# hudson.FilePath wrapper constructor — taint flows from any
+# String/File/URL argument into the constructed FilePath instance.
+- function: hudson.FilePath#<init>
+  copy:
+  - from: arg(*)
+    to: this
diff --git a/core/opentaint-config/config/config/jar-split/mvel2-2.5.2.Final.yaml b/core/opentaint-config/config/config/jar-split/mvel2-2.5.2.Final.yaml
@@ -0,0 +1,26 @@
+passThrough:
+# MVEL compile / executeExpression chain — compileExpression(expr)
+# returns a Serializable that's later passed to executeExpression /
+# MVELRuntime.execute as a tainted compiled program. The compile
+# methods just pass the input expression text through to the result.
+- function: org.mvel2.MVEL#compileExpression
+  copy:
+  - from: arg(0)
+    to: result
+- function: org.mvel2.MVEL#compileSetExpression
+  copy:
+  - from: arg(0)
+    to: result
+- function: org.mvel2.MVEL#compileGetExpression
+  copy:
+  - from: arg(0)
+    to: result
+# JSR-223 ScriptEngine compile / compiledScript
+- function: org.mvel2.jsr223.MvelScriptEngine#compile
+  copy:
+  - from: arg(0)
+    to: result
+- function: org.mvel2.jsr223.MvelScriptEngine#compiledScript
+  copy:
+  - from: arg(0)
+    to: result
diff --git a/core/opentaint-config/config/config/jar-split/okhttp-4.12.0.yaml b/core/opentaint-config/config/config/jar-split/okhttp-4.12.0.yaml
@@ -0,0 +1,16 @@
+passThrough:
+# OkHttp Request.Builder — `new Request.Builder().url($X).build()` chain.
+# `.url()` mutates the builder and returns it (taint flows arg→this and
+# arg→result and this→result so the chain propagates through `.build()`).
+- function: okhttp3.Request$Builder#url
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: okhttp3.Request$Builder#build
+  copy:
+  - from: this
+    to: result
diff --git a/core/opentaint-config/config/config/jar-split/spring-jdbc-5.3.39.yaml b/core/opentaint-config/config/config/jar-split/spring-jdbc-5.3.39.yaml
@@ -0,0 +1,9 @@
+passThrough:
+# Spring JDBC: NamedParameterUtils.parseSqlStatement(sql) returns a
+# ParsedSql wrapping the original SQL, which is then passed to
+# (Named)JdbcTemplate query/update sinks. The parse step itself just
+# preserves taint into the result.
+- function: org.springframework.jdbc.core.namedparam.NamedParameterUtils#parseSqlStatement
+  copy:
+  - from: arg(0)
+    to: result
diff --git a/core/opentaint-config/config/config/jar-split/spring-ldap-core-2.4.1.yaml b/core/opentaint-config/config/config/jar-split/spring-ldap-core-2.4.1.yaml
@@ -0,0 +1,109 @@
+passThrough:
+# Spring LDAP query builder chain:
+#   LdapQueryBuilder.query().base(dn).where(attr).is(val) ... -> LdapQuery
+#
+# The chain mixes the public LdapQueryBuilder/ConditionCriteria/
+# ContainerCriteria interfaces with the package-private
+# DefaultConditionCriteria / DefaultContainerCriteria impls. The
+# analyzer's chain-split sees the impl-class call sites, so both
+# interface and impl entries are needed.
+#
+# The direct `arg(0) → result` form is what actually propagates taint
+# through the chain; the two-step `arg(0)→this` + `this→result` form
+# alone wasn't enough (the chain has too many implicit intermediates
+# for two-step propagation to reach end-to-end without the direct
+# shortcut).
+- function: org.springframework.ldap.query.LdapQueryBuilder#base
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.LdapQueryBuilder#where
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.LdapQueryBuilder#filter
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.ConditionCriteria#is
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.ConditionCriteria#like
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.ConditionCriteria#whitespaceWildcardsLike
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.ContainerCriteria#and
+  copy:
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.ContainerCriteria#or
+  copy:
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.DefaultConditionCriteria#is
+  copy:
+  - from: arg(0)
+    to: this
+  - from: arg(0)
+    to: result
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.DefaultConditionCriteria#like
+  copy:
+  - from: arg(0)
+    to: this
+  - from: arg(0)
+    to: result
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.DefaultConditionCriteria#whitespaceWildcardsLike
+  copy:
+  - from: arg(0)
+    to: this
+  - from: arg(0)
+    to: result
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.DefaultContainerCriteria#and
+  copy:
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.DefaultContainerCriteria#or
+  copy:
+  - from: this
+    to: result
+- function: org.springframework.ldap.query.DefaultContainerCriteria#append
+  copy:
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
diff --git a/core/opentaint-config/config/config/jar-split/spring-web-5.3.39.yaml b/core/opentaint-config/config/config/jar-split/spring-web-5.3.39.yaml
@@ -0,0 +1,16 @@
+passThrough:
+# Spring RequestEntity static factories + builder .build() — used by
+# the SSRF rule's chained-builder pattern:
+#   RequestEntity.get(URI.create($X)).build()
+- function: org.springframework.http.RequestEntity#get
+  copy:
+  - from: arg(0)
+    to: result
+- function: org.springframework.http.RequestEntity$BodyBuilder#build
+  copy:
+  - from: this
+    to: result
+- function: org.springframework.http.RequestEntity$HeadersBuilder#build
+  copy:
+  - from: this
+    to: result
diff --git a/core/opentaint-config/config/config/jar-split/unboundid-ldapsdk-6.0.11.yaml b/core/opentaint-config/config/config/jar-split/unboundid-ldapsdk-6.0.11.yaml
@@ -0,0 +1,5 @@
+passThrough:
+- function: com.unboundid.ldap.sdk.SearchRequest#<init>
+  copy:
+  - from: arg(*)
+    to: this
diff --git a/core/opentaint-config/config/config/jar-split/velocity-engine-core-2.3.yaml b/core/opentaint-config/config/config/jar-split/velocity-engine-core-2.3.yaml
@@ -0,0 +1,13 @@
+passThrough:
+# Apache Velocity: VelocityContext.put($k, $v) and the AbstractContext
+# super-class — taint flows from the value argument into the context
+# instance so a tainted value carried into the context reaches a
+# subsequent VelocityEngine.evaluate / Template.merge sink.
+- function: org.apache.velocity.VelocityContext#put
+  copy:
+  - from: arg(1)
+    to: this
+- function: org.apache.velocity.context.AbstractContext#put
+  copy:
+  - from: arg(1)
+    to: this
diff --git a/core/opentaint-config/config/config/stdlib.yaml b/core/opentaint-config/config/config/stdlib.yaml
@@ -21358,3 +21358,90 @@ passThrough:
     to:
     - this
     - .java.io.InputStream#<rule-storage>#java.lang.Object
+
+# ── Collection / Iterator / Iterable / Enumeration ─────────────────────
+- function: java.util.Collection#iterator
+  copy:
+  - from: this
+    to: result
+- function: java.lang.Iterable#iterator
+  copy:
+  - from: this
+    to: result
+- function: java.util.Iterator#next
+  copy:
+  - from: this
+    to: result
+- function: java.util.Enumeration#nextElement
+  copy:
+  - from: this
+    to: result
+
+# ── java.lang.String#getBytes (String → byte[]) ────────────────────────
+- function: java.lang.String#getBytes
+  copy:
+  - from: this
+    to: result
+
+# ── java.util.Base64$Encoder ──────────────────────────────────────────
+- function: java.util.Base64$Encoder#encodeToString
+  copy:
+  - from: arg(0)
+    to: result
+- function: java.util.Base64$Encoder#encode
+  copy:
+  - from: arg(0)
+    to: result
+
+# ── java.net.URL (String) constructor (direct arg→this; the existing
+#    URL#<init>(String) entry uses arg(*) which doesn't apply consistently
+#    enough for tests like UnsafeStaplerServeFileServlet) ────────────────
+- function: java.net.URL#<init>
+  signature: (java.lang.String) void
+  copy:
+  - from: arg(0)
+    to: this
+
+# ── java.net.URI ──────────────────────────────────────────────────────
+- function: java.net.URI#create
+  copy:
+  - from: arg(0)
+    to: result
+
+# ── javax.management JMX (stdlib management API) ───────────────────────
+- function: javax.management.remote.JMXServiceURL#<init>
+  copy:
+  - from: arg(*)
+    to: this
+- function: javax.management.remote.JMXConnectorFactory#newJMXConnector
+  copy:
+  - from: arg(0)
+    to: result
+
+# ── javax.xml.transform.stream.StreamSource ────────────────────────────
+- function: javax.xml.transform.stream.StreamSource#<init>
+  copy:
+  - from: arg(*)
+    to: this
+
+# ── java.net.http.HttpRequest$Builder (Java 11+ HttpClient) ───────────
+- function: java.net.http.HttpRequest#newBuilder
+  copy:
+  - from: arg(0)
+    to: result
+- function: java.net.http.HttpRequest$Builder#uri
+  copy:
+  - from: arg(0)
+    to: result
+  - from: arg(0)
+    to: this
+  - from: this
+    to: result
+- function: java.net.http.HttpRequest$Builder#build
+  copy:
+  - from: this
+    to: result
+- function: java.net.http.HttpRequest$Builder#GET
+  copy:
+  - from: this
+    to: result