Add echo framework support

[CrackTC]

Summary by Sourcery

Add Echo framework entrypoint and middleware taint collection support and improve Go analyzer import resolution and entrypoint handling.

New Features:

• Introduce an Echo entrypoint collection checker to discover Echo HTTP handlers and middleware as taint analysis entrypoints.
• Add shared utilities for flattening union values and processing entrypoints and taint sources used by Go taint checkers.

Enhancements:

• Extend the Go analyzer to cache function closure evaluation in call processing and to normalize default import names via a configurable known-package mapping.
• Refactor existing Go RESTful entrypoint collection to reuse the new shared entrypoint/taint processing utility and support additional package variants.

---

Note

Adds Echo framework support for Go (entrypoint collection + taint rules), refactors shared taint utils, and improves Go analyzer import handling and call processing.

• Go Taint Checkers:
  • Echo support: New checker/taint/go/echo-entrypoint-collect-checker.ts to collect Echo routes/middlewares and register taint sources/entrypoints.
  • Restful checker: Refactored to use shared utility and register known package names.
  • Main entrypoint: Adjust import to updated entrypoint util export.
• Shared Utils:
  • New checker/taint/go/util.ts with flattenUnionValues and processEntryPointAndTaintSource for deduped entrypoint/taint handling.
• Config:
  • Register echo-entrypoint-collect-checker in resource/checker/checker-config.json and include in taint-flow-golang-default pack.
  • Extend Go rules (resource/example-rule-config/rule_config_go.json): add Echo echo.Context.Bind as source and Echo sinks (Context.Render, HTML, JSON).
• Analyzer/Engine:
  • Analyzer.processCallExpression now accepts cached fclos; Go analyzer passes it to avoid recomputation.
  • GoAnalyzer: add registerKnownPackageNames and use it to fix default import names; minor call/var-decl logic updates.

^{Written by Cursor Bugbot for commit 9bd06c4. This will update automatically on new commits. Configure here.}

[sourcery-ai]

Reviewer's Guide

Adds first-class support for the Go Echo web framework by introducing an echo entrypoint collector and shared taint/entrypoint utilities, generalizing Go analyzer import handling, and refactoring existing RESTful and main entrypoint checkers to use the new utilities.

Sequence diagram for EchoEntrypointCollectChecker handling Echo route registration

sequenceDiagram
  actor Dev
  participant GoRuntime
  participant Analyzer
  participant CheckerManager
  participant EchoEntrypointCollectChecker as EchoChecker
  participant TaintUtil as processEntryPointAndTaintSource
  participant IntroduceTaint
  participant EntryPointUtil as completeEntryPoint

  Dev->>GoRuntime: Start Echo server (e.g. e.GET("/path", handler, middlewares...))
  GoRuntime->>Analyzer: Analyze CallExpression for e.GET
  Analyzer->>CheckerManager: checkAtFunctionCallBefore(info with fclos, argvalues)
  CheckerManager->>EchoChecker: triggerAtFunctionCallBefore(analyzer, scope, node, state, info)

  EchoChecker->>EchoChecker: verify object._qid matches github.com/labstack/echo/v4.New()
  EchoChecker->>EchoChecker: switch property.name (e.g. GET)
  EchoChecker->>processEntryPointAndTaintSource: with handler argvalues[1], source 0

  processEntryPointAndTaintSource->>processEntryPointAndTaintSource: flattenUnionValues([entryPointUnitValue]) and filter fclos
  processEntryPointAndTaintSource->>processEntryPointAndTaintSource: deduplicate via processedRouteRegistry
  processEntryPointAndTaintSource->>IntroduceTaint: introduceFuncArgTaintBySelfCollection(entryPointFuncValue, state, analyzer, source, GO_INPUT)
  processEntryPointAndTaintSource->>completeEntryPoint: completeEntryPoint(entryPointFuncValue)
  completeEntryPoint-->>processEntryPointAndTaintSource: entryPoint
  processEntryPointAndTaintSource->>Analyzer: push entryPoint into analyzer.entryPoints

  EchoChecker->>EchoChecker: handleMiddlewareArgs for remaining middleware args
  EchoChecker-->>CheckerManager: return
  CheckerManager-->>Analyzer: return
  Analyzer-->>GoRuntime: continue analysis

Loading

Class diagram for updated Go analyzer and Echo/RESTful entrypoint checkers

classDiagram

class Analyzer {
  +processCallExpression(scope, node, state, cachedFclos)
}

class GoAnalyzer {
  +static knownPackageName : Record~string, string~
  +static registerKnownPackageNames(knownPackageName : Record~string, string~)
  +processCallExpression(scope, node, state, fclos)
}

class Checker {
}

class RestfulEntrypointCollectChecker {
  +processedRouteRegistry : Set~string~
  +constructor(resultManager)
  +triggerAtFunctionCallBefore(analyzer, scope, node, state, info)
}

class EchoEntrypointCollectChecker {
  +processedRouteRegistry : Set~string~
  +constructor(resultManager)
  +triggerAtFunctionCallBefore(analyzer, scope, node, state, info)
  +triggerAtSymbolInterpretOfEntryPointAfter(analyzer, scope, node, state, info)
  +triggerAtAssignment(analyzer, scope, node, state, info)
  +handleConfigObjectCollection(analyzer, state, symbol)
  +handleKnownEchoMiddlewares(analyzer, state, symbol)
  +handleCustomMiddleware(analyzer, scope, state, middlewareFunctionValue)
  +handleMiddlewareArgs(analyzer, scope, state, list)
}

class TaintEntryPointUtil {
  +flattenUnionValues(list : Array~Unit~) Array~Unit~
  +processEntryPointAndTaintSource(analyzer, state, processedRouteRegistry : Set~string~, entryPointUnitValue : Unit, source : string)
}

Analyzer <|-- GoAnalyzer
Checker <|-- RestfulEntrypointCollectChecker
Checker <|-- EchoEntrypointCollectChecker

GoAnalyzer ..> TaintEntryPointUtil : uses
RestfulEntrypointCollectChecker ..> TaintEntryPointUtil : uses
EchoEntrypointCollectChecker ..> TaintEntryPointUtil : uses

GoAnalyzer ..> Checker : interacts

Loading

File-Level Changes

Change	Details	Files
Refactor RESTful entrypoint collection to use shared taint/entrypoint utilities and support multiple go-restful package paths.	Import shared processEntryPointAndTaintSource helper and GoAnalyzer into the RESTful entrypoint checker. Register go-restful module-to-package name mappings on GoAnalyzer in the checker constructor. Tighten route registry matching to require the first argument to exist and delegate taint + entrypoint registration to the shared helper. Type processedRouteRegistry as a Set.	src/checker/taint/go/restful-entrypoint-collect-checker.ts
Extend the Go analyzer core to accept cached function closures for call expressions and to support configurable mappings from module paths to package names for default imports.	Update GoAnalyzer.processCallExpression to pass through a cached fclos to the base Analyzer implementation. Add a static knownPackageName map and registerKnownPackageNames method to GoAnalyzer for module-to-package name mapping. Adjust import-variable resolution to first apply knownPackageName for default imports (using node._meta.isDefaultImport) and then fall back to existing package-name resolution logic. Generalize Analyzer.processCallExpression to take an optional cachedFclos parameter and use it instead of recomputing the callee value when provided.	src/engine/analyzer/golang/common/go-analyzer.ts src/engine/analyzer/common/analyzer.ts
Introduce a shared Go taint/entrypoint utility module to flatten union values and register entrypoints plus taint sources in a reusable way.	Add flattenUnionValues to normalize and flatten union Units into a flat list of fclos/symbol/object Units, recursing unions. Add processEntryPointAndTaintSource helper that deduplicates functions via location hash, introduces taint to specific argument positions, and pushes completed entrypoints onto the analyzer. Refactor existing code to use the new helper rather than duplicating taint + entrypoint logic.	src/checker/taint/go/util.ts src/checker/taint/go/restful-entrypoint-collect-checker.ts
Add a comprehensive Echo entrypoint/middleware collector that detects handlers and taint sources across routes, middlewares, configuration objects, and framework extension points.	Create EchoEntrypointCollectChecker that registers known Echo-related package names with GoAnalyzer and maintains a processedRouteRegistry for deduplication. Hook into triggerAtFunctionCallBefore to recognize route registration methods on echo.Echo instances (HTTP verbs, RouteNotFound, Match, Add, Group, Host, File, FileFS, Use, Pre) and extract handlers and middleware functions using processEntryPointAndTaintSource and flattenUnionValues. Hook into triggerAtAssignment to detect assignment of key Echo fields (HTTPErrorHandler, Binder.Bind, Renderer.Render, Filesystem.Open) and treat them as entrypoints with appropriate taint source indices. Implement handleConfigObjectCollection and a ConfigObjectCollectionTable describing which fields on various WithConfig middleware config structs contain handler-like functions and their taint argument positions. Implement handleKnownEchoMiddlewares to recognize calls into known middleware packages (echo/middleware, echo-jwt, echo-contrib/) and extract handler functions from both direct arguments and nested config objects, including nested Balancer/Transport/Store/Filesystem structures where relevant. Implement handleCustomMiddleware to execute user-defined middleware closures and treat their returned handler as an entrypoint, and handleMiddlewareArgs to coordinate flattening, known-middleware handling, and custom fclos handling. Clear processedRouteRegistry when exiting main entry points in triggerAtSymbolInterpretOfEntryPointAfter.	src/checker/taint/go/echo-entrypoint-collect-checker.ts
Minor cleanup and import change in Go main entrypoint checker.	Change completeEntryPoint import from destructured require to default require to match new util module structure. Remove an unused lodash floor import from the common Analyzer file.	src/checker/taint/go/main-entrypoint-collect-checker.ts src/engine/analyzer/common/analyzer.ts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Summary of Changes

Hello @CrackTC, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly expands the analysis capabilities by adding comprehensive support for the Echo Go web framework. It enables the system to automatically detect and analyze potential security vulnerabilities by identifying entry points and taint sources within Echo applications. The changes also include a refactoring of existing entry point collection logic into reusable utilities and enhancements to the core Go analyzer for more accurate package import handling.

Highlights

• Echo Framework Support: Introduced a new checker (echo-entrypoint-collect-checker) to identify entry points and taint sources specifically for applications built with the Go Echo web framework.
• Configuration Updates: The new Echo checker has been integrated into the system's configuration files (checker-config.json and checker-pack-config.json).
• New Taint Source Rule: A new rule was added to rule_config_go.json to mark the echo.Context.Bind function as a taint source.
• Code Refactoring & Utility: Common logic for processing entry points and taint sources was extracted into a new utility file (src/checker/taint/go/util.ts) and is now used by both the new Echo checker and the existing go-restful checker.
• Go Analyzer Enhancements: The Go analyzer was improved to better handle package imports by allowing registration of known package names and caching function closures (fclos) during call expression processing.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• In flattenUnionValues and processEntryPointAndTaintSource, there are no guards for undefined or unexpected vtypes, so calls like processEntryPointAndTaintSource(..., argvalues[2], ...) or flattenUnionValues(list) where list contains non-union/fclos/symbol/object values can throw at runtime; consider short-circuiting on falsy inputs and skipping unknown vtypes instead of throwing.
• Several places in the Echo checker (e.g., handleKnownEchoMiddlewares, triggerAtAssignment) index into symbol.arguments[...] or nested field properties without checking that the argument exists, which can fail for partially-specified calls; adding length/null checks before access would make the logic more robust.
• In handleCustomMiddleware, you assume middlewareFunctionValue.fdef is present before calling processAndCallFuncDef; it would be safer to check for fdef and skip or log when it is missing to avoid errors on unexpected middleware values.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `flattenUnionValues` and `processEntryPointAndTaintSource`, there are no guards for `undefined` or unexpected `vtype`s, so calls like `processEntryPointAndTaintSource(..., argvalues[2], ...)` or `flattenUnionValues(list)` where `list` contains non-union/fclos/symbol/object values can throw at runtime; consider short-circuiting on falsy inputs and skipping unknown vtypes instead of throwing.
- Several places in the Echo checker (e.g., `handleKnownEchoMiddlewares`, `triggerAtAssignment`) index into `symbol.arguments[...]` or nested `field` properties without checking that the argument exists, which can fail for partially-specified calls; adding length/null checks before access would make the logic more robust.
- In `handleCustomMiddleware`, you assume `middlewareFunctionValue.fdef` is present before calling `processAndCallFuncDef`; it would be safer to check for `fdef` and skip or log when it is missing to avoid errors on unexpected middleware values.

## Individual Comments

### Comment 1
<location> `src/checker/taint/go/util.ts:10-19` </location>
<code_context>
+ *
+ * @param list
+ */
+export function flattenUnionValues(list: Array<Unit>): Array<Unit> {
+  return list.flatMap((unit) => {
+    switch (unit.vtype) {
+      case 'union':
+        return flattenUnionValues(unit.value)
+      case 'fclos':
+      case 'symbol':
+      case 'object':
+        return [unit]
+      default:
+        throw new Error(`flattenUnionValues: Unknown type ${unit.vtype}`)
+    }
</code_context>

<issue_to_address>
**issue:** flattenUnionValues throws on unknown vtype, which can make the whole analysis brittle.

Because this helper throws on any unrecognised `unit.vtype`, the checker can crash whenever union values contain other valid types (e.g. literals, `UndefinedValue`) or when new vtypes are added. Instead of throwing, consider ignoring non-relevant vtypes (or logging and skipping them) so union flattening degrades gracefully and the echo/restful detection remains robust as the value lattice evolves.
</issue_to_address>

### Comment 2
<location> `src/checker/taint/go/util.ts:37-40` </location>
<code_context>
+  analyzer: any,
+  state: any,
+  processedRouteRegistry: Set<string>,
+  entryPointUnitValue: Unit,
+  source: string
+) {
+  flattenUnionValues([entryPointUnitValue])
+    .filter((val) => val.vtype === 'fclos')
+    .forEach((entryPointFuncValue) => {
</code_context>

<issue_to_address>
**issue (bug_risk):** processEntryPointAndTaintSource assumes entryPointUnitValue is always defined, which may not hold at all call sites.

Some callers (e.g. `EchoEntrypointCollectChecker`, `RestfulEntrypointCollectChecker`) pass positions like `argvalues[1]` / `argvalues[2]` and also slice argument arrays without bounds checks, so `entryPointUnitValue` may be `undefined`. In that case `flattenUnionValues([entryPointUnitValue])` will fail because it expects a `Unit`. Consider either early-returning when `entryPointUnitValue` is missing/invalid or updating `flattenUnionValues` to safely handle `undefined` entries.
</issue_to_address>

### Comment 3
<location> `src/checker/taint/go/echo-entrypoint-collect-checker.ts:231-226` </location>
<code_context>
+      case 'File':
+        this.handleMiddlewareArgs(analyzer, scope, state, argvalues.slice(2))
+        break
+      case 'FileFS':
+        flattenUnionValues([argvalues[2]]).forEach((fs) => {
+          processEntryPointAndTaintSource(analyzer, state, processedRouteRegistry, fs.field.Open, '0')
+        })
+        this.handleMiddlewareArgs(analyzer, scope, state, argvalues.slice(3))
+        break
+      case 'Host':
</code_context>

<issue_to_address>
**issue (bug_risk):** FileFS handling assumes the third argument is always present and shaped as expected.

In the `FileFS` branch, `flattenUnionValues([argvalues[2]])` and `fs.field.Open` will throw if fewer than three args are passed or if the third arg isn’t an object with a `field` property. Please add defensive checks around `argvalues[2]` (and its expected shape) before calling `flattenUnionValues` and accessing `.field.Open`.
</issue_to_address>

### Comment 4
<location> `src/checker/taint/go/echo-entrypoint-collect-checker.ts:339-347` </location>
<code_context>
+      case 'KeyAuth':
+        processEntryPointAndTaintSource(analyzer, state, processedRouteRegistry, symbol.arguments[0], '0, 1')
+        break
+      case 'WithConfig':
+        flattenUnionValues([symbol.arguments[0]]).forEach((middlewareConfig) => {
+          const tokenLookupFuncs = middlewareConfig.field.TokenLookupFuncs
+          if (!tokenLookupFuncs) return
+          Object.values(tokenLookupFuncs.value).forEach((v) => {
+            processEntryPointAndTaintSource(analyzer, state, processedRouteRegistry, v as Unit, '0')
+          })
+        })
+        this.handleConfigObjectCollection(analyzer, state, symbol)
+        break
+      case 'NewMiddlewareWithConfig':
</code_context>

<issue_to_address>
**issue (bug_risk):** Some middleware config handlers assume `middlewareConfig.field` is always defined.

In this and similar cases (`NewMiddlewareWithConfig`, `MiddlewareWithConfig`, etc.), `middlewareConfig.field` is accessed (`TokenLookupFuncs` / `LabelFuncs` / `Store`) without checking that `field` exists. If the config is partially constructed or from a mismatched library version, `field` could be `undefined` and cause a crash. Please add a guard on `middlewareConfig.field` (or use optional chaining) before dereferencing it.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request introduces support for the Echo web framework in the Go taint analyzer, which is a great addition. The implementation includes a new checker for Echo entry points and middleware, along with necessary configuration updates. I appreciate the refactoring work to create shared utilities (util.ts), which improves code reuse and maintainability by centralizing logic previously duplicated in the go-restful checker. The optimizations in the core analyzer to cache function closure evaluation are also a welcome improvement.

I've found a few potential null-reference issues in the new Echo checker that could cause the analyzer to crash. I've left specific suggestions to fix them. Overall, this is a solid contribution.

[cursor]

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.