Releases, comparisons, and technical notes on taint data flow analysis.
We're releasing skills that pair an LLM agent with OpenTaint's taint engine. The agent maps the attack surface, models the missing library methods, writes project-specific rules, and can confirm each finding with a real exploit — then the deterministic engine re-scans for the price of CPU, on every future commit.
AST-pattern matchers miss what Spring's architecture creates: data flows that cross class boundaries through injected beans, API calls whose danger is decided at bean wiring time, and endpoints linked only through JPA persistence. OpenTaint traces tainted data through every layer, from injected services to database storage to dangerous API calls, distinguishing raw columns from sanitized ones.
We tested Semgrep, CodeQL, and OpenTaint on five progressively harder XSS cases in a Java Spring application — from direct returns to builder patterns with virtual dispatch — to show where each tool's analysis model hits its limit.
