Struct SinkSite 

pub struct SinkSite {

    pub sink_shape: SinkShape,
    pub callee_path: String,
    pub arg_index: u32,
    pub arg_is_non_literal: bool,
    pub arg_kind: SinkArgKind,
    pub arg_literal: Option<SinkLiteralValue>,
    pub regex_pattern: Option<String>,
    pub object_properties: Vec<SinkObjectProperty>,
    pub object_property_keys: Vec<String>,
    pub object_property_keys_complete: bool,
    pub arg_idents: Vec<String>,
    pub arg_source_paths: Vec<String>,
    pub span_start: u32,
    pub span_end: u32,
    pub url_arg_literal: Option<String>,
}

A captured sink site. The visitor records every existing non-literal call / member-assign / member-call / tagged-template / jsx-attr sink site, and a small allowlist of literal-aware sites where the literal value is the signal. It knows nothing about CWE categories.

Fields

sink_shape: SinkShape

The syntactic shape of the sink site.

callee_path: String

The flattened dotted/bare callee or member path.

arg_index: u32

The positional argument index. For zero-argument captures this is 0.

arg_is_non_literal: bool

Whether the relevant argument is non-literal. Existing non-literal catalogue rows require this to remain true.

arg_kind: SinkArgKind

The finer-grained shape of the captured argument. Lets the catalogue require unsafe shapes (concat / template-with-substitution / literal / no-arg) and exclude safe ones (object literal, the parameterized form). See SinkArgKind.

arg_literal: Option<SinkLiteralValue>

Literal argument value for literal-aware rows.

regex_pattern: Option<String>

Risky regex fragment for structural ReDoS candidates.

object_properties: Vec<SinkObjectProperty>

Static object-literal properties for option-object rows.

object_property_keys: Vec<String>

Static top-level object-literal keys, including keys whose values are not literal. Used by missing-option rows that only need key presence.

object_property_keys_complete: bool

Whether object_property_keys is complete. False for non-object arguments and object literals with spread or non-static keys, where a missing-key claim would be speculative.

arg_idents: Vec<String>

Identifier names referenced anywhere inside the captured non-literal sink argument, or contextual names for zero-argument captures such as a token-like Math.random() assignment target. Deduped in source order. Used by the analyze layer to back-trace the sink argument to a known untrusted source or to apply narrow context gates. Intra-module, name-based, conservative; it is never a taint proof.

arg_source_paths: Vec<String>

Flattened static member paths referenced inside the captured non-literal sink argument. Includes both the full path and source-object path for leaf reads (process.env.SECRET records process.env.SECRET and process.env) so direct source expressions can be matched without an intermediate local binding.

span_start: u32

Byte offset of the sink span start. Stored as u32 (not Span) so the struct is bitcode-encodable and can be persisted directly in the cache.

span_end: u32

Byte offset of the sink span end.

url_arg_literal: Option<String>

The arg-0 URL string literal of a network-shaped call (fetch, axios.*, got, …), captured so the secret-to-network category (#890) can carry a destination-host signal on its candidate: Some(literal) when the destination is a static string literal (almost always intended auth, e.g. the credential’s own provider), None when it is dynamic (the suspicious case). None for non-call sinks and calls with no arg 0.

Implementations

impl SinkSite

pub fn span(&self) -> Span

Reconstruct the source span from the stored byte offsets.

Trait Implementations

impl Clone for SinkSite

fn clone(&self) -> SinkSite

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SinkSite

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'__de> Decode<'__de> for SinkSite

where '__de:,

impl<'de> Deserialize<'de> for SinkSite

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Encode for SinkSite

impl Serialize for SinkSite

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.