| Taint analysis (source/sink/sanitizer modeling) | T1190 | CWE-20 | references/taint-engines-static-analysis.md | scripts/taint_trace.py |
| CodeQL/Semgrep/Joern engine orchestration + merge | T1190 | CWE-20 | references/taint-engines-static-analysis.md | scripts/sast_runner.py, scripts/joern_taint.sc |
| SQL injection (raw/ORM/identifier/2nd-order/NoSQL) | T1190 | CWE-89 | references/injection-source-patterns.md | scripts/taint_trace.py |
| OS command / argument injection | T1059 | CWE-78 / CWE-88 | references/injection-source-patterns.md | scripts/taint_trace.py |
| Server-side template injection | T1190 | CWE-1336 | references/injection-source-patterns.md | scripts/taint_trace.py |
| Path traversal | T1083 | CWE-22 | references/injection-source-patterns.md | scripts/taint_trace.py |
| SSRF (tainted server-side URL) | T1190 | CWE-918 | references/injection-source-patterns.md | scripts/taint_trace.py |
| Integer overflow -> heap/stack overflow | T1203 | CWE-190 / CWE-787 | references/memory-safety-c-cpp.md | scripts/joern_taint.sc |
| Use-after-free / double-free | T1203 | CWE-416 / CWE-415 | references/memory-safety-c-cpp.md | scripts/joern_taint.sc |
| Unbounded copy / NULL deref | T1203 | CWE-120 / CWE-476 | references/memory-safety-c-cpp.md | scripts/joern_taint.sc |
| Insecure deserialization + gadget preconditions | T1059 | CWE-502 | references/deserialization-prototype-pollution.md | scripts/deser_gadget_scan.py |
| Prototype pollution -> gadget -> RCE | T1059.007 | CWE-1321 | references/deserialization-prototype-pollution.md | scripts/deser_gadget_scan.py |
| Hardcoded secrets / high-entropy literals | T1552.001 | CWE-798 / CWE-321 | references/secrets-crypto-authz-concurrency.md | scripts/secret_crypto_audit.py |
| Weak / misused cryptography | T1600 | CWE-327 / CWE-328 / CWE-330 / CWE-347 | references/secrets-crypto-authz-concurrency.md | scripts/secret_crypto_audit.py |
| Broken authorization / IDOR / BOLA | T1190 | CWE-639 / CWE-862 | references/secrets-crypto-authz-concurrency.md | scripts/secret_crypto_audit.py |
| TOCTOU / race condition | T1190 | CWE-367 / CWE-362 | references/secrets-crypto-authz-concurrency.md | scripts/secret_crypto_audit.py |
| Known-CVE dependency (SCA) | T1195.001 | CWE-1395 / CWE-1104 | references/supply-chain-dependency-audit.md | scripts/dep_audit.py |
| Malicious package / install worm / typosquat | T1195.002 | CWE-506 / CWE-829 / CWE-1357 | references/supply-chain-dependency-audit.md | scripts/dep_audit.py |
| Variant hunting — one finding -> all siblings, root-cause clustered | T1190 | CWE-20 | references/variant-hunting.md | scripts/variant_hunt.py |
| Path feasibility — branch guards -> tri-state SAT/UNSAT (Z3 optional) | T1190 | CWE-20 | references/taint-engines-static-analysis.md | scripts/path_conditions.py |
| Evidence grounding + FP gate (structured proof, EVD citations) | T1190 | CWE-20 | references/finding-validation-runtime.md | scripts/validate_findings.py, scripts/evidence_kit.py |
| Runtime reachability confirmation (Frida sink-executed) | T1190 | CWE-20 | references/dynamic-instrumentation.md | scripts/merge_runtime_evidence.py |