Problem
Getter/setter callables are stored under access-qualified map keys, but the embedded TSCallable.signature is left unqualified. This violates the otherwise central identity invariant that a callable's map key byte-matches its signature and the IDs used by call edges.
It also permits a getter and setter for the same property to advertise the same embedded signature even though their map keys differ.
Reproduction
OWASP Juice Shop 6244c59, current v1 JSON output:
- 11 getter records have a map key ending in
#get;
- all 11 embedded
signature values omit #get.
Example shape:
{
"SomeClass.value#get": {
"kind": "getter",
"accessor_kind": "getter",
"signature": "SomeClass.value"
}
}
The implementation makes the mismatch explicit in src/syntactic_analysis/builders.ts:
const r = buildCallable(g, g, "getter", root);
if (r) methods[`${r.sig}#get`] = r.callable;
The setter branch has the same form with #set.
Expected behavior
A callable has one canonical ID. Its container key, embedded signature, callsite resolution, call-graph endpoint, cache identity, and Neo4j signature must agree exactly.
Acceptance criteria
- Pick one canonical accessor identity strategy:
- include
#get / #set in both key and embedded signature; or
- represent accessors without suffixes using a collision-safe alternative.
- Ensure getter and setter declarations for the same property remain distinct.
- Update caller/callee canonicalization and Neo4j projection to use the same ID.
- Add a regression fixture containing both
get value() and set value(...) and assert:
- map key equals
callable.signature for both;
- IDs are distinct;
- any accessor-related graph references target the corresponding declared ID;
- eager and cached output use identical IDs.
Problem
Getter/setter callables are stored under access-qualified map keys, but the embedded
TSCallable.signatureis left unqualified. This violates the otherwise central identity invariant that a callable's map key byte-matches itssignatureand the IDs used by call edges.It also permits a getter and setter for the same property to advertise the same embedded signature even though their map keys differ.
Reproduction
OWASP Juice Shop
6244c59, current v1 JSON output:#get;signaturevalues omit#get.Example shape:
{ "SomeClass.value#get": { "kind": "getter", "accessor_kind": "getter", "signature": "SomeClass.value" } }The implementation makes the mismatch explicit in
src/syntactic_analysis/builders.ts:The setter branch has the same form with
#set.Expected behavior
A callable has one canonical ID. Its container key, embedded
signature, callsite resolution, call-graph endpoint, cache identity, and Neo4j signature must agree exactly.Acceptance criteria
#get/#setin both key and embedded signature; orget value()andset value(...)and assert:callable.signaturefor both;