Official catalog of sources, sinks, and sanitizers per language for RootCause. Parsers and database queries use these files (merged with built-in entries) to identify user/untrusted input and dangerous operations.
From the scanner directory (rust-sast):

```sh
rootcause catalog install https://github.com/rootcausesca/catalog
# or from a local copy:
rootcause catalog install ./catalog --name official
```

| File | Language | Notes |
|---|---|---|
| `python.yml` | Python | Flask, Django, stdlib |
| `java.yml` | Java | Servlet, Jakarta, JDBC |
| `php.yml` | PHP | Superglobals `_POST`, `_GET` (the parser normalizes identifiers without the leading `$`) |
| `rust.yml` | Rust | Minimal base |
| `javascript.yml` | JavaScript | Browser & Node (e.g. `document`, `eval`, `innerHTML`) |
| `typescript.yml` | TypeScript | Same as JS + TS-specific patterns |
| `go.yml` | Go | `http.Request`, `exec.Command`, etc. |
| `ruby.yml` | Ruby | `params`, `Rack::Request`, `exec`, `eval` |
Each file has three optional lists: `sources`, `sinks`, `sanitizers`. Entries ending with `*` use prefix matching (e.g. `request.headers*` matches `request.headers.get`).

See `docs/catalogs.md` in the scanner repo for the full spec and examples.
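The following is an added illustration of the matching rule described above, not code from the scanner or this catalog: it reads a constructed catalog file in the assumed layout (three top-level keys, each a YAML list of strings) and classifies identifiers with exact and `*`-prefix matching.

```python
"""Classify identifiers against a RootCause-style catalog file.

Assumption (not taken from the scanner): each catalog file is a YAML
document whose top-level keys sources/sinks/sanitizers hold plain lists
of strings. Only that subset of YAML is parsed here.
"""

# Constructed sample catalog in the assumed layout of python.yml.
SAMPLE_CATALOG = """\
# comment lines are ignored
sources:
  - request.args
  - request.headers*
  - input
sinks:
  - eval
  - subprocess.*
  - cursor.execute
sanitizers:
  - shlex.quote
  - markupsafe.escape
"""


def parse_catalog(text):
    """Parse the minimal YAML subset used here: top-level keys, each followed by '- item' lines."""
    catalog = {"sources": [], "sinks": [], "sanitizers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip()
            catalog.setdefault(current, [])
        elif line.strip().startswith("- ") and current is not None:
            catalog[current].append(line.strip()[2:].strip().strip("'\""))
        else:
            raise ValueError(f"unsupported catalog line: {raw!r}")
    return catalog


def matches(entry, name):
    """Exact match, or prefix match when the catalog entry ends with '*'."""
    if entry.endswith("*"):
        return name.startswith(entry[:-1])
    return name == entry


def classify(catalog, name):
    """Return the kinds (sources/sinks/sanitizers) whose entries match the identifier."""
    return [kind for kind, entries in catalog.items()
            if any(matches(entry, name) for entry in entries)]
```

Note that without the trailing `*` an entry such as `eval` does not match `evaluate`, so prefix matching has to be opted into per entry.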
`manifest.toml` describes this catalog (name, version, origin). It is optional; the scanner does not require it for loading the YAML files.