fix(sonar): S5998 ReDoS regex bounds + S3077 AtomicReference for thread safety + S6856 bind path variable

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: aksOps

src/main/java/io/github/randomcodespace/iq/api/TopologyController.java

@@ -20,6 +20,7 @@
 import java.nio.file.Path;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.atomic.AtomicReference;
 
 /**
  * REST API controller for service topology queries.
@@ -32,8 +33,8 @@ public class TopologyController {
     private final TopologyService topologyService;
     private final GraphStore graphStore;
     private final CodeIqConfig config;
-    private volatile List<CodeNode> cachedNodes;
-    private volatile List<CodeEdge> cachedEdges;
+    private final AtomicReference<List<CodeNode>> cachedNodes = new AtomicReference<>();
+    private final AtomicReference<List<CodeEdge>> cachedEdges = new AtomicReference<>();
 
     public TopologyController(TopologyService topologyService,
                               @Autowired(required = false) GraphStore graphStore,
@@ -65,15 +66,16 @@ private boolean hasNeo4jData() {
      * Load data from Neo4j if available, otherwise from H2 cache.
      */
     private synchronized void ensureDataLoaded() {
-        if (cachedNodes != null) return;
+        if (cachedNodes.get() != null) return;
 
         // Try Neo4j first (has enriched data with SERVICE nodes)
         if (hasNeo4jData()) {
-            cachedNodes = graphStore.findAll();
+            List<CodeNode> nodes = graphStore.findAll();
+            cachedNodes.set(nodes);
             // Collect edges from all nodes' relationship lists
-            cachedEdges = cachedNodes.stream()
+            cachedEdges.set(nodes.stream()
                     .flatMap(n -> n.getEdges().stream())
-                    .toList();
+                    .toList());
             return;
         }
 
@@ -83,89 +85,91 @@ private synchronized void ensureDataLoaded() {
         Path h2File = root.resolve(config.getCacheDir()).resolve("analysis-cache.mv.db");
         if (!Files.exists(h2File)) return;
         try (AnalysisCache cache = new AnalysisCache(cachePath)) {
-            cachedNodes = cache.loadAllNodes();
-            cachedEdges = cache.loadAllEdges();
+            cachedNodes.set(cache.loadAllNodes());
+            cachedEdges.set(cache.loadAllEdges());
         }
     }
 
     /**
      * Invalidate the in-memory cache (e.g. after re-analysis).
      */
     public synchronized void invalidateCache() {
-        cachedNodes = null;
-        cachedEdges = null;
+        cachedNodes.set(null);
+        cachedEdges.set(null);
         neo4jHasData = null;
     }
 
     @GetMapping
     public Map<String, Object> getTopology() {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.getTopology(cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.getTopology(nodes, cachedEdges.get());
     }
 
     @GetMapping("/services/{name}")
     public Map<String, Object> serviceDetail(@PathVariable String name) {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.serviceDetail(name, cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.serviceDetail(name, nodes, cachedEdges.get());
     }
 
     @GetMapping("/services/{name}/deps")
     public Map<String, Object> serviceDependencies(@PathVariable String name) {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.serviceDependencies(name, cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.serviceDependencies(name, nodes, cachedEdges.get());
     }
 
     @GetMapping("/services/{name}/dependents")
     public Map<String, Object> serviceDependents(@PathVariable String name) {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.serviceDependents(name, cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.serviceDependents(name, nodes, cachedEdges.get());
     }
 
     @GetMapping("/blast-radius/{nodeId}")
     public Map<String, Object> blastRadius(@PathVariable String nodeId) {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.blastRadius(nodeId, cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.blastRadius(nodeId, nodes, cachedEdges.get());
     }
 
     @GetMapping("/path")
     public List<Map<String, Object>> findPath(
             @RequestParam("from") String source,
             @RequestParam("to") String target) {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.findPath(source, target, cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.findPath(source, target, nodes, cachedEdges.get());
     }
 
     @GetMapping("/bottlenecks")
     public List<Map<String, Object>> findBottlenecks() {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.findBottlenecks(cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.findBottlenecks(nodes, cachedEdges.get());
     }
 
     @GetMapping("/circular")
     public List<List<String>> findCircularDeps() {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.findCircularDeps(cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.findCircularDeps(nodes, cachedEdges.get());
     }
 
     @GetMapping("/dead")
     public List<Map<String, Object>> findDeadServices() {
         ensureDataLoaded();
-        requireCache();
-        return topologyService.findDeadServices(cachedNodes, cachedEdges);
+        List<CodeNode> nodes = requireCache();
+        return topologyService.findDeadServices(nodes, cachedEdges.get());
     }
 
-    private void requireCache() {
-        if (cachedNodes == null) {
+    private List<CodeNode> requireCache() {
+        List<CodeNode> nodes = cachedNodes.get();
+        if (nodes == null) {
             throw new ResponseStatusException(HttpStatus.NOT_FOUND,
                     "No analysis cache found. Run analyze first.");
         }
+        return nodes;
     }
 }

src/main/java/io/github/randomcodespace/iq/detector/java/JdbcDetector.java

@@ -33,7 +33,7 @@ public class JdbcDetector extends AbstractRegexDetector {
     private static final Pattern DRIVER_MANAGER_RE = Pattern.compile(
             "DriverManager\\s*\\.\\s*getConnection\\s*\\(\\s*\"(jdbc:[^\"]+)\"");
     private static final Pattern JDBC_TEMPLATE_RE = Pattern.compile(
-            "(?:private|protected|public|final|\\s)+"
+            "(?:private|protected|public|final)\\s+"
                     + "(?:final\\s+)?"
                     + "(JdbcTemplate|NamedParameterJdbcTemplate|JdbcClient)"
                     + "\\s+\\w+");

src/main/java/io/github/randomcodespace/iq/detector/java/RawSqlDetector.java

@@ -27,14 +27,14 @@ public class RawSqlDetector extends AbstractRegexDetector {
 
     private static final Pattern CLASS_RE = Pattern.compile("(?:public\\s+)?class\\s+(\\w+)");
     private static final Pattern QUERY_ANNO_RE = Pattern.compile(
-            "@Query\\s*\\(\\s*(?:value\\s*=\\s*)?\"((?:[^\"\\\\]|\\\\.)*)\"", Pattern.DOTALL);
+            "@Query\\s*\\(\\s*(?:value\\s*=\\s*)?\"([^\"\\\\]*(?:\\\\.[^\"\\\\]*)*)\"", Pattern.DOTALL);
     private static final Pattern NATIVE_QUERY_RE = Pattern.compile("nativeQuery\\s*=\\s*true");
     private static final Pattern JDBC_TEMPLATE_RE = Pattern.compile(
             "(?:jdbcTemplate|namedParameterJdbcTemplate|JdbcTemplate)\\s*\\."
                     + "(?:query|queryForObject|queryForList|queryForMap|update|execute|batchUpdate)"
-                    + "\\s*\\(\\s*\"((?:[^\"\\\\]|\\\\.)*)\"", Pattern.DOTALL);
+                    + "\\s*\\(\\s*\"([^\"\\\\]*(?:\\\\.[^\"\\\\]*)*)\"", Pattern.DOTALL);
     private static final Pattern EM_QUERY_RE = Pattern.compile(
-            "(?:entityManager|em)\\s*\\.(?:createNativeQuery|createQuery)\\s*\\(\\s*\"((?:[^\"\\\\]|\\\\.)*)\"",
+            "(?:entityManager|em)\\s*\\.(?:createNativeQuery|createQuery)\\s*\\(\\s*\"([^\"\\\\]*(?:\\\\.[^\"\\\\]*)*)\"",
             Pattern.DOTALL);
     private static final Pattern TABLE_REF_RE = Pattern.compile(
             "\\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\\s+(\\w+)", Pattern.CASE_INSENSITIVE);

src/main/java/io/github/randomcodespace/iq/detector/typescript/NestJSControllerDetector.java

@@ -41,11 +41,11 @@ public class NestJSControllerDetector extends AbstractAntlrDetector {
     private static final Pattern NESTJS_IMPORT = Pattern.compile("from\\s+['\"]@nestjs/");
 
     private static final Pattern CONTROLLER_PATTERN = Pattern.compile(
-            "@Controller\\(\\s*['\"`]?([^'\"`\\)\\s]*)['\"`]?\\s*\\)(?:\\s*@\\w+\\([^)]*\\))*\\s*\\n\\s*(?:export\\s+)?class\\s+(\\w+)"
+            "@Controller\\(\\s*['\"`]?([^'\"`\\)\\s]*)['\"`]?\\s*\\)(?:\\s*@\\w+\\([^)]{0,200}\\))*\\s*\\n\\s*(?:export\\s+)?class\\s+(\\w+)"
     );
 
     private static final Pattern ROUTE_PATTERN = Pattern.compile(
-            "@(Get|Post|Put|Delete|Patch|Options|Head)\\(\\s*['\"`]?([^'\"`\\)\\s]*)['\"`]?\\s*\\)(?:\\s*@\\w+\\([^)]*\\))*\\s*\\n\\s*(?:async\\s+)?(\\w+)"
+            "@(Get|Post|Put|Delete|Patch|Options|Head)\\(\\s*['\"`]?([^'\"`\\)\\s]*)['\"`]?\\s*\\)(?:\\s*@\\w+\\([^)]{0,200}\\))*\\s*\\n\\s*(?:async\\s+)?(\\w+)"
     );
 
     @Override

src/main/java/io/github/randomcodespace/iq/web/SpaController.java

@@ -4,6 +4,7 @@
 import org.springframework.context.annotation.Profile;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 
 /**
  * Catch-all controller that forwards unmatched routes to index.html
@@ -40,7 +41,7 @@ public String forward() {
      * Does NOT match /api/**, /mcp/**, /actuator/**, or static assets.
      */
     @GetMapping("/{path:[^\\.]*}")
-    public String catchAll() {
+    public String catchAll(@PathVariable String path) {
         return "forward:/index.html";
     }
 }