cs-au-dk / jelly

JavaScript/TypeScript static analyzer for call graph construction, library usage pattern matching, and vulnerability exposure analysis
MIT License
317 stars 22 forks

Is this an overlooked call edge? #19

Closed Hellozaq closed 4 months ago

Hellozaq commented 4 months ago

First of all, thank you very much for your work.

When I ran jelly on foxx-framework@0.3.6, I found that there is no call edge between "yargs@5.0.0:yargs.js:13:1:Yargs" and "yargs@5.0.0:yargs.js:678:3:parseArgs", and there is also no call edge between "yargs@5.0.0:yargs.js:13:1:Yargs" and "yargs@5.0.0:yargs.js:664:10:", "yargs@5.0.0:yargs.js:386:16:", "yargs@5.0.0:yargs.js:501:19:", which contain "parseArgs".

Is this an overlooked call edge?

Hellozaq commented 4 months ago

The source of this problem is that when I tried to replicate the security scanning experiment in the paper "Modular Call Graph Construction for Security Scanning of Node.js Applications", I marked the location of the vulnerability "CVE-2020-7608" in "foxx-framework@0.3.6" as "yargs-parser@3.2.0:index.js:7:1:parse", but found that it was unreachable. However, the results of JAM in the paper were reachable, and I actually checked the source code and it was indeed reachable.

amoeller commented 4 months ago

Seems to work fine when I try. I can't reproduce your problems without more detailed knowledge of what you are doing. And I'm sorry I don't have time to help anytime soon.
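The disagreement above comes down to one question: is there a path in the emitted call graph from the application's entry code to the function at yargs-parser's `index.js:7:1`? The script below is an added example (written for this page, not code from the jelly project or from either commenter) that answers that question for a call graph in the JSON shape jelly writes with `-j`. The shape is assumed from the project README: `files` is a list of file paths, `functions` maps a function index to `"fileIndex:startLine:startCol:endLine:endCol"`, and `fun2fun` lists caller/callee index pairs. The graph embedded in the script is constructed for illustration and mirrors the edges discussed in the issue (`Yargs` calling `parseArgs`, which calls yargs-parser's `parse`); the treatment of each entry file's top-level code as the function starting at `1:1` is also an assumption.

```javascript
// Reachability check over a jelly-style call graph (format assumed from the
// README, see lead-in). Example code added to this page, not jelly's own.

// Constructed sample graph in the assumed format. The edge Yargs -> parseArgs
// ([1, 2]) is the one the issue reports as missing.
const sampleGraph = {
  entries: ["foxx-framework/bin/foxx.js"],
  files: ["foxx-framework/bin/foxx.js", "yargs/yargs.js", "yargs-parser/index.js"],
  functions: {
    "0": "0:1:1:40:1",     // top-level code of foxx.js (assumed to start at 1:1)
    "1": "1:13:1:700:1",   // Yargs
    "2": "1:678:3:690:4",  // parseArgs
    "3": "2:7:1:300:1"     // parse in yargs-parser (the CVE-2020-7608 location)
  },
  calls: {},
  fun2fun: [[0, 1], [1, 2], [2, 3]],
  call2fun: []
};

// Split "fileIndex:startLine:startCol:endLine:endCol" into numbers.
function parseLocation(loc) {
  const [file, startLine, startCol, endLine, endCol] = loc.split(":").map(Number);
  return { file, startLine, startCol, endLine, endCol };
}

// Find the index of the function starting at file:line:col, or -1.
function findFunction(graph, fileName, line, col) {
  const fileIdx = graph.files.indexOf(fileName);
  for (const [idx, loc] of Object.entries(graph.functions)) {
    const p = parseLocation(loc);
    if (p.file === fileIdx && p.startLine === line && p.startCol === col) return Number(idx);
  }
  return -1;
}

// Assumption: each entry file's module-level code is the function at 1:1.
function entryFunctions(graph) {
  const entryFiles = new Set(graph.entries.map(f => graph.files.indexOf(f)));
  return Object.entries(graph.functions)
    .filter(([, loc]) => {
      const p = parseLocation(loc);
      return entryFiles.has(p.file) && p.startLine === 1 && p.startCol === 1;
    })
    .map(([idx]) => Number(idx));
}

// Breadth-first search over fun2fun from any start index to the target.
// Returns the list of function indices on a shortest path, or null.
function callPath(graph, starts, target) {
  const succ = new Map();
  for (const [from, to] of graph.fun2fun) {
    if (!succ.has(from)) succ.set(from, []);
    succ.get(from).push(to);
  }
  const parent = new Map();
  const queue = [];
  for (const s of starts) { parent.set(s, null); queue.push(s); }
  while (queue.length > 0) {
    const cur = queue.shift();
    if (cur === target) {
      const path = [];
      for (let n = cur; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    for (const next of succ.get(cur) ?? []) {
      if (!parent.has(next)) { parent.set(next, cur); queue.push(next); }
    }
  }
  return null;
}

// Render a path as file:line:col strings for reading.
function describePath(graph, path) {
  return path.map(i => {
    const p = parseLocation(graph.functions[i]);
    return `${graph.files[p.file]}:${p.startLine}:${p.startCol}`;
  });
}

// Usage: is the yargs-parser parse function reachable from the entry file?
const target = findFunction(sampleGraph, "yargs-parser/index.js", 7, 1);
const path = callPath(sampleGraph, entryFunctions(sampleGraph), target);
console.log(path ? describePath(sampleGraph, path).join(" -> ") : "unreachable");
```

When the `[1, 2]` edge is dropped from `fun2fun`, the same check reports the target as unreachable, which is exactly the symptom described in the issue; running this against the real `-j` output for the two configurations is the quickest way to show whether the edge is absent from the graph or the vulnerable location was matched to the wrong function index.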