In system for enabling static vulnerability analysis of a software/web application that includes an indirectly modeled language portion and a directly modeled language portion, an indirectly modeled language information extractor select nodes of certain types from a syntax tree corresponding to the indirectly modeled language source code. Generally, the types of nodes that are selected are relevant to taint propagation. For one or more of the selected nodes, one or more statements corresponding to one or more of a type of the node, an input to the node, and an object associated with the node are generated. A static analyzer configured for a directly modeled language may perform vulnerability analysis of the software/web application using the generated statements.