@clear-capabilities/agentic-security-scanner 0.78.0 → 0.80.0

package/src/ir/.agentic-security/streak.json

@@ -1,21 +1,20 @@
 {
-  "firstScanDate": "2026-05-26T15:14:23.942Z",
-  "lastScanDate": "2026-05-27T02:22:42.227Z",
-  "totalScans": 30,
+  "firstScanDate": "2026-05-28T18:59:26.568Z",
+  "lastScanDate": "2026-05-29T06:24:38.574Z",
+  "totalScans": 7,
   "daysCleanCritical": 2,
-  "lastCleanDate": "2026-05-27",
+  "lastCleanDate": "2026-05-29",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
   "bestDaysCleanCritical": 2,
-  "totalFindingsAtFirstScan": 13,
-  "totalFindingsAtLastScan": 16,
+  "totalFindingsAtFirstScan": 16,
+  "totalFindingsAtLastScan": 17,
   "totalFixesInferred": 0,
   "lastGrade": "B",
-  "bestGrade": "A-",
+  "bestGrade": "B",
   "launchCheckPassedAt": null,
   "achievements": [
-    "first-scan",
-    "scan-veteran-25"
+    "first-scan"
   ],
   "previousGrade": "B"
 }

package/src/ir/callgraph.js

@@ -8,11 +8,25 @@
 //   4. Anything else → unresolved; the dataflow engine treats the callee as
 //      an opaque sink for taint.
 
-export function buildCallGraph(perFileIR) {
-  // perFileIR is { [file]: parseJsFile output }
-  const functions = new Map(); // qid → FunctionIR
-  const byNameInFile = new Map(); // file → Map<name, qid>
-  const classMethods = new Map(); // 'ClassName.method' → qid
+export function buildCallGraph(perFileIR, fileContents) {
+  const functions = new Map();
+  const byNameInFile = new Map();
+  const classMethods = new Map();
+  // Re-export resolution: track `export { x } from './y'` and `module.exports = require('./y')`
+  const reexportMap = new Map();
+  if (fileContents) {
+    for (const [file, code] of Object.entries(fileContents)) {
+      if (!code || typeof code !== 'string') continue;
+      for (const m of code.matchAll(/export\s*\{\s*([^}]+)\s*\}\s*from\s*['"]([^'"]+)['"]/g)) {
+        const names = m[1].split(',').map(n => n.trim().split(/\s+as\s+/));
+        for (const [orig, alias] of names) {
+          reexportMap.set(`${file}::${alias || orig}`, { sourceFile: m[2], sourceName: orig.trim() });
+        }
+      }
+      const cjsReexport = code.match(/module\.exports\s*=\s*require\s*\(\s*['"]([^'"]+)['"]\s*\)/);
+      if (cjsReexport) reexportMap.set(`${file}::*`, { sourceFile: cjsReexport[1], sourceName: '*' });
+    }
+  }
 
   for (const file of Object.keys(perFileIR || {})) {
     const ir = perFileIR[file];
@@ -21,7 +35,6 @@ export function buildCallGraph(perFileIR) {
     for (const fn of ir.functions) {
       functions.set(fn.qid, fn);
       byNameInFile.get(file).set(fn.name, fn.qid);
-      // Class methods: qid carries the class name as the scope.
       const m = fn.qid.match(/::([A-Z]\w*)::(\w+)@/);
       if (m) classMethods.set(`${m[1]}.${m[2]}`, fn.qid);
     }
@@ -56,7 +69,6 @@ export function buildCallGraph(perFileIR) {
   // ClassName.method falls back).
   function resolve(name) {
     if (!name || typeof name !== 'string') return null;
-    // Direct ident match — search every file's same-file map.
     for (const m of byNameInFile.values()) {
       if (m.has(name)) return m.get(name);
     }
@@ -67,6 +79,14 @@ export function buildCallGraph(perFileIR) {
         if (m.has(tail)) return m.get(tail);
       }
     }
+    // Follow re-exports: if name was re-exported from another file, resolve there
+    for (const [key, { sourceName }] of reexportMap) {
+      if (key.endsWith(`::${name}`) || (sourceName === name)) {
+        for (const m of byNameInFile.values()) {
+          if (m.has(sourceName)) return m.get(sourceName);
+        }
+      }
+    }
     return null;
   }
   return { functions, edges, callersOf, resolve };

package/src/ir/cpp-preprocessor.js

@@ -0,0 +1,142 @@
+// Lightweight C/C++ preprocessor — Recommendation #8 of the SCA/SAST plan.
+//
+// Resolves `#include` + `#define BUF[N]` patterns across header files so
+// the strcpy-destination-size guard (cpp.js#_classifyDestBuffer) can find
+// buffer-size declarations declared in a sibling .h.
+//
+// Scope (v1, intentionally narrow):
+//   - `#include "local.h"` resolved relative to the source file
+//     (`#include <…>` system headers NOT resolved — they're too noisy
+//     and don't carry security signal at this layer)
+//   - `#define IDENT VALUE` — single-line object-like macros only;
+//     function-like macros (`#define X(a,b) ...`) ignored in v1
+//   - `typedef char BufT[N];` — alias expansion when N is literal
+//
+// What's intentionally OUT of scope:
+//   - Multi-step macro expansion (cascade of #define A B / #define B C / use A)
+//   - Conditional compilation (#ifdef / #if / #else): we union all branches
+//   - Token-pasting (##) and stringification (#)
+//   - Compiler -D flags (would require build-system integration)
+//
+// The goal is not to be a complete preprocessor; it's to recover the
+// 80% of fixed-buffer-size context that Juliet C/C++ tests scatter across
+// `header.h` (with `#define BUFSIZE 1024`) and `source.c` (with
+// `char buf[BUFSIZE]; strcpy(buf, src);`).
+//
+// Output: { defines: Map<name, value>, typedefs: Map<name, {kind,size}>,
+//           includes: string[] }
+// where size is a literal integer when resolvable, null otherwise.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const _MAX_INCLUDE_DEPTH = 4;     // refuse pathological recursion
+const _MAX_LINES_PER_FILE = 10_000; // skip auto-generated huge headers
+
+function _parseDefines(content) {
+  const defines = new Map();
+  for (const m of content.matchAll(/^\s*#\s*define\s+([A-Za-z_]\w*)\s+(.+?)(?:$|\/\*|\/\/)/gm)) {
+    const name = m[1];
+    let val = m[2].trim();
+    // Strip trailing line continuation backslashes.
+    val = val.replace(/\\\s*$/, '').trim();
+    // Skip function-like macros for v1.
+    if (val.startsWith('(') && /\b[A-Za-z_]\w*\s*\(/.test(val)) continue;
+    defines.set(name, val);
+  }
+  return defines;
+}
+
+function _parseTypedefs(content) {
+  const typedefs = new Map();
+  // typedef char BufT[1024];  / typedef unsigned char Bytes[256];
+  for (const m of content.matchAll(/typedef\s+(?:unsigned\s+|signed\s+)?(?:char|wchar_t|int8_t|uint8_t)\s+([A-Za-z_]\w*)\s*\[\s*([A-Za-z_]\w*|\d+)\s*\]\s*;/g)) {
+    const name = m[1];
+    const sizeTxt = m[2];
+    let size = null;
+    if (/^\d+$/.test(sizeTxt)) size = parseInt(sizeTxt, 10);
+    typedefs.set(name, { kind: 'char-array', size, sizeExpr: sizeTxt });
+  }
+  return typedefs;
+}
+
+function _parseIncludes(content) {
+  const includes = [];
+  for (const m of content.matchAll(/^\s*#\s*include\s+"([^"]+)"/gm)) {
+    includes.push(m[1]);
+  }
+  return includes;
+}
+
+function _resolveSize(sizeExpr, defines) {
+  if (/^\d+$/.test(sizeExpr)) return parseInt(sizeExpr, 10);
+  const macro = defines.get(sizeExpr);
+  if (macro && /^\d+$/.test(macro)) return parseInt(macro, 10);
+  return null;
+}
+
+/**
+ * Recursively preprocess a single source file by walking its #includes.
+ * Returns the merged define table + typedef table + flat list of resolved
+ * include paths. Cycles are detected via the `visited` set.
+ */
+export function preprocessFile(sourcePath, opts = {}) {
+  const visited = opts.visited || new Set();
+  const depth = opts.depth || 0;
+  const result = { defines: new Map(), typedefs: new Map(), includes: [] };
+
+  const abs = path.resolve(sourcePath);
+  if (visited.has(abs)) return result;
+  visited.add(abs);
+  if (depth > _MAX_INCLUDE_DEPTH) return result;
+
+  let content;
+  try { content = fs.readFileSync(abs, 'utf8'); }
+  catch { return result; }
+  if (content.split('\n').length > _MAX_LINES_PER_FILE) return result;
+
+  // First pass on this file's own contents.
+  const localDefines = _parseDefines(content);
+  const localTypedefs = _parseTypedefs(content);
+  const includes = _parseIncludes(content);
+
+  // Recursive merge — header values are merged BEFORE local ones so that
+  // a local #undef + redefine could in principle override (we don't model
+  // #undef, but this ordering is the correct future-extension point).
+  const dir = path.dirname(abs);
+  for (const inc of includes) {
+    const child = preprocessFile(path.join(dir, inc), { visited, depth: depth + 1 });
+    for (const [k, v] of child.defines) if (!result.defines.has(k)) result.defines.set(k, v);
+    for (const [k, v] of child.typedefs) if (!result.typedefs.has(k)) result.typedefs.set(k, v);
+    result.includes.push(...child.includes, inc);
+  }
+  for (const [k, v] of localDefines) result.defines.set(k, v);
+  for (const [k, v] of localTypedefs) result.typedefs.set(k, v);
+
+  // Final pass — resolve typedef sizes that referenced a macro.
+  for (const [name, td] of result.typedefs) {
+    if (td.size === null && td.sizeExpr) {
+      const resolved = _resolveSize(td.sizeExpr, result.defines);
+      if (resolved !== null) result.typedefs.set(name, { ...td, size: resolved });
+    }
+  }
+  return result;
+}
+
+/**
+ * Resolve a buffer-size expression in the context of a preprocessed file.
+ * Accepts either a literal integer string or a macro name. Returns the
+ * integer size, or null if unresolvable.
+ */
+export function resolveSize(sizeExpr, preprocessed) {
+  return _resolveSize(sizeExpr, preprocessed.defines || new Map());
+}
+
+/**
+ * Resolve a typedef name to its size, if it's a char-array typedef.
+ */
+export function resolveTypedef(name, preprocessed) {
+  return preprocessed.typedefs.get(name) || null;
+}
+
+export const _internals = { _parseDefines, _parseTypedefs, _parseIncludes };