@contrast/assess 1.42.0 → 1.44.0

package/lib/dataflow/sinks/install/mssql.js

@@ -24,7 +24,7 @@ const {
     UNTRUSTED,
   },
   Rule: { SQL_INJECTION: ruleId },
-  isString
+  isString,
 } = require('@contrast/common');
 const { createModuleLabel } = require('../../propagation/common');
 const { patchType, filterSafeTags } = require('../common');
@@ -44,7 +44,7 @@ const safeTags = [
  * }} core
  * @returns {import('@contrast/common').Installable}
  */
-module.exports = function(core) {
+module.exports = function (core) {
   const {
     depHooks,
     patcher,
@@ -74,8 +74,8 @@ module.exports = function(core) {
       const event = createSinkEvent({
         name,
         moduleName: 'mssql',
-        methodName: `PreparedStatement.prototype.${method}`,
-        context: `mssql.PreparedStatement.${method}('${strInfo.value}')`,
+        methodName: `${obj}.prototype.${method}`,
+        context: `mssql.${obj}.${method}('${strInfo.value}')`,
         history: [strInfo],
         object: {
           value: `[${createModuleLabel('mssql', version)}].${obj}`,
@@ -91,7 +91,7 @@ module.exports = function(core) {
         source: 'P0',
         stacktraceOpts: {
           contructorOpt: data.hooked,
-          prependFrames: [data.orig]
+          prependFrames: [data.orig],
         },
       });
 
@@ -109,7 +109,7 @@ module.exports = function(core) {
         strInfo: {
           tags: strInfo.tags,
           value: strInfo.value,
-        }
+        },
       });
     }
   };
@@ -117,7 +117,7 @@ module.exports = function(core) {
   core.assess.dataflow.sinks.mssql = {
     install() {
       depHooks.resolve(
-        { name: 'mssql', version: '<12', file: 'lib/base/prepared-statement.js' },
+        { name: 'mssql', version: '>7 <12', file: 'lib/base/prepared-statement.js' },
         (PreparedStatement, version) => {
           patcher.patch(PreparedStatement.prototype, 'prepare', {
             name: 'PreparedStatement.prototype.prepare',
@@ -133,7 +133,7 @@ module.exports = function(core) {
       );
 
       depHooks.resolve(
-        { name: 'mssql', version: '<12', file: 'lib/base/request.js' },
+        { name: 'mssql', version: '>7 <12', file: 'lib/base/request.js' },
         (Request, version) => {
           patcher.patch(Request.prototype, 'batch', {
             name: 'Request.prototype.batch',

package/lib/dataflow/sinks/install/mssql.test.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED }
+  DataflowTag: { UNTRUSTED, SQL_ENCODED },
 } = require('@contrast/common');
 const { expect } = require('chai');
 const sinon = require('sinon');
@@ -11,12 +11,12 @@ describe('assess dataflow sinks mssql', function () {
   let core, simulateRequestScope, trackString, tracker, reportFindings, reportSafePositive;
 
   class PreparedStatement {
-    prepare() { }
+    prepare() {}
   }
 
   class Request {
-    batch() { }
-    query() { }
+    batch() {}
+    query() {}
   }
 
   beforeEach(function () {
@@ -93,8 +93,8 @@ describe('assess dataflow sinks mssql', function () {
             sinkEvent: {
               name,
               moduleName: 'mssql',
-              methodName: `PreparedStatement.prototype.${method}`,
-              context: `mssql.PreparedStatement.${method}('${value}')`,
+              methodName: `${subject.name}.prototype.${method}`,
+              context: `mssql.${subject.name}.${method}('${value}')`,
               object: {
                 value: sinon.match(subject.name),
                 tracked: false,
@@ -121,13 +121,11 @@ describe('assess dataflow sinks mssql', function () {
           expect(reportSafePositive).to.have.been.calledWithMatch({
             name,
             ruleId: 'sql-injection',
-            safeTags: [
-              SQL_ENCODED,
-            ],
+            safeTags: [SQL_ENCODED],
             strInfo: {
               tags: strInfo.tags,
               value: strInfo.value,
-            }
+            },
           });
         });
       });

package/lib/sampler/common.test.js

@@ -80,7 +80,7 @@ function initMockCore() {
       assess: {},
       // mocks
       messages: new EventEmitter(),
-      logger: mocks.logger(),
+      logger: mocks.logger()
     };
     // use actual config so we can get dynamic effective values with TS message
     // updates (mock doesn't). we can also test new effective config mappings.

package/lib/sampler/index.test.js

@@ -236,7 +236,7 @@ function initMockCore() {
       assess: {},
       // mocks
       messages: new EventEmitter(),
-      logger: mocks.logger(),
+      logger: mocks.logger()
     };
     // use actual config so we can get dynamic effective values with TS message
     // updates (mock doesn't). we can also test new effective config mappings.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.42.0",
+  "version": "1.44.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,17 +17,17 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.27.0",
-    "@contrast/config": "1.37.0",
-    "@contrast/core": "1.42.0",
-    "@contrast/dep-hooks": "1.11.0",
+    "@contrast/common": "1.29.0",
+    "@contrast/config": "1.39.0",
+    "@contrast/core": "1.44.0",
+    "@contrast/dep-hooks": "1.13.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.21.0",
-    "@contrast/logger": "1.15.0",
-    "@contrast/patcher": "1.14.0",
-    "@contrast/rewriter": "1.18.0",
-    "@contrast/route-coverage": "1.32.0",
-    "@contrast/scopes": "1.12.0",
+    "@contrast/instrumentation": "1.23.0",
+    "@contrast/logger": "1.17.0",
+    "@contrast/patcher": "1.16.0",
+    "@contrast/rewriter": "1.20.0",
+    "@contrast/route-coverage": "1.34.0",
+    "@contrast/scopes": "1.14.0",
     "semver": "^7.6.0"
   }
 }