npm - circle-ir - Versions diffs - 3.51.0 → 3.52.0 - Mend

circle-ir 3.51.0 → 3.52.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/dist/analysis/config-loader.d.ts.map +1 -1
package/dist/analysis/config-loader.js +9 -19
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/passes/insecure-cookie-pass.d.ts +23 -23
package/dist/analysis/passes/insecure-cookie-pass.d.ts.map +1 -1
package/dist/analysis/passes/insecure-cookie-pass.js +169 -79
package/dist/analysis/passes/insecure-cookie-pass.js.map +1 -1
package/dist/analysis/passes/tls-verify-disabled-pass.d.ts +52 -0
package/dist/analysis/passes/tls-verify-disabled-pass.d.ts.map +1 -0
package/dist/analysis/passes/tls-verify-disabled-pass.js +247 -0
package/dist/analysis/passes/tls-verify-disabled-pass.js.map +1 -0
package/dist/analysis/passes/weak-crypto-pass.d.ts +49 -0
package/dist/analysis/passes/weak-crypto-pass.d.ts.map +1 -0
package/dist/analysis/passes/weak-crypto-pass.js +223 -0
package/dist/analysis/passes/weak-crypto-pass.js.map +1 -0
package/dist/analysis/passes/weak-hash-pass.d.ts +45 -0
package/dist/analysis/passes/weak-hash-pass.d.ts.map +1 -0
package/dist/analysis/passes/weak-hash-pass.js +150 -0
package/dist/analysis/passes/weak-hash-pass.js.map +1 -0
package/dist/analysis/passes/weak-random-pass.d.ts +53 -0
package/dist/analysis/passes/weak-random-pass.d.ts.map +1 -0
package/dist/analysis/passes/weak-random-pass.js +181 -0
package/dist/analysis/passes/weak-random-pass.js.map +1 -0
package/dist/analyzer.d.ts.map +1 -1
package/dist/analyzer.js +12 -0
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +747 -50
package/dist/core/circle-ir-core.cjs +9 -19
package/dist/core/circle-ir-core.js +9 -19
package/package.json +1 -1

package/dist/analysis/passes/tls-verify-disabled-pass.js ADDED Viewed

@@ -0,0 +1,247 @@
+/**
+ * Pass: tls-verify-disabled (CWE-295, category: security)
+ *
+ * Pattern pass — flags places where TLS certificate / hostname verification
+ * is explicitly disabled. This is a *configuration* vulnerability (the bad
+ * value is hard-coded, no taint flow is involved).
+ *
+ * Detection per language:
+ *   Go:
+ *     - `&tls.Config{InsecureSkipVerify: true}` (composite literal)
+ *     - Detected via call argument scan: when the receiver is `tls` and
+ *       call/composite contains literal `InsecureSkipVerify: true`, OR via
+ *       a syntactic text scan (composite literals are not always emitted
+ *       as calls in IR).
+ *   Python:
+ *     - `requests.get|post|put|delete|patch|head|options|request(..., verify=False)`
+ *     - `ssl._create_unverified_context()` / `ssl._create_default_https_context = ssl._create_unverified_context`
+ *     - `urllib3.disable_warnings(InsecureRequestWarning)` — best-effort hint
+ *     - `httpx.Client(verify=False)` / `httpx.get(..., verify=False)`
+ *   JavaScript / TypeScript:
+ *     - `{ rejectUnauthorized: false }` in https.request / fetch options /
+ *       node-fetch / axios — text scan on arg expressions
+ *     - `https.Agent({ rejectUnauthorized: false })`
+ *     - `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'` (assignment;
+ *       detected via call to property assignment — best-effort)
+ *   Java:
+ *     - Custom `HostnameVerifier` that returns true unconditionally
+ *       (lambdas `(h, s) -> true` / anonymous classes) — detected via
+ *       textual scan on setHostnameVerifier arg expression.
+ *     - `setHostnameVerifier(NoopHostnameVerifier.INSTANCE)` /
+ *       `setHostnameVerifier(new AllowAllHostnameVerifier())`
+ *
+ * Aligned with: gosec G402 (Go), Bandit B501/B502/B504/B505 (Python).
+ */
+// Python HTTP libraries whose calls accept a verify=False kwarg.
+const PY_HTTP_METHODS = new Set([
+    'get', 'post', 'put', 'delete', 'patch', 'head', 'options', 'request',
+    'send',
+]);
+const PY_HTTP_RECEIVERS = new Set([
+    'requests', 'httpx',
+]);
+const VERIFY_FALSE_RE = /\bverify\s*=\s*False\b/;
+const REJECT_UNAUTHORIZED_FALSE_RE = /\brejectUnauthorized\s*:\s*false\b/;
+const INSECURE_SKIP_VERIFY_TRUE_RE = /\bInsecureSkipVerify\s*:\s*true\b/;
+const HOSTNAME_LAMBDA_TRUE_RE = /\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\b/;
+const ALLOW_ALL_HOSTNAME_VERIFIERS = new Set([
+    'NoopHostnameVerifier.INSTANCE',
+    'new AllowAllHostnameVerifier()',
+    'new NoopHostnameVerifier()',
+]);
+export class TlsVerifyDisabledPass {
+    name = 'tls-verify-disabled';
+    category = 'security';
+    run(ctx) {
+        const { graph, language, code } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        // Call-based detection (most precise — uses arg.expression text).
+        for (const call of graph.ir.calls) {
+            const det = this.detectCall(call, language);
+            if (!det)
+                continue;
+            const line = call.location.line;
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${line}-${det.pattern}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-295',
+                severity: 'high',
+                level: 'error',
+                message: `TLS certificate verification disabled via \`${det.pattern}\` in ` +
+                    `\`${det.api}\`. The connection becomes vulnerable to active ` +
+                    'man-in-the-middle attacks — any attacker on the network path can ' +
+                    'present a forged certificate.',
+                file,
+                line,
+                fix: this.fixFor(language, det.pattern),
+                evidence: { ...det, language },
+            });
+        }
+        // Source-text scan for composite-literal / module-level patterns that
+        // do not surface as IR calls (Go `tls.Config{}`, Python ssl globals,
+        // Node `NODE_TLS_REJECT_UNAUTHORIZED`).
+        for (const extra of this.detectSourceText(code, language)) {
+            const dupKey = `${extra.line}-${extra.pattern}`;
+            if (findings.some((f) => `${f.line}-${f.pattern}` === dupKey))
+                continue;
+            findings.push({ ...extra, language });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${extra.line}-${extra.pattern}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-295',
+                severity: 'high',
+                level: 'error',
+                message: `TLS certificate verification disabled via \`${extra.pattern}\` ` +
+                    `(${extra.api}). Vulnerable to active man-in-the-middle.`,
+                file,
+                line: extra.line,
+                fix: this.fixFor(language, extra.pattern),
+                evidence: { ...extra, language },
+            });
+        }
+        return { findings };
+    }
+    detectCall(call, language) {
+        const method = call.method_name;
+        const receiver = call.receiver ?? '';
+        if (language === 'python') {
+            // requests.get(..., verify=False) etc.
+            if (PY_HTTP_RECEIVERS.has(receiver) && PY_HTTP_METHODS.has(method)) {
+                for (const arg of call.arguments) {
+                    const expr = (arg.expression ?? '').trim();
+                    if (VERIFY_FALSE_RE.test(expr)) {
+                        return { pattern: 'verify=False', api: `${receiver}.${method}` };
+                    }
+                }
+            }
+            // ssl._create_unverified_context()
+            if (method === '_create_unverified_context' && receiver === 'ssl') {
+                return { pattern: 'ssl._create_unverified_context', api: 'ssl._create_unverified_context()' };
+            }
+            // httpx.Client(verify=False) — same shape via constructor; receiver is module.
+            if (receiver === 'httpx' && method === 'Client') {
+                for (const arg of call.arguments) {
+                    if (VERIFY_FALSE_RE.test(arg.expression ?? '')) {
+                        return { pattern: 'verify=False', api: 'httpx.Client' };
+                    }
+                }
+            }
+            return null;
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            // axios.create({httpsAgent: new https.Agent({rejectUnauthorized: false})}),
+            // https.request({rejectUnauthorized: false}, ...), fetch(url, {agent: ...})
+            // We do an arg-expression text scan because the option commonly appears
+            // inside an inline object literal.
+            //
+            // The JS plugin sometimes surfaces `new https.Agent(...)` with
+            // method_name='https.Agent' and receiver=null (rather than receiver='https',
+            // method='Agent'). Accept the trailing segment of the dotted name too.
+            const lastSeg = method.includes('.') ? method.split('.').pop() ?? '' : method;
+            const arglooks = method === 'request' || method === 'get' || method === 'post' ||
+                method === 'create' || method === 'Agent' || method === 'fetch' ||
+                lastSeg === 'Agent' || lastSeg === 'request' || lastSeg === 'create';
+            if (arglooks) {
+                for (const arg of call.arguments) {
+                    if (REJECT_UNAUTHORIZED_FALSE_RE.test(arg.expression ?? '')) {
+                        return { pattern: 'rejectUnauthorized: false', api: `${receiver || '(global)'}.${method}` };
+                    }
+                }
+            }
+            return null;
+        }
+        if (language === 'java') {
+            // someConn.setHostnameVerifier((h, s) -> true)
+            if (method === 'setHostnameVerifier') {
+                const arg = call.arguments.find((a) => a.position === 0);
+                const expr = (arg?.expression ?? '').trim();
+                if (HOSTNAME_LAMBDA_TRUE_RE.test(expr)) {
+                    return { pattern: '(h,s) -> true', api: 'setHostnameVerifier' };
+                }
+                for (const v of ALLOW_ALL_HOSTNAME_VERIFIERS) {
+                    if (expr === v || expr.replace(/\s+/g, '') === v.replace(/\s+/g, '')) {
+                        return { pattern: v, api: 'setHostnameVerifier' };
+                    }
+                }
+            }
+            return null;
+        }
+        return null;
+    }
+    detectSourceText(code, language) {
+        const out = [];
+        const lines = code.split('\n');
+        if (language === 'go') {
+            // Look for `InsecureSkipVerify: true` literal anywhere — overwhelmingly
+            // appears in tls.Config{} composite literals.
+            for (let i = 0; i < lines.length; i++) {
+                if (INSECURE_SKIP_VERIFY_TRUE_RE.test(lines[i])) {
+                    out.push({
+                        line: i + 1,
+                        pattern: 'InsecureSkipVerify: true',
+                        api: 'tls.Config',
+                    });
+                }
+            }
+        }
+        if (language === 'python') {
+            for (let i = 0; i < lines.length; i++) {
+                const l = lines[i];
+                if (/ssl\._create_default_https_context\s*=\s*ssl\._create_unverified_context/.test(l)) {
+                    out.push({
+                        line: i + 1,
+                        pattern: 'ssl._create_default_https_context = _create_unverified_context',
+                        api: 'ssl module override',
+                    });
+                }
+            }
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            for (let i = 0; i < lines.length; i++) {
+                const l = lines[i];
+                if (/process\.env\.NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]0['"]/.test(l)) {
+                    out.push({
+                        line: i + 1,
+                        pattern: 'NODE_TLS_REJECT_UNAUTHORIZED=0',
+                        api: 'process.env',
+                    });
+                }
+            }
+        }
+        return out;
+    }
+    fixFor(language, pattern) {
+        if (pattern.includes('InsecureSkipVerify')) {
+            return 'Remove `InsecureSkipVerify: true` — let Go verify the cert. If ' +
+                'you need to trust a private CA, set `RootCAs` to a `*x509.CertPool` ' +
+                'containing that CA.';
+        }
+        if (pattern.includes('verify=False')) {
+            return 'Remove `verify=False`. To trust a private CA, pass `verify=\'/path/to/ca.pem\'`.';
+        }
+        if (pattern.includes('rejectUnauthorized')) {
+            return 'Remove `rejectUnauthorized: false`. To trust a private CA, set the ' +
+                '`ca` option to the CA cert(s). Never disable TLS verification globally.';
+        }
+        if (pattern.includes('NODE_TLS_REJECT_UNAUTHORIZED')) {
+            return 'Remove the `NODE_TLS_REJECT_UNAUTHORIZED=0` assignment — it globally ' +
+                'disables TLS verification for every outbound HTTPS request.';
+        }
+        if (language === 'java') {
+            return 'Do not use an always-true HostnameVerifier or AllowAllHostnameVerifier. ' +
+                'Use the JVM\'s default verifier; for self-signed certs add the cert to a ' +
+                'custom TrustManager that validates the chain.';
+        }
+        if (pattern.includes('ssl._create_unverified_context')) {
+            return 'Do not use `_create_unverified_context()`. Use `ssl.create_default_context()`.';
+        }
+        return 'Restore TLS certificate and hostname verification.';
+    }
+}
+//# sourceMappingURL=tls-verify-disabled-pass.js.map

package/dist/analysis/passes/tls-verify-disabled-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tls-verify-disabled-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/tls-verify-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAKH,iEAAiE;AACjE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS;IACrE,MAAM;CACP,CAAC,CAAC;AACH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,UAAU,EAAE,OAAO;CACpB,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,wBAAwB,CAAC;AACjD,MAAM,4BAA4B,GAAG,oCAAoC,CAAC;AAC1E,MAAM,4BAA4B,GAAG,mCAAmC,CAAC;AACzE,MAAM,uBAAuB,GAAG,uCAAuC,CAAC;AACxE,MAAM,4BAA4B,GAAG,IAAI,GAAG,CAAC;IAC3C,+BAA+B;IAC/B,gCAAgC;IAChC,4BAA4B;CAC7B,CAAC,CAAC;AAWH,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,qBAAqB,CAAC;IAC7B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAwC,EAAE,CAAC;QAEzD,kEAAkE;QAClE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,GAAG;gBAAE,SAAS;YAEnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;YAE1C,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;gBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EACL,+CAA+C,GAAG,CAAC,OAAO,QAAQ;oBAClE,KAAK,GAAG,CAAC,GAAG,kDAAkD;oBAC9D,mEAAmE;oBACnE,+BAA+B;gBACjC,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC;gBACvC,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;QAED,sEAAsE;QACtE,qEAAqE;QACrE,wCAAwC;QACxC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC1D,MAAM,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAChD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,MAAM,CAAC;gBAAE,SAAS;YACxE,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YACtC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE;gBACzD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EACL,+CAA+C,KAAK,CAAC,OAAO,KAAK;oBACjE,IAAI,KAAK,CAAC,GAAG,4CAA4C;gBAC3D,IAAI;gBACJ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC;gBACzC,QAAQ,EAAE,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE;aACjC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,IAAc,EAAE,QAAgB;QAIjD,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QAErC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,uCAAuC;YACvC,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnE,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC3C,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/B,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,QAAQ,IAAI,MAAM,EAAE,EAAE,CAAC;oBACnE,CAAC;gBACH,CAAC;YACH,CAAC;YACD,mCAAmC;YACnC,IAAI,MAAM,KAAK,4BAA4B,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAClE,OAAO,EAAE,OAAO,EAAE,gCAAgC,EAAE,GAAG,EAAE,kCAAkC,EAAE,CAAC;YAChG,CAAC;YACD,+EAA+E;YAC/E,IAAI,QAAQ,KAAK,OAAO,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAChD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC/C,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC;oBAC1D,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,4EAA4E;YAC5E,4EAA4E;YAC5E,wEAAwE;YACxE,mCAAmC;YACnC,EAAE;YACF,+DAA+D;YAC/D,6EAA6E;YAC7E,uEAAuE;YACvE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;YAC9E,MAAM,QAAQ,GACZ,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM;gBAC7D,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,OAAO;gBAC/D,OAAO,KAAK,OAAO,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,QAAQ,CAAC;YACvE,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,IAAI,4BAA4B,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC5D,OAAO,EAAE,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,GAAG,QAAQ,IAAI,UAAU,IAAI,MAAM,EAAE,EAAE,CAAC;oBAC9F,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,+CAA+C;YAC/C,IAAI,MAAM,KAAK,qBAAqB,EAAE,CAAC;gBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;gBACzD,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5C,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvC,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC;gBAClE,CAAC;gBACD,KAAK,MAAM,CAAC,IAAI,4BAA4B,EAAE,CAAC;oBAC7C,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;wBACrE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC;oBACpD,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,gBAAgB,CAAC,IAAY,EAAE,QAAgB;QAGrD,MAAM,GAAG,GAA0D,EAAE,CAAC;QACtE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,wEAAwE;YACxE,8CAA8C;YAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChD,GAAG,CAAC,IAAI,CAAC;wBACP,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE,0BAA0B;wBACnC,GAAG,EAAE,YAAY;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACnB,IAAI,0EAA0E,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvF,GAAG,CAAC,IAAI,CAAC;wBACP,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE,gEAAgE;wBACzE,GAAG,EAAE,qBAAqB;qBAC3B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACnB,IAAI,4DAA4D,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzE,GAAG,CAAC,IAAI,CAAC;wBACP,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE,gCAAgC;wBACzC,GAAG,EAAE,aAAa;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,MAAM,CAAC,QAAgB,EAAE,OAAe;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3C,OAAO,iEAAiE;gBACtE,sEAAsE;gBACtE,qBAAqB,CAAC;QAC1B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACrC,OAAO,kFAAkF,CAAC;QAC5F,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3C,OAAO,qEAAqE;gBAC1E,yEAAyE,CAAC;QAC9E,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,8BAA8B,CAAC,EAAE,CAAC;YACrD,OAAO,uEAAuE;gBAC5E,6DAA6D,CAAC;QAClE,CAAC;QACD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,0EAA0E;gBAC/E,2EAA2E;gBAC3E,+CAA+C,CAAC;QACpD,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,CAAC;YACvD,OAAO,gFAAgF,CAAC;QAC1F,CAAC;QACD,OAAO,oDAAoD,CAAC;IAC9D,CAAC;CACF"}

package/dist/analysis/passes/weak-crypto-pass.d.ts ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * Pass: weak-crypto (CWE-327, category: security)
+ *
+ * Pattern pass — flags use of cryptographically weak symmetric ciphers
+ * (DES, 3DES, RC2, RC4, Blowfish), ECB mode, weak RSA key sizes (< 2048),
+ * and weak AES modes. Like weak-hash, the vulnerability is the *constant
+ * algorithm string* (or key-size argument), not data flow.
+ *
+ * Detection per language:
+ *   Java:
+ *     - `Cipher.getInstance("DES"|"DES/...")` / `"RC4"` / `"RC2"` / `"Blowfish"`
+ *     - `Cipher.getInstance(".../ECB/...")` — ECB mode
+ *     - `KeyGenerator.getInstance("DES"|"RC4"|"Blowfish")`
+ *     - `KeyPairGenerator.getInstance("RSA")` followed by `initialize(<2048)`
+ *       (the `.initialize(int)` literal under 2048 is detected directly when
+ *       the receiver class is a generator)
+ *   Python:
+ *     - `Crypto.Cipher.DES.new(...)` / `Crypto.Cipher.ARC4.new(...)` /
+ *       `Crypto.Cipher.Blowfish.new(...)` (pycryptodome / pycrypto)
+ *     - `cryptography.hazmat.primitives.ciphers.algorithms.{TripleDES,Blowfish,ARC4,IDEA,SEED,CAST5}`
+ *     - `AES.new(key, AES.MODE_ECB)` — ECB mode argument
+ *   JavaScript / TypeScript:
+ *     - `crypto.createCipher(...)` (deprecated; always weak)
+ *     - `crypto.createCipheriv("des-..."|"rc4"|"bf-..."|"des-ede"|".*-ecb")`
+ *   Go:
+ *     - `des.NewCipher(...)` / `des.NewTripleDESCipher(...)` / `rc4.NewCipher(...)`
+ *       (from `crypto/des` and `crypto/rc4`)
+ *     - `cipher.NewECBEncrypter(...)` (custom ECB wrappers — best-effort)
+ *
+ * Aligned with: gosec G401/G405, Bandit B304/B305/B306, OWASP Benchmark `crypto` category.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface WeakCryptoResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        issue: 'weak-cipher' | 'ecb-mode' | 'deprecated-api';
+        detail: string;
+        api: string;
+    }>;
+}
+export declare class WeakCryptoPass implements AnalysisPass<WeakCryptoResult> {
+    readonly name = "weak-crypto";
+    readonly category: "security";
+    run(ctx: PassContext): WeakCryptoResult;
+    private buildMessage;
+    private detect;
+}
+//# sourceMappingURL=weak-crypto-pass.d.ts.map

package/dist/analysis/passes/weak-crypto-pass.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"weak-crypto-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AA4C9E,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,aAAa,GAAG,UAAU,GAAG,gBAAgB,CAAC;QACrD,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,cAAe,YAAW,YAAY,CAAC,gBAAgB,CAAC;IACnE,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,gBAAgB;IAmCvC,OAAO,CAAC,YAAY;IAwBpB,OAAO,CAAC,MAAM;CA2Gf"}

package/dist/analysis/passes/weak-crypto-pass.js ADDED Viewed

@@ -0,0 +1,223 @@
+/**
+ * Pass: weak-crypto (CWE-327, category: security)
+ *
+ * Pattern pass — flags use of cryptographically weak symmetric ciphers
+ * (DES, 3DES, RC2, RC4, Blowfish), ECB mode, weak RSA key sizes (< 2048),
+ * and weak AES modes. Like weak-hash, the vulnerability is the *constant
+ * algorithm string* (or key-size argument), not data flow.
+ *
+ * Detection per language:
+ *   Java:
+ *     - `Cipher.getInstance("DES"|"DES/...")` / `"RC4"` / `"RC2"` / `"Blowfish"`
+ *     - `Cipher.getInstance(".../ECB/...")` — ECB mode
+ *     - `KeyGenerator.getInstance("DES"|"RC4"|"Blowfish")`
+ *     - `KeyPairGenerator.getInstance("RSA")` followed by `initialize(<2048)`
+ *       (the `.initialize(int)` literal under 2048 is detected directly when
+ *       the receiver class is a generator)
+ *   Python:
+ *     - `Crypto.Cipher.DES.new(...)` / `Crypto.Cipher.ARC4.new(...)` /
+ *       `Crypto.Cipher.Blowfish.new(...)` (pycryptodome / pycrypto)
+ *     - `cryptography.hazmat.primitives.ciphers.algorithms.{TripleDES,Blowfish,ARC4,IDEA,SEED,CAST5}`
+ *     - `AES.new(key, AES.MODE_ECB)` — ECB mode argument
+ *   JavaScript / TypeScript:
+ *     - `crypto.createCipher(...)` (deprecated; always weak)
+ *     - `crypto.createCipheriv("des-..."|"rc4"|"bf-..."|"des-ede"|".*-ecb")`
+ *   Go:
+ *     - `des.NewCipher(...)` / `des.NewTripleDESCipher(...)` / `rc4.NewCipher(...)`
+ *       (from `crypto/des` and `crypto/rc4`)
+ *     - `cipher.NewECBEncrypter(...)` (custom ECB wrappers — best-effort)
+ *
+ * Aligned with: gosec G401/G405, Bandit B304/B305/B306, OWASP Benchmark `crypto` category.
+ */
+// Weak symmetric ciphers (algorithm name set, lowercased).
+const WEAK_CIPHER_BASES = new Set([
+    'des', '3des', 'desede', 'tripledes',
+    'rc2', 'rc4', 'arc4',
+    'blowfish', 'bf',
+    'idea', 'seed', 'cast5',
+]);
+// Java cipher transformation regex: "ALG/MODE/PADDING"; we look at base and mode.
+function classifyJavaCipherSpec(spec) {
+    const parts = spec.split('/').map((p) => p.trim().toLowerCase());
+    const base = parts[0] ?? '';
+    const mode = parts[1] ?? '';
+    const result = {};
+    if (WEAK_CIPHER_BASES.has(base))
+        result.weakBase = base;
+    if (mode === 'ecb')
+        result.ecb = true;
+    // Java default when only base is given is ECB (Cipher.getInstance("AES") == AES/ECB/PKCS5).
+    if (parts.length === 1 && base === 'aes')
+        result.ecb = true;
+    return result;
+}
+function stripQuotes(s) {
+    const t = s.trim();
+    if ((t.startsWith('"') && t.endsWith('"')) ||
+        (t.startsWith("'") && t.endsWith("'")) ||
+        (t.startsWith('`') && t.endsWith('`'))) {
+        return t.slice(1, -1);
+    }
+    return t;
+}
+function literalAlgo(call, position) {
+    const arg = call.arguments.find((a) => a.position === position);
+    if (!arg)
+        return null;
+    const raw = arg.literal ?? arg.expression ?? '';
+    const cleaned = stripQuotes(raw);
+    return cleaned || null;
+}
+export class WeakCryptoPass {
+    name = 'weak-crypto';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        for (const call of graph.ir.calls) {
+            const detections = this.detect(call, language);
+            for (const det of detections) {
+                const line = call.location.line;
+                findings.push({ line, language, ...det });
+                const message = this.buildMessage(det);
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}-${det.issue}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-327',
+                    severity: 'high',
+                    level: 'error',
+                    message,
+                    file,
+                    line,
+                    fix: 'Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, ' +
+                        '3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption ' +
+                        'use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.',
+                    evidence: { ...det, language },
+                });
+            }
+        }
+        return { findings };
+    }
+    buildMessage(det) {
+        switch (det.issue) {
+            case 'weak-cipher':
+                return (`Weak symmetric cipher \`${det.detail.toUpperCase()}\` used via ` +
+                    `\`${det.api}\`. DES, 3DES, RC2, RC4, Blowfish, and IDEA/SEED/CAST5 ` +
+                    'are deprecated and broken at modern key sizes.');
+            case 'ecb-mode':
+                return (`ECB block-cipher mode used via \`${det.api}\` (\`${det.detail}\`). ` +
+                    'ECB leaks plaintext structure (identical blocks → identical ciphertext) ' +
+                    'and is not semantically secure.');
+            case 'deprecated-api':
+                return (`Deprecated crypto API \`${det.api}\` used (no IV: \`${det.detail}\`). ` +
+                    'This API derives the key/IV from a password in an insecure way.');
+            default:
+                return `Weak cryptography: ${det.detail} (${det.api})`;
+        }
+    }
+    detect(call, language) {
+        const method = call.method_name;
+        const receiver = call.receiver ?? '';
+        const out = [];
+        if (language === 'java') {
+            // Cipher.getInstance(...) / KeyGenerator.getInstance(...)
+            const isCipherFactory = method === 'getInstance' &&
+                (receiver === 'Cipher' || receiver.endsWith('.Cipher') ||
+                    receiver === 'KeyGenerator' || receiver.endsWith('.KeyGenerator'));
+            if (isCipherFactory) {
+                const spec = literalAlgo(call, 0);
+                if (spec) {
+                    const { weakBase, ecb } = classifyJavaCipherSpec(spec);
+                    const api = `${receiver}.getInstance`;
+                    if (weakBase)
+                        out.push({ issue: 'weak-cipher', detail: weakBase, api });
+                    if (ecb)
+                        out.push({ issue: 'ecb-mode', detail: spec, api });
+                }
+            }
+            return out;
+        }
+        if (language === 'python') {
+            // Crypto.Cipher.DES.new(...) / ARC4.new(...) / Blowfish.new(...)
+            // pycryptodome receiver shape: `Crypto.Cipher.DES` or just `DES` (after import).
+            if (method === 'new') {
+                const rcvLower = receiver.toLowerCase();
+                const lastSeg = rcvLower.split('.').pop() ?? rcvLower;
+                if (WEAK_CIPHER_BASES.has(lastSeg)) {
+                    out.push({ issue: 'weak-cipher', detail: lastSeg, api: `${receiver}.new` });
+                }
+                // AES.new(key, AES.MODE_ECB) — ECB mode argument
+                if (lastSeg === 'aes' || lastSeg.endsWith('.aes')) {
+                    const mode = call.arguments.find((a) => a.position === 1);
+                    const modeExpr = (mode?.expression ?? '').trim();
+                    if (/\bMODE_ECB\b/.test(modeExpr)) {
+                        out.push({ issue: 'ecb-mode', detail: 'AES.MODE_ECB', api: `${receiver}.new` });
+                    }
+                }
+            }
+            // cryptography.hazmat ciphers — algorithms.TripleDES(key) / Blowfish(key) / ARC4(key) / IDEA(key) / SEED(key) / CAST5(key)
+            // Receiver here is `algorithms` (or full path); method is the algo name.
+            const isHazmatAlgos = receiver === 'algorithms' || receiver.endsWith('.algorithms');
+            if (isHazmatAlgos) {
+                const m = method.toLowerCase();
+                const normalized = m === 'tripledes' ? '3des' : m;
+                if (WEAK_CIPHER_BASES.has(normalized)) {
+                    out.push({ issue: 'weak-cipher', detail: normalized, api: `algorithms.${method}` });
+                }
+            }
+            return out;
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            // crypto.createCipher(...) — deprecated, always weak (no IV).
+            if (method === 'createCipher' && receiver === 'crypto') {
+                const algo = literalAlgo(call, 0) ?? '<unknown>';
+                out.push({ issue: 'deprecated-api', detail: algo, api: 'crypto.createCipher' });
+            }
+            // crypto.createCipheriv("des-..."|"rc4"|"...-ecb"|...)
+            if (method === 'createCipheriv' && receiver === 'crypto') {
+                const algo = literalAlgo(call, 0);
+                if (algo) {
+                    const lower = algo.toLowerCase();
+                    // Split on dashes: "aes-128-ecb", "des-ede3-cbc", "rc4", "bf-cbc"
+                    const parts = lower.split('-');
+                    const base = parts[0];
+                    const mode = parts[parts.length - 1];
+                    let normalizedBase = base;
+                    if (base === 'bf')
+                        normalizedBase = 'blowfish';
+                    if (base === 'desede' || base === 'des-ede3' || base === 'des3')
+                        normalizedBase = '3des';
+                    if (WEAK_CIPHER_BASES.has(normalizedBase)) {
+                        out.push({ issue: 'weak-cipher', detail: normalizedBase, api: 'crypto.createCipheriv' });
+                    }
+                    if (mode === 'ecb') {
+                        out.push({ issue: 'ecb-mode', detail: lower, api: 'crypto.createCipheriv' });
+                    }
+                }
+            }
+            return out;
+        }
+        if (language === 'go') {
+            // crypto/des: des.NewCipher / des.NewTripleDESCipher
+            if (receiver === 'des' && (method === 'NewCipher' || method === 'NewTripleDESCipher')) {
+                const base = method === 'NewTripleDESCipher' ? '3des' : 'des';
+                out.push({ issue: 'weak-cipher', detail: base, api: `des.${method}` });
+            }
+            // crypto/rc4: rc4.NewCipher
+            if (receiver === 'rc4' && method === 'NewCipher') {
+                out.push({ issue: 'weak-cipher', detail: 'rc4', api: 'rc4.NewCipher' });
+            }
+            // ECB mode wrappers — cipher.NewECBEncrypter / NewECBDecrypter (custom helpers
+            // — Go stdlib intentionally omits ECB, so any such call is suspect).
+            if ((method === 'NewECBEncrypter' || method === 'NewECBDecrypter') && receiver === 'cipher') {
+                out.push({ issue: 'ecb-mode', detail: method, api: `cipher.${method}` });
+            }
+            return out;
+        }
+        return out;
+    }
+}
+//# sourceMappingURL=weak-crypto-pass.js.map

package/dist/analysis/passes/weak-crypto-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"weak-crypto-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAKH,2DAA2D;AAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW;IACpC,KAAK,EAAE,KAAK,EAAE,MAAM;IACpB,UAAU,EAAE,IAAI;IAChB,MAAM,EAAE,MAAM,EAAE,OAAO;CACxB,CAAC,CAAC;AAEH,kFAAkF;AAClF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAyC,EAAE,CAAC;IACxD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;IACxD,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IACtC,4FAA4F;IAC5F,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IAC5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,IACE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EACtC,CAAC;QACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,WAAW,CAAC,IAAc,EAAE,QAAgB;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,OAAO,IAAI,IAAI,CAAC;AACzB,CAAC;AAYD,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAiC,EAAE,CAAC;QAElD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC/C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBACvC,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO;oBACP,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,+DAA+D;wBAC/D,oEAAoE;wBACpE,iEAAiE;oBACnE,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,YAAY,CAAC,GAAmD;QACtE,QAAQ,GAAG,CAAC,KAAK,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,OAAO,CACL,2BAA2B,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc;oBACjE,KAAK,GAAG,CAAC,GAAG,yDAAyD;oBACrE,gDAAgD,CACjD,CAAC;YACJ,KAAK,UAAU;gBACb,OAAO,CACL,oCAAoC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACrE,0EAA0E;oBAC1E,iCAAiC,CAClC,CAAC;YACJ,KAAK,gBAAgB;gBACnB,OAAO,CACL,2BAA2B,GAAG,CAAC,GAAG,qBAAqB,GAAG,CAAC,MAAM,OAAO;oBACxE,iEAAiE,CAClE,CAAC;YACJ;gBACE,OAAO,sBAAsB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAK7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAAiG,EAAE,CAAC;QAE7G,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,0DAA0D;YAC1D,MAAM,eAAe,GACnB,MAAM,KAAK,aAAa;gBACxB,CAAC,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACrD,QAAQ,KAAK,cAAc,IAAI,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;YACtE,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;oBACvD,MAAM,GAAG,GAAG,GAAG,QAAQ,cAAc,CAAC;oBACtC,IAAI,QAAQ;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;oBACxE,IAAI,GAAG;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,iEAAiE;YACjE,iFAAiF;YACjF,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;gBACtD,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;gBAC9E,CAAC;gBACD,iDAAiD;gBACjD,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACjD,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAClC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;oBAClF,CAAC;gBACH,CAAC;YACH,CAAC;YACD,2HAA2H;YAC3H,yEAAyE;YACzE,MAAM,aAAa,GAAG,QAAQ,KAAK,YAAY,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpF,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClD,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;oBACtC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,cAAc,MAAM,EAAE,EAAE,CAAC,CAAC;gBACtF,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,8DAA8D;YAC9D,IAAI,MAAM,KAAK,cAAc,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,WAAW,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAClF,CAAC;YACD,uDAAuD;YACvD,IAAI,MAAM,KAAK,gBAAgB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjC,kEAAkE;oBAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;oBACrC,IAAI,cAAc,GAAG,IAAI,CAAC;oBAC1B,IAAI,IAAI,KAAK,IAAI;wBAAE,cAAc,GAAG,UAAU,CAAC;oBAC/C,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,MAAM;wBAAE,cAAc,GAAG,MAAM,CAAC;oBACzF,IAAI,iBAAiB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;wBAC1C,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC3F,CAAC;oBACD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;wBACnB,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,qDAAqD;YACrD,IAAI,QAAQ,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACtF,MAAM,IAAI,GAAG,MAAM,KAAK,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,MAAM,EAAE,EAAE,CAAC,CAAC;YACzE,CAAC;YACD,4BAA4B;YAC5B,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;YAC1E,CAAC;YACD,+EAA+E;YAC/E,qEAAqE;YACrE,IAAI,CAAC,MAAM,KAAK,iBAAiB,IAAI,MAAM,KAAK,iBAAiB,CAAC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC5F,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC,CAAC;YAC3E,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}

package/dist/analysis/passes/weak-hash-pass.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * Pass: weak-hash (CWE-328, category: security)
+ *
+ * Pattern pass — flags use of cryptographically broken hash algorithms
+ * (MD2, MD4, MD5, SHA-1) for security purposes. The vulnerability is
+ * the *constant algorithm string*, not data flow: `MessageDigest.getInstance("MD5")`
+ * is always vulnerable regardless of input. Therefore this is implemented
+ * as call-site literal inspection, not as a taint sink.
+ *
+ * Detection per language:
+ *   Java:
+ *     - `MessageDigest.getInstance("MD5"|"SHA-1"|"SHA1"|"MD2"|"MD4")`
+ *     - `DigestUtils.md5(...)` / `md5Hex(...)` / `sha1(...)` / `sha1Hex(...)`
+ *       (Apache Commons Codec — method name encodes the algorithm)
+ *   Python:
+ *     - `hashlib.md5(...)` / `hashlib.sha1(...)` / `hashlib.md4(...)` / `hashlib.new("md5", ...)`
+ *   JavaScript / TypeScript:
+ *     - `crypto.createHash('md5'|'sha1'|'md4'|'md2')`
+ *     - `crypto.createHmac('md5'|'sha1', key)`
+ *   Go:
+ *     - `md5.New()` / `md5.Sum(...)` / `sha1.New()` / `sha1.Sum(...)`
+ *       (from `crypto/md5` and `crypto/sha1` packages)
+ *
+ * Aligned with: gosec G401, Bandit B303/B304, OWASP Benchmark `hash` category.
+ *
+ * Replaces (and supersedes) the broken taint-sink registration
+ * `{method:'getInstance', class:'MessageDigest', type:'weak_hash'}` that
+ * could never fire on a literal algorithm name.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface WeakHashResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        algorithm: string;
+        api: string;
+    }>;
+}
+export declare class WeakHashPass implements AnalysisPass<WeakHashResult> {
+    readonly name = "weak-hash";
+    readonly category: "security";
+    run(ctx: PassContext): WeakHashResult;
+    private detect;
+}
+//# sourceMappingURL=weak-hash-pass.d.ts.map

package/dist/analysis/passes/weak-hash-pass.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"weak-hash-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-hash-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAoB9E,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAsBD,qBAAa,YAAa,YAAW,YAAY,CAAC,cAAc,CAAC;IAC/D,QAAQ,CAAC,IAAI,eAAe;IAC5B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,cAAc;IAsCrC,OAAO,CAAC,MAAM;CA6Df"}