circle-ir 3.51.0 → 3.53.0

package/dist/analysis/passes/tls-verify-disabled-pass.js

@@ -0,0 +1,247 @@
+/**
+ * Pass: tls-verify-disabled (CWE-295, category: security)
+ *
+ * Pattern pass — flags places where TLS certificate / hostname verification
+ * is explicitly disabled. This is a *configuration* vulnerability (the bad
+ * value is hard-coded, no taint flow is involved).
+ *
+ * Detection per language:
+ *   Go:
+ *     - `&tls.Config{InsecureSkipVerify: true}` (composite literal)
+ *     - Detected via call argument scan: when the receiver is `tls` and
+ *       call/composite contains literal `InsecureSkipVerify: true`, OR via
+ *       a syntactic text scan (composite literals are not always emitted
+ *       as calls in IR).
+ *   Python:
+ *     - `requests.get|post|put|delete|patch|head|options|request(..., verify=False)`
+ *     - `ssl._create_unverified_context()` / `ssl._create_default_https_context = ssl._create_unverified_context`
+ *     - `urllib3.disable_warnings(InsecureRequestWarning)` — best-effort hint
+ *     - `httpx.Client(verify=False)` / `httpx.get(..., verify=False)`
+ *   JavaScript / TypeScript:
+ *     - `{ rejectUnauthorized: false }` in https.request / fetch options /
+ *       node-fetch / axios — text scan on arg expressions
+ *     - `https.Agent({ rejectUnauthorized: false })`
+ *     - `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'` (assignment;
+ *       detected via call to property assignment — best-effort)
+ *   Java:
+ *     - Custom `HostnameVerifier` that returns true unconditionally
+ *       (lambdas `(h, s) -> true` / anonymous classes) — detected via
+ *       textual scan on setHostnameVerifier arg expression.
+ *     - `setHostnameVerifier(NoopHostnameVerifier.INSTANCE)` /
+ *       `setHostnameVerifier(new AllowAllHostnameVerifier())`
+ *
+ * Aligned with: gosec G402 (Go), Bandit B501/B502/B504/B505 (Python).
+ */
+// Python HTTP libraries whose calls accept a verify=False kwarg.
+const PY_HTTP_METHODS = new Set([
+    'get', 'post', 'put', 'delete', 'patch', 'head', 'options', 'request',
+    'send',
+]);
+const PY_HTTP_RECEIVERS = new Set([
+    'requests', 'httpx',
+]);
+const VERIFY_FALSE_RE = /\bverify\s*=\s*False\b/;
+const REJECT_UNAUTHORIZED_FALSE_RE = /\brejectUnauthorized\s*:\s*false\b/;
+const INSECURE_SKIP_VERIFY_TRUE_RE = /\bInsecureSkipVerify\s*:\s*true\b/;
+const HOSTNAME_LAMBDA_TRUE_RE = /\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\b/;
+const ALLOW_ALL_HOSTNAME_VERIFIERS = new Set([
+    'NoopHostnameVerifier.INSTANCE',
+    'new AllowAllHostnameVerifier()',
+    'new NoopHostnameVerifier()',
+]);
+export class TlsVerifyDisabledPass {
+    name = 'tls-verify-disabled';
+    category = 'security';
+    run(ctx) {
+        const { graph, language, code } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        // Call-based detection (most precise — uses arg.expression text).
+        for (const call of graph.ir.calls) {
+            const det = this.detectCall(call, language);
+            if (!det)
+                continue;
+            const line = call.location.line;
+            findings.push({ line, language, ...det });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${line}-${det.pattern}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-295',
+                severity: 'high',
+                level: 'error',
+                message: `TLS certificate verification disabled via \`${det.pattern}\` in ` +
+                    `\`${det.api}\`. The connection becomes vulnerable to active ` +
+                    'man-in-the-middle attacks — any attacker on the network path can ' +
+                    'present a forged certificate.',
+                file,
+                line,
+                fix: this.fixFor(language, det.pattern),
+                evidence: { ...det, language },
+            });
+        }
+        // Source-text scan for composite-literal / module-level patterns that
+        // do not surface as IR calls (Go `tls.Config{}`, Python ssl globals,
+        // Node `NODE_TLS_REJECT_UNAUTHORIZED`).
+        for (const extra of this.detectSourceText(code, language)) {
+            const dupKey = `${extra.line}-${extra.pattern}`;
+            if (findings.some((f) => `${f.line}-${f.pattern}` === dupKey))
+                continue;
+            findings.push({ ...extra, language });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${extra.line}-${extra.pattern}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-295',
+                severity: 'high',
+                level: 'error',
+                message: `TLS certificate verification disabled via \`${extra.pattern}\` ` +
+                    `(${extra.api}). Vulnerable to active man-in-the-middle.`,
+                file,
+                line: extra.line,
+                fix: this.fixFor(language, extra.pattern),
+                evidence: { ...extra, language },
+            });
+        }
+        return { findings };
+    }
+    detectCall(call, language) {
+        const method = call.method_name;
+        const receiver = call.receiver ?? '';
+        if (language === 'python') {
+            // requests.get(..., verify=False) etc.
+            if (PY_HTTP_RECEIVERS.has(receiver) && PY_HTTP_METHODS.has(method)) {
+                for (const arg of call.arguments) {
+                    const expr = (arg.expression ?? '').trim();
+                    if (VERIFY_FALSE_RE.test(expr)) {
+                        return { pattern: 'verify=False', api: `${receiver}.${method}` };
+                    }
+                }
+            }
+            // ssl._create_unverified_context()
+            if (method === '_create_unverified_context' && receiver === 'ssl') {
+                return { pattern: 'ssl._create_unverified_context', api: 'ssl._create_unverified_context()' };
+            }
+            // httpx.Client(verify=False) — same shape via constructor; receiver is module.
+            if (receiver === 'httpx' && method === 'Client') {
+                for (const arg of call.arguments) {
+                    if (VERIFY_FALSE_RE.test(arg.expression ?? '')) {
+                        return { pattern: 'verify=False', api: 'httpx.Client' };
+                    }
+                }
+            }
+            return null;
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            // axios.create({httpsAgent: new https.Agent({rejectUnauthorized: false})}),
+            // https.request({rejectUnauthorized: false}, ...), fetch(url, {agent: ...})
+            // We do an arg-expression text scan because the option commonly appears
+            // inside an inline object literal.
+            //
+            // The JS plugin sometimes surfaces `new https.Agent(...)` with
+            // method_name='https.Agent' and receiver=null (rather than receiver='https',
+            // method='Agent'). Accept the trailing segment of the dotted name too.
+            const lastSeg = method.includes('.') ? method.split('.').pop() ?? '' : method;
+            const arglooks = method === 'request' || method === 'get' || method === 'post' ||
+                method === 'create' || method === 'Agent' || method === 'fetch' ||
+                lastSeg === 'Agent' || lastSeg === 'request' || lastSeg === 'create';
+            if (arglooks) {
+                for (const arg of call.arguments) {
+                    if (REJECT_UNAUTHORIZED_FALSE_RE.test(arg.expression ?? '')) {
+                        return { pattern: 'rejectUnauthorized: false', api: `${receiver || '(global)'}.${method}` };
+                    }
+                }
+            }
+            return null;
+        }
+        if (language === 'java') {
+            // someConn.setHostnameVerifier((h, s) -> true)
+            if (method === 'setHostnameVerifier') {
+                const arg = call.arguments.find((a) => a.position === 0);
+                const expr = (arg?.expression ?? '').trim();
+                if (HOSTNAME_LAMBDA_TRUE_RE.test(expr)) {
+                    return { pattern: '(h,s) -> true', api: 'setHostnameVerifier' };
+                }
+                for (const v of ALLOW_ALL_HOSTNAME_VERIFIERS) {
+                    if (expr === v || expr.replace(/\s+/g, '') === v.replace(/\s+/g, '')) {
+                        return { pattern: v, api: 'setHostnameVerifier' };
+                    }
+                }
+            }
+            return null;
+        }
+        return null;
+    }
+    detectSourceText(code, language) {
+        const out = [];
+        const lines = code.split('\n');
+        if (language === 'go') {
+            // Look for `InsecureSkipVerify: true` literal anywhere — overwhelmingly
+            // appears in tls.Config{} composite literals.
+            for (let i = 0; i < lines.length; i++) {
+                if (INSECURE_SKIP_VERIFY_TRUE_RE.test(lines[i])) {
+                    out.push({
+                        line: i + 1,
+                        pattern: 'InsecureSkipVerify: true',
+                        api: 'tls.Config',
+                    });
+                }
+            }
+        }
+        if (language === 'python') {
+            for (let i = 0; i < lines.length; i++) {
+                const l = lines[i];
+                if (/ssl\._create_default_https_context\s*=\s*ssl\._create_unverified_context/.test(l)) {
+                    out.push({
+                        line: i + 1,
+                        pattern: 'ssl._create_default_https_context = _create_unverified_context',
+                        api: 'ssl module override',
+                    });
+                }
+            }
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            for (let i = 0; i < lines.length; i++) {
+                const l = lines[i];
+                if (/process\.env\.NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]0['"]/.test(l)) {
+                    out.push({
+                        line: i + 1,
+                        pattern: 'NODE_TLS_REJECT_UNAUTHORIZED=0',
+                        api: 'process.env',
+                    });
+                }
+            }
+        }
+        return out;
+    }
+    fixFor(language, pattern) {
+        if (pattern.includes('InsecureSkipVerify')) {
+            return 'Remove `InsecureSkipVerify: true` — let Go verify the cert. If ' +
+                'you need to trust a private CA, set `RootCAs` to a `*x509.CertPool` ' +
+                'containing that CA.';
+        }
+        if (pattern.includes('verify=False')) {
+            return 'Remove `verify=False`. To trust a private CA, pass `verify=\'/path/to/ca.pem\'`.';
+        }
+        if (pattern.includes('rejectUnauthorized')) {
+            return 'Remove `rejectUnauthorized: false`. To trust a private CA, set the ' +
+                '`ca` option to the CA cert(s). Never disable TLS verification globally.';
+        }
+        if (pattern.includes('NODE_TLS_REJECT_UNAUTHORIZED')) {
+            return 'Remove the `NODE_TLS_REJECT_UNAUTHORIZED=0` assignment — it globally ' +
+                'disables TLS verification for every outbound HTTPS request.';
+        }
+        if (language === 'java') {
+            return 'Do not use an always-true HostnameVerifier or AllowAllHostnameVerifier. ' +
+                'Use the JVM\'s default verifier; for self-signed certs add the cert to a ' +
+                'custom TrustManager that validates the chain.';
+        }
+        if (pattern.includes('ssl._create_unverified_context')) {
+            return 'Do not use `_create_unverified_context()`. Use `ssl.create_default_context()`.';
+        }
+        return 'Restore TLS certificate and hostname verification.';
+    }
+}
+//# sourceMappingURL=tls-verify-disabled-pass.js.map

package/dist/analysis/passes/tls-verify-disabled-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tls-verify-disabled-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/tls-verify-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAKH,iEAAiE;AACjE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS;IACrE,MAAM;CACP,CAAC,CAAC;AACH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,UAAU,EAAE,OAAO;CACpB,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,wBAAwB,CAAC;AACjD,MAAM,4BAA4B,GAAG,oCAAoC,CAAC;AAC1E,MAAM,4BAA4B,GAAG,mCAAmC,CAAC;AACzE,MAAM,uBAAuB,GAAG,uCAAuC,CAAC;AACxE,MAAM,4BAA4B,GAAG,IAAI,GAAG,CAAC;IAC3C,+BAA+B;IAC/B,gCAAgC;IAChC,4BAA4B;CAC7B,CAAC,CAAC;AAWH,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,qBAAqB,CAAC;IAC7B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAwC,EAAE,CAAC;QAEzD,kEAAkE;QAClE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,GAAG;gBAAE,SAAS;YAEnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;YAE1C,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;gBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EACL,+CAA+C,GAAG,CAAC,OAAO,QAAQ;oBAClE,KAAK,GAAG,CAAC,GAAG,kDAAkD;oBAC9D,mEAAmE;oBACnE,+BAA+B;gBACjC,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC;gBACvC,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;QAED,sEAAsE;QACtE,qEAAqE;QACrE,wCAAwC;QACxC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC1D,MAAM,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAChD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,MAAM,CAAC;gBAAE,SAAS;YACxE,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YACtC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE;gBACzD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EACL,+CAA+C,KAAK,CAAC,OAAO,KAAK;oBACjE,IAAI,KAAK,CAAC,GAAG,4CAA4C;gBAC3D,IAAI;gBACJ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC;gBACzC,QAAQ,EAAE,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE;aACjC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,IAAc,EAAE,QAAgB;QAIjD,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QAErC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,uCAAuC;YACvC,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnE,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC3C,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/B,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,QAAQ,IAAI,MAAM,EAAE,EAAE,CAAC;oBACnE,CAAC;gBACH,CAAC;YACH,CAAC;YACD,mCAAmC;YACnC,IAAI,MAAM,KAAK,4BAA4B,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAClE,OAAO,EAAE,OAAO,EAAE,gCAAgC,EAAE,GAAG,EAAE,kCAAkC,EAAE,CAAC;YAChG,CAAC;YACD,+EAA+E;YAC/E,IAAI,QAAQ,KAAK,OAAO,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAChD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC/C,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC;oBAC1D,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,4EAA4E;YAC5E,4EAA4E;YAC5E,wEAAwE;YACxE,mCAAmC;YACnC,EAAE;YACF,+DAA+D;YAC/D,6EAA6E;YAC7E,uEAAuE;YACvE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;YAC9E,MAAM,QAAQ,GACZ,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM;gBAC7D,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,OAAO;gBAC/D,OAAO,KAAK,OAAO,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,QAAQ,CAAC;YACvE,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,IAAI,4BAA4B,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC5D,OAAO,EAAE,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,GAAG,QAAQ,IAAI,UAAU,IAAI,MAAM,EAAE,EAAE,CAAC;oBAC9F,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,+CAA+C;YAC/C,IAAI,MAAM,KAAK,qBAAqB,EAAE,CAAC;gBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;gBACzD,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5C,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvC,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC;gBAClE,CAAC;gBACD,KAAK,MAAM,CAAC,IAAI,4BAA4B,EAAE,CAAC;oBAC7C,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;wBACrE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC;oBACpD,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,gBAAgB,CAAC,IAAY,EAAE,QAAgB;QAGrD,MAAM,GAAG,GAA0D,EAAE,CAAC;QACtE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,wEAAwE;YACxE,8CAA8C;YAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChD,GAAG,CAAC,IAAI,CAAC;wBACP,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE,0BAA0B;wBACnC,GAAG,EAAE,YAAY;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACnB,IAAI,0EAA0E,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvF,GAAG,CAAC,IAAI,CAAC;wBACP,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE,gEAAgE;wBACzE,GAAG,EAAE,qBAAqB;qBAC3B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACnB,IAAI,4DAA4D,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzE,GAAG,CAAC,IAAI,CAAC;wBACP,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE,gCAAgC;wBACzC,GAAG,EAAE,aAAa;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,MAAM,CAAC,QAAgB,EAAE,OAAe;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3C,OAAO,iEAAiE;gBACtE,sEAAsE;gBACtE,qBAAqB,CAAC;QAC1B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACrC,OAAO,kFAAkF,CAAC;QAC5F,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3C,OAAO,qEAAqE;gBAC1E,yEAAyE,CAAC;QAC9E,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,8BAA8B,CAAC,EAAE,CAAC;YACrD,OAAO,uEAAuE;gBAC5E,6DAA6D,CAAC;QAClE,CAAC;QACD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,0EAA0E;gBAC/E,2EAA2E;gBAC3E,+CAA+C,CAAC;QACpD,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,CAAC;YACvD,OAAO,gFAAgF,CAAC;QAC1F,CAAC;QACD,OAAO,oDAAoD,CAAC;IAC9D,CAAC;CACF"}

package/dist/analysis/passes/weak-crypto-pass.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Pass: weak-crypto (CWE-327 / CWE-329 / CWE-321 / CWE-326, category: security)
+ *
+ * Pattern pass — flags use of cryptographically weak symmetric ciphers
+ * (DES, 3DES, RC2, RC4, Blowfish), ECB mode, weak RSA key sizes (< 2048),
+ * static/zero IVs (CWE-329), hardcoded symmetric keys (CWE-321), and weak
+ * AES modes. Like weak-hash, the vulnerability is the *constant algorithm
+ * string*, *constant IV bytes*, *literal key material*, or *key-size
+ * argument*, not data flow.
+ *
+ * Detection per language:
+ *   Java:
+ *     - `Cipher.getInstance("DES"|"DES/...")` / `"RC4"` / `"RC2"` / `"Blowfish"`
+ *     - `Cipher.getInstance(".../ECB/...")` — ECB mode
+ *     - `KeyGenerator.getInstance("DES"|"RC4"|"Blowfish")`
+ *     - `new IvParameterSpec(new byte[N])` / `new IvParameterSpec(literalBytes)`
+ *       — static/zero IV (CWE-329, issue #87)
+ *     - `new SecretKeySpec("literal".getBytes(), ...)` — hardcoded symmetric
+ *       key (CWE-321, issue #87)
+ *     - `KeyPairGenerator.initialize(<2048)` — weak RSA key size (CWE-326,
+ *       issue #87). Detected by literal `< 2048` argument on `initialize`
+ *       calls whose receiver is a `KeyPairGenerator` (best-effort: matches
+ *       any `*.initialize(int)` where the literal is below 2048, since
+ *       2048+ is also the minimum for DSA / DH and 256+ is correct for EC).
+ *   Python:
+ *     - `Crypto.Cipher.DES.new(...)` / `Crypto.Cipher.ARC4.new(...)` /
+ *       `Crypto.Cipher.Blowfish.new(...)` (pycryptodome / pycrypto)
+ *     - `cryptography.hazmat.primitives.ciphers.algorithms.{TripleDES,Blowfish,ARC4,IDEA,SEED,CAST5}`
+ *     - `AES.new(key, AES.MODE_ECB)` — ECB mode argument
+ *   JavaScript / TypeScript:
+ *     - `crypto.createCipher(...)` (deprecated; always weak)
+ *     - `crypto.createCipheriv("des-..."|"rc4"|"bf-..."|"des-ede"|".*-ecb")`
+ *   Go:
+ *     - `des.NewCipher(...)` / `des.NewTripleDESCipher(...)` / `rc4.NewCipher(...)`
+ *       (from `crypto/des` and `crypto/rc4`)
+ *     - `cipher.NewECBEncrypter(...)` (custom ECB wrappers — best-effort)
+ *
+ * Aligned with: gosec G401/G405, Bandit B304/B305/B306, OWASP Benchmark `crypto` category.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export type WeakCryptoIssue = 'weak-cipher' | 'ecb-mode' | 'deprecated-api' | 'static-iv' | 'hardcoded-key' | 'weak-rsa-key';
+export interface WeakCryptoResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        issue: WeakCryptoIssue;
+        detail: string;
+        api: string;
+    }>;
+}
+export declare class WeakCryptoPass implements AnalysisPass<WeakCryptoResult> {
+    readonly name = "weak-crypto";
+    readonly category: "security";
+    run(ctx: PassContext): WeakCryptoResult;
+    private buildMessage;
+    private buildFix;
+    private detect;
+}
+//# sourceMappingURL=weak-crypto-pass.d.ts.map

package/dist/analysis/passes/weak-crypto-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"weak-crypto-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAkI9E,MAAM,MAAM,eAAe,GACvB,aAAa,GACb,UAAU,GACV,gBAAgB,GAChB,WAAW,GACX,eAAe,GACf,cAAc,CAAC;AAYnB,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,eAAe,CAAC;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,cAAe,YAAW,YAAY,CAAC,gBAAgB,CAAC;IACnE,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,gBAAgB;IAgCvC,OAAO,CAAC,YAAY;IA0CpB,OAAO,CAAC,QAAQ;IA2BhB,OAAO,CAAC,MAAM;CAqJf"}