circle-ir 3.51.0 → 3.53.0

package/dist/browser/circle-ir.js

@@ -10621,6 +10621,13 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  // Archive entry names (Zip-Slip / Tar-Slip CWE-22, issue #52)
+  // entry.getName() returns a path that may contain ../ — flowing into File()/FileOutputStream()
+  // is a classic Zip-Slip vulnerability.
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   // Command line arguments
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
@@ -11055,7 +11062,7 @@ var DEFAULT_SINKS = [
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Zip/archive handling
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
+  // ZipEntry.getName moved to file_sources.yaml as a taint SOURCE (type=archive_entry, issue #52)
   // Resource loading classes (various frameworks)
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11532,26 +11539,16 @@ var DEFAULT_SINKS = [
   { method: "get", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "post", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   // =============================================================================
-  // Weak Cryptography Sinks (no taint flow required - presence alone is vulnerability)
+  // Config / Absence Vulnerabilities (handled by dedicated pattern passes)
   // =============================================================================
-  // Weak Random (CWE-330) - java.util.Random is not cryptographically secure
-  { method: "Random", class: "constructor", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextInt", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextLong", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextFloat", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextDouble", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextBoolean", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  { method: "nextBytes", class: "Random", type: "weak_random", cwe: "CWE-330", severity: "medium", arg_positions: [] },
-  // Weak Hash (CWE-328) - MD5/SHA1 are cryptographically broken
-  // Note: Detection requires checking algorithm argument - handled in runner
-  { method: "getInstance", class: "MessageDigest", type: "weak_hash", cwe: "CWE-328", severity: "medium", arg_positions: [0] },
-  // Weak Crypto (CWE-327) - DES/RC4/Blowfish are weak ciphers
-  // Note: Detection requires checking algorithm argument - handled in runner
-  { method: "getInstance", class: "Cipher", type: "weak_crypto", cwe: "CWE-327", severity: "high", arg_positions: [0] },
-  { method: "getInstance", class: "KeyGenerator", type: "weak_crypto", cwe: "CWE-327", severity: "high", arg_positions: [0] },
-  // Insecure Cookie (CWE-614) - cookies without secure/httpOnly flags
-  // Note: Detection requires checking if setSecure(true)/setHttpOnly(true) called - handled in runner
-  { method: "Cookie", class: "constructor", type: "insecure_cookie", cwe: "CWE-614", severity: "medium", arg_positions: [] },
+  // weak_random  → WeakRandomPass        (src/analysis/passes/weak-random-pass.ts)
+  // weak_hash    → WeakHashPass          (src/analysis/passes/weak-hash-pass.ts)
+  // weak_crypto  → WeakCryptoPass        (src/analysis/passes/weak-crypto-pass.ts)
+  // insecure_cookie → InsecureCookiePass (src/analysis/passes/insecure-cookie-pass.ts)
+  // tls_verify_disabled → TlsVerifyDisabledPass
+  // These patterns are detected by call-site literal inspection, not taint flow,
+  // so they are NOT registered here as sinks (they could never match a "tainted
+  // value flowing into a sink" because the bad value is a hard-coded constant).
   // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
   // The vulnerability is attacker controlling which key to use, not the value
   { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
@@ -12748,10 +12745,11 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {
+      } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+      } else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -13009,13 +13007,14 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {
+    } else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {
+    } else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }
@@ -27081,59 +27080,851 @@ var COOKIE_RESPONSE_RECEIVERS = /* @__PURE__ */ new Set([
 ]);
 var SECURE_TRUE_RE = /\bsecure\s*:\s*true\b/;
 var HTTPONLY_TRUE_RE = /\bhttpOnly\s*:\s*true\b/i;
+var PY_SET_COOKIE_RECEIVERS = /* @__PURE__ */ new Set([
+  "response",
+  "resp",
+  "res"
+]);
+var PY_SECURE_TRUE_RE = /\bsecure\s*=\s*True\b/;
+var PY_HTTPONLY_TRUE_RE = /\bhttponly\s*=\s*True\b/i;
+var JAVA_SET_SECURE_TRUE_RE = /\.setSecure\s*\(\s*true\s*\)/;
+var JAVA_SET_HTTPONLY_TRUE_RE = /\.setHttpOnly\s*\(\s*true\s*\)/;
 var InsecureCookiePass = class {
   name = "insecure-cookie";
   category = "security";
   run(ctx) {
-    const { graph, language } = ctx;
-    if (language !== "javascript" && language !== "typescript") {
-      return { insecureCookies: [] };
-    }
+    const { graph, language, code } = ctx;
     const file = graph.ir.meta.file;
     const insecureCookies = [];
+    if (language === "javascript" || language === "typescript") {
+      for (const call of graph.ir.calls) {
+        const det = this.detectJs(call);
+        if (!det) continue;
+        insecureCookies.push(det);
+        this.emit(ctx, file, det, "js");
+      }
+    } else if (language === "python") {
+      for (const call of graph.ir.calls) {
+        const det = this.detectPython(call);
+        if (!det) continue;
+        insecureCookies.push(det);
+        this.emit(ctx, file, det, "python");
+      }
+    } else if (language === "java") {
+      const hasSetSecureTrue = JAVA_SET_SECURE_TRUE_RE.test(code);
+      const hasSetHttpOnlyTrue = JAVA_SET_HTTPONLY_TRUE_RE.test(code);
+      for (const call of graph.ir.calls) {
+        const det = this.detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue);
+        if (!det) continue;
+        insecureCookies.push(det);
+        this.emit(ctx, file, det, "java");
+      }
+    }
+    return { insecureCookies };
+  }
+  // ---------------- JS / TS ----------------
+  detectJs(call) {
+    if (call.method_name !== "cookie") return null;
+    const receiver = call.receiver ?? "";
+    if (!COOKIE_RESPONSE_RECEIVERS.has(receiver)) return null;
+    if (call.arguments.length < 2) return null;
+    const opts = call.arguments.find((a) => a.position === 2);
+    const optsExpr = (opts?.expression ?? "").trim();
+    const optionsPresent = optsExpr.length > 0;
+    const missingSecure = !SECURE_TRUE_RE.test(optsExpr);
+    const missingHttpOnly = !HTTPONLY_TRUE_RE.test(optsExpr);
+    if (!missingSecure && !missingHttpOnly) return null;
+    return {
+      line: call.location.line,
+      receiver,
+      missingSecure,
+      missingHttpOnly,
+      optionsPresent
+    };
+  }
+  // ---------------- Python ----------------
+  detectPython(call) {
+    if (call.method_name !== "set_cookie") return null;
+    const receiver = call.receiver ?? "";
+    if (!PY_SET_COOKIE_RECEIVERS.has(receiver)) return null;
+    const argsBlob = call.arguments.map((a) => a.expression ?? "").join(", ");
+    const missingSecure = !PY_SECURE_TRUE_RE.test(argsBlob);
+    const missingHttpOnly = !PY_HTTPONLY_TRUE_RE.test(argsBlob);
+    if (!missingSecure && !missingHttpOnly) return null;
+    return {
+      line: call.location.line,
+      receiver,
+      missingSecure,
+      missingHttpOnly,
+      optionsPresent: call.arguments.length >= 2
+    };
+  }
+  // ---------------- Java ----------------
+  detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
+    if (call.method_name !== "Cookie") return null;
+    const looksLikeCtor = call.is_constructor || !call.receiver && call.receiver_type === "Cookie" || (call.resolution?.target ?? "").endsWith(".<init>");
+    if (!looksLikeCtor) return null;
+    if (call.arguments.length < 2) return null;
+    const missingSecure = !hasSetSecureTrue;
+    const missingHttpOnly = !hasSetHttpOnlyTrue;
+    if (!missingSecure && !missingHttpOnly) return null;
+    return {
+      line: call.location.line,
+      receiver: "new Cookie",
+      missingSecure,
+      missingHttpOnly,
+      optionsPresent: false
+    };
+  }
+  emit(ctx, file, det, flavor) {
+    const missing = [];
+    if (det.missingSecure) missing.push(flavor === "js" ? "`secure: true`" : flavor === "python" ? "`secure=True`" : "`setSecure(true)`");
+    if (det.missingHttpOnly) missing.push(flavor === "js" ? "`httpOnly: true`" : flavor === "python" ? "`httponly=True`" : "`setHttpOnly(true)`");
+    const fix = flavor === "js" ? 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the third argument to `res.cookie()`.' : flavor === "python" ? 'Pass `secure=True, httponly=True, samesite="Lax"` to `response.set_cookie(...)`.' : "After constructing the cookie, call `cookie.setSecure(true)` and `cookie.setHttpOnly(true)` before adding it to the response.";
+    ctx.addFinding({
+      id: `${this.name}-${file}-${det.line}`,
+      pass: this.name,
+      category: this.category,
+      rule_id: this.name,
+      cwe: "CWE-614",
+      severity: "medium",
+      level: "warning",
+      message: `Cookie set without ${missing.join(" and ")} \u2014 vulnerable to cleartext transmission (CWE-614) and client-side JS access (CWE-1004).`,
+      file,
+      line: det.line,
+      fix,
+      evidence: {
+        receiver: det.receiver,
+        options_present: det.optionsPresent,
+        missing_secure: det.missingSecure,
+        missing_http_only: det.missingHttpOnly
+      }
+    });
+  }
+};
+
+// src/analysis/passes/weak-hash-pass.ts
+var WEAK_HASH_NAMES = /* @__PURE__ */ new Set([
+  "md2",
+  "md4",
+  "md5",
+  "sha-1",
+  "sha1"
+]);
+var COMMONS_DIGEST_METHODS = /* @__PURE__ */ new Set([
+  "md2",
+  "md2Hex",
+  "md5",
+  "md5Hex",
+  "sha1",
+  "sha1Hex",
+  // Apache Commons also has the misnamed `sha(...)` which is SHA-1
+  "sha",
+  "shaHex"
+]);
+var PY_HASHLIB_WEAK = /* @__PURE__ */ new Set(["md5", "sha1", "md4", "md2", "new"]);
+function stripQuotes4(s) {
+  const trimmed = s.trim();
+  if (trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'") || trimmed.startsWith("`") && trimmed.endsWith("`")) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+function literalAlgo(call, position) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg) return null;
+  const raw = arg.literal ?? arg.expression ?? "";
+  const cleaned = stripQuotes4(raw).toLowerCase();
+  return cleaned || null;
+}
+var WeakHashPass = class {
+  name = "weak-hash";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
     for (const call of graph.ir.calls) {
-      if (call.method_name !== "cookie") continue;
-      const receiver = call.receiver ?? "";
-      if (!COOKIE_RESPONSE_RECEIVERS.has(receiver)) continue;
-      if (call.arguments.length < 2) continue;
-      const opts = call.arguments.find((a) => a.position === 2);
-      const optsExpr = (opts?.expression ?? "").trim();
-      const optionsPresent = optsExpr.length > 0;
-      const missingSecure = !SECURE_TRUE_RE.test(optsExpr);
-      const missingHttpOnly = !HTTPONLY_TRUE_RE.test(optsExpr);
-      if (!missingSecure && !missingHttpOnly) continue;
+      const detection = this.detect(call, language);
+      if (!detection) continue;
+      const { algorithm, api } = detection;
       const line = call.location.line;
-      insecureCookies.push({
+      findings.push({ line, language, algorithm, api });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-328",
+        severity: "medium",
+        level: "warning",
+        message: `Weak hash algorithm \`${algorithm.toUpperCase()}\` used via \`${api}\`. MD2/MD4/MD5/SHA-1 are cryptographically broken and must not be used for passwords, signatures, integrity checks, or anywhere collision resistance is required.`,
+        file,
         line,
-        receiver,
-        missingSecure,
-        missingHttpOnly,
-        optionsPresent
+        fix: "Use SHA-256 or stronger (SHA-384, SHA-512, SHA-3). For passwords, use a password-hashing function: bcrypt, scrypt, Argon2, or PBKDF2.",
+        evidence: { algorithm, api, language }
       });
-      const missing = [];
-      if (missingSecure) missing.push("`secure: true`");
-      if (missingHttpOnly) missing.push("`httpOnly: true`");
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    if (language === "java") {
+      if (method === "getInstance" && (receiver === "MessageDigest" || receiver.endsWith(".MessageDigest"))) {
+        const algo = literalAlgo(call, 0);
+        if (algo && WEAK_HASH_NAMES.has(algo)) {
+          return { algorithm: algo, api: "MessageDigest.getInstance" };
+        }
+      }
+      if (COMMONS_DIGEST_METHODS.has(method) && (receiver === "DigestUtils" || receiver.endsWith(".DigestUtils"))) {
+        const algoFromMethod = method.toLowerCase().replace(/hex$/, "");
+        const normalized = algoFromMethod === "sha" ? "sha1" : algoFromMethod;
+        return { algorithm: normalized, api: `DigestUtils.${method}` };
+      }
+      return null;
+    }
+    if (language === "python") {
+      if ((receiver === "hashlib" || receiver.endsWith(".hashlib")) && PY_HASHLIB_WEAK.has(method)) {
+        if (method === "new") {
+          const algo = literalAlgo(call, 0);
+          if (algo && WEAK_HASH_NAMES.has(algo)) {
+            return { algorithm: algo, api: "hashlib.new" };
+          }
+          return null;
+        }
+        return { algorithm: method, api: `hashlib.${method}` };
+      }
+      return null;
+    }
+    if (language === "javascript" || language === "typescript") {
+      if ((method === "createHash" || method === "createHmac") && receiver === "crypto") {
+        const algo = literalAlgo(call, 0);
+        if (algo && WEAK_HASH_NAMES.has(algo)) {
+          return { algorithm: algo, api: `crypto.${method}` };
+        }
+      }
+      return null;
+    }
+    if (language === "go") {
+      const isWeakPkg = receiver === "md5" || receiver === "sha1";
+      if (isWeakPkg && (method === "New" || method === "Sum")) {
+        return { algorithm: receiver, api: `${receiver}.${method}` };
+      }
+      return null;
+    }
+    return null;
+  }
+};
+
+// src/analysis/passes/weak-crypto-pass.ts
+var WEAK_CIPHER_BASES = /* @__PURE__ */ new Set([
+  "des",
+  "3des",
+  "desede",
+  "tripledes",
+  "rc2",
+  "rc4",
+  "arc4",
+  "blowfish",
+  "bf",
+  "idea",
+  "seed",
+  "cast5"
+]);
+function classifyJavaCipherSpec(spec) {
+  const parts2 = spec.split("/").map((p) => p.trim().toLowerCase());
+  const base = parts2[0] ?? "";
+  const mode = parts2[1] ?? "";
+  const result = {};
+  if (WEAK_CIPHER_BASES.has(base)) result.weakBase = base;
+  if (mode === "ecb") result.ecb = true;
+  if (parts2.length === 1 && base === "aes") result.ecb = true;
+  return result;
+}
+function stripQuotes5(s) {
+  const t = s.trim();
+  if (t.startsWith('"') && t.endsWith('"') || t.startsWith("'") && t.endsWith("'") || t.startsWith("`") && t.endsWith("`")) {
+    return t.slice(1, -1);
+  }
+  return t;
+}
+function literalAlgo2(call, position) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg) return null;
+  const raw = arg.literal ?? arg.expression ?? "";
+  const cleaned = stripQuotes5(raw);
+  return cleaned || null;
+}
+function detectStaticIvJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr) return null;
+  if (/^new\s+byte\s*\[[^\]]*\]\s*$/.test(expr)) {
+    return `zero-filled ${expr}`;
+  }
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) {
+    return `literal byte[] initializer`;
+  }
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) {
+    return `literal string .getBytes()`;
+  }
+  if (/^"[^"]*"$/.test(expr)) {
+    return `literal string`;
+  }
+  return null;
+}
+function isJavaCtor(call, className) {
+  if (call.is_constructor === true) return true;
+  if (call.receiver) return false;
+  if (call.receiver_type === className) return true;
+  if ((call.receiver_type_fqn ?? "").endsWith("." + className)) return true;
+  return false;
+}
+function detectHardcodedKeyJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg) return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr) return null;
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) return `literal string .getBytes()`;
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) return `literal byte[] initializer`;
+  if (/^"[^"]*"$/.test(expr)) return `literal string`;
+  return null;
+}
+var ISSUE_CWE = {
+  "weak-cipher": "CWE-327",
+  "ecb-mode": "CWE-327",
+  "deprecated-api": "CWE-327",
+  "static-iv": "CWE-329",
+  "hardcoded-key": "CWE-321",
+  "weak-rsa-key": "CWE-326"
+};
+var WeakCryptoPass = class {
+  name = "weak-crypto";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detect(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        const message = this.buildMessage(det);
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.issue}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: ISSUE_CWE[det.issue],
+          severity: "high",
+          level: "error",
+          message,
+          file,
+          line,
+          fix: this.buildFix(det.issue),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    return { findings };
+  }
+  buildMessage(det) {
+    switch (det.issue) {
+      case "weak-cipher":
+        return `Weak symmetric cipher \`${det.detail.toUpperCase()}\` used via \`${det.api}\`. DES, 3DES, RC2, RC4, Blowfish, and IDEA/SEED/CAST5 are deprecated and broken at modern key sizes.`;
+      case "ecb-mode":
+        return `ECB block-cipher mode used via \`${det.api}\` (\`${det.detail}\`). ECB leaks plaintext structure (identical blocks \u2192 identical ciphertext) and is not semantically secure.`;
+      case "deprecated-api":
+        return `Deprecated crypto API \`${det.api}\` used (no IV: \`${det.detail}\`). This API derives the key/IV from a password in an insecure way.`;
+      case "static-iv":
+        return `Static or zero-valued IV passed to \`${det.api}\` (\`${det.detail}\`). Reusing a fixed IV with CBC/CTR/GCM breaks confidentiality and, for GCM, can leak the authentication key.`;
+      case "hardcoded-key":
+        return `Hardcoded symmetric key material passed to \`${det.api}\` (\`${det.detail}\`). Keys embedded in source code are trivially recoverable from binaries and shared across deployments \u2014 they provide no confidentiality.`;
+      case "weak-rsa-key":
+        return `Weak RSA key size \`${det.detail}\` requested via \`${det.api}\`. RSA keys below 2048 bits are factorable and not compliant with NIST SP 800-57 / FIPS 186-5.`;
+      default:
+        return `Weak cryptography: ${det.detail} (${det.api})`;
+    }
+  }
+  buildFix(issue) {
+    switch (issue) {
+      case "static-iv":
+        return "Generate a fresh random IV per message using SecureRandom: `byte[] iv = new byte[12]; SecureRandom.getInstanceStrong().nextBytes(iv); new IvParameterSpec(iv);` and prepend it to the ciphertext.";
+      case "hardcoded-key":
+        return "Load the key from a secure key management system (HSM, KMS, Vault) or platform keystore. Never embed key material in source code.";
+      case "weak-rsa-key":
+        return "Initialize KeyPairGenerator with at least 2048 bits (preferably 3072 or 4096) for RSA, or switch to EC keys (P-256+).";
+      default:
+        return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, 3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption use RSA-OAEP with \u22652048-bit keys or modern curve-based schemes.";
+    }
+  }
+  detect(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    const out2 = [];
+    if (language === "java") {
+      const isCipherFactory = method === "getInstance" && (receiver === "Cipher" || receiver.endsWith(".Cipher") || receiver === "KeyGenerator" || receiver.endsWith(".KeyGenerator"));
+      if (isCipherFactory) {
+        const spec = literalAlgo2(call, 0);
+        if (spec) {
+          const { weakBase, ecb } = classifyJavaCipherSpec(spec);
+          const api = `${receiver}.getInstance`;
+          if (weakBase) out2.push({ issue: "weak-cipher", detail: weakBase, api });
+          if (ecb) out2.push({ issue: "ecb-mode", detail: spec, api });
+        }
+      }
+      if (method === "IvParameterSpec" && isJavaCtor(call, "IvParameterSpec")) {
+        const ivDetail = detectStaticIvJava(call);
+        if (ivDetail) {
+          out2.push({ issue: "static-iv", detail: ivDetail, api: "new IvParameterSpec" });
+        }
+      }
+      if (method === "SecretKeySpec" && isJavaCtor(call, "SecretKeySpec")) {
+        const keyDetail = detectHardcodedKeyJava(call);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: "new SecretKeySpec" });
+        }
+      }
+      if (method === "initialize") {
+        const isKpg = call.receiver_type === "KeyPairGenerator" || (call.receiver_type_fqn ?? "").endsWith(".KeyPairGenerator");
+        if (isKpg) {
+          const sizeArg = call.arguments.find((a) => a.position === 0);
+          const expr = (sizeArg?.literal ?? sizeArg?.expression ?? "").trim();
+          const n = parseInt(expr, 10);
+          if (Number.isFinite(n) && n > 0 && n < 2048) {
+            out2.push({
+              issue: "weak-rsa-key",
+              detail: String(n),
+              api: "KeyPairGenerator.initialize"
+            });
+          }
+        }
+      }
+      return out2;
+    }
+    if (language === "python") {
+      if (method === "new") {
+        const rcvLower = receiver.toLowerCase();
+        const lastSeg = rcvLower.split(".").pop() ?? rcvLower;
+        if (WEAK_CIPHER_BASES.has(lastSeg)) {
+          out2.push({ issue: "weak-cipher", detail: lastSeg, api: `${receiver}.new` });
+        }
+        if (lastSeg === "aes" || lastSeg.endsWith(".aes")) {
+          const mode = call.arguments.find((a) => a.position === 1);
+          const modeExpr = (mode?.expression ?? "").trim();
+          if (/\bMODE_ECB\b/.test(modeExpr)) {
+            out2.push({ issue: "ecb-mode", detail: "AES.MODE_ECB", api: `${receiver}.new` });
+          }
+        }
+      }
+      const isHazmatAlgos = receiver === "algorithms" || receiver.endsWith(".algorithms");
+      if (isHazmatAlgos) {
+        const m = method.toLowerCase();
+        const normalized = m === "tripledes" ? "3des" : m;
+        if (WEAK_CIPHER_BASES.has(normalized)) {
+          out2.push({ issue: "weak-cipher", detail: normalized, api: `algorithms.${method}` });
+        }
+      }
+      return out2;
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (method === "createCipher" && receiver === "crypto") {
+        const algo = literalAlgo2(call, 0) ?? "<unknown>";
+        out2.push({ issue: "deprecated-api", detail: algo, api: "crypto.createCipher" });
+      }
+      if (method === "createCipheriv" && receiver === "crypto") {
+        const algo = literalAlgo2(call, 0);
+        if (algo) {
+          const lower = algo.toLowerCase();
+          const parts2 = lower.split("-");
+          const base = parts2[0];
+          const mode = parts2[parts2.length - 1];
+          let normalizedBase = base;
+          if (base === "bf") normalizedBase = "blowfish";
+          if (base === "desede" || base === "des-ede3" || base === "des3") normalizedBase = "3des";
+          if (WEAK_CIPHER_BASES.has(normalizedBase)) {
+            out2.push({ issue: "weak-cipher", detail: normalizedBase, api: "crypto.createCipheriv" });
+          }
+          if (mode === "ecb") {
+            out2.push({ issue: "ecb-mode", detail: lower, api: "crypto.createCipheriv" });
+          }
+        }
+      }
+      return out2;
+    }
+    if (language === "go") {
+      if (receiver === "des" && (method === "NewCipher" || method === "NewTripleDESCipher")) {
+        const base = method === "NewTripleDESCipher" ? "3des" : "des";
+        out2.push({ issue: "weak-cipher", detail: base, api: `des.${method}` });
+      }
+      if (receiver === "rc4" && method === "NewCipher") {
+        out2.push({ issue: "weak-cipher", detail: "rc4", api: "rc4.NewCipher" });
+      }
+      if ((method === "NewECBEncrypter" || method === "NewECBDecrypter") && receiver === "cipher") {
+        out2.push({ issue: "ecb-mode", detail: method, api: `cipher.${method}` });
+      }
+      return out2;
+    }
+    return out2;
+  }
+};
+
+// src/analysis/passes/weak-random-pass.ts
+var JAVA_RANDOM_METHODS = /* @__PURE__ */ new Set([
+  "nextInt",
+  "nextLong",
+  "nextFloat",
+  "nextDouble",
+  "nextBoolean",
+  "nextBytes",
+  "nextGaussian",
+  "ints",
+  "longs",
+  "doubles"
+]);
+var PY_RANDOM_FUNCS = /* @__PURE__ */ new Set([
+  "random",
+  "randint",
+  "choice",
+  "uniform",
+  "shuffle",
+  "getrandbits",
+  "sample",
+  "choices",
+  "randrange",
+  "seed",
+  "gauss",
+  "normalvariate",
+  "expovariate",
+  "paretovariate",
+  "weibullvariate",
+  "triangular",
+  "lognormvariate",
+  "vonmisesvariate",
+  "betavariate",
+  "gammavariate"
+]);
+var GO_RAND_FUNCS = /* @__PURE__ */ new Set([
+  "Int",
+  "Intn",
+  "Int31",
+  "Int31n",
+  "Int63",
+  "Int63n",
+  "Float32",
+  "Float64",
+  "NormFloat64",
+  "ExpFloat64",
+  "Perm",
+  "Shuffle",
+  "Read",
+  "Uint32",
+  "Uint64",
+  "Seed",
+  "New",
+  "NewSource"
+]);
+var WeakRandomPass = class {
+  name = "weak-random";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const api = this.detect(call, language, ctx);
+      if (!api) continue;
+      const line = call.location.line;
+      findings.push({ line, language, api });
       ctx.addFinding({
         id: `${this.name}-${file}-${line}`,
         pass: this.name,
         category: this.category,
         rule_id: this.name,
-        cwe: "CWE-614",
+        cwe: "CWE-330",
         severity: "medium",
         level: "warning",
-        message: `Cookie set without ${missing.join(" and ")} \u2014 vulnerable to cleartext transmission (CWE-614) and client-side JS access (CWE-1004).`,
+        message: `Non-cryptographic random generator \`${api}\` used. The output of this PRNG is predictable and must not be used for security-sensitive values (tokens, session IDs, keys, salts, password reset codes, OTPs).`,
         file,
         line,
-        fix: 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the third argument to `res.cookie()`.',
-        evidence: {
-          receiver,
-          options_present: optionsPresent,
-          missing_secure: missingSecure,
-          missing_http_only: missingHttpOnly
+        fix: this.fixFor(language),
+        evidence: { api, language }
+      });
+    }
+    return { findings };
+  }
+  fixFor(language) {
+    switch (language) {
+      case "java":
+        return "Use `java.security.SecureRandom`. Example: `SecureRandom sr = new SecureRandom(); byte[] b = new byte[32]; sr.nextBytes(b);`";
+      case "python":
+        return "Use the `secrets` module (`secrets.token_bytes`, `secrets.token_hex`, `secrets.choice`, `secrets.randbelow`).";
+      case "javascript":
+      case "typescript":
+        return "Use `crypto.randomBytes(n)` (Node.js) or `crypto.getRandomValues(typedArray)` (browser).";
+      case "go":
+        return "Use `crypto/rand` instead of `math/rand`. Example: `b := make([]byte, 32); _, _ = rand.Read(b)` (where `rand` is `crypto/rand`).";
+      default:
+        return "Use a cryptographically secure random generator from your standard library.";
+    }
+  }
+  detect(call, language, ctx) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    if (language === "java") {
+      if (call.is_constructor) {
+        const ctor = method;
+        if (ctor === "Random") return "new Random";
+        if (ctor === "SplittableRandom") return "new SplittableRandom";
+      }
+      if (method === "random" && (receiver === "Math" || receiver.endsWith(".Math"))) {
+        return "Math.random";
+      }
+      if (JAVA_RANDOM_METHODS.has(method)) {
+        const rt = call.receiver_type ?? "";
+        if (rt === "Random" || rt === "SplittableRandom" || rt === "ThreadLocalRandom") {
+          return `${rt}.${method}`;
         }
+      }
+      if (JAVA_RANDOM_METHODS.has(method) && /ThreadLocalRandom\.current\(\)/.test(receiver)) {
+        return `ThreadLocalRandom.current.${method}`;
+      }
+      return null;
+    }
+    if (language === "python") {
+      if ((receiver === "random" || receiver.endsWith(".random")) && PY_RANDOM_FUNCS.has(method)) {
+        return `random.${method}`;
+      }
+      return null;
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (method === "random" && (receiver === "Math" || receiver.endsWith(".Math"))) {
+        return "Math.random";
+      }
+      return null;
+    }
+    if (language === "go") {
+      if (receiver === "rand" && GO_RAND_FUNCS.has(method)) {
+        if (this.goMathRandIsActive(ctx)) {
+          return `rand.${method}`;
+        }
+      }
+      return null;
+    }
+    return null;
+  }
+  /**
+   * Returns true when `math/rand` is the active `rand` identifier in this
+   * file (i.e. `math/rand` imported unaliased; `crypto/rand` is either not
+   * imported or imported under an alias).
+   */
+  goMathRandIsActive(ctx) {
+    const imports = ctx.graph.ir.imports ?? [];
+    let mathRandUnaliased = false;
+    let cryptoRandUnaliased = false;
+    for (const imp of imports) {
+      const pkg = imp.from_package ?? imp.imported_name;
+      const alias = imp.alias;
+      if (pkg === "math/rand" && (!alias || alias === "rand")) {
+        mathRandUnaliased = true;
+      }
+      if (pkg === "crypto/rand" && (!alias || alias === "rand")) {
+        cryptoRandUnaliased = true;
+      }
+    }
+    return mathRandUnaliased && !cryptoRandUnaliased;
+  }
+};
+
+// src/analysis/passes/tls-verify-disabled-pass.ts
+var PY_HTTP_METHODS = /* @__PURE__ */ new Set([
+  "get",
+  "post",
+  "put",
+  "delete",
+  "patch",
+  "head",
+  "options",
+  "request",
+  "send"
+]);
+var PY_HTTP_RECEIVERS = /* @__PURE__ */ new Set([
+  "requests",
+  "httpx"
+]);
+var VERIFY_FALSE_RE = /\bverify\s*=\s*False\b/;
+var REJECT_UNAUTHORIZED_FALSE_RE = /\brejectUnauthorized\s*:\s*false\b/;
+var INSECURE_SKIP_VERIFY_TRUE_RE = /\bInsecureSkipVerify\s*:\s*true\b/;
+var HOSTNAME_LAMBDA_TRUE_RE = /\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\b/;
+var ALLOW_ALL_HOSTNAME_VERIFIERS = /* @__PURE__ */ new Set([
+  "NoopHostnameVerifier.INSTANCE",
+  "new AllowAllHostnameVerifier()",
+  "new NoopHostnameVerifier()"
+]);
+var TlsVerifyDisabledPass = class {
+  name = "tls-verify-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const det = this.detectCall(call, language);
+      if (!det) continue;
+      const line = call.location.line;
+      findings.push({ line, language, ...det });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}-${det.pattern}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-295",
+        severity: "high",
+        level: "error",
+        message: `TLS certificate verification disabled via \`${det.pattern}\` in \`${det.api}\`. The connection becomes vulnerable to active man-in-the-middle attacks \u2014 any attacker on the network path can present a forged certificate.`,
+        file,
+        line,
+        fix: this.fixFor(language, det.pattern),
+        evidence: { ...det, language }
       });
     }
-    return { insecureCookies };
+    for (const extra of this.detectSourceText(code, language)) {
+      const dupKey = `${extra.line}-${extra.pattern}`;
+      if (findings.some((f) => `${f.line}-${f.pattern}` === dupKey)) continue;
+      findings.push({ ...extra, language });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${extra.line}-${extra.pattern}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-295",
+        severity: "high",
+        level: "error",
+        message: `TLS certificate verification disabled via \`${extra.pattern}\` (${extra.api}). Vulnerable to active man-in-the-middle.`,
+        file,
+        line: extra.line,
+        fix: this.fixFor(language, extra.pattern),
+        evidence: { ...extra, language }
+      });
+    }
+    return { findings };
+  }
+  detectCall(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    if (language === "python") {
+      if (PY_HTTP_RECEIVERS.has(receiver) && PY_HTTP_METHODS.has(method)) {
+        for (const arg of call.arguments) {
+          const expr = (arg.expression ?? "").trim();
+          if (VERIFY_FALSE_RE.test(expr)) {
+            return { pattern: "verify=False", api: `${receiver}.${method}` };
+          }
+        }
+      }
+      if (method === "_create_unverified_context" && receiver === "ssl") {
+        return { pattern: "ssl._create_unverified_context", api: "ssl._create_unverified_context()" };
+      }
+      if (receiver === "httpx" && method === "Client") {
+        for (const arg of call.arguments) {
+          if (VERIFY_FALSE_RE.test(arg.expression ?? "")) {
+            return { pattern: "verify=False", api: "httpx.Client" };
+          }
+        }
+      }
+      return null;
+    }
+    if (language === "javascript" || language === "typescript") {
+      const lastSeg = method.includes(".") ? method.split(".").pop() ?? "" : method;
+      const arglooks = method === "request" || method === "get" || method === "post" || method === "create" || method === "Agent" || method === "fetch" || lastSeg === "Agent" || lastSeg === "request" || lastSeg === "create";
+      if (arglooks) {
+        for (const arg of call.arguments) {
+          if (REJECT_UNAUTHORIZED_FALSE_RE.test(arg.expression ?? "")) {
+            return { pattern: "rejectUnauthorized: false", api: `${receiver || "(global)"}.${method}` };
+          }
+        }
+      }
+      return null;
+    }
+    if (language === "java") {
+      if (method === "setHostnameVerifier") {
+        const arg = call.arguments.find((a) => a.position === 0);
+        const expr = (arg?.expression ?? "").trim();
+        if (HOSTNAME_LAMBDA_TRUE_RE.test(expr)) {
+          return { pattern: "(h,s) -> true", api: "setHostnameVerifier" };
+        }
+        for (const v of ALLOW_ALL_HOSTNAME_VERIFIERS) {
+          if (expr === v || expr.replace(/\s+/g, "") === v.replace(/\s+/g, "")) {
+            return { pattern: v, api: "setHostnameVerifier" };
+          }
+        }
+      }
+      return null;
+    }
+    return null;
+  }
+  detectSourceText(code, language) {
+    const out2 = [];
+    const lines = code.split("\n");
+    if (language === "go") {
+      for (let i2 = 0; i2 < lines.length; i2++) {
+        if (INSECURE_SKIP_VERIFY_TRUE_RE.test(lines[i2])) {
+          out2.push({
+            line: i2 + 1,
+            pattern: "InsecureSkipVerify: true",
+            api: "tls.Config"
+          });
+        }
+      }
+    }
+    if (language === "python") {
+      for (let i2 = 0; i2 < lines.length; i2++) {
+        const l = lines[i2];
+        if (/ssl\._create_default_https_context\s*=\s*ssl\._create_unverified_context/.test(l)) {
+          out2.push({
+            line: i2 + 1,
+            pattern: "ssl._create_default_https_context = _create_unverified_context",
+            api: "ssl module override"
+          });
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      for (let i2 = 0; i2 < lines.length; i2++) {
+        const l = lines[i2];
+        if (/process\.env\.NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]0['"]/.test(l)) {
+          out2.push({
+            line: i2 + 1,
+            pattern: "NODE_TLS_REJECT_UNAUTHORIZED=0",
+            api: "process.env"
+          });
+        }
+      }
+    }
+    return out2;
+  }
+  fixFor(language, pattern) {
+    if (pattern.includes("InsecureSkipVerify")) {
+      return "Remove `InsecureSkipVerify: true` \u2014 let Go verify the cert. If you need to trust a private CA, set `RootCAs` to a `*x509.CertPool` containing that CA.";
+    }
+    if (pattern.includes("verify=False")) {
+      return "Remove `verify=False`. To trust a private CA, pass `verify='/path/to/ca.pem'`.";
+    }
+    if (pattern.includes("rejectUnauthorized")) {
+      return "Remove `rejectUnauthorized: false`. To trust a private CA, set the `ca` option to the CA cert(s). Never disable TLS verification globally.";
+    }
+    if (pattern.includes("NODE_TLS_REJECT_UNAUTHORIZED")) {
+      return "Remove the `NODE_TLS_REJECT_UNAUTHORIZED=0` assignment \u2014 it globally disables TLS verification for every outbound HTTPS request.";
+    }
+    if (language === "java") {
+      return "Do not use an always-true HostnameVerifier or AllowAllHostnameVerifier. Use the JVM's default verifier; for self-signed certs add the cert to a custom TrustManager that validates the chain.";
+    }
+    if (pattern.includes("ssl._create_unverified_context")) {
+      return "Do not use `_create_unverified_context()`. Use `ssl.create_default_context()`.";
+    }
+    return "Restore TLS certificate and hostname verification.";
   }
 };
 
@@ -28034,6 +28825,10 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("security-headers")) pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
     if (!disabledPasses.has("spring4shell")) pipeline.add(new Spring4ShellPass());
     if (!disabledPasses.has("insecure-cookie")) pipeline.add(new InsecureCookiePass());
+    if (!disabledPasses.has("weak-hash")) pipeline.add(new WeakHashPass());
+    if (!disabledPasses.has("weak-crypto")) pipeline.add(new WeakCryptoPass());
+    if (!disabledPasses.has("weak-random")) pipeline.add(new WeakRandomPass());
+    if (!disabledPasses.has("tls-verify-disabled")) pipeline.add(new TlsVerifyDisabledPass());
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");