npm - circle-ir - Versions diffs - 3.52.0 → 3.54.0 - Mend

circle-ir 3.52.0 → 3.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/configs/sinks/path.yaml +0 -16
package/configs/sources/file_sources.yaml +32 -0
package/dist/analysis/config-loader.d.ts.map +1 -1
package/dist/analysis/config-loader.js +59 -1
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/passes/jwt-verify-disabled-pass.d.ts +45 -0
package/dist/analysis/passes/jwt-verify-disabled-pass.d.ts.map +1 -0
package/dist/analysis/passes/jwt-verify-disabled-pass.js +164 -0
package/dist/analysis/passes/jwt-verify-disabled-pass.js.map +1 -0
package/dist/analysis/passes/weak-crypto-pass.d.ts +17 -7
package/dist/analysis/passes/weak-crypto-pass.d.ts.map +1 -1
package/dist/analysis/passes/weak-crypto-pass.js +179 -10
package/dist/analysis/passes/weak-crypto-pass.js.map +1 -1
package/dist/analysis/rules.d.ts.map +1 -1
package/dist/analysis/rules.js +18 -0
package/dist/analysis/rules.js.map +1 -1
package/dist/analysis/taint-matcher.d.ts.map +1 -1
package/dist/analysis/taint-matcher.js +28 -13
package/dist/analysis/taint-matcher.js.map +1 -1
package/dist/analysis/taint-propagation.d.ts.map +1 -1
package/dist/analysis/taint-propagation.js +1 -0
package/dist/analysis/taint-propagation.js.map +1 -1
package/dist/analyzer.d.ts.map +1 -1
package/dist/analyzer.js +3 -0
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +269 -11
package/dist/core/circle-ir-core.cjs +71 -9
package/dist/core/circle-ir-core.js +71 -9
package/dist/types/index.d.ts +1 -1
package/dist/types/index.d.ts.map +1 -1
package/package.json +1 -1

package/dist/analysis/passes/jwt-verify-disabled-pass.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * Pass: jwt-verify-disabled (CWE-347, category: security)
+ *
+ * Pattern pass — flags places where JWT signature verification is explicitly
+ * disabled or set to the `none` algorithm. This is a configuration
+ * vulnerability (the bad value is a hard-coded constant), not a taint flow.
+ *
+ * Detection per language:
+ *   Python (PyJWT):
+ *     - `jwt.decode(token, ..., options={"verify_signature": False})`
+ *     - `jwt.decode(token, ..., verify=False)`         — pre-2.0 PyJWT
+ *     - `jwt.decode(token, ..., algorithms=["none"])`  — accepts unsigned tokens
+ *   JavaScript / TypeScript (jsonwebtoken):
+ *     - `jwt.verify(token, secret, { algorithms: ['none'] })`
+ *     - `jwt.verify(token, null, ...)` / `jwt.verify(token, '', ...)` — empty key
+ *     - `jwt.verify(token, secret, { verify: false })` (rare)
+ *   Java (auth0 java-jwt):
+ *     - `JWT.require(Algorithm.none())`               — accepts `alg:none` tokens
+ *   Java (jjwt 0.x):
+ *     - `Jwts.parser().setSigningKey(...).parse(...)` — `parse` returns Jwt<?,?>
+ *       without enforcing the signature; `parseClaimsJws()` is the safe form
+ *
+ * Aligned with: CWE-347, OWASP API Security Top 10 (API2:2023 broken auth),
+ * Bandit B701 (jinja2_autoescape is unrelated — JWT has no direct Bandit rule
+ * but PyJWT documents this as misuse).
+ *
+ * Issue: #86, Sprint 5.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface JwtVerifyDisabledResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        pattern: string;
+        api: string;
+    }>;
+}
+export declare class JwtVerifyDisabledPass implements AnalysisPass<JwtVerifyDisabledResult> {
+    readonly name = "jwt-verify-disabled";
+    readonly category: "security";
+    run(ctx: PassContext): JwtVerifyDisabledResult;
+    private detect;
+    private fixFor;
+}
+//# sourceMappingURL=jwt-verify-disabled-pass.d.ts.map

package/dist/analysis/passes/jwt-verify-disabled-pass.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-verify-disabled-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/jwt-verify-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAmB9E,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,qBACX,YAAW,YAAY,CAAC,uBAAuB,CAAC;IAEhD,QAAQ,CAAC,IAAI,yBAAyB;IACtC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,uBAAuB;IAkC9C,OAAO,CAAC,MAAM;IA6Ed,OAAO,CAAC,MAAM;CA2Bf"}

package/dist/analysis/passes/jwt-verify-disabled-pass.js ADDED Viewed

@@ -0,0 +1,164 @@
+/**
+ * Pass: jwt-verify-disabled (CWE-347, category: security)
+ *
+ * Pattern pass — flags places where JWT signature verification is explicitly
+ * disabled or set to the `none` algorithm. This is a configuration
+ * vulnerability (the bad value is a hard-coded constant), not a taint flow.
+ *
+ * Detection per language:
+ *   Python (PyJWT):
+ *     - `jwt.decode(token, ..., options={"verify_signature": False})`
+ *     - `jwt.decode(token, ..., verify=False)`         — pre-2.0 PyJWT
+ *     - `jwt.decode(token, ..., algorithms=["none"])`  — accepts unsigned tokens
+ *   JavaScript / TypeScript (jsonwebtoken):
+ *     - `jwt.verify(token, secret, { algorithms: ['none'] })`
+ *     - `jwt.verify(token, null, ...)` / `jwt.verify(token, '', ...)` — empty key
+ *     - `jwt.verify(token, secret, { verify: false })` (rare)
+ *   Java (auth0 java-jwt):
+ *     - `JWT.require(Algorithm.none())`               — accepts `alg:none` tokens
+ *   Java (jjwt 0.x):
+ *     - `Jwts.parser().setSigningKey(...).parse(...)` — `parse` returns Jwt<?,?>
+ *       without enforcing the signature; `parseClaimsJws()` is the safe form
+ *
+ * Aligned with: CWE-347, OWASP API Security Top 10 (API2:2023 broken auth),
+ * Bandit B701 (jinja2_autoescape is unrelated — JWT has no direct Bandit rule
+ * but PyJWT documents this as misuse).
+ *
+ * Issue: #86, Sprint 5.
+ */
+// `verify_signature: False` inside an `options=` dict literal.
+const PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
+// `verify=False` kwarg (pre-2.0 PyJWT).
+const PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
+// `algorithms=['none', ...]` or `algorithms=("none",)` — case-insensitive.
+const PY_ALG_NONE_RE = /\balgorithms\s*=\s*[\[\(]\s*["']none["']/i;
+// JS `algorithms: ['none']` inside an options literal.
+const JS_ALG_NONE_RE = /\balgorithms\s*:\s*\[\s*["']none["']/i;
+export class JwtVerifyDisabledPass {
+    name = 'jwt-verify-disabled';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        for (const call of graph.ir.calls) {
+            const detections = this.detect(call, language);
+            for (const det of detections) {
+                const line = call.location.line;
+                findings.push({ line, language, ...det });
+                ctx.addFinding({
+                    id: `${this.name}-${file}-${line}-${det.pattern}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-347',
+                    severity: 'critical',
+                    level: 'error',
+                    message: `JWT signature verification disabled via \`${det.pattern}\` in ` +
+                        `\`${det.api}\`. Any attacker can forge a token with arbitrary ` +
+                        'claims (user id, roles, expiry) since the signature is not ' +
+                        'checked.',
+                    file,
+                    line,
+                    fix: this.fixFor(language),
+                    evidence: { ...det, language },
+                });
+            }
+        }
+        return { findings };
+    }
+    detect(call, language) {
+        const method = call.method_name;
+        const receiver = call.receiver ?? '';
+        const out = [];
+        if (language === 'python') {
+            // PyJWT: jwt.decode(token, key, options={...}, algorithms=[...], verify=...)
+            if (receiver === 'jwt' && method === 'decode') {
+                for (const arg of call.arguments) {
+                    const expr = (arg.expression ?? '').trim();
+                    if (!expr)
+                        continue;
+                    if (PY_VERIFY_SIGNATURE_FALSE_RE.test(expr)) {
+                        out.push({ pattern: 'verify_signature: False', api: 'jwt.decode' });
+                    }
+                    if (PY_VERIFY_KW_FALSE_RE.test(expr)) {
+                        out.push({ pattern: 'verify=False', api: 'jwt.decode' });
+                    }
+                    if (PY_ALG_NONE_RE.test(expr)) {
+                        out.push({ pattern: "algorithms=['none']", api: 'jwt.decode' });
+                    }
+                }
+            }
+            return out;
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            // jsonwebtoken: jwt.verify(token, secret, options)
+            if (receiver === 'jwt' && method === 'verify') {
+                // Inspect option literal for algorithms:['none'] or verify:false.
+                for (const arg of call.arguments) {
+                    const expr = (arg.expression ?? '').trim();
+                    if (!expr)
+                        continue;
+                    if (JS_ALG_NONE_RE.test(expr)) {
+                        out.push({ pattern: "algorithms: ['none']", api: 'jwt.verify' });
+                    }
+                    if (/\bverify\s*:\s*false\b/i.test(expr)) {
+                        out.push({ pattern: 'verify: false', api: 'jwt.verify' });
+                    }
+                }
+                // Empty / null key as 2nd arg.
+                const keyArg = call.arguments.find((a) => a.position === 1);
+                const keyExpr = (keyArg?.expression ?? keyArg?.literal ?? '').trim();
+                if (keyExpr === 'null' || keyExpr === 'undefined' ||
+                    keyExpr === '""' || keyExpr === "''" || keyExpr === '``') {
+                    out.push({ pattern: `empty key (${keyExpr || 'missing'})`, api: 'jwt.verify' });
+                }
+            }
+            return out;
+        }
+        if (language === 'java') {
+            // auth0 java-jwt: JWT.require(Algorithm.none())
+            // The argument expression text contains `Algorithm.none()`.
+            if (method === 'require' &&
+                (receiver === 'JWT' || receiver.endsWith('.JWT'))) {
+                const arg = call.arguments.find((a) => a.position === 0);
+                const expr = (arg?.expression ?? '').trim();
+                if (/\bAlgorithm\s*\.\s*none\s*\(/.test(expr)) {
+                    out.push({ pattern: 'Algorithm.none()', api: 'JWT.require' });
+                }
+            }
+            // jjwt 0.x: Jwts.parser()...parse(token) — unsafe (no signature check)
+            // vs parseClaimsJws / parseSignedClaims which do verify.
+            if (method === 'parse' && receiver.includes('parser')) {
+                // Match shapes like `Jwts.parser().setSigningKey(k).parse(t)` where
+                // the receiver chain ends in `parser()` and `.parse()` is invoked.
+                // The exact receiver string emitted by the Java plugin varies; we
+                // match `parser()` substring in the receiver expression as a
+                // best-effort signal.
+                out.push({ pattern: 'parse() instead of parseClaimsJws()', api: 'Jwts.parser().parse' });
+            }
+            return out;
+        }
+        return out;
+    }
+    fixFor(language) {
+        if (language === 'python') {
+            return ('Always pass `options={"verify_signature": True}` (the default in ' +
+                'PyJWT 2.0+) and a concrete `algorithms=["HS256"|"RS256"]` list. ' +
+                'Never accept `none`.');
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            return ('Call `jwt.verify(token, secret, { algorithms: ["HS256" | "RS256"] })` ' +
+                'with a non-empty key. Never use `algorithms: ["none"]` or pass ' +
+                'null/empty as the secret.');
+        }
+        if (language === 'java') {
+            return ('For auth0/java-jwt: use `JWT.require(Algorithm.HMAC256(secret))` or ' +
+                'an RSA algorithm. For jjwt: call `parseClaimsJws(token)` (signature ' +
+                'enforced) rather than `parse(token)` (signature ignored).');
+        }
+        return ('Enforce JWT signature verification with a concrete algorithm ' +
+            '(HS256/RS256/ES256). Never accept `alg: none`.');
+    }
+}
+//# sourceMappingURL=jwt-verify-disabled-pass.js.map

package/dist/analysis/passes/jwt-verify-disabled-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-verify-disabled-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/jwt-verify-disabled-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAKH,+DAA+D;AAC/D,MAAM,4BAA4B,GAChC,wCAAwC,CAAC;AAC3C,wCAAwC;AACxC,MAAM,qBAAqB,GAAG,wBAAwB,CAAC;AACvD,2EAA2E;AAC3E,MAAM,cAAc,GAAG,2CAA2C,CAAC;AAEnE,uDAAuD;AACvD,MAAM,cAAc,GAAG,uCAAuC,CAAC;AAgB/D,MAAM,OAAO,qBAAqB;IAGvB,IAAI,GAAG,qBAAqB,CAAC;IAC7B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAwC,EAAE,CAAC;QAEzD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC/C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC1C,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE;oBACjD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,6CAA6C,GAAG,CAAC,OAAO,QAAQ;wBAChE,KAAK,GAAG,CAAC,GAAG,oDAAoD;wBAChE,6DAA6D;wBAC7D,UAAU;oBACZ,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBAC1B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAAgB,EAAE,CAAC;QAE5B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,6EAA6E;YAC7E,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC9C,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC3C,IAAI,CAAC,IAAI;wBAAE,SAAS;oBACpB,IAAI,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5C,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBACtE,CAAC;oBACD,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACrC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBAC3D,CAAC;oBACD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBAClE,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,mDAAmD;YACnD,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC9C,kEAAkE;gBAClE,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC3C,IAAI,CAAC,IAAI;wBAAE,SAAS;oBACpB,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBACnE,CAAC;oBACD,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACzC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;oBAC5D,CAAC;gBACH,CAAC;gBACD,+BAA+B;gBAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;gBAC5D,MAAM,OAAO,GAAG,CAAC,MAAM,EAAE,UAAU,IAAI,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACrE,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,WAAW;oBAC7C,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;oBAC7D,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,cAAc,OAAO,IAAI,SAAS,GAAG,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;gBAClF,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,gDAAgD;YAChD,4DAA4D;YAC5D,IAAI,MAAM,KAAK,SAAS;gBACpB,CAAC,QAAQ,KAAK,KAAK,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBACtD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;gBACzD,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5C,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9C,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC,CAAC;gBAChE,CAAC;YACH,CAAC;YACD,uEAAuE;YACvE,yDAAyD;YACzD,IAAI,MAAM,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtD,oEAAoE;gBACpE,mEAAmE;gBACnE,kEAAkE;gBAClE,6DAA6D;gBAC7D,sBAAsB;gBACtB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,qCAAqC,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAC3F,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,MAAM,CAAC,QAAgB;QAC7B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CACL,mEAAmE;gBACnE,kEAAkE;gBAClE,sBAAsB,CACvB,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,OAAO,CACL,wEAAwE;gBACxE,iEAAiE;gBACjE,2BAA2B,CAC5B,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,CACL,sEAAsE;gBACtE,sEAAsE;gBACtE,2DAA2D,CAC5D,CAAC;QACJ,CAAC;QACD,OAAO,CACL,+DAA+D;YAC/D,gDAAgD,CACjD,CAAC;IACJ,CAAC;CACF"}

package/dist/analysis/passes/weak-crypto-pass.d.ts CHANGED Viewed

@@ -1,19 +1,27 @@
 /**
- * Pass: weak-crypto (CWE-327, category: security)
+ * Pass: weak-crypto (CWE-327 / CWE-329 / CWE-321 / CWE-326, category: security)
  *
  * Pattern pass — flags use of cryptographically weak symmetric ciphers
  * (DES, 3DES, RC2, RC4, Blowfish), ECB mode, weak RSA key sizes (< 2048),
- * and weak AES modes. Like weak-hash, the vulnerability is the *constant
- * algorithm string* (or key-size argument), not data flow.
+ * static/zero IVs (CWE-329), hardcoded symmetric keys (CWE-321), and weak
+ * AES modes. Like weak-hash, the vulnerability is the *constant algorithm
+ * string*, *constant IV bytes*, *literal key material*, or *key-size
+ * argument*, not data flow.
  *
  * Detection per language:
  *   Java:
  *     - `Cipher.getInstance("DES"|"DES/...")` / `"RC4"` / `"RC2"` / `"Blowfish"`
  *     - `Cipher.getInstance(".../ECB/...")` — ECB mode
  *     - `KeyGenerator.getInstance("DES"|"RC4"|"Blowfish")`
- *     - `KeyPairGenerator.getInstance("RSA")` followed by `initialize(<2048)`
- *       (the `.initialize(int)` literal under 2048 is detected directly when
- *       the receiver class is a generator)
+ *     - `new IvParameterSpec(new byte[N])` / `new IvParameterSpec(literalBytes)`
+ *       — static/zero IV (CWE-329, issue #87)
+ *     - `new SecretKeySpec("literal".getBytes(), ...)` — hardcoded symmetric
+ *       key (CWE-321, issue #87)
+ *     - `KeyPairGenerator.initialize(<2048)` — weak RSA key size (CWE-326,
+ *       issue #87). Detected by literal `< 2048` argument on `initialize`
+ *       calls whose receiver is a `KeyPairGenerator` (best-effort: matches
+ *       any `*.initialize(int)` where the literal is below 2048, since
+ *       2048+ is also the minimum for DSA / DH and 256+ is correct for EC).
  *   Python:
  *     - `Crypto.Cipher.DES.new(...)` / `Crypto.Cipher.ARC4.new(...)` /
  *       `Crypto.Cipher.Blowfish.new(...)` (pycryptodome / pycrypto)
@@ -30,11 +38,12 @@
  * Aligned with: gosec G401/G405, Bandit B304/B305/B306, OWASP Benchmark `crypto` category.
  */
 import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export type WeakCryptoIssue = 'weak-cipher' | 'ecb-mode' | 'deprecated-api' | 'static-iv' | 'hardcoded-key' | 'weak-rsa-key';
 export interface WeakCryptoResult {
     findings: Array<{
         line: number;
         language: string;
-        issue: 'weak-cipher' | 'ecb-mode' | 'deprecated-api';
+        issue: WeakCryptoIssue;
         detail: string;
         api: string;
     }>;
@@ -44,6 +53,7 @@ export declare class WeakCryptoPass implements AnalysisPass<WeakCryptoResult> {
     readonly category: "security";
     run(ctx: PassContext): WeakCryptoResult;
     private buildMessage;
+    private buildFix;
     private detect;
 }
 //# sourceMappingURL=weak-crypto-pass.d.ts.map

package/dist/analysis/passes/weak-crypto-pass.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"weak-crypto-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG~~;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;~~AA4C9E~~,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,~~aAAa~~,~~GAAG,UAAU,GAAG,gBAAgB,~~CAAC;~~QACrD~~,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,cAAe,YAAW,YAAY,CAAC,gBAAgB,CAAC;IACnE,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,gBAAgB;~~IAmCvC~~,OAAO,CAAC,YAAY;~~IAwBpB~~,OAAO,CAAC,MAAM;~~CA2Gf~~"}
1	+ {"version":3,"file":"weak-crypto-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAkI9E,MAAM,MAAM,eAAe,GACvB,aAAa,GACb,UAAU,GACV,gBAAgB,GAChB,WAAW,GACX,eAAe,GACf,cAAc,CAAC;AAYnB,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,eAAe,CAAC;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAED,qBAAa,cAAe,YAAW,YAAY,CAAC,gBAAgB,CAAC;IACnE,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,gBAAgB;IAgCvC,OAAO,CAAC,YAAY;IA0CpB,OAAO,CAAC,QAAQ;IA2BhB,OAAO,CAAC,MAAM;CAqJf"}

package/dist/analysis/passes/weak-crypto-pass.js CHANGED Viewed

@@ -1,19 +1,27 @@
 /**
- * Pass: weak-crypto (CWE-327, category: security)
+ * Pass: weak-crypto (CWE-327 / CWE-329 / CWE-321 / CWE-326, category: security)
  *
  * Pattern pass — flags use of cryptographically weak symmetric ciphers
  * (DES, 3DES, RC2, RC4, Blowfish), ECB mode, weak RSA key sizes (< 2048),
- * and weak AES modes. Like weak-hash, the vulnerability is the *constant
- * algorithm string* (or key-size argument), not data flow.
+ * static/zero IVs (CWE-329), hardcoded symmetric keys (CWE-321), and weak
+ * AES modes. Like weak-hash, the vulnerability is the *constant algorithm
+ * string*, *constant IV bytes*, *literal key material*, or *key-size
+ * argument*, not data flow.
  *
  * Detection per language:
  *   Java:
  *     - `Cipher.getInstance("DES"|"DES/...")` / `"RC4"` / `"RC2"` / `"Blowfish"`
  *     - `Cipher.getInstance(".../ECB/...")` — ECB mode
  *     - `KeyGenerator.getInstance("DES"|"RC4"|"Blowfish")`
- *     - `KeyPairGenerator.getInstance("RSA")` followed by `initialize(<2048)`
- *       (the `.initialize(int)` literal under 2048 is detected directly when
- *       the receiver class is a generator)
+ *     - `new IvParameterSpec(new byte[N])` / `new IvParameterSpec(literalBytes)`
+ *       — static/zero IV (CWE-329, issue #87)
+ *     - `new SecretKeySpec("literal".getBytes(), ...)` — hardcoded symmetric
+ *       key (CWE-321, issue #87)
+ *     - `KeyPairGenerator.initialize(<2048)` — weak RSA key size (CWE-326,
+ *       issue #87). Detected by literal `< 2048` argument on `initialize`
+ *       calls whose receiver is a `KeyPairGenerator` (best-effort: matches
+ *       any `*.initialize(int)` where the literal is below 2048, since
+ *       2048+ is also the minimum for DSA / DH and 256+ is correct for EC).
  *   Python:
  *     - `Crypto.Cipher.DES.new(...)` / `Crypto.Cipher.ARC4.new(...)` /
  *       `Crypto.Cipher.Blowfish.new(...)` (pycryptodome / pycrypto)
@@ -68,6 +76,102 @@ function literalAlgo(call, position) {
     const cleaned = stripQuotes(raw);
     return cleaned || null;
 }
+/**
+ * Detect a static or zero IV passed to `new IvParameterSpec(...)`.
+ *
+ * Patterns flagged (returns a human-readable detail string):
+ *   - `new byte[N]`               → "zero-filled byte[N]"
+ *   - `new byte[]{0x00, 0x01,…}`  → "literal byte[] {…}"
+ *   - `"literal".getBytes()`      → "literal string getBytes()"
+ *   - bare string literal         → "literal string"
+ *
+ * Returns null when the IV argument is a variable / method call whose
+ * value cannot be determined as a constant.
+ */
+function detectStaticIvJava(call) {
+    const arg = call.arguments.find((a) => a.position === 0);
+    if (!arg)
+        return null;
+    const expr = (arg.literal ?? arg.expression ?? '').trim();
+    if (!expr)
+        return null;
+    // `new byte[16]` / `new byte[BLOCK_SIZE]` — zero-initialised array literal.
+    // Java initialises primitive arrays to zero, so a fresh `new byte[N]`
+    // (without an immediate assignment of random bytes) is always a zero IV.
+    if (/^new\s+byte\s*\[[^\]]*\]\s*$/.test(expr)) {
+        return `zero-filled ${expr}`;
+    }
+    // `new byte[]{0x00, …}` — literal byte array initializer.
+    if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) {
+        return `literal byte[] initializer`;
+    }
+    // `"…".getBytes()` / `"…".getBytes("UTF-8")` — constant string source.
+    if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) {
+        return `literal string .getBytes()`;
+    }
+    // Bare string literal (rare for IvParameterSpec but possible via overload).
+    if (/^"[^"]*"$/.test(expr)) {
+        return `literal string`;
+    }
+    return null;
+}
+/**
+ * Detect a hardcoded symmetric key passed to `new SecretKeySpec(...)`.
+ *
+ * Patterns flagged:
+ *   - `"literalKey".getBytes()`   → "literal string .getBytes()"
+ *   - `"literalKey".getBytes("…")`
+ *   - `new byte[]{0x00, …}`       → "literal byte[] initializer"
+ *   - bare string literal         → "literal string"
+ *
+ * Returns null when the key argument is a variable, method call, or any
+ * other non-literal expression.
+ */
+/**
+ * Recognise a Java constructor call to `new ClassName(...)`.
+ *
+ * The Java language plugin emits constructor calls as `CallInfo` with:
+ *   method_name    === ClassName
+ *   receiver       === null
+ *   receiver_type  === ClassName (or FQN tail)
+ *
+ * Match on that shape, plus the explicit `is_constructor` flag when set.
+ */
+function isJavaCtor(call, className) {
+    if (call.is_constructor === true)
+        return true;
+    if (call.receiver)
+        return false;
+    if (call.receiver_type === className)
+        return true;
+    if ((call.receiver_type_fqn ?? '').endsWith('.' + className))
+        return true;
+    return false;
+}
+function detectHardcodedKeyJava(call) {
+    const arg = call.arguments.find((a) => a.position === 0);
+    if (!arg)
+        return null;
+    const expr = (arg.literal ?? arg.expression ?? '').trim();
+    if (!expr)
+        return null;
+    if (/^"[^"]*"\.getBytes\s*\(/.test(expr))
+        return `literal string .getBytes()`;
+    if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr))
+        return `literal byte[] initializer`;
+    if (/^"[^"]*"$/.test(expr))
+        return `literal string`;
+    return null;
+}
+/** Map issue kind → CWE identifier. */
+const ISSUE_CWE = {
+    'weak-cipher': 'CWE-327',
+    'ecb-mode': 'CWE-327',
+    'deprecated-api': 'CWE-327',
+    'static-iv': 'CWE-329',
+    'hardcoded-key': 'CWE-321',
+    'weak-rsa-key': 'CWE-326',
+};
 export class WeakCryptoPass {
     name = 'weak-crypto';
     category = 'security';
@@ -86,15 +190,13 @@ export class WeakCryptoPass {
                     pass: this.name,
                     category: this.category,
                     rule_id: this.name,
-                    cwe: 'CWE-327',
+                    cwe: ISSUE_CWE[det.issue],
                     severity: 'high',
                     level: 'error',
                     message,
                     file,
                     line,
-                    fix: 'Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, ' +
-                        '3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption ' +
-                        'use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.',
+                    fix: this.buildFix(det.issue),
                     evidence: { ...det, language },
                 });
             }
@@ -114,10 +216,40 @@ export class WeakCryptoPass {
             case 'deprecated-api':
                 return (`Deprecated crypto API \`${det.api}\` used (no IV: \`${det.detail}\`). ` +
                     'This API derives the key/IV from a password in an insecure way.');
+            case 'static-iv':
+                return (`Static or zero-valued IV passed to \`${det.api}\` (\`${det.detail}\`). ` +
+                    'Reusing a fixed IV with CBC/CTR/GCM breaks confidentiality and, for ' +
+                    'GCM, can leak the authentication key.');
+            case 'hardcoded-key':
+                return (`Hardcoded symmetric key material passed to \`${det.api}\` (\`${det.detail}\`). ` +
+                    'Keys embedded in source code are trivially recoverable from binaries ' +
+                    'and shared across deployments — they provide no confidentiality.');
+            case 'weak-rsa-key':
+                return (`Weak RSA key size \`${det.detail}\` requested via \`${det.api}\`. ` +
+                    'RSA keys below 2048 bits are factorable and not compliant with ' +
+                    'NIST SP 800-57 / FIPS 186-5.');
             default:
                 return `Weak cryptography: ${det.detail} (${det.api})`;
         }
     }
+    buildFix(issue) {
+        switch (issue) {
+            case 'static-iv':
+                return ('Generate a fresh random IV per message using SecureRandom: ' +
+                    '`byte[] iv = new byte[12]; SecureRandom.getInstanceStrong().nextBytes(iv); ' +
+                    'new IvParameterSpec(iv);` and prepend it to the ciphertext.');
+            case 'hardcoded-key':
+                return ('Load the key from a secure key management system (HSM, KMS, ' +
+                    'Vault) or platform keystore. Never embed key material in source code.');
+            case 'weak-rsa-key':
+                return ('Initialize KeyPairGenerator with at least 2048 bits (preferably ' +
+                    '3072 or 4096) for RSA, or switch to EC keys (P-256+).');
+            default:
+                return ('Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, ' +
+                    '3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption ' +
+                    'use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.');
+        }
+    }
     detect(call, language) {
         const method = call.method_name;
         const receiver = call.receiver ?? '';
@@ -138,6 +270,43 @@ export class WeakCryptoPass {
                         out.push({ issue: 'ecb-mode', detail: spec, api });
                 }
             }
+            // new IvParameterSpec(...) — issue #87 (CWE-329 static IV)
+            // Java constructor IR shape: method_name === 'IvParameterSpec',
+            // receiver === null, receiver_type === 'IvParameterSpec'. The
+            // is_constructor flag is not always populated by the Java plugin,
+            // so detect by class-name match.
+            if (method === 'IvParameterSpec' && isJavaCtor(call, 'IvParameterSpec')) {
+                const ivDetail = detectStaticIvJava(call);
+                if (ivDetail) {
+                    out.push({ issue: 'static-iv', detail: ivDetail, api: 'new IvParameterSpec' });
+                }
+            }
+            // new SecretKeySpec(literal.getBytes(), "ALG") — issue #87 (CWE-321 hardcoded key)
+            if (method === 'SecretKeySpec' && isJavaCtor(call, 'SecretKeySpec')) {
+                const keyDetail = detectHardcodedKeyJava(call);
+                if (keyDetail) {
+                    out.push({ issue: 'hardcoded-key', detail: keyDetail, api: 'new SecretKeySpec' });
+                }
+            }
+            // kpg.initialize(<2048) — issue #87 (CWE-326 weak RSA key size)
+            // KeyPairGenerator instance method. Receiver_type === 'KeyPairGenerator'
+            // when the language plugin resolves it (post receiver-type matcher fix #52).
+            if (method === 'initialize') {
+                const isKpg = call.receiver_type === 'KeyPairGenerator' ||
+                    (call.receiver_type_fqn ?? '').endsWith('.KeyPairGenerator');
+                if (isKpg) {
+                    const sizeArg = call.arguments.find((a) => a.position === 0);
+                    const expr = (sizeArg?.literal ?? sizeArg?.expression ?? '').trim();
+                    const n = parseInt(expr, 10);
+                    if (Number.isFinite(n) && n > 0 && n < 2048) {
+                        out.push({
+                            issue: 'weak-rsa-key',
+                            detail: String(n),
+                            api: 'KeyPairGenerator.initialize',
+                        });
+                    }
+                }
+            }
             return out;
         }
         if (language === 'python') {

package/dist/analysis/passes/weak-crypto-pass.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"weak-crypto-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAKH,2DAA2D;AAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW;IACpC,KAAK,EAAE,KAAK,EAAE,MAAM;IACpB,UAAU,EAAE,IAAI;IAChB,MAAM,EAAE,MAAM,EAAE,OAAO;CACxB,CAAC,CAAC;AAEH,kFAAkF;AAClF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAyC,EAAE,CAAC;IACxD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;IACxD,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IACtC,4FAA4F;IAC5F,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IAC5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,IACE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EACtC,CAAC;QACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,WAAW,CAAC,IAAc,EAAE,QAAgB;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,OAAO,IAAI,IAAI,CAAC;AACzB,CAAC;AAYD,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAiC,EAAE,CAAC;QAElD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC/C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBACvC,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO;oBACP,IAAI;oBACJ,IAAI;oBACJ,GAAG,EACD,+DAA+D;wBAC/D,oEAAoE;wBACpE,iEAAiE;oBACnE,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,YAAY,CAAC,GAAmD;QACtE,QAAQ,GAAG,CAAC,KAAK,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,OAAO,CACL,2BAA2B,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc;oBACjE,KAAK,GAAG,CAAC,GAAG,yDAAyD;oBACrE,gDAAgD,CACjD,CAAC;YACJ,KAAK,UAAU;gBACb,OAAO,CACL,oCAAoC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACrE,0EAA0E;oBAC1E,iCAAiC,CAClC,CAAC;YACJ,KAAK,gBAAgB;gBACnB,OAAO,CACL,2BAA2B,GAAG,CAAC,GAAG,qBAAqB,GAAG,CAAC,MAAM,OAAO;oBACxE,iEAAiE,CAClE,CAAC;YACJ;gBACE,OAAO,sBAAsB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAK7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAAiG,EAAE,CAAC;QAE7G,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,0DAA0D;YAC1D,MAAM,eAAe,GACnB,MAAM,KAAK,aAAa;gBACxB,CAAC,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACrD,QAAQ,KAAK,cAAc,IAAI,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;YACtE,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;oBACvD,MAAM,GAAG,GAAG,GAAG,QAAQ,cAAc,CAAC;oBACtC,IAAI,QAAQ;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;oBACxE,IAAI,GAAG;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,iEAAiE;YACjE,iFAAiF;YACjF,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;gBACtD,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;gBAC9E,CAAC;gBACD,iDAAiD;gBACjD,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACjD,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAClC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;oBAClF,CAAC;gBACH,CAAC;YACH,CAAC;YACD,2HAA2H;YAC3H,yEAAyE;YACzE,MAAM,aAAa,GAAG,QAAQ,KAAK,YAAY,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpF,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClD,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;oBACtC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,cAAc,MAAM,EAAE,EAAE,CAAC,CAAC;gBACtF,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,8DAA8D;YAC9D,IAAI,MAAM,KAAK,cAAc,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,WAAW,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAClF,CAAC;YACD,uDAAuD;YACvD,IAAI,MAAM,KAAK,gBAAgB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjC,kEAAkE;oBAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;oBACrC,IAAI,cAAc,GAAG,IAAI,CAAC;oBAC1B,IAAI,IAAI,KAAK,IAAI;wBAAE,cAAc,GAAG,UAAU,CAAC;oBAC/C,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,MAAM;wBAAE,cAAc,GAAG,MAAM,CAAC;oBACzF,IAAI,iBAAiB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;wBAC1C,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC3F,CAAC;oBACD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;wBACnB,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,qDAAqD;YACrD,IAAI,QAAQ,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACtF,MAAM,IAAI,GAAG,MAAM,KAAK,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,MAAM,EAAE,EAAE,CAAC,CAAC;YACzE,CAAC;YACD,4BAA4B;YAC5B,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;YAC1E,CAAC;YACD,+EAA+E;YAC/E,qEAAqE;YACrE,IAAI,CAAC,MAAM,KAAK,iBAAiB,IAAI,MAAM,KAAK,iBAAiB,CAAC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC5F,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC,CAAC;YAC3E,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}
1	+ {"version":3,"file":"weak-crypto-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/weak-crypto-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,2DAA2D;AAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW;IACpC,KAAK,EAAE,KAAK,EAAE,MAAM;IACpB,UAAU,EAAE,IAAI;IAChB,MAAM,EAAE,MAAM,EAAE,OAAO;CACxB,CAAC,CAAC;AAEH,kFAAkF;AAClF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAyC,EAAE,CAAC;IACxD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;IACxD,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IACtC,4FAA4F;IAC5F,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,KAAK;QAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;IAC5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,IACE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EACtC,CAAC;QACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,WAAW,CAAC,IAAc,EAAE,QAAgB;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,OAAO,IAAI,IAAI,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CAAC,IAAc;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,4EAA4E;IAC5E,sEAAsE;IACtE,yEAAyE;IACzE,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,OAAO,eAAe,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED,0DAA0D;IAC1D,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,uEAAuE;IACvE,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,4EAA4E;IAC5E,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;GAWG;AACH;;;;;;;;;GASG;AACH,SAAS,UAAU,CAAC,IAAc,EAAE,SAAiB;IACnD,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAChC,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,GAAG,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1E,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAc;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,4BAA4B,CAAC;IAC9E,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,4BAA4B,CAAC;IAC5F,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAEpD,OAAO,IAAI,CAAC;AACd,CAAC;AAUD,uCAAuC;AACvC,MAAM,SAAS,GAAoC;IACjD,aAAa,EAAE,SAAS;IACxB,UAAU,EAAE,SAAS;IACrB,gBAAgB,EAAE,SAAS;IAC3B,WAAW,EAAE,SAAS;IACtB,eAAe,EAAE,SAAS;IAC1B,cAAc,EAAE,SAAS;CAC1B,CAAC;AAYF,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAiC,EAAE,CAAC;QAElD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC/C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;gBAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBACvC,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC;oBACzB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO;oBACP,IAAI;oBACJ,IAAI;oBACJ,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;oBAC7B,QAAQ,EAAE,EAAE,GAAG,GAAG,EAAE,QAAQ,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,YAAY,CAAC,GAA4D;QAC/E,QAAQ,GAAG,CAAC,KAAK,EAAE,CAAC;YAClB,KAAK,aAAa;gBAChB,OAAO,CACL,2BAA2B,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc;oBACjE,KAAK,GAAG,CAAC,GAAG,yDAAyD;oBACrE,gDAAgD,CACjD,CAAC;YACJ,KAAK,UAAU;gBACb,OAAO,CACL,oCAAoC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACrE,0EAA0E;oBAC1E,iCAAiC,CAClC,CAAC;YACJ,KAAK,gBAAgB;gBACnB,OAAO,CACL,2BAA2B,GAAG,CAAC,GAAG,qBAAqB,GAAG,CAAC,MAAM,OAAO;oBACxE,iEAAiE,CAClE,CAAC;YACJ,KAAK,WAAW;gBACd,OAAO,CACL,wCAAwC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACzE,sEAAsE;oBACtE,uCAAuC,CACxC,CAAC;YACJ,KAAK,eAAe;gBAClB,OAAO,CACL,gDAAgD,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,MAAM,OAAO;oBACjF,uEAAuE;oBACvE,kEAAkE,CACnE,CAAC;YACJ,KAAK,cAAc;gBACjB,OAAO,CACL,uBAAuB,GAAG,CAAC,MAAM,sBAAsB,GAAG,CAAC,GAAG,MAAM;oBACpE,iEAAiE;oBACjE,8BAA8B,CAC/B,CAAC;YACJ;gBACE,OAAO,sBAAsB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QAC3D,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,KAAsB;QACrC,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,WAAW;gBACd,OAAO,CACL,6DAA6D;oBAC7D,6EAA6E;oBAC7E,6DAA6D,CAC9D,CAAC;YACJ,KAAK,eAAe;gBAClB,OAAO,CACL,8DAA8D;oBAC9D,uEAAuE,CACxE,CAAC;YACJ,KAAK,cAAc;gBACjB,OAAO,CACL,kEAAkE;oBAClE,uDAAuD,CACxD,CAAC;YACJ;gBACE,OAAO,CACL,+DAA+D;oBAC/D,oEAAoE;oBACpE,iEAAiE,CAClE,CAAC;QACN,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAK7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,GAAG,GAAmE,EAAE,CAAC;QAE/E,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,0DAA0D;YAC1D,MAAM,eAAe,GACnB,MAAM,KAAK,aAAa;gBACxB,CAAC,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACrD,QAAQ,KAAK,cAAc,IAAI,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;YACtE,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;oBACvD,MAAM,GAAG,GAAG,GAAG,QAAQ,cAAc,CAAC;oBACtC,IAAI,QAAQ;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;oBACxE,IAAI,GAAG;wBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YAED,2DAA2D;YAC3D,gEAAgE;YAChE,8DAA8D;YAC9D,kEAAkE;YAClE,iCAAiC;YACjC,IAAI,MAAM,KAAK,iBAAiB,IAAI,UAAU,CAAC,IAAI,EAAE,iBAAiB,CAAC,EAAE,CAAC;gBACxE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;gBAC1C,IAAI,QAAQ,EAAE,CAAC;oBACb,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;gBACjF,CAAC;YACH,CAAC;YAED,mFAAmF;YACnF,IAAI,MAAM,KAAK,eAAe,IAAI,UAAU,CAAC,IAAI,EAAE,eAAe,CAAC,EAAE,CAAC;gBACpE,MAAM,SAAS,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;gBAC/C,IAAI,SAAS,EAAE,CAAC;oBACd,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,mBAAmB,EAAE,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YAED,gEAAgE;YAChE,yEAAyE;YACzE,6EAA6E;YAC7E,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;gBAC5B,MAAM,KAAK,GACT,IAAI,CAAC,aAAa,KAAK,kBAAkB;oBACzC,CAAC,IAAI,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;gBAC/D,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC7D,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACpE,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;oBAC7B,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC;wBAC5C,GAAG,CAAC,IAAI,CAAC;4BACP,KAAK,EAAE,cAAc;4BACrB,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;4BACjB,GAAG,EAAE,6BAA6B;yBACnC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,iEAAiE;YACjE,iFAAiF;YACjF,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;gBACtD,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;gBAC9E,CAAC;gBACD,iDAAiD;gBACjD,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBACjD,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAClC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,QAAQ,MAAM,EAAE,CAAC,CAAC;oBAClF,CAAC;gBACH,CAAC;YACH,CAAC;YACD,2HAA2H;YAC3H,yEAAyE;YACzE,MAAM,aAAa,GAAG,QAAQ,KAAK,YAAY,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpF,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClD,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;oBACtC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,cAAc,MAAM,EAAE,EAAE,CAAC,CAAC;gBACtF,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,8DAA8D;YAC9D,IAAI,MAAM,KAAK,cAAc,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,WAAW,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAClF,CAAC;YACD,uDAAuD;YACvD,IAAI,MAAM,KAAK,gBAAgB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClC,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjC,kEAAkE;oBAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;oBACrC,IAAI,cAAc,GAAG,IAAI,CAAC;oBAC1B,IAAI,IAAI,KAAK,IAAI;wBAAE,cAAc,GAAG,UAAU,CAAC;oBAC/C,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,MAAM;wBAAE,cAAc,GAAG,MAAM,CAAC;oBACzF,IAAI,iBAAiB,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;wBAC1C,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC3F,CAAC;oBACD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;wBACnB,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,qDAAqD;YACrD,IAAI,QAAQ,KAAK,KAAK,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACtF,MAAM,IAAI,GAAG,MAAM,KAAK,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,MAAM,EAAE,EAAE,CAAC,CAAC;YACzE,CAAC;YACD,4BAA4B;YAC5B,IAAI,QAAQ,KAAK,KAAK,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;gBACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;YAC1E,CAAC;YACD,+EAA+E;YAC/E,qEAAqE;YACrE,IAAI,CAAC,MAAM,KAAK,iBAAiB,IAAI,MAAM,KAAK,iBAAiB,CAAC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC5F,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC,CAAC;YAC3E,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}

package/dist/analysis/rules.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../src/analysis/rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAM5D,6DAA6D;AAC7D,eAAO,MAAM,cAAc,EAAE,QAAQ,EAKpC,CAAC;AAEF,wCAAwC;AACxC,eAAO,MAAM,UAAU,EAAE,QAAQ,EAOhC,CAAC;AAEF,0DAA0D;AAC1D,eAAO,MAAM,qBAAqB,UAIjC,CAAC;AAMF,MAAM,WAAW,QAAQ;IACvB,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,uCAAuC;IACvC,eAAe,EAAE,MAAM,CAAC;IACxB,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,aAAa,EAAE,QAAQ,CAAC;IACxB,qBAAqB;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,~~CAqLvD~~,CAAC;AAMF;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAgBjE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAElE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAEtE;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAE1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAEnE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAE/D;AAqBD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAOtE;AAMD,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CA2CpE"}
1	+ {"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../src/analysis/rules.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAM5D,6DAA6D;AAC7D,eAAO,MAAM,cAAc,EAAE,QAAQ,EAKpC,CAAC;AAEF,wCAAwC;AACxC,eAAO,MAAM,UAAU,EAAE,QAAQ,EAOhC,CAAC;AAEF,0DAA0D;AAC1D,eAAO,MAAM,qBAAqB,UAIjC,CAAC;AAMF,MAAM,WAAW,QAAQ;IACvB,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,uCAAuC;IACvC,eAAe,EAAE,MAAM,CAAC;IACxB,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,aAAa,EAAE,QAAQ,CAAC;IACxB,qBAAqB;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAuMvD,CAAC;AAMF;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAgBjE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAElE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAEtE;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAE1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAEnE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,CAE/D;AAqBD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAOtE;AAMD,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CA2CpE"}

package/dist/analysis/rules.js CHANGED Viewed

@@ -204,6 +204,24 @@ export const RULE_DEFINITIONS = {
         severityLevel: 'medium',
         cwe: 'CWE-668',
     },
+    redos: {
+        name: 'Regular Expression DoS (ReDoS)',
+        shortDescription: 'User-controlled regex pattern reaches a regex engine',
+        fullDescription: 'The application compiles or matches a regular expression whose pattern comes from user input. A crafted catastrophic-backtracking pattern (e.g. `(a+)+$`) can cause the engine to consume exponential CPU and stall the request thread, leading to denial of service.',
+        remediation: 'Never compile a regex from untrusted input. Either pre-compile a fixed pattern, validate the user-supplied pattern against an allowlist, use a non-backtracking engine (Go `regexp`, Rust `regex`, `re2`), or impose a wall-clock timeout on the match.',
+        cvssScore: '7.5',
+        severityLevel: 'high',
+        cwe: 'CWE-1333',
+    },
+    format_string: {
+        name: 'Format-String Injection',
+        shortDescription: 'User-controlled format string reaches a formatter',
+        fullDescription: 'The application uses user-controlled input as the format string passed to a formatter (`String.format`, `str.format`, `printf`, `Formatter.format`). Format-string controls allow attackers to leak information (`%s` index out of bounds, exception message disclosure) or, in C-style runtimes, write to arbitrary memory (`%n`).',
+        remediation: 'Always pass a constant format string and supply user input as a value argument. Never let untrusted data become the format string itself.',
+        cvssScore: '7.5',
+        severityLevel: 'high',
+        cwe: 'CWE-134',
+    },
     mybatis_mapper_call: {
         name: 'MyBatis Mapper Method Call',
         shortDescription: 'Tainted argument passed to a MyBatis mapper interface method',