circle-ir 3.77.0 → 3.80.0

package/dist/browser/circle-ir.js

@@ -11736,10 +11736,17 @@ var DEFAULT_SINKS = [
   // These patterns are detected by call-site literal inspection, not taint flow,
   // so they are NOT registered here as sinks (they could never match a "tainted
   // value flowing into a sink" because the bad value is a hard-coded constant).
-  // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-  // The vulnerability is attacker controlling which key to use, not the value
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+  // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+  // the violation: untrusted data enters server-side state where downstream
+  // code reads it as if trusted. Both arg positions are flagged so either a
+  // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+  // the sink. (cognium-dev #117)
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  // ServletContext + request scopes — same trust-boundary semantics.
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   // Additional XSS patterns (JDOM/XML output)
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -28683,6 +28690,23 @@ var PROVIDER_PATTERNS = [
     fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
   }
 ];
+var CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key)[\w$]*?)\s*[:=]\s*["'`]([^"'`\s$][^"'`\n]{2,})["'`]/i;
+var CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
+var CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
+var CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+function isLikelyCredentialAssignment(line) {
+  if (CRED_FUNCTION_DECL_RE.test(line)) return null;
+  if (CRED_COMPARISON_RE.test(line)) return null;
+  const m = line.match(CRED_KEYWORD_RE);
+  if (!m) return null;
+  const name2 = m[1];
+  const value = m[2];
+  if (PLACEHOLDER_RE.test(value)) return null;
+  if (CRED_DYNAMIC_VALUE_RE.test(value)) return null;
+  if (value.length < 3) return null;
+  if (isAllSameChar(value)) return null;
+  return { name: name2, value };
+}
 var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
 var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
 var HEXISH_RE = /^[a-fA-F0-9]+$/;
@@ -28774,6 +28798,31 @@ var ScanSecretsPass = class {
         break;
       }
     }
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      const hit = isLikelyCredentialAssignment(lineText);
+      if (!hit) continue;
+      const key = `${lineNum}:hardcoded-credential`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      ctx.addFinding({
+        id: `hardcoded-credential-${file}-${lineNum}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: "hardcoded-credential",
+        cwe: "CWE-798",
+        severity: "high",
+        level: "error",
+        message: `Hardcoded credential: \`${hit.name}\` assigned a literal value`,
+        file,
+        line: lineNum,
+        snippet: lineText.trim().substring(0, 120),
+        fix: "Move the credential to an environment variable or secrets manager; never commit live secrets to source control.",
+        evidence: { kind: "named-credential", name: hit.name }
+      });
+      providerFindings += 1;
+    }
     for (let i2 = 0; i2 < lines.length; i2++) {
       const lineText = lines[i2];
       const lineNum = i2 + 1;
@@ -29141,8 +29190,10 @@ var InsecureCookiePass = class {
   }
   // ---------------- Java ----------------
   detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
-    if (call.method_name !== "Cookie") return null;
-    const looksLikeCtor = call.is_constructor || !call.receiver && call.receiver_type === "Cookie" || (call.resolution?.target ?? "").endsWith(".<init>");
+    const method = call.method_name ?? "";
+    const isCookieCtor = method === "Cookie" || method.endsWith(".Cookie");
+    if (!isCookieCtor) return null;
+    const looksLikeCtor = call.is_constructor || !call.receiver && (call.receiver_type === "Cookie" || (call.receiver_type ?? "").endsWith(".Cookie")) || (call.resolution?.target ?? "").endsWith(".<init>");
     if (!looksLikeCtor) return null;
     if (call.arguments.length < 2) return null;
     const missingSecure = !hasSetSecureTrue;
@@ -29202,6 +29253,17 @@ var COMMONS_DIGEST_METHODS = /* @__PURE__ */ new Set([
   "sha",
   "shaHex"
 ]);
+var COMMONS_DIGEST_GETTERS = {
+  getMd2Digest: "md2",
+  getMd5Digest: "md5",
+  getSha1Digest: "sha1",
+  getShaDigest: "sha1"
+};
+var COMMONS_ALGO_CONSTANTS = {
+  "MessageDigestAlgorithms.MD2": "md2",
+  "MessageDigestAlgorithms.MD5": "md5",
+  "MessageDigestAlgorithms.SHA_1": "sha1"
+};
 var PY_HASHLIB_WEAK = /* @__PURE__ */ new Set(["md5", "sha1", "md4", "md2", "new"]);
 function stripQuotes4(s) {
   const trimmed = s.trim();
@@ -29217,15 +29279,58 @@ function literalAlgo(call, position) {
   const cleaned = stripQuotes4(raw).toLowerCase();
   return cleaned || null;
 }
+function resolveJavaAlgo(call, position, constProp, javaBindings) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg) return null;
+  if (arg.literal) {
+    const cleaned = stripQuotes4(arg.literal).toLowerCase();
+    if (cleaned) return cleaned;
+  }
+  const expr = (arg.expression ?? "").trim();
+  if (expr.startsWith('"') || expr.startsWith("`") || expr.startsWith("'")) {
+    const cleaned = stripQuotes4(expr).toLowerCase();
+    if (cleaned) return cleaned;
+  }
+  if (COMMONS_ALGO_CONSTANTS[expr]) return COMMONS_ALGO_CONSTANTS[expr];
+  const tail = expr.split(".").slice(-2).join(".");
+  if (COMMONS_ALGO_CONSTANTS[tail]) return COMMONS_ALGO_CONSTANTS[tail];
+  if (arg.variable && constProp) {
+    const sym = constProp.symbols?.get(arg.variable);
+    if (sym && sym.type === "string" && typeof sym.value === "string") {
+      const cleaned = stripQuotes4(sym.value).toLowerCase();
+      if (cleaned) return cleaned;
+    }
+  }
+  if (arg.variable) {
+    const bound = javaBindings.get(arg.variable);
+    if (bound) {
+      const cleaned = stripQuotes4(bound).toLowerCase();
+      if (cleaned) return cleaned;
+    }
+  }
+  return null;
+}
+function scanJavaStringBindings(code) {
+  const out2 = /* @__PURE__ */ new Map();
+  if (!code) return out2;
+  const re = /^[ \t]*(?:(?:public|private|protected|static|final|volatile)\s+){0,5}String\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*("[^"]*")\s*;/gm;
+  let m;
+  while ((m = re.exec(code)) !== null) {
+    if (m[1] && m[2]) out2.set(m[1], m[2]);
+  }
+  return out2;
+}
 var WeakHashPass = class {
   name = "weak-hash";
   category = "security";
   run(ctx) {
-    const { graph, language } = ctx;
+    const { graph, language, code } = ctx;
     const file = graph.ir.meta.file;
     const findings = [];
+    const constProp = ctx.hasResult("constant-propagation") ? ctx.getResult("constant-propagation") : null;
+    const javaBindings = language === "java" ? scanJavaStringBindings(code) : /* @__PURE__ */ new Map();
     for (const call of graph.ir.calls) {
-      const detection = this.detect(call, language);
+      const detection = this.detect(call, language, constProp, javaBindings);
       if (!detection) continue;
       const { algorithm, api } = detection;
       const line = call.location.line;
@@ -29247,12 +29352,12 @@ var WeakHashPass = class {
     }
     return { findings };
   }
-  detect(call, language) {
+  detect(call, language, constProp, javaBindings) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
     if (language === "java") {
       if (method === "getInstance" && (receiver === "MessageDigest" || receiver.endsWith(".MessageDigest"))) {
-        const algo = literalAlgo(call, 0);
+        const algo = resolveJavaAlgo(call, 0, constProp, javaBindings);
         if (algo && WEAK_HASH_NAMES.has(algo)) {
           return { algorithm: algo, api: "MessageDigest.getInstance" };
         }
@@ -29262,6 +29367,9 @@ var WeakHashPass = class {
         const normalized = algoFromMethod === "sha" ? "sha1" : algoFromMethod;
         return { algorithm: normalized, api: `DigestUtils.${method}` };
       }
+      if (COMMONS_DIGEST_GETTERS[method] && (receiver === "DigestUtils" || receiver.endsWith(".DigestUtils"))) {
+        return { algorithm: COMMONS_DIGEST_GETTERS[method], api: `DigestUtils.${method}` };
+      }
       return null;
     }
     if (language === "python") {
@@ -29544,8 +29652,9 @@ var WeakCryptoPass = class {
     const receiver = call.receiver ?? "";
     const out2 = [];
     if (language === "java") {
-      const isCipherFactory = method === "getInstance" && (receiver === "Cipher" || receiver.endsWith(".Cipher") || receiver === "KeyGenerator" || receiver.endsWith(".KeyGenerator"));
-      if (isCipherFactory) {
+      const isCipherInstance = method === "getInstance" && (receiver === "Cipher" || receiver.endsWith(".Cipher"));
+      const isKeyGenInstance = method === "getInstance" && (receiver === "KeyGenerator" || receiver.endsWith(".KeyGenerator"));
+      if (isCipherInstance) {
         const spec = literalAlgo2(call, 0);
         if (spec) {
           const { weakBase, ecb } = classifyJavaCipherSpec(spec);
@@ -29553,6 +29662,13 @@ var WeakCryptoPass = class {
           if (weakBase) out2.push({ issue: "weak-cipher", detail: weakBase, api });
           if (ecb) out2.push({ issue: "ecb-mode", detail: spec, api });
         }
+      } else if (isKeyGenInstance) {
+        const spec = literalAlgo2(call, 0);
+        if (spec) {
+          const { weakBase } = classifyJavaCipherSpec(spec);
+          const api = `${receiver}.getInstance`;
+          if (weakBase) out2.push({ issue: "weak-cipher", detail: weakBase, api });
+        }
       }
       if (method === "IvParameterSpec" && isJavaCtor(call, "IvParameterSpec")) {
         const ivDetail = detectStaticIvJava(call);

package/dist/core/circle-ir-core.cjs

@@ -11118,10 +11118,17 @@ var DEFAULT_SINKS = [
   // These patterns are detected by call-site literal inspection, not taint flow,
   // so they are NOT registered here as sinks (they could never match a "tainted
   // value flowing into a sink" because the bad value is a hard-coded constant).
-  // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-  // The vulnerability is attacker controlling which key to use, not the value
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+  // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+  // the violation: untrusted data enters server-side state where downstream
+  // code reads it as if trusted. Both arg positions are flagged so either a
+  // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+  // the sink. (cognium-dev #117)
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  // ServletContext + request scopes — same trust-boundary semantics.
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   // Additional XSS patterns (JDOM/XML output)
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },

package/dist/core/circle-ir-core.js

@@ -11052,10 +11052,17 @@ var DEFAULT_SINKS = [
   // These patterns are detected by call-site literal inspection, not taint flow,
   // so they are NOT registered here as sinks (they could never match a "tainted
   // value flowing into a sink" because the bad value is a hard-coded constant).
-  // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-  // The vulnerability is attacker controlling which key to use, not the value
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+  // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+  // the violation: untrusted data enters server-side state where downstream
+  // code reads it as if trusted. Both arg positions are flagged so either a
+  // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+  // the sink. (cognium-dev #117)
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  // ServletContext + request scopes — same trust-boundary semantics.
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   // Additional XSS patterns (JDOM/XML output)
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.77.0",
+  "version": "3.80.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",