circle-ir 3.79.0 → 3.80.0

package/dist/analysis/passes/insecure-cookie-pass.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"insecure-cookie-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,MAAM,WAAW,oBAAoB;IACnC,eAAe,EAAE,KAAK,CAAC;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;QACvB,eAAe,EAAE,OAAO,CAAC;QACzB,cAAc,EAAE,OAAO,CAAC;KACzB,CAAC,CAAC;CACJ;AAED,qBAAa,kBAAmB,YAAW,YAAY,CAAC,oBAAoB,CAAC;IAC3E,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,oBAAoB;IAqC3C,OAAO,CAAC,QAAQ;IA2BhB,OAAO,CAAC,YAAY;IAuBpB,OAAO,CAAC,oBAAoB;IA8B5B,OAAO,CAAC,IAAI;CAwCb"}
+{"version":3,"file":"insecure-cookie-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,MAAM,WAAW,oBAAoB;IACnC,eAAe,EAAE,KAAK,CAAC;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;QACvB,eAAe,EAAE,OAAO,CAAC;QACzB,cAAc,EAAE,OAAO,CAAC;KACzB,CAAC,CAAC;CACJ;AAED,qBAAa,kBAAmB,YAAW,YAAY,CAAC,oBAAoB,CAAC;IAC3E,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,oBAAoB;IAqC3C,OAAO,CAAC,QAAQ;IA2BhB,OAAO,CAAC,YAAY;IAuBpB,OAAO,CAAC,oBAAoB;IAoC5B,OAAO,CAAC,IAAI;CAwCb"}

package/dist/analysis/passes/insecure-cookie-pass.js

@@ -137,13 +137,18 @@ export class InsecureCookiePass {
     }
     // ---------------- Java ----------------
     detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
-        // Java constructor: method_name === 'Cookie', receiver is null,
-        // receiver_type === 'Cookie' (set by the Java plugin). Some plugins
-        // also set call.is_constructor — accept any of the indicators.
-        if (call.method_name !== 'Cookie')
+        // Java constructor: method_name === 'Cookie' for unqualified `new Cookie(...)`,
+        // or a fully-qualified form like `javax.servlet.http.Cookie` /
+        // `jakarta.servlet.http.Cookie` when the user writes
+        // `new javax.servlet.http.Cookie(...)` without the import. OWASP Java
+        // benchmark cases use the FQ shape exclusively (cognium-dev #118).
+        const method = call.method_name ?? '';
+        const isCookieCtor = method === 'Cookie' ||
+            method.endsWith('.Cookie');
+        if (!isCookieCtor)
             return null;
         const looksLikeCtor = call.is_constructor ||
-            (!call.receiver && call.receiver_type === 'Cookie') ||
+            (!call.receiver && (call.receiver_type === 'Cookie' || (call.receiver_type ?? '').endsWith('.Cookie'))) ||
             (call.resolution?.target ?? '').endsWith('.<init>');
         if (!looksLikeCtor)
             return null;

package/dist/analysis/passes/insecure-cookie-pass.js.map

@@ -1 +1 @@
-{"version":3,"file":"insecure-cookie-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAKH,gCAAgC;AAChC,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,KAAK,EAAE,UAAU,EAAE,OAAO;CAC3B,CAAC,CAAC;AACH,MAAM,cAAc,GAAK,uBAAuB,CAAC;AACjD,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAEpD,+BAA+B;AAC/B,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,UAAU,EAAE,MAAM,EAAE,KAAK;CAC1B,CAAC,CAAC;AACH,MAAM,iBAAiB,GAAK,uBAAuB,CAAC;AACpD,MAAM,mBAAmB,GAAG,0BAA0B,CAAC;AAEvD,6BAA6B;AAC7B,MAAM,uBAAuB,GAAK,8BAA8B,CAAC;AACjE,MAAM,yBAAyB,GAAG,gCAAgC,CAAC;AAYnE,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,eAAe,GAA4C,EAAE,CAAC;QAEpE,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;gBACpC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,yEAAyE;YACzE,+EAA+E;YAC/E,kEAAkE;YAClE,MAAM,gBAAgB,GAAK,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9D,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;gBAClF,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,CAAC;IAC7B,CAAC;IAED,4CAA4C;IACpC,QAAQ,CAAC,IAAc;QAC7B,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,yBAAyB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAE1D,6DAA6D;QAC7D,mEAAmE;QACnE,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAE3C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAE3C,MAAM,aAAa,GAAK,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvD,MAAM,eAAe,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ;YACR,aAAa;YACb,eAAe;YACf,cAAc;SACf,CAAC;IACJ,CAAC;IAED,2CAA2C;IACnC,YAAY,CAAC,IAAc;QACjC,IAAI,IAAI,CAAC,WAAW,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAExD,wEAAwE;QACxE,iDAAiD;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1E,MAAM,aAAa,GAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,eAAe,GAAG,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5D,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ;YACR,aAAa;YACb,eAAe;YACf,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC;SAC3C,CAAC;IACJ,CAAC;IAED,yCAAyC;IACjC,oBAAoB,CAC1B,IAAc,EACd,gBAAyB,EACzB,kBAA2B;QAE3B,gEAAgE;QAChE,oEAAoE;QACpE,+DAA+D;QAC/D,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC/C,MAAM,aAAa,GACjB,IAAI,CAAC,cAAc;YACnB,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC;YACnD,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAChC,+BAA+B;QAC/B,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAE3C,MAAM,aAAa,GAAK,CAAC,gBAAgB,CAAC;QAC1C,MAAM,eAAe,GAAG,CAAC,kBAAkB,CAAC;QAC5C,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ,EAAE,YAAY;YACtB,aAAa;YACb,eAAe;YACf,cAAc,EAAE,KAAK;SACtB,CAAC;IACJ,CAAC;IAEO,IAAI,CACV,GAAgB,EAChB,IAAY,EACZ,GAAoD,EACpD,MAAgC;QAEhC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,GAAG,CAAC,aAAa;YAAI,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC;QACxI,IAAI,GAAG,CAAC,eAAe;YAAE,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC;QAE9I,MAAM,GAAG,GACP,MAAM,KAAK,IAAI;YACb,CAAC,CAAC,mGAAmG;YACrG,CAAC,CAAC,MAAM,KAAK,QAAQ;gBACnB,CAAC,CAAC,kFAAkF;gBACpF,CAAC,CAAC,+HAA+H,CAAC;QAExI,GAAG,CAAC,UAAU,CAAC;YACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,IAAI,EAAE;YACtC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,IAAI;YAClB,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,SAAS;YAChB,OAAO,EACL,sBAAsB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,mBAAmB;gBAC9D,6DAA6D;gBAC7D,aAAa;YACf,IAAI;YACJ,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,GAAG;YACH,QAAQ,EAAE;gBACR,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,eAAe,EAAE,GAAG,CAAC,cAAc;gBACnC,cAAc,EAAE,GAAG,CAAC,aAAa;gBACjC,iBAAiB,EAAE,GAAG,CAAC,eAAe;aACvC;SACF,CAAC,CAAC;IACL,CAAC;CACF"}
+{"version":3,"file":"insecure-cookie-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/insecure-cookie-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAKH,gCAAgC;AAChC,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,KAAK,EAAE,UAAU,EAAE,OAAO;CAC3B,CAAC,CAAC;AACH,MAAM,cAAc,GAAK,uBAAuB,CAAC;AACjD,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAEpD,+BAA+B;AAC/B,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,UAAU,EAAE,MAAM,EAAE,KAAK;CAC1B,CAAC,CAAC;AACH,MAAM,iBAAiB,GAAK,uBAAuB,CAAC;AACpD,MAAM,mBAAmB,GAAG,0BAA0B,CAAC;AAEvD,6BAA6B;AAC7B,MAAM,uBAAuB,GAAK,8BAA8B,CAAC;AACjE,MAAM,yBAAyB,GAAG,gCAAgC,CAAC;AAYnE,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,iBAAiB,CAAC;IACzB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,eAAe,GAA4C,EAAE,CAAC;QAEpE,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;gBACpC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,yEAAyE;YACzE,+EAA+E;YAC/E,kEAAkE;YAClE,MAAM,gBAAgB,GAAK,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9D,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;gBAClF,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,CAAC;IAC7B,CAAC;IAED,4CAA4C;IACpC,QAAQ,CAAC,IAAc;QAC7B,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,yBAAyB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAE1D,6DAA6D;QAC7D,mEAAmE;QACnE,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAE3C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAE3C,MAAM,aAAa,GAAK,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvD,MAAM,eAAe,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ;YACR,aAAa;YACb,eAAe;YACf,cAAc;SACf,CAAC;IACJ,CAAC;IAED,2CAA2C;IACnC,YAAY,CAAC,IAAc;QACjC,IAAI,IAAI,CAAC,WAAW,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QAExD,wEAAwE;QACxE,iDAAiD;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1E,MAAM,aAAa,GAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,eAAe,GAAG,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5D,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ;YACR,aAAa;YACb,eAAe;YACf,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC;SAC3C,CAAC;IACJ,CAAC;IAED,yCAAyC;IACjC,oBAAoB,CAC1B,IAAc,EACd,gBAAyB,EACzB,kBAA2B;QAE3B,gFAAgF;QAChF,+DAA+D;QAC/D,qDAAqD;QACrD,sEAAsE;QACtE,mEAAmE;QACnE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;QACtC,MAAM,YAAY,GAChB,MAAM,KAAK,QAAQ;YACnB,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC7B,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAC/B,MAAM,aAAa,GACjB,IAAI,CAAC,cAAc;YACnB,CAAC,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,aAAa,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;YACvG,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAChC,+BAA+B;QAC/B,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAE3C,MAAM,aAAa,GAAK,CAAC,gBAAgB,CAAC;QAC1C,MAAM,eAAe,GAAG,CAAC,kBAAkB,CAAC;QAC5C,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACxB,QAAQ,EAAE,YAAY;YACtB,aAAa;YACb,eAAe;YACf,cAAc,EAAE,KAAK;SACtB,CAAC;IACJ,CAAC;IAEO,IAAI,CACV,GAAgB,EAChB,IAAY,EACZ,GAAoD,EACpD,MAAgC;QAEhC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,GAAG,CAAC,aAAa;YAAI,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC;QACxI,IAAI,GAAG,CAAC,eAAe;YAAE,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC;QAE9I,MAAM,GAAG,GACP,MAAM,KAAK,IAAI;YACb,CAAC,CAAC,mGAAmG;YACrG,CAAC,CAAC,MAAM,KAAK,QAAQ;gBACnB,CAAC,CAAC,kFAAkF;gBACpF,CAAC,CAAC,+HAA+H,CAAC;QAExI,GAAG,CAAC,UAAU,CAAC;YACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,GAAG,CAAC,IAAI,EAAE;YACtC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,IAAI;YAClB,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,SAAS;YAChB,OAAO,EACL,sBAAsB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,mBAAmB;gBAC9D,6DAA6D;gBAC7D,aAAa;YACf,IAAI;YACJ,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,GAAG;YACH,QAAQ,EAAE;gBACR,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,eAAe,EAAE,GAAG,CAAC,cAAc;gBACnC,cAAc,EAAE,GAAG,CAAC,aAAa;gBACjC,iBAAiB,EAAE,GAAG,CAAC,eAAe;aACvC;SACF,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/analysis/passes/scan-secrets-pass.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scan-secrets-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AA2M9E,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,eAAgB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IACzE,QAAQ,CAAC,IAAI,kBAAkB;IAC/B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;IAoG5C,mEAAmE;IACnE,OAAO,CAAC,WAAW;IAanB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;CAO1B"}
+{"version":3,"file":"scan-secrets-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqQ9E,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,eAAgB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IACzE,QAAQ,CAAC,IAAI,kBAAkB;IAC/B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;IAqI5C,mEAAmE;IACnE,OAAO,CAAC,WAAW;IAanB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;CAO1B"}

package/dist/analysis/passes/scan-secrets-pass.js

@@ -139,6 +139,63 @@ const PROVIDER_PATTERNS = [
     },
 ];
 // ---------------------------------------------------------------------------
+// Named-credential patterns (layer 1b)
+//
+// Catches config-style constant assignments where the LHS identifier carries
+// a credential keyword (PASSWORD / SECRET / TOKEN / API_KEY / PRIVATE_KEY /
+// ACCESS_KEY) and the RHS is a non-trivial string literal. Covers the cases
+// the provider-prefix layer misses (custom passwords like
+// "Pr0d-DB-pass!2024") and the entropy layer misses (low-entropy English /
+// punctuation-heavy values that fail the base64-ish / hex-ish gate).
+//
+// Cross-language: works on Python / JS / TS / Java / Go / Rust because it
+// operates on raw line text and only requires the LHS-keyword → `=`/`:` →
+// quoted-literal shape, which is shared across all six. The Bash detector
+// in language-sources-pass.ts already covers shell-syntax assignments.
+//
+// FP guards:
+//   - Skip placeholder values (changeme / your-key-here / etc).
+//   - Skip empty / single-char values.
+//   - Skip values that are obviously dynamic (env-var refs, function calls,
+//     concatenation, template-literal interpolation).
+//   - Skip lines that look like function / method declarations (parameter
+//     names with credential keywords are common: `func setPassword(pw string)`).
+//   - Skip lines that look like comparisons (`==`, `===`, `!=`).
+//
+// (cognium-dev #109 — CWE-260 hardcoded credential in config files.)
+// ---------------------------------------------------------------------------
+const CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key)[\w$]*?)\s*[:=]\s*["'`]([^"'`\s$][^"'`\n]{2,})["'`]/i;
+const CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
+const CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
+const CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+/** Variable / parameter / field declarations whose IDENTIFIER carries the credential keyword. */
+function isLikelyCredentialAssignment(line) {
+    // Skip function declarations: `def login(password): ...`, `func auth(token string) {`
+    if (CRED_FUNCTION_DECL_RE.test(line))
+        return null;
+    // Skip equality comparisons that happen to involve a string literal.
+    if (CRED_COMPARISON_RE.test(line))
+        return null;
+    const m = line.match(CRED_KEYWORD_RE);
+    if (!m)
+        return null;
+    const name = m[1];
+    const value = m[2];
+    // Reject placeholder / dynamic values (the entropy layer's denylist
+    // also catches these; duplicated here so this layer is self-contained).
+    if (PLACEHOLDER_RE.test(value))
+        return null;
+    if (CRED_DYNAMIC_VALUE_RE.test(value))
+        return null;
+    // Single-char / obviously-empty values.
+    if (value.length < 3)
+        return null;
+    // Reject all-same-char (e.g. "xxx", "----").
+    if (isAllSameChar(value))
+        return null;
+    return { name, value };
+}
+// ---------------------------------------------------------------------------
 // Entropy patterns (layer 2)
 // ---------------------------------------------------------------------------
 /**
@@ -263,6 +320,37 @@ export class ScanSecretsPass {
                 break;
             }
         }
+        // Layer 1b: named-credential constant assignments (config-style).
+        // Operates line-by-line on raw source text; cross-language by construction
+        // (PASSWORD/SECRET/TOKEN/API_KEY/PRIVATE_KEY/ACCESS_KEY identifier =
+        // quoted literal). FP guards in `isLikelyCredentialAssignment`.
+        for (let i = 0; i < lines.length; i++) {
+            const lineText = lines[i];
+            const lineNum = i + 1;
+            const hit = isLikelyCredentialAssignment(lineText);
+            if (!hit)
+                continue;
+            const key = `${lineNum}:hardcoded-credential`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            ctx.addFinding({
+                id: `hardcoded-credential-${file}-${lineNum}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: 'hardcoded-credential',
+                cwe: 'CWE-798',
+                severity: 'high',
+                level: 'error',
+                message: `Hardcoded credential: \`${hit.name}\` assigned a literal value`,
+                file,
+                line: lineNum,
+                snippet: lineText.trim().substring(0, 120),
+                fix: 'Move the credential to an environment variable or secrets manager; never commit live secrets to source control.',
+                evidence: { kind: 'named-credential', name: hit.name },
+            });
+            providerFindings += 1;
+        }
         // Layer 2: Shannon-entropy scan on string literals.
         for (let i = 0; i < lines.length; i++) {
             const lineText = lines[i];

package/dist/analysis/passes/scan-secrets-pass.js.map

@@ -1 +1 @@
-{"version":3,"file":"scan-secrets-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,0EAA0E;AAC1E,MAAM,YAAY,GAAG,2FAA2F,CAAC;AACjH,MAAM,gBAAgB,GAAG,gFAAgF,CAAC;AAE1G,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChE,CAAC;AAiBD,MAAM,iBAAiB,GAAsB;IAC3C;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sBAAsB;QAC7B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,wGAAwG;KAC9G;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kEAAkE;KACxE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kFAAkF;KACxF;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oFAAoF;KAC1F;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,2EAA2E;KACjF;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS;QAClC,GAAG,EAAE,oIAAoI;KAC1I;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,+BAA+B;QACtC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oEAAoE;KAC1E;IACD;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,kCAAkC;QACzC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sEAAsE;QAC7E,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,6DAA6D;QACpE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,qIAAqI;KAC3I;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,iGAAiG;KACvG;CACF,CAAC;AAEF,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAC3C,MAAM,SAAS,GAAG,gBAAgB,CAAC;AACnC,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAElF,MAAM,cAAc,GAClB,qOAAqO,CAAC;AAExO,4GAA4G;AAC5G,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACnD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0FAA0F;AAC1F,SAAS,eAAe,CAAC,CAAS;IAChC,mEAAmE;IACnE,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAS,mBAAmB,CAAC,CAAS;IACpC,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IACpC,OAAO,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAClB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,kGAAkG;AAClG,MAAM,kBAAkB,GAAG,8DAA8D,CAAC;AAE1F,8EAA8E;AAC9E,oDAAoD;AACpD,8EAA8E;AAE9E,MAAM,YAAY,GAAG,2CAA2C,CAAC;AACjE,MAAM,kBAAkB,GAAG,+CAA+C,CAAC;AAY3E,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEpC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC;QACxC,mEAAmE;QACnE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAC9B,IAAI,CAAC,CAAC,OAAO,KAAK,sBAAsB,IAAI,CAAC,CAAC,OAAO,KAAK,8BAA8B,EAAE,CAAC;gBACzF,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,IAAI,gBAAgB,GAAG,CAAC,CAAC;QACzB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,6CAA6C;QAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YACtB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBAEjB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;oBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,sBAAsB;oBAC/B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,yBAAyB,OAAO,CAAC,IAAI,WAAW;oBACzD,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;iBACnE,CAAC,CAAC;gBACH,gBAAgB,IAAI,CAAC,CAAC;gBACtB,sEAAsE;gBACtE,4DAA4D;gBAC5D,MAAM;YACR,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAC1C,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEhD,2DAA2D;YAC3D,iBAAiB,CAAC,SAAS,GAAG,CAAC,CAAC;YAChC,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;oBAAE,SAAS;gBACvC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC;oBAAE,SAAS;gBAEvD,MAAM,GAAG,GAAG,GAAG,OAAO,+BAA+B,CAAC;gBACtD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,kEAAkE;gBAClE,8CAA8C;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,uBAAuB,CAAC;oBAAE,SAAS;gBAC1D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,gCAAgC,IAAI,IAAI,OAAO,EAAE;oBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,8BAA8B;oBACvC,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,SAAS;oBAChB,OAAO,EAAE,2DAA2D,KAAK,CAAC,MAAM,SAAS;oBACzF,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,0LAA0L;oBAC/L,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;iBACpD,CAAC,CAAC;gBACH,eAAe,IAAI,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IAC3D,WAAW,CAAC,CAAS;QAC3B,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,IAAI,CAAC,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,eAAe,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,aAAa,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,sEAAsE;QACtE,wCAAwC;QACxC,IAAI,mBAAmB,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,KAAa,EAAE,QAAgB;QACvD,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,CAAC,IAAI,SAAS,CAAC;IACxB,CAAC;CACF"}
+{"version":3,"file":"scan-secrets-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,0EAA0E;AAC1E,MAAM,YAAY,GAAG,2FAA2F,CAAC;AACjH,MAAM,gBAAgB,GAAG,gFAAgF,CAAC;AAE1G,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChE,CAAC;AAiBD,MAAM,iBAAiB,GAAsB;IAC3C;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sBAAsB;QAC7B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,wGAAwG;KAC9G;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kEAAkE;KACxE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kFAAkF;KACxF;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oFAAoF;KAC1F;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,2EAA2E;KACjF;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS;QAClC,GAAG,EAAE,oIAAoI;KAC1I;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,+BAA+B;QACtC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oEAAoE;KAC1E;IACD;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,kCAAkC;QACzC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sEAAsE;QAC7E,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,6DAA6D;QACpE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,qIAAqI;KAC3I;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,iGAAiG;KACvG;CACF,CAAC;AAEF,8EAA8E;AAC9E,uCAAuC;AACvC,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,4EAA4E;AAC5E,0DAA0D;AAC1D,2EAA2E;AAC3E,qEAAqE;AACrE,EAAE;AACF,0EAA0E;AAC1E,0EAA0E;AAC1E,0EAA0E;AAC1E,uEAAuE;AACvE,EAAE;AACF,aAAa;AACb,gEAAgE;AAChE,uCAAuC;AACvC,4EAA4E;AAC5E,sDAAsD;AACtD,0EAA0E;AAC1E,iFAAiF;AACjF,iEAAiE;AACjE,EAAE;AACF,qEAAqE;AACrE,8EAA8E;AAE9E,MAAM,eAAe,GACnB,8JAA8J,CAAC;AAEjK,MAAM,qBAAqB,GAAG,yDAAyD,CAAC;AACxF,MAAM,qBAAqB,GAAG,uCAAuC,CAAC;AACtE,MAAM,kBAAkB,GAAG,gCAAgC,CAAC;AAE5D,iGAAiG;AACjG,SAAS,4BAA4B,CAAC,IAAY;IAChD,sFAAsF;IACtF,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,qEAAqE;IACrE,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAClB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnB,oEAAoE;IACpE,wEAAwE;IACxE,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,wCAAwC;IACxC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,6CAA6C;IAC7C,IAAI,aAAa,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AACzB,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAC3C,MAAM,SAAS,GAAG,gBAAgB,CAAC;AACnC,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAElF,MAAM,cAAc,GAClB,qOAAqO,CAAC;AAExO,4GAA4G;AAC5G,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACnD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0FAA0F;AAC1F,SAAS,eAAe,CAAC,CAAS;IAChC,mEAAmE;IACnE,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAS,mBAAmB,CAAC,CAAS;IACpC,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IACpC,OAAO,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAClB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,kGAAkG;AAClG,MAAM,kBAAkB,GAAG,8DAA8D,CAAC;AAE1F,8EAA8E;AAC9E,oDAAoD;AACpD,8EAA8E;AAE9E,MAAM,YAAY,GAAG,2CAA2C,CAAC;AACjE,MAAM,kBAAkB,GAAG,+CAA+C,CAAC;AAY3E,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEpC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC;QACxC,mEAAmE;QACnE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAC9B,IAAI,CAAC,CAAC,OAAO,KAAK,sBAAsB,IAAI,CAAC,CAAC,OAAO,KAAK,8BAA8B,EAAE,CAAC;gBACzF,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,IAAI,gBAAgB,GAAG,CAAC,CAAC;QACzB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,6CAA6C;QAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YACtB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBAEjB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;oBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,sBAAsB;oBAC/B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,yBAAyB,OAAO,CAAC,IAAI,WAAW;oBACzD,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;iBACnE,CAAC,CAAC;gBACH,gBAAgB,IAAI,CAAC,CAAC;gBACtB,sEAAsE;gBACtE,4DAA4D;gBAC5D,MAAM;YACR,CAAC;QACH,CAAC;QAED,kEAAkE;QAClE,2EAA2E;QAC3E,qEAAqE;QACrE,gEAAgE;QAChE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,MAAM,GAAG,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;YACnD,IAAI,CAAC,GAAG;gBAAE,SAAS;YAEnB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;YAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAEd,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;gBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,sBAAsB;gBAC/B,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,2BAA2B,GAAG,CAAC,IAAI,6BAA6B;gBACzE,IAAI;gBACJ,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;gBAC1C,GAAG,EAAE,iHAAiH;gBACtH,QAAQ,EAAE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE;aACvD,CAAC,CAAC;YACH,gBAAgB,IAAI,CAAC,CAAC;QACxB,CAAC;QAED,oDAAoD;QACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAC1C,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEhD,2DAA2D;YAC3D,iBAAiB,CAAC,SAAS,GAAG,CAAC,CAAC;YAChC,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;oBAAE,SAAS;gBACvC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC;oBAAE,SAAS;gBAEvD,MAAM,GAAG,GAAG,GAAG,OAAO,+BAA+B,CAAC;gBACtD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,kEAAkE;gBAClE,8CAA8C;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,uBAAuB,CAAC;oBAAE,SAAS;gBAC1D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,gCAAgC,IAAI,IAAI,OAAO,EAAE;oBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,8BAA8B;oBACvC,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,SAAS;oBAChB,OAAO,EAAE,2DAA2D,KAAK,CAAC,MAAM,SAAS;oBACzF,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,0LAA0L;oBAC/L,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;iBACpD,CAAC,CAAC;gBACH,eAAe,IAAI,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IAC3D,WAAW,CAAC,CAAS;QAC3B,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,IAAI,CAAC,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,eAAe,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,aAAa,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,sEAAsE;QACtE,wCAAwC;QACxC,IAAI,mBAAmB,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,KAAa,EAAE,QAAgB;QACvD,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,CAAC,IAAI,SAAS,CAAC;IACxB,CAAC;CACF"}

package/dist/browser/circle-ir.js

@@ -11736,10 +11736,17 @@ var DEFAULT_SINKS = [
   // These patterns are detected by call-site literal inspection, not taint flow,
   // so they are NOT registered here as sinks (they could never match a "tainted
   // value flowing into a sink" because the bad value is a hard-coded constant).
-  // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-  // The vulnerability is attacker controlling which key to use, not the value
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+  // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+  // the violation: untrusted data enters server-side state where downstream
+  // code reads it as if trusted. Both arg positions are flagged so either a
+  // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+  // the sink. (cognium-dev #117)
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  // ServletContext + request scopes — same trust-boundary semantics.
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   // Additional XSS patterns (JDOM/XML output)
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -28683,6 +28690,23 @@ var PROVIDER_PATTERNS = [
     fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
   }
 ];
+var CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key)[\w$]*?)\s*[:=]\s*["'`]([^"'`\s$][^"'`\n]{2,})["'`]/i;
+var CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
+var CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
+var CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+function isLikelyCredentialAssignment(line) {
+  if (CRED_FUNCTION_DECL_RE.test(line)) return null;
+  if (CRED_COMPARISON_RE.test(line)) return null;
+  const m = line.match(CRED_KEYWORD_RE);
+  if (!m) return null;
+  const name2 = m[1];
+  const value = m[2];
+  if (PLACEHOLDER_RE.test(value)) return null;
+  if (CRED_DYNAMIC_VALUE_RE.test(value)) return null;
+  if (value.length < 3) return null;
+  if (isAllSameChar(value)) return null;
+  return { name: name2, value };
+}
 var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
 var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
 var HEXISH_RE = /^[a-fA-F0-9]+$/;
@@ -28774,6 +28798,31 @@ var ScanSecretsPass = class {
         break;
       }
     }
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      const hit = isLikelyCredentialAssignment(lineText);
+      if (!hit) continue;
+      const key = `${lineNum}:hardcoded-credential`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      ctx.addFinding({
+        id: `hardcoded-credential-${file}-${lineNum}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: "hardcoded-credential",
+        cwe: "CWE-798",
+        severity: "high",
+        level: "error",
+        message: `Hardcoded credential: \`${hit.name}\` assigned a literal value`,
+        file,
+        line: lineNum,
+        snippet: lineText.trim().substring(0, 120),
+        fix: "Move the credential to an environment variable or secrets manager; never commit live secrets to source control.",
+        evidence: { kind: "named-credential", name: hit.name }
+      });
+      providerFindings += 1;
+    }
     for (let i2 = 0; i2 < lines.length; i2++) {
       const lineText = lines[i2];
       const lineNum = i2 + 1;
@@ -29141,8 +29190,10 @@ var InsecureCookiePass = class {
   }
   // ---------------- Java ----------------
   detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
-    if (call.method_name !== "Cookie") return null;
-    const looksLikeCtor = call.is_constructor || !call.receiver && call.receiver_type === "Cookie" || (call.resolution?.target ?? "").endsWith(".<init>");
+    const method = call.method_name ?? "";
+    const isCookieCtor = method === "Cookie" || method.endsWith(".Cookie");
+    if (!isCookieCtor) return null;
+    const looksLikeCtor = call.is_constructor || !call.receiver && (call.receiver_type === "Cookie" || (call.receiver_type ?? "").endsWith(".Cookie")) || (call.resolution?.target ?? "").endsWith(".<init>");
     if (!looksLikeCtor) return null;
     if (call.arguments.length < 2) return null;
     const missingSecure = !hasSetSecureTrue;

package/dist/core/circle-ir-core.cjs

@@ -11118,10 +11118,17 @@ var DEFAULT_SINKS = [
   // These patterns are detected by call-site literal inspection, not taint flow,
   // so they are NOT registered here as sinks (they could never match a "tainted
   // value flowing into a sink" because the bad value is a hard-coded constant).
-  // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-  // The vulnerability is attacker controlling which key to use, not the value
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+  // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+  // the violation: untrusted data enters server-side state where downstream
+  // code reads it as if trusted. Both arg positions are flagged so either a
+  // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+  // the sink. (cognium-dev #117)
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  // ServletContext + request scopes — same trust-boundary semantics.
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   // Additional XSS patterns (JDOM/XML output)
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },

package/dist/core/circle-ir-core.js

@@ -11052,10 +11052,17 @@ var DEFAULT_SINKS = [
   // These patterns are detected by call-site literal inspection, not taint flow,
   // so they are NOT registered here as sinks (they could never match a "tainted
   // value flowing into a sink" because the bad value is a hard-coded constant).
-  // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-  // The vulnerability is attacker controlling which key to use, not the value
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+  // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+  // the violation: untrusted data enters server-side state where downstream
+  // code reads it as if trusted. Both arg positions are flagged so either a
+  // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+  // the sink. (cognium-dev #117)
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  // ServletContext + request scopes — same trust-boundary semantics.
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   // Additional XSS patterns (JDOM/XML output)
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.79.0",
+  "version": "3.80.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",