circle-ir 3.79.0 → 3.81.0

package/dist/browser/circle-ir.js

@@ -11377,7 +11377,12 @@ var DEFAULT_SINKS = [
   // Class-less XSS patterns for cases where receiver type is inferred
   { method: "println", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "print", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
-  { method: "write", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
+  // NOTE: the unscoped { method: 'write', type: 'xss' } entry was removed in
+  // Sprint 28 (#110). It mistyped every non-XSS .write() across all languages
+  // (fs.writeFile, open().write, bcrypt callbacks, credential file writes,
+  // node ClientRequest.write, etc.) as xss. Real HTML writers are covered
+  // by class-scoped entries: PrintWriter.write (line 843), ServletOutputStream.write
+  // (line 849), JspWriter.write (xss.yaml), Response.write (nodejs.json).
   { method: "append", class: "StringBuilder", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuffer", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   // Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)
@@ -11736,10 +11741,17 @@ var DEFAULT_SINKS = [
   // These patterns are detected by call-site literal inspection, not taint flow,
   // so they are NOT registered here as sinks (they could never match a "tainted
   // value flowing into a sink" because the bad value is a hard-coded constant).
-  // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-  // The vulnerability is attacker controlling which key to use, not the value
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+  // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+  // the violation: untrusted data enters server-side state where downstream
+  // code reads it as if trusted. Both arg positions are flagged so either a
+  // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+  // the sink. (cognium-dev #117)
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  // ServletContext + request scopes — same trust-boundary semantics.
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   // Additional XSS patterns (JDOM/XML output)
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -28683,6 +28695,23 @@ var PROVIDER_PATTERNS = [
     fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
   }
 ];
+var CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key)[\w$]*?)\s*[:=]\s*["'`]([^"'`\s$][^"'`\n]{2,})["'`]/i;
+var CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
+var CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
+var CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+function isLikelyCredentialAssignment(line) {
+  if (CRED_FUNCTION_DECL_RE.test(line)) return null;
+  if (CRED_COMPARISON_RE.test(line)) return null;
+  const m = line.match(CRED_KEYWORD_RE);
+  if (!m) return null;
+  const name2 = m[1];
+  const value = m[2];
+  if (PLACEHOLDER_RE.test(value)) return null;
+  if (CRED_DYNAMIC_VALUE_RE.test(value)) return null;
+  if (value.length < 3) return null;
+  if (isAllSameChar(value)) return null;
+  return { name: name2, value };
+}
 var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
 var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
 var HEXISH_RE = /^[a-fA-F0-9]+$/;
@@ -28774,6 +28803,31 @@ var ScanSecretsPass = class {
         break;
       }
     }
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      const hit = isLikelyCredentialAssignment(lineText);
+      if (!hit) continue;
+      const key = `${lineNum}:hardcoded-credential`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      ctx.addFinding({
+        id: `hardcoded-credential-${file}-${lineNum}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: "hardcoded-credential",
+        cwe: "CWE-798",
+        severity: "high",
+        level: "error",
+        message: `Hardcoded credential: \`${hit.name}\` assigned a literal value`,
+        file,
+        line: lineNum,
+        snippet: lineText.trim().substring(0, 120),
+        fix: "Move the credential to an environment variable or secrets manager; never commit live secrets to source control.",
+        evidence: { kind: "named-credential", name: hit.name }
+      });
+      providerFindings += 1;
+    }
     for (let i2 = 0; i2 < lines.length; i2++) {
       const lineText = lines[i2];
       const lineNum = i2 + 1;
@@ -29141,8 +29195,10 @@ var InsecureCookiePass = class {
   }
   // ---------------- Java ----------------
   detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
-    if (call.method_name !== "Cookie") return null;
-    const looksLikeCtor = call.is_constructor || !call.receiver && call.receiver_type === "Cookie" || (call.resolution?.target ?? "").endsWith(".<init>");
+    const method = call.method_name ?? "";
+    const isCookieCtor = method === "Cookie" || method.endsWith(".Cookie");
+    if (!isCookieCtor) return null;
+    const looksLikeCtor = call.is_constructor || !call.receiver && (call.receiver_type === "Cookie" || (call.receiver_type ?? "").endsWith(".Cookie")) || (call.resolution?.target ?? "").endsWith(".<init>");
     if (!looksLikeCtor) return null;
     if (call.arguments.length < 2) return null;
     const missingSecure = !hasSetSecureTrue;
@@ -29930,6 +29986,560 @@ var WeakRandomPass = class {
   }
 };
 
+// src/analysis/passes/_credential-helpers.ts
+var CRED_KEYWORD_RE2 = /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i;
+function isCredentialIdentifier(name2) {
+  if (!name2) return false;
+  if (name2.length < 3) return false;
+  return CRED_KEYWORD_RE2.test(name2);
+}
+function argLooksLikeCredential(arg) {
+  if (!arg) return false;
+  if (arg.variable && isCredentialIdentifier(arg.variable)) return true;
+  const expr = (arg.expression ?? "").trim();
+  if (!expr) return false;
+  const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+  return isCredentialIdentifier(head);
+}
+function stripQuotes6(s) {
+  const t = s.trim();
+  if (t.startsWith('"') && t.endsWith('"') || t.startsWith("'") && t.endsWith("'") || t.startsWith("`") && t.endsWith("`")) {
+    return t.slice(1, -1);
+  }
+  return t;
+}
+function literalAt(call, position) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg) return null;
+  const raw = arg.literal ?? arg.expression ?? "";
+  const trimmed = raw.trim();
+  if (trimmed.startsWith('"') || trimmed.startsWith("'") || trimmed.startsWith("`")) {
+    return stripQuotes6(trimmed);
+  }
+  if (arg.literal) return stripQuotes6(arg.literal);
+  return null;
+}
+function isHashFunctionCall(call) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+    return method === "hashpw" || method === "hash" || method === "hashSync" || method === "GenerateFromPassword" || method === "generate_password_hash";
+  }
+  if (recvLower === "argon2" || recvLower.endsWith(".argon2")) {
+    return method === "hash" || method === "Hash" || method === "PasswordHash";
+  }
+  if (recvLower === "hashlib") return true;
+  if (recvLower === "passlib" || recvLower.includes("passlib.hash")) return true;
+  if (method === "PBKDF2HMAC" || method === "derive") return true;
+  if (recvLower === "crypto") {
+    return method === "createHash" || method === "createHmac" || method === "pbkdf2" || method === "pbkdf2Sync" || method === "scrypt" || method === "scryptSync";
+  }
+  if (receiver === "MessageDigest" || receiver.endsWith(".MessageDigest")) {
+    return method === "getInstance" || method === "update" || method === "digest";
+  }
+  if (receiver === "DigestUtils" || receiver.endsWith(".DigestUtils")) {
+    return true;
+  }
+  if (receiver === "SecretKeyFactory" || receiver.endsWith(".SecretKeyFactory")) {
+    return method === "getInstance" || method === "generateSecret";
+  }
+  if (method === "PBEKeySpec") return true;
+  if (receiver === "md5" || receiver === "sha1" || receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver.endsWith("/md5") || receiver.endsWith("/sha1") || receiver.endsWith("/sha256") || receiver.endsWith("/sha512")) {
+    return method === "New" || method === "Sum" || method === "New224" || method === "New384";
+  }
+  const m = method.toLowerCase();
+  if (m === "hash" || m === "hashpw" || m === "hashsync" || m === "pbkdf2" || m === "pbkdf2sync" || m === "scrypt" || m === "scryptsync") return true;
+  return false;
+}
+function priorHashOf(varName, priorCalls) {
+  for (const c of priorCalls) {
+    if (!isHashFunctionCall(c)) continue;
+    for (const a of c.arguments) {
+      if (a.variable === varName) return true;
+      const head = (a.expression ?? "").trim().split(/[.\s(]/, 1)[0];
+      if (head === varName) return true;
+    }
+  }
+  return false;
+}
+
+// src/analysis/passes/weak-password-hash-pass.ts
+var FAST_HASH_NAMES = /* @__PURE__ */ new Set([
+  "sha224",
+  "sha-224",
+  "sha256",
+  "sha-256",
+  "sha384",
+  "sha-384",
+  "sha512",
+  "sha-512",
+  "sha3",
+  "sha-3",
+  "sha3-256",
+  "sha3-512"
+  // MD/SHA1 are covered by weak-hash; not duplicating here.
+]);
+var BCRYPT_MIN_COST = 10;
+var PBKDF2_MIN_ITERATIONS = 1e5;
+function intLiteral(s) {
+  if (s == null) return null;
+  const t = s.trim();
+  if (!/^-?\d+$/.test(t)) return null;
+  const n = parseInt(t, 10);
+  return Number.isFinite(n) ? n : null;
+}
+function pyKwargInt(call, name2) {
+  for (const a of call.arguments) {
+    const expr = (a.expression ?? "").trim();
+    const m = expr.match(new RegExp(`^${name2}\\s*=\\s*(-?\\d+)$`));
+    if (m) return parseInt(m[1], 10);
+  }
+  return null;
+}
+var WeakPasswordHashPass = class {
+  name = "weak-password-hash";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection) continue;
+      const { kind, api } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, kind, api });
+      const message = kind === "fast-unsalted-hash" ? `Fast/unsalted hash \`${api}\` applied to a password. General-purpose hashes (SHA-256/512) are unsuitable for password storage.` : kind === "low-bcrypt-cost" ? `bcrypt called with insufficient cost factor (< ${BCRYPT_MIN_COST}).` : `PBKDF2 called with insufficient iteration count (< ${PBKDF2_MIN_ITERATIONS}).`;
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-916",
+        severity: "high",
+        level: "warning",
+        message,
+        file,
+        line,
+        fix: "Use a memory-hard password-hashing function with appropriate cost: Argon2id (recommended), bcrypt (cost \u2265 12), scrypt, or PBKDF2 with \u2265 600k iterations.",
+        evidence: { kind, api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+      if (method === "gensalt") {
+        const rounds = pyKwargInt(call, "rounds");
+        if (rounds !== null && rounds < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.gensalt" };
+        }
+      }
+      if (method === "hash" || method === "hashSync") {
+        const cost = intLiteral(literalAt(call, 1));
+        if (cost !== null && cost < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: `bcrypt.${method}` };
+        }
+      }
+      if (method === "GenerateFromPassword") {
+        const arg1 = call.arguments.find((a) => a.position === 1);
+        const expr = (arg1?.expression ?? "").trim();
+        const n = intLiteral(expr);
+        if (n !== null && n < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+        if (expr === "bcrypt.MinCost") {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+      }
+    }
+    if (method === "PBKDF2HMAC") {
+      const iters = pyKwargInt(call, "iterations");
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBKDF2HMAC" };
+      }
+    }
+    if ((method === "pbkdf2" || method === "pbkdf2Sync") && (recvLower === "crypto" || recvLower.endsWith(".crypto"))) {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: `crypto.${method}` };
+      }
+    }
+    if (method === "PBEKeySpec" && language === "java") {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBEKeySpec" };
+      }
+    }
+    if (language === "python" && (recvLower === "hashlib" || recvLower.endsWith(".hashlib"))) {
+      if (FAST_HASH_NAMES.has(method.toLowerCase())) {
+        if (argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.${method}` };
+        }
+      }
+      if (method === "new") {
+        const algo = literalAt(call, 0)?.toLowerCase() ?? "";
+        if (FAST_HASH_NAMES.has(algo) && argLooksLikeCredential(call.arguments.find((a) => a.position === 1))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.new(${algo})` };
+        }
+      }
+    }
+    if ((language === "javascript" || language === "typescript") && method === "update") {
+      const recvExpr = (receiver ?? "").toLowerCase();
+      const hashLike = recvExpr.includes("hash") || recvExpr.includes("createhash") || recvExpr.includes("sha") || recvExpr.includes("md");
+      if (hashLike && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "crypto.createHash().update" };
+      }
+    }
+    if (language === "java" && method === "update") {
+      const recvName = (receiver ?? "").toLowerCase();
+      const looksLikeDigest = recvName.includes("digest") || recvName.includes("md") || recvName.includes("hash");
+      if (looksLikeDigest && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "MessageDigest.update" };
+      }
+    }
+    if (language === "go") {
+      const isFastPkg = receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver === "sha224";
+      if (isFastPkg && (method === "Sum256" || method === "Sum512" || method === "Sum224" || method === "Sum384" || method === "Sum")) {
+        const expr = (call.arguments.find((a) => a.position === 0)?.expression ?? "").trim();
+        const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+        if (argLooksLikeCredential({ position: 0, expression: inner, variable: inner })) {
+          return { kind: "fast-unsalted-hash", api: `${receiver}.${method}` };
+        }
+      }
+    }
+    return null;
+  }
+};
+
+// src/analysis/passes/weak-password-encoding-pass.ts
+function isBasicAuthContext(call, code) {
+  const line = call.location.line;
+  if (line < 1) return false;
+  const lines = code.split("\n");
+  const start2 = Math.max(0, line - 2);
+  const end = Math.min(lines.length, line + 1);
+  const window2 = lines.slice(start2, end).join("\n");
+  return /["'`]Basic\s/i.test(window2);
+}
+var WeakPasswordEncodingPass = class {
+  name = "weak-password-encoding";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const api = this.detect(call, language);
+      if (!api) continue;
+      if (isBasicAuthContext(call, code)) continue;
+      const line = call.location.line;
+      findings.push({ line, language, api });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-261",
+        severity: "medium",
+        level: "warning",
+        message: `Credential encoded via \`${api}\` \u2014 encoding is NOT encryption. Base64/hex provide no confidentiality; anyone with the encoded value can decode it.`,
+        file,
+        line,
+        fix: "For storage, use a password hash (Argon2id / bcrypt). For transport, use TLS. For symmetric secrecy, use authenticated encryption (AES-GCM).",
+        evidence: { api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    const arg0 = call.arguments.find((a) => a.position === 0);
+    if (language === "python") {
+      if (recvLower === "base64" && (method === "b64encode" || method === "urlsafe_b64encode" || method === "standard_b64encode")) {
+        if (argLooksLikeCredential(arg0)) return `base64.${method}`;
+      }
+      if (recvLower === "binascii" && method === "hexlify") {
+        if (argLooksLikeCredential(arg0)) return "binascii.hexlify";
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (method === "toString") {
+        const encoding = literalAt(call, 0);
+        if (encoding === "base64" || encoding === "hex" || encoding === "base64url") {
+          const recv = (receiver ?? "").toLowerCase();
+          if (recv.includes("buffer.from") && /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i.test(receiver ?? "")) {
+            return `Buffer.from().toString('${encoding}')`;
+          }
+        }
+      }
+      if (method === "btoa" && receiver === "") {
+        if (argLooksLikeCredential(arg0)) return "btoa";
+      }
+    }
+    if (language === "java") {
+      if (method === "encodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("encoder") || recv.includes("base64")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return "Base64.encodeToString";
+          }
+        }
+      }
+      if (method === "encodeHexString" && (receiver === "Hex" || receiver.endsWith(".Hex"))) {
+        const expr = (arg0?.expression ?? "").trim();
+        const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+        if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+          return "Hex.encodeHexString";
+        }
+      }
+    }
+    if (language === "go") {
+      if (method === "EncodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("base64") || recv.includes("hex") || recv.includes("encoding")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+          const head = inner.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return recv.includes("hex") ? "hex.EncodeToString" : "base64.EncodeToString";
+          }
+        }
+      }
+    }
+    return null;
+  }
+};
+
+// src/analysis/passes/plaintext-password-storage-pass.ts
+function isWriteStorageCall(call, language) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (language === "python") {
+    if (method === "write" || method === "writelines") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+    if ((recvLower === "pickle" || recvLower === "json" || recvLower === "yaml") && (method === "dump" || method === "dumps")) {
+      return { credPos: 0, api: `${receiver}.${method}` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "javascript" || language === "typescript") {
+    if ((recvLower === "fs" || recvLower.endsWith(".fs")) && (method === "writeFile" || method === "writeFileSync" || method === "appendFile" || method === "appendFileSync")) {
+      return { credPos: 1, api: `fs.${method}` };
+    }
+    if ((recvLower === "localstorage" || recvLower === "sessionstorage") && method === "setItem") {
+      return { credPos: 1, api: `${receiver}.setItem` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "java") {
+    if ((receiver === "Files" || receiver.endsWith(".Files")) && (method === "write" || method === "writeString")) {
+      return { credPos: 1, api: `Files.${method}` };
+    }
+    if (method === "write") {
+      const lc = (receiver ?? "").toLowerCase();
+      if (lc.includes("writer") || lc.includes("file") || lc.includes("stream")) {
+        return { credPos: 0, api: `${receiver}.write` };
+      }
+    }
+  }
+  if (language === "go") {
+    if (receiver === "os" || receiver.endsWith("/os")) {
+      if (method === "WriteFile") return { credPos: 1, api: "os.WriteFile" };
+    }
+    if (receiver === "ioutil" || receiver.endsWith("/ioutil")) {
+      if (method === "WriteFile") return { credPos: 1, api: "ioutil.WriteFile" };
+    }
+    if (method === "WriteString" || method === "Write") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+  }
+  return null;
+}
+var PlaintextPasswordStoragePass = class {
+  name = "plaintext-password-storage";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const callsByScope = /* @__PURE__ */ new Map();
+    for (const call of graph.ir.calls) {
+      const scope = call.in_method ?? "<top>";
+      const arr = callsByScope.get(scope) ?? [];
+      arr.push(call);
+      callsByScope.set(scope, arr);
+    }
+    for (const call of graph.ir.calls) {
+      const spec = isWriteStorageCall(call, language);
+      if (!spec) continue;
+      const credArg = call.arguments.find((a) => a.position === spec.credPos);
+      if (!credArg) continue;
+      if (!argLooksLikeCredential(credArg)) continue;
+      const identExpr = (credArg.expression ?? "").trim();
+      const head = identExpr.split(/[.\s(]/, 1)[0] ?? "";
+      const identifier = credArg.variable ?? head;
+      if (!identifier) continue;
+      const scope = call.in_method ?? "<top>";
+      const scopeCalls = callsByScope.get(scope) ?? [];
+      const prior = scopeCalls.filter((c) => c.location.line < call.location.line);
+      if (priorHashOf(identifier, prior)) continue;
+      if (/\b(?:hashpw|hash|sha\d+|md5|bcrypt|argon2|pbkdf2|digest)\b/i.test(credArg.expression ?? "")) {
+        continue;
+      }
+      const line = call.location.line;
+      findings.push({ line, language, api: spec.api, identifier });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-256",
+        severity: "high",
+        level: "warning",
+        message: `Credential \`${identifier}\` written in plaintext via \`${spec.api}\`. Passwords / secrets must be hashed (Argon2id, bcrypt) before storage.`,
+        file,
+        line,
+        fix: "Hash the credential with Argon2id / bcrypt before writing it to disk, cookie, KV store, or database.",
+        evidence: { identifier, api: spec.api, language }
+      });
+    }
+    return { findings };
+  }
+};
+
+// src/analysis/passes/cleartext-credential-transport-pass.ts
+var LOCALHOST_RE = /^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)(?::\d+)?$/i;
+function isInsecureHttpUrl(urlLiteral) {
+  if (!urlLiteral) return false;
+  if (!/^http:\/\//i.test(urlLiteral)) return false;
+  const rest = urlLiteral.slice("http://".length);
+  const host = rest.split("/", 1)[0] ?? "";
+  if (LOCALHOST_RE.test(host)) return false;
+  return true;
+}
+function anyArgCarriesCredential(call, startPos) {
+  for (const a of call.arguments) {
+    if (a.position < startPos) continue;
+    if (argLooksLikeCredential(a)) return true;
+    const expr = (a.expression ?? "").trim();
+    if (!expr) continue;
+    if (/(?:["'`]?(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|credential)["'`]?\s*[:=])/i.test(expr)) {
+      return true;
+    }
+    if (/\b(?:password|passwd|pwd|secret|api_key|api-key|apiKey|auth_token|authToken|credential)\w*\b/i.test(expr)) {
+      return true;
+    }
+  }
+  return false;
+}
+var CleartextCredentialTransportPass = class {
+  name = "cleartext-credential-transport";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection) continue;
+      const { api, url } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, api, url });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-523",
+        severity: "high",
+        level: "error",
+        message: `Credentials transmitted to \`${url}\` over HTTP via \`${api}\`. Cleartext transport exposes credentials to network observers.`,
+        file,
+        line,
+        fix: "Use HTTPS (https://) for all endpoints that receive credentials. For internal traffic, terminate TLS at the service boundary.",
+        evidence: { api, url, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (language === "python") {
+      if ((recvLower === "requests" || recvLower === "httpx" || recvLower.endsWith(".requests") || recvLower.endsWith(".httpx")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, method === "request" ? 1 : 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `${receiver}.${method}`, url };
+        }
+      }
+      if (method === "urlopen" && recvLower.includes("urllib")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "urllib.request.urlopen", url };
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if ((recvLower === "axios" || recvLower.endsWith(".axios")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `axios.${method}`, url };
+        }
+      }
+      if (method === "fetch" && receiver === "") {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "fetch", url };
+        }
+      }
+      if (method === "request" && (recvLower === "http" || recvLower.endsWith(".http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.request", url };
+        }
+      }
+    }
+    if (language === "java" && method === "URL" && receiver === "") {
+      const url = literalAt(call, 0);
+      if (!isInsecureHttpUrl(url)) return null;
+      const scope = call.in_method ?? null;
+      if (!scope) return null;
+      return null;
+    }
+    if (language === "go") {
+      if (method === "Post" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.Post", url };
+        }
+      }
+      if (method === "NewRequest" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 1);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 2)) {
+          return { api: "http.NewRequest", url };
+        }
+      }
+    }
+    return null;
+  }
+};
+
 // src/analysis/passes/tls-verify-disabled-pass.ts
 var PY_HTTP_METHODS = /* @__PURE__ */ new Set([
   "get",
@@ -31968,6 +32578,10 @@ async function analyze(code, filePath, language, options = {}) {
     if (!disabledPasses.has("weak-hash")) pipeline.add(new WeakHashPass());
     if (!disabledPasses.has("weak-crypto")) pipeline.add(new WeakCryptoPass());
     if (!disabledPasses.has("weak-random")) pipeline.add(new WeakRandomPass());
+    if (!disabledPasses.has("weak-password-hash")) pipeline.add(new WeakPasswordHashPass());
+    if (!disabledPasses.has("weak-password-encoding")) pipeline.add(new WeakPasswordEncodingPass());
+    if (!disabledPasses.has("plaintext-password-storage")) pipeline.add(new PlaintextPasswordStoragePass());
+    if (!disabledPasses.has("cleartext-credential-transport")) pipeline.add(new CleartextCredentialTransportPass());
     if (!disabledPasses.has("tls-verify-disabled")) pipeline.add(new TlsVerifyDisabledPass());
     if (!disabledPasses.has("module-side-effect")) pipeline.add(new ModuleSideEffectPass());
     if (!disabledPasses.has("cache-no-vary")) pipeline.add(new CacheNoVaryPass());