circle-ir 3.80.0 → 3.81.0

package/dist/analysis/passes/plaintext-password-storage-pass.js

@@ -0,0 +1,159 @@
+/**
+ * Pass: plaintext-password-storage (CWE-256, category: security)
+ *
+ * Detects writing a credential-named identifier to a persistent store
+ * (file, KV store, cookie, database) without first passing it through a
+ * cryptographic hash / KDF.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `open(...).write(password)` / `f.write(password)`
+ *     - `pickle.dump(password, ...)` / `json.dump(...)` / `yaml.dump(...)`
+ *     - `redis.set(key, password)`
+ *   JS/TS:
+ *     - `fs.writeFile|writeFileSync|appendFile(path, password)`
+ *     - `localStorage.setItem(key, password)` / `sessionStorage.setItem`
+ *     - `redis.set(key, password)`
+ *   Java:
+ *     - `Files.write|writeString(path, password)`
+ *     - `FileWriter.write(password)`
+ *   Go:
+ *     - `os.WriteFile(name, []byte(password), ...)`
+ *     - `f.WriteString(password)` / `f.Write([]byte(password))`
+ *
+ * Heuristic for "not hashed": intraprocedural — walk all calls earlier
+ * in the same `in_method` scope; if any of them is a known hash/KDF
+ * (see _credential-helpers `isHashFunctionCall`) and consumes the
+ * credential identifier, suppress.
+ *
+ * This is intentionally lightweight (no full DFG); FP risk skewed toward
+ * recall loss for cross-function hashing (controller → service.hash →
+ * repo.store), which is acceptable for v1.
+ */
+import { argLooksLikeCredential, priorHashOf, } from './_credential-helpers.js';
+function isWriteStorageCall(call, language) {
+    const method = call.method_name ?? '';
+    const receiver = call.receiver ?? '';
+    const recvLower = receiver.toLowerCase();
+    if (language === 'python') {
+        // open(...).write(pw) — receiver is a file handle; we approximate by
+        // method name `write` and check arg credential below.
+        if (method === 'write' || method === 'writelines') {
+            return { credPos: 0, api: `<file>.${method}` };
+        }
+        if ((recvLower === 'pickle' || recvLower === 'json' || recvLower === 'yaml') &&
+            (method === 'dump' || method === 'dumps')) {
+            return { credPos: 0, api: `${receiver}.${method}` };
+        }
+        if (recvLower === 'redis' && (method === 'set' || method === 'setex' || method === 'hset')) {
+            return { credPos: 1, api: `redis.${method}` };
+        }
+    }
+    if (language === 'javascript' || language === 'typescript') {
+        if ((recvLower === 'fs' || recvLower.endsWith('.fs')) &&
+            (method === 'writeFile' || method === 'writeFileSync' ||
+                method === 'appendFile' || method === 'appendFileSync')) {
+            return { credPos: 1, api: `fs.${method}` };
+        }
+        if ((recvLower === 'localstorage' || recvLower === 'sessionstorage') &&
+            method === 'setItem') {
+            return { credPos: 1, api: `${receiver}.setItem` };
+        }
+        if (recvLower === 'redis' && (method === 'set' || method === 'setex' || method === 'hset')) {
+            return { credPos: 1, api: `redis.${method}` };
+        }
+    }
+    if (language === 'java') {
+        if ((receiver === 'Files' || receiver.endsWith('.Files')) &&
+            (method === 'write' || method === 'writeString')) {
+            return { credPos: 1, api: `Files.${method}` };
+        }
+        // FileWriter.write(pw) — instance call, single arg.
+        if (method === 'write') {
+            // Heuristic: receiver name contains "writer" / "file" / "stream".
+            const lc = (receiver ?? '').toLowerCase();
+            if (lc.includes('writer') || lc.includes('file') || lc.includes('stream')) {
+                return { credPos: 0, api: `${receiver}.write` };
+            }
+        }
+    }
+    if (language === 'go') {
+        if (receiver === 'os' || receiver.endsWith('/os')) {
+            if (method === 'WriteFile')
+                return { credPos: 1, api: 'os.WriteFile' };
+        }
+        if (receiver === 'ioutil' || receiver.endsWith('/ioutil')) {
+            if (method === 'WriteFile')
+                return { credPos: 1, api: 'ioutil.WriteFile' };
+        }
+        if (method === 'WriteString' || method === 'Write') {
+            return { credPos: 0, api: `<file>.${method}` };
+        }
+    }
+    return null;
+}
+export class PlaintextPasswordStoragePass {
+    name = 'plaintext-password-storage';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        // Group calls by in_method for cheap prior-hash lookup.
+        const callsByScope = new Map();
+        for (const call of graph.ir.calls) {
+            const scope = call.in_method ?? '<top>';
+            const arr = callsByScope.get(scope) ?? [];
+            arr.push(call);
+            callsByScope.set(scope, arr);
+        }
+        for (const call of graph.ir.calls) {
+            const spec = isWriteStorageCall(call, language);
+            if (!spec)
+                continue;
+            const credArg = call.arguments.find((a) => a.position === spec.credPos);
+            if (!credArg)
+                continue;
+            if (!argLooksLikeCredential(credArg))
+                continue;
+            // Resolve the credential identifier name.
+            const identExpr = (credArg.expression ?? '').trim();
+            const head = identExpr.split(/[.\s(]/, 1)[0] ?? '';
+            const identifier = credArg.variable ?? head;
+            if (!identifier)
+                continue;
+            // Suppress if the identifier was hashed earlier in the same scope.
+            const scope = call.in_method ?? '<top>';
+            const scopeCalls = callsByScope.get(scope) ?? [];
+            const prior = scopeCalls.filter((c) => c.location.line < call.location.line);
+            if (priorHashOf(identifier, prior))
+                continue;
+            // Suppress if the credArg expression itself contains a hash call
+            // inline: `f.write(bcrypt.hashpw(pw))`.
+            if (/\b(?:hashpw|hash|sha\d+|md5|bcrypt|argon2|pbkdf2|digest)\b/i
+                .test(credArg.expression ?? '')) {
+                continue;
+            }
+            const line = call.location.line;
+            findings.push({ line, language, api: spec.api, identifier });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-256',
+                severity: 'high',
+                level: 'warning',
+                message: `Credential \`${identifier}\` written in plaintext via \`${spec.api}\`. ` +
+                    'Passwords / secrets must be hashed (Argon2id, bcrypt) before storage.',
+                file,
+                line,
+                fix: 'Hash the credential with Argon2id / bcrypt before writing it to ' +
+                    'disk, cookie, KV store, or database.',
+                evidence: { identifier, api: spec.api, language },
+            });
+        }
+        return { findings };
+    }
+}
+//# sourceMappingURL=plaintext-password-storage-pass.js.map

package/dist/analysis/passes/plaintext-password-storage-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plaintext-password-storage-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/plaintext-password-storage-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAIH,OAAO,EACL,sBAAsB,EACtB,WAAW,GACZ,MAAM,0BAA0B,CAAC;AAkBlC,SAAS,kBAAkB,CACzB,IAAc,EACd,QAAgB;IAEhB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEzC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,qEAAqE;QACrE,sDAAsD;QACtD,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAClD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,MAAM,IAAI,SAAS,KAAK,MAAM,CAAC;YACxE,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,OAAO,CAAC,EAAE,CAAC;YAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,QAAQ,IAAI,MAAM,EAAE,EAAE,CAAC;QACtD,CAAC;QACD,IAAI,SAAS,KAAK,OAAO,IAAI,CAAC,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,MAAM,CAAC,EAAE,CAAC;YAC3F,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3D,IAAI,CAAC,SAAS,KAAK,IAAI,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YACjD,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,eAAe;gBACpD,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,gBAAgB,CAAC,EAAE,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,MAAM,EAAE,EAAE,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC,SAAS,KAAK,cAAc,IAAI,SAAS,KAAK,gBAAgB,CAAC;YAChE,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,QAAQ,UAAU,EAAE,CAAC;QACpD,CAAC;QACD,IAAI,SAAS,KAAK,OAAO,IAAI,CAAC,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,MAAM,CAAC,EAAE,CAAC;YAC3F,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,IAAI,CAAC,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,aAAa,CAAC,EAAE,CAAC;YACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;QAChD,CAAC;QACD,oDAAoD;QACpD,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,kEAAkE;YAClE,MAAM,EAAE,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1E,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,QAAQ,QAAQ,EAAE,CAAC;YAClD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,IAAI,MAAM,KAAK,WAAW;gBAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC;QACzE,CAAC;QACD,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1D,IAAI,MAAM,KAAK,WAAW;gBAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC;QAC7E,CAAC;QACD,IAAI,MAAM,KAAK,aAAa,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACnD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,UAAU,MAAM,EAAE,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,OAAO,4BAA4B;IAG9B,IAAI,GAAG,4BAA4B,CAAC;IACpC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA+C,EAAE,CAAC;QAEhE,wDAAwD;QACxD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAsB,CAAC;QACnD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;YACxC,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC1C,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACf,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC/B,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,OAAO,CAAC,CAAC;YACxE,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE/C,0CAA0C;YAC1C,MAAM,SAAS,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACpD,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;YAC5C,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,mEAAmE;YACnE,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;YACxC,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC;gBAAE,SAAS;YAE7C,iEAAiE;YACjE,wCAAwC;YACxC,IAAI,6DAA6D;iBAC1D,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;gBACtC,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;YAE7D,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,UAAU,iCAAiC,IAAI,CAAC,GAAG,MAAM;oBACzE,uEAAuE;gBACzE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EACD,kEAAkE;oBAClE,sCAAsC;gBACxC,QAAQ,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;CACF"}

package/dist/analysis/passes/weak-password-encoding-pass.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Pass: weak-password-encoding (CWE-261, category: security)
+ *
+ * Detects use of an encoding (base64 / hex) on a credential-named identifier.
+ * Encoding is NOT encryption — base64-encoding a password before storing or
+ * transmitting it provides no confidentiality. Common anti-pattern.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `base64.b64encode(password)` / `.urlsafe_b64encode(...)`
+ *     - `binascii.hexlify(password)`
+ *   JS/TS:
+ *     - `Buffer.from(password).toString('base64')` / `.toString('hex')`
+ *     - `btoa(password)`
+ *   Java:
+ *     - `Base64.getEncoder().encodeToString(passwordBytes)`
+ *     - `Base64.getUrlEncoder().encodeToString(...)`
+ *     - `Hex.encodeHexString(passwordBytes)`
+ *   Go:
+ *     - `base64.StdEncoding.EncodeToString(passwordBytes)`
+ *     - `hex.EncodeToString(...)`
+ *
+ * FP-guard: skip when the encoded value is part of an HTTP Basic auth
+ * header construction (`"Basic " + base64(...)`) — that IS the spec.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface WeakPasswordEncodingResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        api: string;
+    }>;
+}
+export declare class WeakPasswordEncodingPass implements AnalysisPass<WeakPasswordEncodingResult> {
+    readonly name = "weak-password-encoding";
+    readonly category: "security";
+    run(ctx: PassContext): WeakPasswordEncodingResult;
+    private detect;
+}
+//# sourceMappingURL=weak-password-encoding-pass.d.ts.map

package/dist/analysis/passes/weak-password-encoding-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"weak-password-encoding-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-password-encoding-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAO9E,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAcD,qBAAa,wBAAyB,YAAW,YAAY,CAAC,0BAA0B,CAAC;IACvF,QAAQ,CAAC,IAAI,4BAA4B;IACzC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,0BAA0B;IAoCjD,OAAO,CAAC,MAAM;CAsFf"}

package/dist/analysis/passes/weak-password-encoding-pass.js

@@ -0,0 +1,157 @@
+/**
+ * Pass: weak-password-encoding (CWE-261, category: security)
+ *
+ * Detects use of an encoding (base64 / hex) on a credential-named identifier.
+ * Encoding is NOT encryption — base64-encoding a password before storing or
+ * transmitting it provides no confidentiality. Common anti-pattern.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `base64.b64encode(password)` / `.urlsafe_b64encode(...)`
+ *     - `binascii.hexlify(password)`
+ *   JS/TS:
+ *     - `Buffer.from(password).toString('base64')` / `.toString('hex')`
+ *     - `btoa(password)`
+ *   Java:
+ *     - `Base64.getEncoder().encodeToString(passwordBytes)`
+ *     - `Base64.getUrlEncoder().encodeToString(...)`
+ *     - `Hex.encodeHexString(passwordBytes)`
+ *   Go:
+ *     - `base64.StdEncoding.EncodeToString(passwordBytes)`
+ *     - `hex.EncodeToString(...)`
+ *
+ * FP-guard: skip when the encoded value is part of an HTTP Basic auth
+ * header construction (`"Basic " + base64(...)`) — that IS the spec.
+ */
+import { argLooksLikeCredential, literalAt, } from './_credential-helpers.js';
+function isBasicAuthContext(call, code) {
+    // Look at the source line for "Basic " literal nearby — heuristic
+    // for HTTP Basic auth construction where base64 is part of the spec.
+    const line = call.location.line;
+    if (line < 1)
+        return false;
+    const lines = code.split('\n');
+    const start = Math.max(0, line - 2);
+    const end = Math.min(lines.length, line + 1);
+    const window = lines.slice(start, end).join('\n');
+    return /["'`]Basic\s/i.test(window);
+}
+export class WeakPasswordEncodingPass {
+    name = 'weak-password-encoding';
+    category = 'security';
+    run(ctx) {
+        const { graph, language, code } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        for (const call of graph.ir.calls) {
+            const api = this.detect(call, language);
+            if (!api)
+                continue;
+            if (isBasicAuthContext(call, code))
+                continue;
+            const line = call.location.line;
+            findings.push({ line, language, api });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-261',
+                severity: 'medium',
+                level: 'warning',
+                message: `Credential encoded via \`${api}\` — encoding is NOT encryption. ` +
+                    'Base64/hex provide no confidentiality; anyone with the encoded value can decode it.',
+                file,
+                line,
+                fix: 'For storage, use a password hash (Argon2id / bcrypt). ' +
+                    'For transport, use TLS. For symmetric secrecy, use authenticated encryption (AES-GCM).',
+                evidence: { api, language },
+            });
+        }
+        return { findings };
+    }
+    detect(call, language) {
+        const method = call.method_name ?? '';
+        const receiver = call.receiver ?? '';
+        const recvLower = receiver.toLowerCase();
+        const arg0 = call.arguments.find((a) => a.position === 0);
+        if (language === 'python') {
+            // base64.b64encode(password)
+            if (recvLower === 'base64' &&
+                (method === 'b64encode' || method === 'urlsafe_b64encode' ||
+                    method === 'standard_b64encode')) {
+                if (argLooksLikeCredential(arg0))
+                    return `base64.${method}`;
+            }
+            // binascii.hexlify(password)
+            if (recvLower === 'binascii' && method === 'hexlify') {
+                if (argLooksLikeCredential(arg0))
+                    return 'binascii.hexlify';
+            }
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            // Buffer.from(password).toString('base64')
+            if (method === 'toString') {
+                const encoding = literalAt(call, 0);
+                if (encoding === 'base64' || encoding === 'hex' || encoding === 'base64url') {
+                    // Receiver expression should look like `Buffer.from(<credential>)`.
+                    // Conservative: check if receiver text contains "Buffer.from" and a
+                    // credential keyword.
+                    const recv = (receiver ?? '').toLowerCase();
+                    if (recv.includes('buffer.from') &&
+                        /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i
+                            .test(receiver ?? '')) {
+                        return `Buffer.from().toString('${encoding}')`;
+                    }
+                }
+            }
+            // btoa(password)
+            if (method === 'btoa' && receiver === '') {
+                if (argLooksLikeCredential(arg0))
+                    return 'btoa';
+            }
+        }
+        if (language === 'java') {
+            // Base64.getEncoder().encodeToString(passwordBytes)
+            // Or Base64.getUrlEncoder().encodeToString(...).
+            if (method === 'encodeToString') {
+                const recv = (receiver ?? '').toLowerCase();
+                if (recv.includes('encoder') || recv.includes('base64')) {
+                    // arg[0] expr typically looks like `password.getBytes()`.
+                    const expr = (arg0?.expression ?? '').trim();
+                    const head = expr.split(/[.\s(]/, 1)[0] ?? '';
+                    if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+                        return 'Base64.encodeToString';
+                    }
+                }
+            }
+            // Hex.encodeHexString(passwordBytes)
+            if (method === 'encodeHexString' &&
+                (receiver === 'Hex' || receiver.endsWith('.Hex'))) {
+                const expr = (arg0?.expression ?? '').trim();
+                const head = expr.split(/[.\s(]/, 1)[0] ?? '';
+                if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+                    return 'Hex.encodeHexString';
+                }
+            }
+        }
+        if (language === 'go') {
+            // base64.StdEncoding.EncodeToString(passwordBytes)
+            if (method === 'EncodeToString') {
+                const recv = (receiver ?? '').toLowerCase();
+                if (recv.includes('base64') || recv.includes('hex') ||
+                    recv.includes('encoding')) {
+                    const expr = (arg0?.expression ?? '').trim();
+                    // Strip `[]byte(...)` wrapper.
+                    const inner = expr.replace(/^\[\]byte\s*\(\s*/, '').replace(/\s*\)\s*$/, '');
+                    const head = inner.split(/[.\s(]/, 1)[0] ?? '';
+                    if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+                        return recv.includes('hex') ? 'hex.EncodeToString' : 'base64.EncodeToString';
+                    }
+                }
+            }
+        }
+        return null;
+    }
+}
+//# sourceMappingURL=weak-password-encoding-pass.js.map

package/dist/analysis/passes/weak-password-encoding-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"weak-password-encoding-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/weak-password-encoding-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH,OAAO,EACL,sBAAsB,EACtB,SAAS,GACV,MAAM,0BAA0B,CAAC;AAUlC,SAAS,kBAAkB,CAAC,IAAc,EAAE,IAAY;IACtD,kEAAkE;IAClE,qEAAqE;IACrE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAChC,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,OAAO,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,OAAO,wBAAwB;IAC1B,IAAI,GAAG,wBAAwB,CAAC;IAChC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA2C,EAAE,CAAC;QAE5D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,IAAI,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YAE7C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;YAEvC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,4BAA4B,GAAG,mCAAmC;oBAClE,qFAAqF;gBACvF,IAAI;gBACJ,IAAI;gBACJ,GAAG,EACD,wDAAwD;oBACxD,wFAAwF;gBAC1F,QAAQ,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QAEzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;QAE1D,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,6BAA6B;YAC7B,IAAI,SAAS,KAAK,QAAQ;gBACtB,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,mBAAmB;oBACxD,MAAM,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACtC,IAAI,sBAAsB,CAAC,IAAI,CAAC;oBAAE,OAAO,UAAU,MAAM,EAAE,CAAC;YAC9D,CAAC;YACD,6BAA6B;YAC7B,IAAI,SAAS,KAAK,UAAU,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACrD,IAAI,sBAAsB,CAAC,IAAI,CAAC;oBAAE,OAAO,kBAAkB,CAAC;YAC9D,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,2CAA2C;YAC3C,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;gBAC1B,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBACpC,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;oBAC5E,oEAAoE;oBACpE,oEAAoE;oBACpE,sBAAsB;oBACtB,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;oBAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC;wBAC5B,sGAAsG;6BACnG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC5B,OAAO,2BAA2B,QAAQ,IAAI,CAAC;oBACjD,CAAC;gBACH,CAAC;YACH,CAAC;YACD,iBAAiB;YACjB,IAAI,MAAM,KAAK,MAAM,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;gBACzC,IAAI,sBAAsB,CAAC,IAAI,CAAC;oBAAE,OAAO,MAAM,CAAC;YAClD,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,oDAAoD;YACpD,iDAAiD;YACjD,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;gBAChC,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACxD,0DAA0D;oBAC1D,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC9C,IAAI,sBAAsB,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC9E,OAAO,uBAAuB,CAAC;oBACjC,CAAC;gBACH,CAAC;YACH,CAAC;YACD,qCAAqC;YACrC,IAAI,MAAM,KAAK,iBAAiB;gBAC5B,CAAC,QAAQ,KAAK,KAAK,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC9C,IAAI,sBAAsB,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;oBAC9E,OAAO,qBAAqB,CAAC;gBAC/B,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,mDAAmD;YACnD,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;gBAChC,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC/C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC9B,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7C,+BAA+B;oBAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;oBAC7E,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC/C,IAAI,sBAAsB,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC9E,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,uBAAuB,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/analysis/passes/weak-password-hash-pass.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Pass: weak-password-hash (CWE-916, category: security)
+ *
+ * Detects use of a fast / unsalted hash, or a KDF with insufficient
+ * computational cost, applied to a credential-named identifier.
+ *
+ * Distinct from `weak-hash` (CWE-328):
+ *   - `weak-hash` flags broken algorithms (MD2/MD4/MD5/SHA-1) at any call site.
+ *   - `weak-password-hash` flags algorithm/cost choices that are SAFE for
+ *     general digests but UNSAFE for password storage (e.g. plain SHA-256
+ *     of a password, bcrypt cost < 10, PBKDF2 iterations < 100k).
+ *
+ * Detection per language:
+ *   Python:
+ *     - `hashlib.sha256(password)` / `.sha512(...)` / etc. where the
+ *       argument is a credential-named identifier.
+ *     - `bcrypt.hashpw(pw, bcrypt.gensalt(rounds=N))` where N < 10.
+ *     - `PBKDF2HMAC(..., iterations=N).derive(pw)` where N < 100000.
+ *   JS/TS:
+ *     - `crypto.createHash('sha256').update(password).digest()`.
+ *     - `bcrypt.hash(pw, N)` / `bcrypt.hashSync(pw, N)` where N < 10.
+ *     - `crypto.pbkdf2Sync(pw, salt, N, ...)` where N < 100000.
+ *   Java:
+ *     - `MessageDigest.getInstance("SHA-256")` followed by `.update(pw)` —
+ *       conservative: detect `MessageDigest.getInstance` + `.update(credIdent)`
+ *       on any non-broken algorithm. (Broken algos already flagged by weak-hash.)
+ *     - `PBEKeySpec(pw, salt, N, ...)` where N < 100000.
+ *   Go:
+ *     - `sha256.Sum256([]byte(password))`, `sha512.Sum512([]byte(password))`.
+ *     - `bcrypt.GenerateFromPassword(pw, cost)` where cost < 10.
+ *
+ * Aligned with: OWASP ASVS 2.4.1, NIST SP 800-63B §5.1.1.2, gosec G401-style.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface WeakPasswordHashResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        kind: 'fast-unsalted-hash' | 'low-bcrypt-cost' | 'low-pbkdf2-iterations';
+        api: string;
+    }>;
+}
+export declare class WeakPasswordHashPass implements AnalysisPass<WeakPasswordHashResult> {
+    readonly name = "weak-password-hash";
+    readonly category: "security";
+    run(ctx: PassContext): WeakPasswordHashResult;
+    private detect;
+}
+//# sourceMappingURL=weak-password-hash-pass.d.ts.map

package/dist/analysis/passes/weak-password-hash-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"weak-password-hash-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-password-hash-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAmB9E,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,oBAAoB,GAAG,iBAAiB,GAAG,uBAAuB,CAAC;QACzE,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAsBD,qBAAa,oBAAqB,YAAW,YAAY,CAAC,sBAAsB,CAAC;IAC/E,QAAQ,CAAC,IAAI,wBAAwB;IACrC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,sBAAsB;IA0C7C,OAAO,CAAC,MAAM;CAyIf"}