cognium-dev 3.23.2 → 3.23.4
- package/dist/cli.js +22 -1
- package/package.json +2 -2
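--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -9017,6 +9017,7 @@ var DEFAULT_SOURCES = [
 { annotation: "FormParam", type: "http_param", severity: "high", param_tainted: true },
 { annotation: "PathParam", type: "http_path", severity: "medium", param_tainted: true },
 { annotation: "HeaderParam", type: "http_header", severity: "high", param_tainted: true },
+{ method_annotation: "DataBoundConstructor", type: "http_param", severity: "high" },
 { method: "getenv", class: "System", type: "env_input", severity: "medium", return_tainted: true },
 { method: "getProperty", class: "System", type: "env_input", severity: "medium", return_tainted: true },
 { method: "getInitParameter", class: "ServletConfig", type: "http_param", severity: "medium", return_tainted: true },
@@ -10324,6 +10325,26 @@ function findSources(calls, types, patterns) {
 }
 }
 }
+for (const type of types) {
+for (const method of type.methods) {
+for (const pattern of patterns) {
+if (!pattern.method_annotation)
+continue;
+if (!matchesAnnotation(method.annotations, pattern.method_annotation))
+continue;
+for (const param of method.parameters) {
+const paramLine = param.line ?? method.start_line;
+sources.push({
+type: pattern.type,
+location: `@${pattern.method_annotation} ${param.name} in ${method.name}`,
+severity: pattern.severity,
+line: paramLine,
+confidence: 1
+});
+}
+}
+}
+}
 const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
 for (const type of types) {
 for (const method of type.methods) {
@@ -25714,7 +25735,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.23.
+var version = "3.23.4";
 
 // src/formatters.ts
 var SINK_SEVERITY = {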
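Review bot: The `if (!pattern.method_annotation) continue;` test in the `@@ -10324` hunk is re-evaluated for every method on every type, and the `matchesAnnotation` call below it likewise runs against patterns that can never match; filtering once before the loops is both clearer and cheaper, e.g. `const annotationPatterns = patterns.filter((p) => p.method_annotation);` followed by `for (const pattern of annotationPatterns) {`. Separately, the new `DataBoundConstructor` entry in the `@@ -9017` hunk omits the `param_tainted: true` flag its sibling annotation entries carry; if the taint engine seeds parameter taint from that flag rather than from the `sources` list, constructor parameters would be reported as sources without their flows to sinks being tracked, so this is worth confirming against whatever consumes `param_tainted`. The `confidence: 1` literal is a new hard-coded value with no explanation; a comment such as `// annotation match is unambiguous, so full confidence` would tell a reader why it is not derived like the other sources. `findSources` begins before the hunk and its body continues past the `RUST_EXTRACTOR_TYPES` context line, so the loop over `method.parameters` relies on that field always being an array, which is not visible here.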
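--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cognium-dev",
-"version": "3.23.
+"version": "3.23.4",
 "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
 "registry": "https://registry.npmjs.org/"
 },
 "dependencies": {
-"circle-ir": "^3.23.
+"circle-ir": "^3.23.4"
 },
 "devDependencies": {
 "@types/node": "^25.5.0",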