cognium-dev 3.27.1 → 3.28.0

package/dist/cli.js

@@ -3261,6 +3261,7 @@ var parserInitialized = false;
 var parserInitializing = null;
 var loadedLanguages = new Map;
 var loadingLanguages = new Map;
+var cachedParsers = new Map;
 var configuredLanguagePaths = {};
 var configuredLanguageModules = {};
 async function initParser(options = {}) {
@@ -3330,9 +3331,14 @@ async function loadLanguage(language, wasmPath) {
   return loadPromise;
 }
 async function createParser(language) {
+  const cached = cachedParsers.get(language);
+  if (cached) {
+    return cached;
+  }
   const lang = await loadLanguage(language);
   const parser = new Parser;
   parser.setLanguage(lang);
+  cachedParsers.set(language, parser);
   return parser;
 }
 async function parse(code, language) {
@@ -3343,6 +3349,13 @@ async function parse(code, language) {
   }
   return tree;
 }
+function disposeTree(tree) {
+  if (!tree)
+    return;
+  try {
+    tree.delete();
+  } catch {}
+}
 function walkTree(node, visitor) {
   visitor(node);
   for (let i2 = 0;i2 < node.childCount; i2++) {
@@ -25761,194 +25774,202 @@ async function analyze(code, filePath, language, options = {}) {
   }
   logger.debug("Analyzing file", { filePath, language, codeLength: code.length });
   const tree = await parse(code, language);
-  logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
-  const nodeCache = collectAllNodes(tree.rootNode, getNodeTypesForLanguage(language));
-  const meta = extractMeta(code, tree, filePath, language);
-  const types = extractTypes(tree, nodeCache, language);
-  const calls = extractCalls(tree, nodeCache, language);
-  const imports = extractImports(tree, language);
-  const exports = extractExports(types);
-  const cfg = buildCFG(tree, language);
-  const dfg = buildDFG(tree, nodeCache, language);
-  const graph = new CodeGraph({
-    meta,
-    types,
-    calls,
-    cfg,
-    dfg,
-    taint: { sources: [], sinks: [], sanitizers: [] },
-    imports,
-    exports,
-    unresolved: [],
-    enriched: {}
-  });
-  const config = options.taintConfig ?? getDefaultConfig();
-  const disabledPasses = new Set(options.disabledPasses ?? []);
-  const passOpts = options.passOptions ?? {};
-  const pipeline = new AnalysisPipeline;
-  pipeline.add(new TaintMatcherPass);
-  pipeline.add(new ConstantPropagationPass(tree));
-  pipeline.add(new LanguageSourcesPass);
-  pipeline.add(new SinkFilterPass);
-  pipeline.add(new TaintPropagationPass);
-  pipeline.add(new InterproceduralPass);
-  if (!disabledPasses.has("scan-secrets"))
-    pipeline.add(new ScanSecretsPass);
-  if (!disabledPasses.has("dead-code"))
-    pipeline.add(new DeadCodePass);
-  if (!disabledPasses.has("missing-await"))
-    pipeline.add(new MissingAwaitPass);
-  if (!disabledPasses.has("n-plus-one"))
-    pipeline.add(new NPlusOnePass);
-  if (!disabledPasses.has("missing-public-doc"))
-    pipeline.add(new MissingPublicDocPass);
-  if (!disabledPasses.has("todo-in-prod"))
-    pipeline.add(new TodoInProdPass);
-  if (!disabledPasses.has("string-concat-loop"))
-    pipeline.add(new StringConcatLoopPass);
-  if (!disabledPasses.has("sync-io-async"))
-    pipeline.add(new SyncIoAsyncPass);
-  if (!disabledPasses.has("unchecked-return"))
-    pipeline.add(new UncheckedReturnPass);
-  if (!disabledPasses.has("null-deref"))
-    pipeline.add(new NullDerefPass);
-  if (!disabledPasses.has("resource-leak"))
-    pipeline.add(new ResourceLeakPass);
-  if (!disabledPasses.has("variable-shadowing"))
-    pipeline.add(new VariableShadowingPass);
-  if (!disabledPasses.has("leaked-global"))
-    pipeline.add(new LeakedGlobalPass);
-  if (!disabledPasses.has("unused-variable"))
-    pipeline.add(new UnusedVariablePass);
-  if (!disabledPasses.has("dependency-fan-out"))
-    pipeline.add(new DependencyFanOutPass(passOpts.dependencyFanOut));
-  if (!disabledPasses.has("stale-doc-ref"))
-    pipeline.add(new StaleDocRefPass);
-  if (!disabledPasses.has("infinite-loop"))
-    pipeline.add(new InfiniteLoopPass);
-  if (!disabledPasses.has("deep-inheritance"))
-    pipeline.add(new DeepInheritancePass);
-  if (!disabledPasses.has("redundant-loop-computation"))
-    pipeline.add(new RedundantLoopPass);
-  if (!disabledPasses.has("unbounded-collection"))
-    pipeline.add(new UnboundedCollectionPass(passOpts.unboundedCollection));
-  if (!disabledPasses.has("serial-await"))
-    pipeline.add(new SerialAwaitPass);
-  if (!disabledPasses.has("react-inline-jsx"))
-    pipeline.add(new ReactInlineJsxPass);
-  if (!disabledPasses.has("swallowed-exception"))
-    pipeline.add(new SwallowedExceptionPass);
-  if (!disabledPasses.has("broad-catch"))
-    pipeline.add(new BroadCatchPass);
-  if (!disabledPasses.has("unhandled-exception"))
-    pipeline.add(new UnhandledExceptionPass);
-  if (!disabledPasses.has("double-close"))
-    pipeline.add(new DoubleClosePass);
-  if (!disabledPasses.has("use-after-close"))
-    pipeline.add(new UseAfterClosePass);
-  if (!disabledPasses.has("cleanup-verify"))
-    pipeline.add(new CleanupVerifyPass);
-  if (!disabledPasses.has("missing-override"))
-    pipeline.add(new MissingOverridePass);
-  if (!disabledPasses.has("unused-interface-method"))
-    pipeline.add(new UnusedInterfaceMethodPass);
-  if (!disabledPasses.has("blocking-main-thread"))
-    pipeline.add(new BlockingMainThreadPass);
-  if (!disabledPasses.has("excessive-allocation"))
-    pipeline.add(new ExcessiveAllocationPass);
-  if (!disabledPasses.has("missing-stream"))
-    pipeline.add(new MissingStreamPass);
-  if (!disabledPasses.has("god-class"))
-    pipeline.add(new GodClassPass);
-  if (!disabledPasses.has("naming-convention"))
-    pipeline.add(new NamingConventionPass(passOpts.namingConvention));
-  if (!disabledPasses.has("security-headers"))
-    pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
-  const { results, findings } = pipeline.run(graph, code, language, config);
-  const sinkFilter = results.get("sink-filter");
-  const interProc = results.get("interprocedural");
-  const taint = {
-    sources: sinkFilter.sources,
-    sinks: [...sinkFilter.sinks, ...interProc.additionalSinks],
-    sanitizers: sinkFilter.sanitizers,
-    flows: interProc.additionalFlows,
-    interprocedural: interProc.interprocedural
-  };
-  const unresolved = detectUnresolved(calls, types, dfg);
-  const enriched = buildEnriched(types, calls, taint.sources, taint.sinks);
-  const metricValues = new MetricRunner().run({ meta, types, calls, cfg, dfg, taint, imports, exports, unresolved, enriched }, code, language);
-  logger.debug("Analysis complete", {
-    filePath,
-    finalSources: taint.sources.length,
-    finalSinks: taint.sinks.length,
-    flows: taint.flows?.length ?? 0,
-    unresolvedItems: unresolved.length
-  });
-  return {
-    meta,
-    types,
-    calls,
-    cfg,
-    dfg,
-    taint,
-    imports,
-    exports,
-    unresolved,
-    enriched,
-    findings: findings.length > 0 ? findings : undefined,
-    metrics: { file: filePath, metrics: metricValues }
-  };
+  try {
+    logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
+    const nodeCache = collectAllNodes(tree.rootNode, getNodeTypesForLanguage(language));
+    const meta = extractMeta(code, tree, filePath, language);
+    const types = extractTypes(tree, nodeCache, language);
+    const calls = extractCalls(tree, nodeCache, language);
+    const imports = extractImports(tree, language);
+    const exports = extractExports(types);
+    const cfg = buildCFG(tree, language);
+    const dfg = buildDFG(tree, nodeCache, language);
+    const graph = new CodeGraph({
+      meta,
+      types,
+      calls,
+      cfg,
+      dfg,
+      taint: { sources: [], sinks: [], sanitizers: [] },
+      imports,
+      exports,
+      unresolved: [],
+      enriched: {}
+    });
+    const config = options.taintConfig ?? getDefaultConfig();
+    const disabledPasses = new Set(options.disabledPasses ?? []);
+    const passOpts = options.passOptions ?? {};
+    const pipeline = new AnalysisPipeline;
+    pipeline.add(new TaintMatcherPass);
+    pipeline.add(new ConstantPropagationPass(tree));
+    pipeline.add(new LanguageSourcesPass);
+    pipeline.add(new SinkFilterPass);
+    pipeline.add(new TaintPropagationPass);
+    pipeline.add(new InterproceduralPass);
+    if (!disabledPasses.has("scan-secrets"))
+      pipeline.add(new ScanSecretsPass);
+    if (!disabledPasses.has("dead-code"))
+      pipeline.add(new DeadCodePass);
+    if (!disabledPasses.has("missing-await"))
+      pipeline.add(new MissingAwaitPass);
+    if (!disabledPasses.has("n-plus-one"))
+      pipeline.add(new NPlusOnePass);
+    if (!disabledPasses.has("missing-public-doc"))
+      pipeline.add(new MissingPublicDocPass);
+    if (!disabledPasses.has("todo-in-prod"))
+      pipeline.add(new TodoInProdPass);
+    if (!disabledPasses.has("string-concat-loop"))
+      pipeline.add(new StringConcatLoopPass);
+    if (!disabledPasses.has("sync-io-async"))
+      pipeline.add(new SyncIoAsyncPass);
+    if (!disabledPasses.has("unchecked-return"))
+      pipeline.add(new UncheckedReturnPass);
+    if (!disabledPasses.has("null-deref"))
+      pipeline.add(new NullDerefPass);
+    if (!disabledPasses.has("resource-leak"))
+      pipeline.add(new ResourceLeakPass);
+    if (!disabledPasses.has("variable-shadowing"))
+      pipeline.add(new VariableShadowingPass);
+    if (!disabledPasses.has("leaked-global"))
+      pipeline.add(new LeakedGlobalPass);
+    if (!disabledPasses.has("unused-variable"))
+      pipeline.add(new UnusedVariablePass);
+    if (!disabledPasses.has("dependency-fan-out"))
+      pipeline.add(new DependencyFanOutPass(passOpts.dependencyFanOut));
+    if (!disabledPasses.has("stale-doc-ref"))
+      pipeline.add(new StaleDocRefPass);
+    if (!disabledPasses.has("infinite-loop"))
+      pipeline.add(new InfiniteLoopPass);
+    if (!disabledPasses.has("deep-inheritance"))
+      pipeline.add(new DeepInheritancePass);
+    if (!disabledPasses.has("redundant-loop-computation"))
+      pipeline.add(new RedundantLoopPass);
+    if (!disabledPasses.has("unbounded-collection"))
+      pipeline.add(new UnboundedCollectionPass(passOpts.unboundedCollection));
+    if (!disabledPasses.has("serial-await"))
+      pipeline.add(new SerialAwaitPass);
+    if (!disabledPasses.has("react-inline-jsx"))
+      pipeline.add(new ReactInlineJsxPass);
+    if (!disabledPasses.has("swallowed-exception"))
+      pipeline.add(new SwallowedExceptionPass);
+    if (!disabledPasses.has("broad-catch"))
+      pipeline.add(new BroadCatchPass);
+    if (!disabledPasses.has("unhandled-exception"))
+      pipeline.add(new UnhandledExceptionPass);
+    if (!disabledPasses.has("double-close"))
+      pipeline.add(new DoubleClosePass);
+    if (!disabledPasses.has("use-after-close"))
+      pipeline.add(new UseAfterClosePass);
+    if (!disabledPasses.has("cleanup-verify"))
+      pipeline.add(new CleanupVerifyPass);
+    if (!disabledPasses.has("missing-override"))
+      pipeline.add(new MissingOverridePass);
+    if (!disabledPasses.has("unused-interface-method"))
+      pipeline.add(new UnusedInterfaceMethodPass);
+    if (!disabledPasses.has("blocking-main-thread"))
+      pipeline.add(new BlockingMainThreadPass);
+    if (!disabledPasses.has("excessive-allocation"))
+      pipeline.add(new ExcessiveAllocationPass);
+    if (!disabledPasses.has("missing-stream"))
+      pipeline.add(new MissingStreamPass);
+    if (!disabledPasses.has("god-class"))
+      pipeline.add(new GodClassPass);
+    if (!disabledPasses.has("naming-convention"))
+      pipeline.add(new NamingConventionPass(passOpts.namingConvention));
+    if (!disabledPasses.has("security-headers"))
+      pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
+    const { results, findings } = pipeline.run(graph, code, language, config);
+    const sinkFilter = results.get("sink-filter");
+    const interProc = results.get("interprocedural");
+    const taint = {
+      sources: sinkFilter.sources,
+      sinks: [...sinkFilter.sinks, ...interProc.additionalSinks],
+      sanitizers: sinkFilter.sanitizers,
+      flows: interProc.additionalFlows,
+      interprocedural: interProc.interprocedural
+    };
+    const unresolved = detectUnresolved(calls, types, dfg);
+    const enriched = buildEnriched(types, calls, taint.sources, taint.sinks);
+    const metricValues = new MetricRunner().run({ meta, types, calls, cfg, dfg, taint, imports, exports, unresolved, enriched }, code, language);
+    logger.debug("Analysis complete", {
+      filePath,
+      finalSources: taint.sources.length,
+      finalSinks: taint.sinks.length,
+      flows: taint.flows?.length ?? 0,
+      unresolvedItems: unresolved.length
+    });
+    return {
+      meta,
+      types,
+      calls,
+      cfg,
+      dfg,
+      taint,
+      imports,
+      exports,
+      unresolved,
+      enriched,
+      findings: findings.length > 0 ? findings : undefined,
+      metrics: { file: filePath, metrics: metricValues }
+    };
+  } finally {
+    disposeTree(tree);
+  }
 }
 async function analyzeHtmlFile(code, filePath, options) {
   logger.debug("Analyzing HTML file", { filePath, codeLength: code.length });
   const tree = await parse(code, "html");
-  const meta = extractMeta(code, tree, filePath, "html");
-  const { scriptBlocks, eventHandlers } = extractHtmlContent(tree.rootNode);
-  logger.debug("HTML extraction", {
-    filePath,
-    inlineScripts: scriptBlocks.filter((b) => b.kind === "inline").length,
-    externalScripts: scriptBlocks.filter((b) => b.kind === "external-src").length,
-    eventHandlers: eventHandlers.length
-  });
-  const scriptResults = [];
-  for (const block of scriptBlocks) {
-    if (block.kind !== "inline" || !block.code.trim())
-      continue;
-    const scriptLang = block.scriptType === "ts" || block.scriptType === "typescript" || block.scriptType === "text/typescript" ? "typescript" : "javascript";
-    try {
-      const ir = await analyze(block.code, filePath, scriptLang, options);
-      scriptResults.push({ ir, lineOffset: block.lineOffset });
-    } catch (e) {
-      logger.warn("Failed to analyze script block", {
-        filePath,
-        lineOffset: block.lineOffset,
-        error: e instanceof Error ? e.message : String(e)
-      });
+  try {
+    const meta = extractMeta(code, tree, filePath, "html");
+    const { scriptBlocks, eventHandlers } = extractHtmlContent(tree.rootNode);
+    logger.debug("HTML extraction", {
+      filePath,
+      inlineScripts: scriptBlocks.filter((b) => b.kind === "inline").length,
+      externalScripts: scriptBlocks.filter((b) => b.kind === "external-src").length,
+      eventHandlers: eventHandlers.length
+    });
+    const scriptResults = [];
+    for (const block of scriptBlocks) {
+      if (block.kind !== "inline" || !block.code.trim())
+        continue;
+      const scriptLang = block.scriptType === "ts" || block.scriptType === "typescript" || block.scriptType === "text/typescript" ? "typescript" : "javascript";
+      try {
+        const ir = await analyze(block.code, filePath, scriptLang, options);
+        scriptResults.push({ ir, lineOffset: block.lineOffset });
+      } catch (e) {
+        logger.warn("Failed to analyze script block", {
+          filePath,
+          lineOffset: block.lineOffset,
+          error: e instanceof Error ? e.message : String(e)
+        });
+      }
     }
-  }
-  for (const handler of eventHandlers) {
-    const wrappedCode = `function __${handler.eventName}_handler() { ${handler.code} }`;
-    try {
-      const ir = await analyze(wrappedCode, filePath, "javascript", options);
-      scriptResults.push({ ir, lineOffset: handler.line });
-    } catch (e) {
-      logger.warn("Failed to analyze event handler", {
-        filePath,
-        eventName: handler.eventName,
-        line: handler.line,
-        error: e instanceof Error ? e.message : String(e)
-      });
+    for (const handler of eventHandlers) {
+      const wrappedCode = `function __${handler.eventName}_handler() { ${handler.code} }`;
+      try {
+        const ir = await analyze(wrappedCode, filePath, "javascript", options);
+        scriptResults.push({ ir, lineOffset: handler.line });
+      } catch (e) {
+        logger.warn("Failed to analyze event handler", {
+          filePath,
+          eventName: handler.eventName,
+          line: handler.line,
+          error: e instanceof Error ? e.message : String(e)
+        });
+      }
     }
+    const attributeFindings = runHtmlAttributeSecurityChecks(tree.rootNode, filePath);
+    const result = mergeHtmlResults(meta, scriptResults, attributeFindings);
+    logger.debug("HTML analysis complete", {
+      filePath,
+      scriptBlocks: scriptResults.length,
+      attributeFindings: attributeFindings.length,
+      totalFindings: result.findings?.length ?? 0
+    });
+    return result;
+  } finally {
+    disposeTree(tree);
   }
-  const attributeFindings = runHtmlAttributeSecurityChecks(tree.rootNode, filePath);
-  const result = mergeHtmlResults(meta, scriptResults, attributeFindings);
-  logger.debug("HTML analysis complete", {
-    filePath,
-    scriptBlocks: scriptResults.length,
-    attributeFindings: attributeFindings.length,
-    totalFindings: result.findings?.length ?? 0
-  });
-  return result;
 }
 async function analyzeProject(files, options = {}) {
   const fileAnalyses = [];
@@ -26038,7 +26059,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.27.1";
+var version = "3.28.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.27.1",
+  "version": "3.28.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.27.1"
+    "circle-ir": "^3.28.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",