cognium-dev 3.33.0 → 3.34.0

Files changed (2)
  1. package/dist/cli.js +274 -2
  2. package/package.json +2 -2
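--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -9028,6 +9028,9 @@ function extractRuntimeRegistrations(tree, cache, language, imports) {
  if (language === "python") {
  return extractPythonRuntimeRegistrations(tree, cache, imports);
  }
+ if (language === "rust") {
+ return extractRustRuntimeRegistrations(tree, cache);
+ }
  return [];
  }
  function buildHandlerIndex(tree, cache, imports) {
@@ -9468,6 +9471,273 @@ function isPyRouterReceiver(receiver) {
  return true;
  return false;
  }
+ var RUST_STDLIB_TRAITS = new Set([
+ "Display",
+ "Debug",
+ "Write",
+ "From",
+ "Into",
+ "TryFrom",
+ "TryInto",
+ "AsRef",
+ "AsMut",
+ "ToString",
+ "FromStr",
+ "Iterator",
+ "IntoIterator",
+ "FromIterator",
+ "DoubleEndedIterator",
+ "ExactSizeIterator",
+ "FusedIterator",
+ "PartialEq",
+ "Eq",
+ "PartialOrd",
+ "Ord",
+ "Hash",
+ "Default",
+ "Copy",
+ "Clone",
+ "Send",
+ "Sync",
+ "Unpin",
+ "Sized",
+ "Any",
+ "Drop",
+ "Future",
+ "IntoFuture",
+ "Add",
+ "Sub",
+ "Mul",
+ "Div",
+ "Rem",
+ "Neg",
+ "Not",
+ "AddAssign",
+ "SubAssign",
+ "MulAssign",
+ "DivAssign",
+ "RemAssign",
+ "BitAnd",
+ "BitOr",
+ "BitXor",
+ "Shl",
+ "Shr",
+ "Deref",
+ "DerefMut",
+ "Index",
+ "IndexMut",
+ "Fn",
+ "FnMut",
+ "FnOnce",
+ "Error",
+ "Read",
+ "Write",
+ "Seek",
+ "BufRead",
+ "Borrow",
+ "BorrowMut",
+ "ToOwned"
+ ]);
+ var RUST_TRAIT_FRAMEWORK_PREFIXES = [
+ { prefix: /^actix(_web)?(::|$)/, framework: "actix" },
+ { prefix: /^axum(::|$)/, framework: "axum" },
+ { prefix: /^rocket(::|$)/, framework: "rocket" },
+ { prefix: /^tokio(::|$)/, framework: "tokio" },
+ { prefix: /^serde(_\w+)?(::|$)/, framework: "serde" },
+ { prefix: /^std(::|$)/, framework: "stdlib" },
+ { prefix: /^core(::|$)/, framework: "stdlib" },
+ { prefix: /^alloc(::|$)/, framework: "stdlib" }
+ ];
+ function extractRustRuntimeRegistrations(tree, cache) {
+ const regs = [];
+ const implNodes = getNodesFromCache(tree.rootNode, "impl_item", cache);
+ for (const impl of implNodes) {
+ collectRustImplRegistrations(impl, regs);
+ }
+ const macroNodes = getNodesFromCache(tree.rootNode, "macro_invocation", cache);
+ for (const macro of macroNodes) {
+ const rec = parseInventorySubmit(macro);
+ if (rec)
+ regs.push(rec);
+ }
+ const attrNodes = getNodesFromCache(tree.rootNode, "attribute_item", cache);
+ for (const attr of attrNodes) {
+ const rec = parseDistributedSliceAttribute(attr);
+ if (rec)
+ regs.push(rec);
+ }
+ return regs;
+ }
+ function collectRustImplRegistrations(impl, regs) {
+ const traitNode = impl.childForFieldName("trait");
+ if (!traitNode)
+ return;
+ const typeNode = impl.childForFieldName("type");
+ if (!typeNode)
+ return;
+ const traitText = getNodeText(traitNode).trim();
+ const traitLastSegment = lastRustPathSegment(stripRustGenerics(traitText));
+ const selfType = getNodeText(typeNode).trim();
+ const framework = classifyRustTrait(traitText);
+ const body2 = impl.childForFieldName("body");
+ if (!body2)
+ return;
+ for (let i2 = 0;i2 < body2.childCount; i2++) {
+ const child = body2.child(i2);
+ if (!child || child.type !== "function_item")
+ continue;
+ const nameNode = child.childForFieldName("name");
+ if (!nameNode)
+ continue;
+ const methodName = getNodeText(nameNode);
+ regs.push({
+ kind: "trait_impl",
+ framework,
+ registrar: {
+ method: methodName,
+ receiver: selfType,
+ line: impl.startPosition.row + 1,
+ column: impl.startPosition.column
+ },
+ path: traitLastSegment || traitText,
+ handler: {
+ name: methodName,
+ line: child.startPosition.row + 1,
+ column: child.startPosition.column
+ }
+ });
+ }
+ }
+ function stripRustGenerics(text) {
+ const idx = text.indexOf("<");
+ return idx >= 0 ? text.slice(0, idx) : text;
+ }
+ function lastRustPathSegment(path) {
+ const parts2 = path.split("::");
+ return parts2[parts2.length - 1] || path;
+ }
+ function classifyRustTrait(traitText) {
+ const stripped = stripRustGenerics(traitText).trim();
+ const last = lastRustPathSegment(stripped);
+ if (RUST_STDLIB_TRAITS.has(last))
+ return "stdlib";
+ for (const { prefix, framework } of RUST_TRAIT_FRAMEWORK_PREFIXES) {
+ if (prefix.test(stripped))
+ return framework;
+ }
+ return "unknown";
+ }
+ function parseInventorySubmit(macro) {
+ const macroName = macro.childForFieldName("macro");
+ if (!macroName)
+ return null;
+ const name2 = getNodeText(macroName).trim();
+ if (name2 !== "inventory::submit" && name2 !== "submit")
+ return null;
+ if (name2 === "submit")
+ return null;
+ let tokenTree = null;
+ for (let i2 = 0;i2 < macro.childCount; i2++) {
+ const c = macro.child(i2);
+ if (c && c.type === "token_tree") {
+ tokenTree = c;
+ break;
+ }
+ }
+ if (!tokenTree)
+ return null;
+ const handlerName = firstIdentifierInTokenTree(tokenTree);
+ return {
+ kind: "trait_impl",
+ framework: "inventory",
+ registrar: {
+ method: "submit",
+ receiver: "inventory",
+ line: macro.startPosition.row + 1,
+ column: macro.startPosition.column
+ },
+ path: "inventory::submit",
+ handler: {
+ name: handlerName,
+ line: tokenTree.startPosition.row + 1,
+ column: tokenTree.startPosition.column
+ }
+ };
+ }
+ function firstIdentifierInTokenTree(tokenTree) {
+ for (let i2 = 0;i2 < tokenTree.childCount; i2++) {
+ const c = tokenTree.child(i2);
+ if (!c)
+ continue;
+ if (c.type === "identifier" || c.type === "scoped_identifier" || c.type === "type_identifier") {
+ return getNodeText(c).trim();
+ }
+ }
+ return null;
+ }
+ function parseDistributedSliceAttribute(attrItem) {
+ let attr = null;
+ for (let i2 = 0;i2 < attrItem.childCount; i2++) {
+ const c = attrItem.child(i2);
+ if (c && c.type === "attribute") {
+ attr = c;
+ break;
+ }
+ }
+ if (!attr)
+ return null;
+ const pathNode = attr.child(0);
+ if (!pathNode)
+ return null;
+ const pathText = getNodeText(pathNode).trim();
+ if (pathText !== "linkme::distributed_slice" && pathText !== "distributed_slice")
+ return null;
+ const parent = attrItem.parent;
+ if (!parent)
+ return null;
+ let attrIndex = -1;
+ for (let i2 = 0;i2 < parent.childCount; i2++) {
+ const c = parent.child(i2);
+ if (c && c.id === attrItem.id) {
+ attrIndex = i2;
+ break;
+ }
+ }
+ if (attrIndex < 0)
+ return null;
+ let handlerNode = null;
+ for (let j = attrIndex + 1;j < parent.childCount; j++) {
+ const sib = parent.child(j);
+ if (!sib)
+ continue;
+ if (sib.type === "attribute_item")
+ continue;
+ if (sib.type === "static_item" || sib.type === "function_item") {
+ handlerNode = sib;
+ }
+ break;
+ }
+ if (!handlerNode)
+ return null;
+ const nameNode = handlerNode.childForFieldName("name");
+ const handlerName = nameNode ? getNodeText(nameNode).trim() : null;
+ return {
+ kind: "trait_impl",
+ framework: "linkme",
+ registrar: {
+ method: "distributed_slice",
+ receiver: "linkme",
+ line: attrItem.startPosition.row + 1,
+ column: attrItem.startPosition.column
+ },
+ path: "linkme::distributed_slice",
+ handler: {
+ name: handlerName,
+ line: handlerNode.startPosition.row + 1,
+ column: handlerNode.startPosition.column
+ }
+ };
+ }
  // ../circle-ir/dist/analysis/config-loader.js
  var DEFAULT_SOURCES = [
  { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
@@ -26205,7 +26475,9 @@ function getNodeTypesForLanguage(language) {
  "use_declaration",
  "let_declaration",
  "field_expression",
- "scoped_identifier"
+ "scoped_identifier",
+ "attribute_item",
+ "static_item"
  ]);
  case "python":
  return new Set([
@@ -26587,7 +26859,7 @@ var colors = {
  };
 
  // src/version.ts
- var version = "3.33.0";
+ var version = "3.34.0";
 
  // src/formatters.ts
  var SINK_SEVERITY = {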
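Review bot: In `parseInventorySubmit` (new lines 9635–9638) the bare name `submit` is let through by the first guard and then unconditionally rejected by the second, so a file that writes `use inventory::submit;` followed by `submit! { … }` never produces a registration, while `parseDistributedSliceAttribute` accepts a bare `distributed_slice` with no import check at all. For a taint-tracking scanner a skipped registration presumably means a handler that is never treated as reachable, which would show up as a silent false negative rather than an error. Either collapse the two guards into `if (name2 !== "inventory::submit") return null;` with a comment stating that the imported short form is deliberately unsupported, or pass `imports` into `extractRustRuntimeRegistrations` (the Python branch already receives it) and accept `submit` only when it resolves to the `inventory` crate. The same import check would stop an unrelated attribute that happens to be named `distributed_slice` from being reported as a linkme registration.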
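--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "cognium-dev",
- "version": "3.33.0",
+ "version": "3.34.0",
  "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
  "registry": "https://registry.npmjs.org/"
  },
  "dependencies": {
- "circle-ir": "^3.33.0"
+ "circle-ir": "^3.34.0"
  },
  "devDependencies": {
  "@types/node": "^25.5.0",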