cognium-dev 3.34.0 → 3.36.0

  1. package/dist/cli.js +96 -1
  2. package/package.json +2 -2
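--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -10381,6 +10381,22 @@ var DEFAULT_SINKS = [
  { method: "parse", class: "GroovyShell", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
  { method: "parseClass", class: "GroovyClassLoader", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
  { method: "run", class: "GroovyScriptEngine", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
+ { method: "onMethodCall", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onStaticCall", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onGetProperty", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onSetProperty", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onGetAttribute", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onSetAttribute", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onMethodPointer", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onSuperCall", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onSuperConstructor", class: "SandboxInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onMethodCall", class: "GroovyInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onNewInstance", class: "GroovyInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onStaticCall", class: "GroovyInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onGetProperty", class: "GroovyInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "onSetProperty", class: "GroovyInterceptor", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "call", class: "SandboxTransformer", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
+ { method: "runInSandbox", class: "GroovySandbox", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [] },
  { method: "eval", class: "Bindings", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
  { method: "eval", class: "ScriptContext", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0] },
  { method: "forName", class: "Class", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0] },
@@ -20497,6 +20513,28 @@ class TaintPropagationPass {
  flows.push(f);
  }
  }
+ const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, constProp.unreachableLines) ?? [];
+ for (const f of exprScanFlows) {
+ if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line && x.sink_type === f.sink_type))
+ continue;
+ const flowForCheck = {
+ source: { line: f.source_line },
+ sink: { line: f.sink_line },
+ path: f.path.map((p) => ({ variable: p.variable, line: p.line }))
+ };
+ if (isCorrelatedPredicateFP(constProp, flowForCheck))
+ continue;
+ let isFP = false;
+ for (const step of f.path) {
+ if (isFalsePositive(constProp, step.line, step.variable).isFalsePositive) {
+ isFP = true;
+ break;
+ }
+ }
+ if (isFP)
+ continue;
+ flows.push(f);
+ }
  return { flows };
  }
  }
@@ -20693,6 +20731,63 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
  }
  return flows;
  }
+ function detectExpressionScanFlows(calls, sources, sinks, unreachableLines) {
+ const flows = [];
+ const sourcesWithVar = sources.filter((s) => typeof s.variable === "string" && s.variable.length > 0);
+ if (sourcesWithVar.length === 0)
+ return flows;
+ const reCache = new Map;
+ for (const s of sourcesWithVar) {
+ if (reCache.has(s.variable))
+ continue;
+ const escaped = s.variable.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+ reCache.set(s.variable, new RegExp(`\\b${escaped}\\b`));
+ }
+ const callsByLine = new Map;
+ for (const call of calls) {
+ const existing = callsByLine.get(call.location.line) ?? [];
+ existing.push(call);
+ callsByLine.set(call.location.line, existing);
+ }
+ for (const sink of sinks) {
+ if (unreachableLines.has(sink.line))
+ continue;
+ const callsAtSink = callsByLine.get(sink.line) ?? [];
+ for (const call of callsAtSink) {
+ for (const arg of call.arguments) {
+ if (sink.argPositions && sink.argPositions.length > 0 && !sink.argPositions.includes(arg.position)) {
+ continue;
+ }
+ const expr = arg.expression;
+ if (!expr)
+ continue;
+ for (const source of sourcesWithVar) {
+ if (source.line >= sink.line)
+ continue;
+ const re = reCache.get(source.variable);
+ if (!re || !re.test(expr))
+ continue;
+ if (flows.some((f) => f.source_line === source.line && f.sink_line === sink.line && f.sink_type === sink.type))
+ continue;
+ flows.push({
+ source_line: source.line,
+ sink_line: sink.line,
+ source_type: source.type,
+ sink_type: sink.type,
+ path: [
+ { variable: source.variable, line: source.line, type: "source" },
+ { variable: source.variable, line: sink.line, type: "sink" }
+ ],
+ confidence: source.confidence * sink.confidence * 0.7,
+ sanitized: false
+ });
+ break;
+ }
+ }
+ }
+ }
+ return flows;
+ }
 
  // ../circle-ir/dist/analysis/interprocedural.js
  function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourcesOrSanitizers, sinksOrOptions, sanitizersArg, optionsArg = {}) {
@@ -26859,7 +26954,7 @@ var colors = {
  };
 
  // src/version.ts
- var version = "3.34.0";
+ var version = "3.36.0";
 
  // src/formatters.ts
  var SINK_SEVERITY = {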
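Review bot: In detectExpressionScanFlows (third hunk; the function lies wholly inside it) the word-boundary pattern `\b${escaped}\b` also matches a property or string literal that merely shares the source variable's name (`cfg.userInput`, `"userInput"`), so such argument expressions are reported as flows, while a variable whose stored name starts with a non-word character such as `$` (if sources carry the sigil, which is not visible here) gets no `\b` at the start of an expression and is missed. Rejecting a preceding `.` and treating `$` as an identifier character narrows the property-access case and the `$` case: `reCache.set(s.variable, new RegExp(`(?<![\\w$.])${escaped}(?![\\w$])`));`. The per-candidate `flows.some(...)` dedup in this function and in the TaintPropagationPass hunk (whose enclosing method starts outside the hunk) is quadratic in the number of flows; a Set keyed on `${source_line}:${sink_line}:${sink_type}` keeps it linear. The DEFAULT_SINKS entries in the first hunk are the only ones with `arg_positions: []`; a comment there stating what an empty list means (presumably any argument, judging by the `sink.argPositions.length > 0` check) would spare the next reader a search.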
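--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "cognium-dev",
- "version": "3.34.0",
+ "version": "3.36.0",
  "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
  "registry": "https://registry.npmjs.org/"
  },
  "dependencies": {
- "circle-ir": "^3.34.0"
+ "circle-ir": "^3.36.0"
  },
  "devDependencies": {
  "@types/node": "^25.5.0",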