cognium-dev 3.35.0 → 3.37.0

package/dist/cli.js

@@ -19451,6 +19451,15 @@ function buildPythonTaintedVars(sourceCode) {
         containerTainted.set(`${obj}['${section}']['${key}']`, i2 + 1);
       continue;
     }
+    const containerAppendMatch = line.match(/^\s*(\w+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/);
+    if (containerAppendMatch) {
+      const [, receiver, , argExpr] = containerAppendMatch;
+      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(argExpr));
+      const argIsDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(argExpr));
+      if (argIsTainted || argIsDirectSource)
+        tainted.set(receiver, tainted.get(receiver) ?? i2 + 1);
+      continue;
+    }
     const augAssign = line.match(/^\s*(\w+)\s*\+=\s*(.+)$/);
     if (augAssign) {
       const [, augLhs, augRhs] = augAssign;
@@ -20513,6 +20522,28 @@ class TaintPropagationPass {
         flows.push(f);
       }
     }
+    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
+    for (const f of exprScanFlows) {
+      if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line && x.sink_type === f.sink_type))
+        continue;
+      const flowForCheck = {
+        source: { line: f.source_line },
+        sink: { line: f.sink_line },
+        path: f.path.map((p) => ({ variable: p.variable, line: p.line }))
+      };
+      if (isCorrelatedPredicateFP(constProp, flowForCheck))
+        continue;
+      let isFP = false;
+      for (const step of f.path) {
+        if (isFalsePositive(constProp, step.line, step.variable).isFalsePositive) {
+          isFP = true;
+          break;
+        }
+      }
+      if (isFP)
+        continue;
+      flows.push(f);
+    }
     return { flows };
   }
 }
@@ -20709,6 +20740,83 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
   }
   return flows;
 }
+function detectExpressionScanFlows(calls, sources, sinks, unreachableLines, code, language) {
+  const flows = [];
+  const sourcesWithVar = sources.filter((s) => typeof s.variable === "string" && s.variable.length > 0);
+  if (sourcesWithVar.length === 0)
+    return flows;
+  if (language === "python" && typeof code === "string") {
+    const derived = buildPythonTaintedVars(code);
+    if (derived.size > 0) {
+      let anchor = sourcesWithVar[0];
+      for (const s of sourcesWithVar) {
+        if (s.line < anchor.line)
+          anchor = s;
+      }
+      const existingVars = new Set(sourcesWithVar.map((s) => s.variable));
+      for (const [varName] of derived) {
+        if (!varName || existingVars.has(varName))
+          continue;
+        sourcesWithVar.push({
+          ...anchor,
+          variable: varName
+        });
+        existingVars.add(varName);
+      }
+    }
+  }
+  const reCache = new Map;
+  for (const s of sourcesWithVar) {
+    if (reCache.has(s.variable))
+      continue;
+    const escaped = s.variable.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    reCache.set(s.variable, new RegExp(`\\b${escaped}\\b`));
+  }
+  const callsByLine = new Map;
+  for (const call of calls) {
+    const existing = callsByLine.get(call.location.line) ?? [];
+    existing.push(call);
+    callsByLine.set(call.location.line, existing);
+  }
+  for (const sink of sinks) {
+    if (unreachableLines.has(sink.line))
+      continue;
+    const callsAtSink = callsByLine.get(sink.line) ?? [];
+    for (const call of callsAtSink) {
+      for (const arg of call.arguments) {
+        if (sink.argPositions && sink.argPositions.length > 0 && !sink.argPositions.includes(arg.position)) {
+          continue;
+        }
+        const expr = arg.expression;
+        if (!expr)
+          continue;
+        for (const source of sourcesWithVar) {
+          if (source.line >= sink.line)
+            continue;
+          const re = reCache.get(source.variable);
+          if (!re || !re.test(expr))
+            continue;
+          if (flows.some((f) => f.source_line === source.line && f.sink_line === sink.line && f.sink_type === sink.type))
+            continue;
+          flows.push({
+            source_line: source.line,
+            sink_line: sink.line,
+            source_type: source.type,
+            sink_type: sink.type,
+            path: [
+              { variable: source.variable, line: source.line, type: "source" },
+              { variable: source.variable, line: sink.line, type: "sink" }
+            ],
+            confidence: source.confidence * sink.confidence * 0.7,
+            sanitized: false
+          });
+          break;
+        }
+      }
+    }
+  }
+  return flows;
+}
 
 // ../circle-ir/dist/analysis/interprocedural.js
 function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourcesOrSanitizers, sinksOrOptions, sanitizersArg, optionsArg = {}) {
@@ -26875,7 +26983,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.35.0";
+var version = "3.37.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.35.0",
+  "version": "3.37.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.35.0"
+    "circle-ir": "^3.37.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",