cognium-dev 3.36.0 → 3.38.0

package/dist/cli.js

@@ -18234,6 +18234,8 @@ class CrossFileResolver {
       }
     }
     for (const source of sources) {
+      if (source.type === "interprocedural_param")
+        continue;
       if (source.line >= method.start_line && source.line <= method.end_line) {
         return true;
       }
@@ -18242,6 +18244,8 @@ class CrossFileResolver {
   }
   getSourceType(method, sources) {
     for (const source of sources) {
+      if (source.type === "interprocedural_param")
+        continue;
       if (source.line >= method.start_line && source.line <= method.end_line) {
         return source.type;
       }
@@ -18249,15 +18253,45 @@ class CrossFileResolver {
     return;
   }
   findTaintedParams(method, ir) {
-    const taintedParams = [];
+    const taintedParams = new Set;
     const numParams = method.parameters.length;
     for (let i2 = 0;i2 < numParams; i2++) {
       const param = method.parameters[i2];
       if (param.annotations.some((a) => ["RequestParam", "RequestBody", "PathVariable"].includes(a))) {
-        taintedParams.push(i2);
+        taintedParams.add(i2);
+      }
+    }
+    const paramNameToIndex = new Map;
+    for (let i2 = 0;i2 < numParams; i2++) {
+      const name2 = method.parameters[i2].name;
+      if (name2)
+        paramNameToIndex.set(name2, i2);
+    }
+    for (const sink of ir.taint.sinks) {
+      if (sink.line < method.start_line || sink.line > method.end_line)
+        continue;
+      const callsAtSink = ir.calls.filter((c) => c.location.line === sink.line);
+      for (const call of callsAtSink) {
+        for (const arg of call.arguments) {
+          const candidates = [];
+          if (arg.variable)
+            candidates.push(arg.variable);
+          if (arg.expression) {
+            for (const [name2] of paramNameToIndex) {
+              const re = new RegExp(`\\b${name2}\\b`);
+              if (re.test(arg.expression))
+                candidates.push(name2);
+            }
+          }
+          for (const cand of candidates) {
+            const idx = paramNameToIndex.get(cand);
+            if (idx !== undefined)
+              taintedParams.add(idx);
+          }
+        }
       }
     }
-    return taintedParams;
+    return [...taintedParams].sort((a, b) => a - b);
   }
   isSanitizerMethod(methodName) {
     const sanitizerPatterns = [
@@ -18309,12 +18343,24 @@ class CrossFileResolver {
       for (const source of ir.taint.sources) {
         if (source.type === "interprocedural_param")
           continue;
+        const sourceVar = source.variable ?? this.getLocalDefVarAt(ir, source.line);
         for (const call of ir.calls) {
           if (call.location.line < source.line)
             continue;
           const resolved = this.resolveCall(call, filePath);
           if (!resolved || resolved.targetFile === filePath)
             continue;
+          if (sourceVar) {
+            const argMentions = call.arguments.some((arg) => {
+              if (arg.variable === sourceVar)
+                return true;
+              if (arg.expression && new RegExp(`\\b${sourceVar}\\b`).test(arg.expression))
+                return true;
+              return false;
+            });
+            if (!argMentions)
+              continue;
+          }
           const targetIR = this.fileIRs.get(resolved.targetFile);
           if (!targetIR || targetIR.taint.sinks.length === 0)
             continue;
@@ -18353,6 +18399,150 @@ class CrossFileResolver {
     }
     return flows;
   }
+  findInterproceduralTaintPaths() {
+    const paths = [];
+    const seen = new Set;
+    const methodIndex = this.buildMethodIndex();
+    for (const [callerFile, callerIR] of this.fileIRs) {
+      for (const type of callerIR.types) {
+        for (const method of type.methods) {
+          const tainted = new Map;
+          for (const src of callerIR.taint.sources) {
+            if (src.type === "interprocedural_param")
+              continue;
+            if (src.line < method.start_line || src.line > method.end_line)
+              continue;
+            if (!src.variable)
+              continue;
+            tainted.set(src.variable, {
+              file: callerFile,
+              line: src.line,
+              type: src.type,
+              hopChain: [{ file: callerFile, line: src.line, method: method.name, kind: "source" }]
+            });
+          }
+          const callsInMethod = callerIR.calls.filter((c) => c.location.line >= method.start_line && c.location.line <= method.end_line).sort((a, b) => a.location.line - b.location.line);
+          for (const call of callsInMethod) {
+            const resolved = this.resolveCall(call, callerFile);
+            if (!resolved)
+              continue;
+            const callee = this.methodTaintInfo.get(resolved.targetMethod);
+            if (!callee)
+              continue;
+            if (callee.returnsSource && !callee.sanitizes && callee.sourceType) {
+              const calleeNode = methodIndex.get(resolved.targetMethod);
+              const calleeSourceLine = calleeNode ? this.findRealSourceLineInMethod(calleeNode.ir, calleeNode.method) : undefined;
+              const sourceLine = calleeSourceLine ?? call.location.line;
+              const sourceFile = callee.file;
+              const sourceType = callee.sourceType;
+              const defsAtLine = callerIR.dfg.defs.filter((d) => d.line === call.location.line && d.kind === "local");
+              for (const def of defsAtLine) {
+                if (!def.variable)
+                  continue;
+                const baseChain = [
+                  { file: sourceFile, line: sourceLine, method: resolved.targetMethod, kind: "source" },
+                  { file: callerFile, line: call.location.line, method: method.name, kind: "wrapper_return" }
+                ];
+                tainted.set(def.variable, {
+                  file: sourceFile,
+                  line: sourceLine,
+                  type: sourceType,
+                  hopChain: baseChain
+                });
+              }
+            }
+            if (callee.taintedParams.length === 0 || callee.sanitizes)
+              continue;
+            for (let argIdx = 0;argIdx < call.arguments.length; argIdx++) {
+              if (!callee.taintedParams.includes(argIdx))
+                continue;
+              const arg = call.arguments[argIdx];
+              const matched = this.matchTaintedArg(arg, tainted);
+              if (!matched)
+                continue;
+              const calleeNode = methodIndex.get(resolved.targetMethod);
+              if (!calleeNode)
+                continue;
+              const sinksInCallee = calleeNode.ir.taint.sinks.filter((s) => s.line >= calleeNode.method.start_line && s.line <= calleeNode.method.end_line);
+              for (const sink of sinksInCallee) {
+                const key = `${matched.origin.file}:${matched.origin.line}→${callee.file}:${sink.line}`;
+                if (seen.has(key))
+                  continue;
+                seen.add(key);
+                const hops = [
+                  ...matched.origin.hopChain,
+                  { file: callerFile, line: call.location.line, method: method.name, kind: "sink_call" },
+                  { file: callee.file, line: sink.line, method: resolved.targetMethod, kind: "sink" }
+                ];
+                const decay = Math.max(0.3, Math.pow(0.85, Math.max(hops.length - 1, 0)));
+                paths.push({
+                  source: {
+                    file: matched.origin.file,
+                    line: matched.origin.line,
+                    type: matched.origin.type
+                  },
+                  sink: {
+                    file: callee.file,
+                    line: sink.line,
+                    type: sink.type,
+                    cwe: sink.cwe
+                  },
+                  hops,
+                  confidence: decay
+                });
+              }
+            }
+          }
+        }
+      }
+    }
+    return paths;
+  }
+  matchTaintedArg(arg, tainted) {
+    if (tainted.size === 0)
+      return null;
+    if (arg.variable && tainted.has(arg.variable)) {
+      return { var: arg.variable, origin: tainted.get(arg.variable) };
+    }
+    if (arg.expression) {
+      for (const [tv, origin] of tainted) {
+        const re = new RegExp(`\\b${tv}\\b`);
+        if (re.test(arg.expression))
+          return { var: tv, origin };
+      }
+    }
+    return null;
+  }
+  buildMethodIndex() {
+    const idx = new Map;
+    for (const [, ir] of this.fileIRs) {
+      const pkg = ir.meta.package || "";
+      for (const type of ir.types) {
+        const typeFqn = pkg ? `${pkg}.${type.name}` : type.name;
+        for (const method of type.methods) {
+          idx.set(`${typeFqn}.${method.name}`, { ir, method });
+        }
+      }
+    }
+    return idx;
+  }
+  getLocalDefVarAt(ir, line) {
+    for (const def of ir.dfg.defs) {
+      if (def.line === line && def.kind === "local" && def.variable)
+        return def.variable;
+    }
+    return;
+  }
+  findRealSourceLineInMethod(ir, method) {
+    for (const src of ir.taint.sources) {
+      if (src.type === "interprocedural_param")
+        continue;
+      if (src.line >= method.start_line && src.line <= method.end_line) {
+        return src.line;
+      }
+    }
+    return;
+  }
   getMethodTaintInfo(methodFqn) {
     return this.methodTaintInfo.get(methodFqn);
   }
@@ -18535,12 +18725,56 @@ class CrossFilePass {
         confidence: 0.7
       }];
     });
+    const ipPaths = resolver.findInterproceduralTaintPaths();
+    for (let i2 = 0;i2 < ipPaths.length; i2++) {
+      const p = ipPaths[i2];
+      const sinkIR = projectGraph.getIR(p.sink.file);
+      if (!sinkIR)
+        continue;
+      const matchedSink = sinkIR.taint.sinks.find((s) => s.line === p.sink.line);
+      if (!matchedSink)
+        continue;
+      const srcLines = sourceLines.get(p.source.file) ?? [];
+      const tgtLines = sourceLines.get(p.sink.file) ?? [];
+      const dupId = `${p.source.file}:${p.source.line}→${p.sink.file}:${p.sink.line}`;
+      if (taintPaths.some((tp) => tp.source.file === p.source.file && tp.source.line === p.source.line && tp.sink.file === p.sink.file && tp.sink.line === p.sink.line)) {
+        continue;
+      }
+      taintPaths.push({
+        id: `cf-ip-${i2}-${dupId}`,
+        source: {
+          file: p.source.file,
+          line: p.source.line,
+          type: p.source.type,
+          code: srcLines[p.source.line - 1] ?? ""
+        },
+        sink: {
+          file: p.sink.file,
+          line: p.sink.line,
+          type: matchedSink.type,
+          cwe: matchedSink.cwe,
+          code: tgtLines[p.sink.line - 1] ?? ""
+        },
+        hops: p.hops.map((h) => ({
+          file: h.file,
+          method: h.method,
+          line: h.line,
+          code: (sourceLines.get(h.file) ?? [])[h.line - 1] ?? "",
+          variable: ""
+        })),
+        sanitizers_in_path: [],
+        path_exists: true,
+        confidence: p.confidence
+      });
+    }
     const crossFileCalls = [];
     for (const filePath of projectGraph.filePaths) {
       const resolved = resolver.getResolvedCallsFromFile(filePath);
       for (const rc of resolved) {
         if (rc.sourceFile === rc.targetFile)
           continue;
+        const calleeInfo = resolver.getMethodTaintInfo(rc.targetMethod);
+        const taintedParamSet = new Set(calleeInfo?.taintedParams ?? []);
         crossFileCalls.push({
           id: `${rc.sourceFile}:${rc.call.location.line}:${rc.targetMethod}`,
           from: {
@@ -18556,7 +18790,7 @@ class CrossFilePass {
           args_mapping: (rc.call.arguments ?? []).map((_, i2) => ({
             caller_arg: i2,
             callee_param: i2,
-            taint_propagates: false
+            taint_propagates: taintedParamSet.has(i2)
           })),
           resolved: rc.resolution === "exact"
         });
@@ -19451,6 +19685,15 @@ function buildPythonTaintedVars(sourceCode) {
         containerTainted.set(`${obj}['${section}']['${key}']`, i2 + 1);
       continue;
     }
+    const containerAppendMatch = line.match(/^\s*(\w+)\.(append|extend|insert|add|push|put|appendleft)\s*\(\s*(.+?)\s*\)\s*$/);
+    if (containerAppendMatch) {
+      const [, receiver, , argExpr] = containerAppendMatch;
+      const argIsTainted = [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(argExpr));
+      const argIsDirectSource = PYTHON_TAINTED_PATTERNS2.some((p) => p.pattern.test(argExpr));
+      if (argIsTainted || argIsDirectSource)
+        tainted.set(receiver, tainted.get(receiver) ?? i2 + 1);
+      continue;
+    }
     const augAssign = line.match(/^\s*(\w+)\s*\+=\s*(.+)$/);
     if (augAssign) {
       const [, augLhs, augRhs] = augAssign;
@@ -20513,7 +20756,7 @@ class TaintPropagationPass {
         flows.push(f);
       }
     }
-    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, constProp.unreachableLines) ?? [];
+    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
     for (const f of exprScanFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line && x.sink_type === f.sink_type))
         continue;
@@ -20731,11 +20974,31 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
   }
   return flows;
 }
-function detectExpressionScanFlows(calls, sources, sinks, unreachableLines) {
+function detectExpressionScanFlows(calls, sources, sinks, unreachableLines, code, language) {
   const flows = [];
   const sourcesWithVar = sources.filter((s) => typeof s.variable === "string" && s.variable.length > 0);
   if (sourcesWithVar.length === 0)
     return flows;
+  if (language === "python" && typeof code === "string") {
+    const derived = buildPythonTaintedVars(code);
+    if (derived.size > 0) {
+      let anchor = sourcesWithVar[0];
+      for (const s of sourcesWithVar) {
+        if (s.line < anchor.line)
+          anchor = s;
+      }
+      const existingVars = new Set(sourcesWithVar.map((s) => s.variable));
+      for (const [varName] of derived) {
+        if (!varName || existingVars.has(varName))
+          continue;
+        sourcesWithVar.push({
+          ...anchor,
+          variable: varName
+        });
+        existingVars.add(varName);
+      }
+    }
+  }
   const reCache = new Map;
   for (const s of sourcesWithVar) {
     if (reCache.has(s.variable))
@@ -26954,7 +27217,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.36.0";
+var version = "3.38.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.36.0",
+  "version": "3.38.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.36.0"
+    "circle-ir": "^3.38.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",