npm - cognium-dev - Versions diffs - 3.37.0 → 3.38.0 - Mend

cognium-dev 3.37.0 → 3.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +239 -5
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -18234,6 +18234,8 @@ class CrossFileResolver {
       }
     }
     for (const source of sources) {
+      if (source.type === "interprocedural_param")
+        continue;
       if (source.line >= method.start_line && source.line <= method.end_line) {
         return true;
       }
@@ -18242,6 +18244,8 @@ class CrossFileResolver {
   }
   getSourceType(method, sources) {
     for (const source of sources) {
+      if (source.type === "interprocedural_param")
+        continue;
       if (source.line >= method.start_line && source.line <= method.end_line) {
         return source.type;
       }
@@ -18249,15 +18253,45 @@ class CrossFileResolver {
     return;
   }
   findTaintedParams(method, ir) {
-    const taintedParams = [];
+    const taintedParams = new Set;
     const numParams = method.parameters.length;
     for (let i2 = 0;i2 < numParams; i2++) {
       const param = method.parameters[i2];
       if (param.annotations.some((a) => ["RequestParam", "RequestBody", "PathVariable"].includes(a))) {
-        taintedParams.push(i2);
+        taintedParams.add(i2);
       }
     }
-    return taintedParams;
+    const paramNameToIndex = new Map;
+    for (let i2 = 0;i2 < numParams; i2++) {
+      const name2 = method.parameters[i2].name;
+      if (name2)
+        paramNameToIndex.set(name2, i2);
+    }
+    for (const sink of ir.taint.sinks) {
+      if (sink.line < method.start_line || sink.line > method.end_line)
+        continue;
+      const callsAtSink = ir.calls.filter((c) => c.location.line === sink.line);
+      for (const call of callsAtSink) {
+        for (const arg of call.arguments) {
+          const candidates = [];
+          if (arg.variable)
+            candidates.push(arg.variable);
+          if (arg.expression) {
+            for (const [name2] of paramNameToIndex) {
+              const re = new RegExp(`\\b${name2}\\b`);
+              if (re.test(arg.expression))
+                candidates.push(name2);
+            }
+          }
+          for (const cand of candidates) {
+            const idx = paramNameToIndex.get(cand);
+            if (idx !== undefined)
+              taintedParams.add(idx);
+          }
+        }
+      }
+    }
+    return [...taintedParams].sort((a, b) => a - b);
   }
   isSanitizerMethod(methodName) {
     const sanitizerPatterns = [
@@ -18309,12 +18343,24 @@ class CrossFileResolver {
       for (const source of ir.taint.sources) {
         if (source.type === "interprocedural_param")
           continue;
+        const sourceVar = source.variable ?? this.getLocalDefVarAt(ir, source.line);
         for (const call of ir.calls) {
           if (call.location.line < source.line)
             continue;
           const resolved = this.resolveCall(call, filePath);
           if (!resolved || resolved.targetFile === filePath)
             continue;
+          if (sourceVar) {
+            const argMentions = call.arguments.some((arg) => {
+              if (arg.variable === sourceVar)
+                return true;
+              if (arg.expression && new RegExp(`\\b${sourceVar}\\b`).test(arg.expression))
+                return true;
+              return false;
+            });
+            if (!argMentions)
+              continue;
+          }
           const targetIR = this.fileIRs.get(resolved.targetFile);
           if (!targetIR || targetIR.taint.sinks.length === 0)
             continue;
@@ -18353,6 +18399,150 @@ class CrossFileResolver {
     }
     return flows;
   }
+  findInterproceduralTaintPaths() {
+    const paths = [];
+    const seen = new Set;
+    const methodIndex = this.buildMethodIndex();
+    for (const [callerFile, callerIR] of this.fileIRs) {
+      for (const type of callerIR.types) {
+        for (const method of type.methods) {
+          const tainted = new Map;
+          for (const src of callerIR.taint.sources) {
+            if (src.type === "interprocedural_param")
+              continue;
+            if (src.line < method.start_line || src.line > method.end_line)
+              continue;
+            if (!src.variable)
+              continue;
+            tainted.set(src.variable, {
+              file: callerFile,
+              line: src.line,
+              type: src.type,
+              hopChain: [{ file: callerFile, line: src.line, method: method.name, kind: "source" }]
+            });
+          }
+          const callsInMethod = callerIR.calls.filter((c) => c.location.line >= method.start_line && c.location.line <= method.end_line).sort((a, b) => a.location.line - b.location.line);
+          for (const call of callsInMethod) {
+            const resolved = this.resolveCall(call, callerFile);
+            if (!resolved)
+              continue;
+            const callee = this.methodTaintInfo.get(resolved.targetMethod);
+            if (!callee)
+              continue;
+            if (callee.returnsSource && !callee.sanitizes && callee.sourceType) {
+              const calleeNode = methodIndex.get(resolved.targetMethod);
+              const calleeSourceLine = calleeNode ? this.findRealSourceLineInMethod(calleeNode.ir, calleeNode.method) : undefined;
+              const sourceLine = calleeSourceLine ?? call.location.line;
+              const sourceFile = callee.file;
+              const sourceType = callee.sourceType;
+              const defsAtLine = callerIR.dfg.defs.filter((d) => d.line === call.location.line && d.kind === "local");
+              for (const def of defsAtLine) {
+                if (!def.variable)
+                  continue;
+                const baseChain = [
+                  { file: sourceFile, line: sourceLine, method: resolved.targetMethod, kind: "source" },
+                  { file: callerFile, line: call.location.line, method: method.name, kind: "wrapper_return" }
+                ];
+                tainted.set(def.variable, {
+                  file: sourceFile,
+                  line: sourceLine,
+                  type: sourceType,
+                  hopChain: baseChain
+                });
+              }
+            }
+            if (callee.taintedParams.length === 0 || callee.sanitizes)
+              continue;
+            for (let argIdx = 0;argIdx < call.arguments.length; argIdx++) {
+              if (!callee.taintedParams.includes(argIdx))
+                continue;
+              const arg = call.arguments[argIdx];
+              const matched = this.matchTaintedArg(arg, tainted);
+              if (!matched)
+                continue;
+              const calleeNode = methodIndex.get(resolved.targetMethod);
+              if (!calleeNode)
+                continue;
+              const sinksInCallee = calleeNode.ir.taint.sinks.filter((s) => s.line >= calleeNode.method.start_line && s.line <= calleeNode.method.end_line);
+              for (const sink of sinksInCallee) {
+                const key = `${matched.origin.file}:${matched.origin.line}→${callee.file}:${sink.line}`;
+                if (seen.has(key))
+                  continue;
+                seen.add(key);
+                const hops = [
+                  ...matched.origin.hopChain,
+                  { file: callerFile, line: call.location.line, method: method.name, kind: "sink_call" },
+                  { file: callee.file, line: sink.line, method: resolved.targetMethod, kind: "sink" }
+                ];
+                const decay = Math.max(0.3, Math.pow(0.85, Math.max(hops.length - 1, 0)));
+                paths.push({
+                  source: {
+                    file: matched.origin.file,
+                    line: matched.origin.line,
+                    type: matched.origin.type
+                  },
+                  sink: {
+                    file: callee.file,
+                    line: sink.line,
+                    type: sink.type,
+                    cwe: sink.cwe
+                  },
+                  hops,
+                  confidence: decay
+                });
+              }
+            }
+          }
+        }
+      }
+    }
+    return paths;
+  }
+  matchTaintedArg(arg, tainted) {
+    if (tainted.size === 0)
+      return null;
+    if (arg.variable && tainted.has(arg.variable)) {
+      return { var: arg.variable, origin: tainted.get(arg.variable) };
+    }
+    if (arg.expression) {
+      for (const [tv, origin] of tainted) {
+        const re = new RegExp(`\\b${tv}\\b`);
+        if (re.test(arg.expression))
+          return { var: tv, origin };
+      }
+    }
+    return null;
+  }
+  buildMethodIndex() {
+    const idx = new Map;
+    for (const [, ir] of this.fileIRs) {
+      const pkg = ir.meta.package || "";
+      for (const type of ir.types) {
+        const typeFqn = pkg ? `${pkg}.${type.name}` : type.name;
+        for (const method of type.methods) {
+          idx.set(`${typeFqn}.${method.name}`, { ir, method });
+        }
+      }
+    }
+    return idx;
+  }
+  getLocalDefVarAt(ir, line) {
+    for (const def of ir.dfg.defs) {
+      if (def.line === line && def.kind === "local" && def.variable)
+        return def.variable;
+    }
+    return;
+  }
+  findRealSourceLineInMethod(ir, method) {
+    for (const src of ir.taint.sources) {
+      if (src.type === "interprocedural_param")
+        continue;
+      if (src.line >= method.start_line && src.line <= method.end_line) {
+        return src.line;
+      }
+    }
+    return;
+  }
   getMethodTaintInfo(methodFqn) {
     return this.methodTaintInfo.get(methodFqn);
   }
@@ -18535,12 +18725,56 @@ class CrossFilePass {
         confidence: 0.7
       }];
     });
+    const ipPaths = resolver.findInterproceduralTaintPaths();
+    for (let i2 = 0;i2 < ipPaths.length; i2++) {
+      const p = ipPaths[i2];
+      const sinkIR = projectGraph.getIR(p.sink.file);
+      if (!sinkIR)
+        continue;
+      const matchedSink = sinkIR.taint.sinks.find((s) => s.line === p.sink.line);
+      if (!matchedSink)
+        continue;
+      const srcLines = sourceLines.get(p.source.file) ?? [];
+      const tgtLines = sourceLines.get(p.sink.file) ?? [];
+      const dupId = `${p.source.file}:${p.source.line}→${p.sink.file}:${p.sink.line}`;
+      if (taintPaths.some((tp) => tp.source.file === p.source.file && tp.source.line === p.source.line && tp.sink.file === p.sink.file && tp.sink.line === p.sink.line)) {
+        continue;
+      }
+      taintPaths.push({
+        id: `cf-ip-${i2}-${dupId}`,
+        source: {
+          file: p.source.file,
+          line: p.source.line,
+          type: p.source.type,
+          code: srcLines[p.source.line - 1] ?? ""
+        },
+        sink: {
+          file: p.sink.file,
+          line: p.sink.line,
+          type: matchedSink.type,
+          cwe: matchedSink.cwe,
+          code: tgtLines[p.sink.line - 1] ?? ""
+        },
+        hops: p.hops.map((h) => ({
+          file: h.file,
+          method: h.method,
+          line: h.line,
+          code: (sourceLines.get(h.file) ?? [])[h.line - 1] ?? "",
+          variable: ""
+        })),
+        sanitizers_in_path: [],
+        path_exists: true,
+        confidence: p.confidence
+      });
+    }
     const crossFileCalls = [];
     for (const filePath of projectGraph.filePaths) {
       const resolved = resolver.getResolvedCallsFromFile(filePath);
       for (const rc of resolved) {
         if (rc.sourceFile === rc.targetFile)
           continue;
+        const calleeInfo = resolver.getMethodTaintInfo(rc.targetMethod);
+        const taintedParamSet = new Set(calleeInfo?.taintedParams ?? []);
         crossFileCalls.push({
           id: `${rc.sourceFile}:${rc.call.location.line}:${rc.targetMethod}`,
           from: {
@@ -18556,7 +18790,7 @@ class CrossFilePass {
           args_mapping: (rc.call.arguments ?? []).map((_, i2) => ({
             caller_arg: i2,
             callee_param: i2,
-            taint_propagates: false
+            taint_propagates: taintedParamSet.has(i2)
           })),
           resolved: rc.resolution === "exact"
         });
@@ -26983,7 +27217,7 @@ var colors = {
 };
 // src/version.ts
-var version = "3.37.0";
+var version = "3.38.0";
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.37.0",
+  "version": "3.38.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.37.0"
+    "circle-ir": "^3.38.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",