cognium-dev 3.39.0 → 3.41.0

package/dist/cli.js

@@ -10475,13 +10475,13 @@ var DEFAULT_SINKS = [
   { method: "readObject", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
   { method: "readUnshared", class: "ObjectInputStream", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
   { method: "fromXML", class: "XStream", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "readValue", class: "ObjectMapper", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
-  { method: "load", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
+  { method: "readValue", class: "ObjectMapper", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0], safe_if_class_literal_at: 1 },
+  { method: "load", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], safe_if_class_literal_at: 1 },
   { method: "loadAll", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "loadAs", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "parseObject", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
-  { method: "parseObject", class: "JSONObject", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
-  { method: "fromJson", class: "Gson", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
+  { method: "loadAs", class: "Yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], safe_if_class_literal_at: 1 },
+  { method: "parseObject", class: "JSON", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0], safe_if_class_literal_at: 1 },
+  { method: "parseObject", class: "JSONObject", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0], safe_if_class_literal_at: 1 },
+  { method: "fromJson", class: "Gson", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0], safe_if_class_literal_at: 1 },
   { method: "readObject", class: "XMLDecoder", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [] },
   { method: "ObjectInputStream", class: "constructor", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
   { method: "search", class: "DirContext", type: "ldap_injection", cwe: "CWE-90", severity: "high", arg_positions: [0, 1] },
@@ -10690,11 +10690,11 @@ var DEFAULT_SINKS = [
   { method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
-  { method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "load", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "loads", class: "marshal", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "load", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
-  { method: "loads", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0] },
+  { method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "load", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "loads", class: "marshal", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "load", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
+  { method: "loads", class: "yaml", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "execute", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "executemany", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "raw", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0], languages: ["python"] },
@@ -11092,13 +11092,29 @@ var PYTHON_TAINTED_PATTERNS = [
   { pattern: /\brequest\.query_params\b/, sourceType: "http_param" },
   { pattern: /\brequest\.path_params\b/, sourceType: "http_param" }
 ];
-function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language) {
-  const sources = findSources(calls, types, config.sources);
-  const sinks = findSinks(calls, config.sinks, typeHierarchy, language);
+function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language, code) {
+  const sourceLines = code !== undefined ? code.split(`
+`) : undefined;
+  const sources = findSources(calls, types, config.sources, sourceLines);
+  const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
 }
-function findSources(calls, types, patterns) {
+function attachSourceLineCode(sources, sinks, code) {
+  const lines = code.split(`
+`);
+  for (const s of sources) {
+    if (s.code === undefined) {
+      s.code = lines[s.line - 1]?.trim();
+    }
+  }
+  for (const s of sinks) {
+    if (s.code === undefined) {
+      s.code = lines[s.line - 1]?.trim();
+    }
+  }
+}
+function findSources(calls, types, patterns, sourceLines) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
@@ -11245,7 +11261,13 @@ function findSources(calls, types, patterns) {
       sourceMap.set(key, source);
     }
   }
-  return Array.from(sourceMap.values());
+  const result = Array.from(sourceMap.values());
+  if (sourceLines) {
+    for (const s of result) {
+      s.code = sourceLines[s.line - 1]?.trim();
+    }
+  }
+  return result;
 }
 function isInterproceduralTaintableType(typeName) {
   const baseType = typeName.split("<")[0].trim();
@@ -11341,7 +11363,17 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
-function findSinks(calls, patterns, typeHierarchy, language) {
+var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
+function argIsClassLiteral(call, position) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg)
+    return false;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr)
+    return false;
+  return CLASS_LITERAL_RE.test(expr);
+}
+function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
   const sinkMap = new Map;
   for (const call of calls) {
     for (const pattern of patterns) {
@@ -11349,6 +11381,9 @@ function findSinks(calls, patterns, typeHierarchy, language) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
+        if (pattern.safe_if_class_literal_at !== undefined && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
+          continue;
+        }
         const location = formatCallLocation(call);
         const key = `${location}:${call.location.line}:${pattern.cwe}`;
         const confidence = calculateSinkConfidence(call, pattern);
@@ -11367,7 +11402,13 @@ function findSinks(calls, patterns, typeHierarchy, language) {
       }
     }
   }
-  return Array.from(sinkMap.values());
+  const result = Array.from(sinkMap.values());
+  if (sourceLines) {
+    for (const s of result) {
+      s.code = sourceLines[s.line - 1]?.trim();
+    }
+  }
+  return result;
 }
 function matchesSourcePattern(call, pattern) {
   if (pattern.method) {
@@ -19694,7 +19735,7 @@ class TaintMatcherPass {
   name = "taint-matcher";
   category = "security";
   run(ctx) {
-    const { graph, language, config } = ctx;
+    const { graph, language, config, code } = ctx;
     const { calls, types } = graph.ir;
     let mergedConfig = config;
     const plugin = getLanguagePlugin(language);
@@ -19731,7 +19772,7 @@ class TaintMatcherPass {
     }
     const hierarchy = createWithJdkTypes();
     hierarchy.addFromIR(graph.ir, graph.ir.meta.file);
-    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy, language);
+    const taint = analyzeTaint(calls, types, mergedConfig, hierarchy, language, code);
     const sanitizerMethods = [];
     for (const type of types) {
       for (const method of type.methods) {
@@ -19913,6 +19954,7 @@ class LanguageSourcesPass {
         ctx.addFinding(finding);
       }
     }
+    attachSourceLineCode(additionalSources, additionalSinks, code);
     return { additionalSources, additionalSinks, pyTaintedVars, pySanitizedVars, jsTaintedVars };
   }
 }
@@ -27590,7 +27632,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.39.0";
+var version = "3.41.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.39.0",
+  "version": "3.41.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.39.0"
+    "circle-ir": "^3.41.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",