cognium-dev 3.41.0 → 3.43.0

package/dist/cli.js

@@ -5321,11 +5321,22 @@ function inferJSTypeFromReceiver(receiver) {
 function buildResolutionContext(tree, cache) {
   const context = {
     className: null,
+    packageName: null,
     methodNames: new Set,
     fieldTypes: new Map,
     localVarTypes: new Map,
-    imports: new Set
+    paramTypes: new Map,
+    imports: new Map,
+    wildcardImports: []
   };
+  const packages = getNodesFromCache(tree.rootNode, "package_declaration", cache);
+  if (packages.length > 0) {
+    const text = getNodeText(packages[0]);
+    const match = text.match(/package\s+([a-zA-Z0-9_.]+)/);
+    if (match) {
+      context.packageName = match[1];
+    }
+  }
   const classes = getNodesFromCache(tree.rootNode, "class_declaration", cache);
   if (classes.length > 0) {
     const nameNode = classes[0].childForFieldName("name");
@@ -5339,6 +5350,17 @@ function buildResolutionContext(tree, cache) {
     if (nameNode) {
       context.methodNames.add(getNodeText(nameNode));
     }
+    const paramsNode = method.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
+  }
+  const constructors = getNodesFromCache(tree.rootNode, "constructor_declaration", cache);
+  for (const ctor of constructors) {
+    const paramsNode = ctor.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
   }
   const fields = getNodesFromCache(tree.rootNode, "field_declaration", cache);
   for (const field of fields) {
@@ -5371,14 +5393,112 @@ function buildResolutionContext(tree, cache) {
   const imports = getNodesFromCache(tree.rootNode, "import_declaration", cache);
   for (const imp of imports) {
     const text = getNodeText(imp);
-    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)/);
-    if (match) {
-      const parts2 = match[1].split(".");
-      context.imports.add(parts2[parts2.length - 1]);
+    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)(\.\*)?/);
+    if (!match)
+      continue;
+    const fqn = match[1];
+    const isWildcard = match[2] === ".*";
+    if (isWildcard) {
+      context.wildcardImports.push(fqn);
+    } else {
+      const parts2 = fqn.split(".");
+      const simple = parts2[parts2.length - 1];
+      context.imports.set(simple, fqn);
     }
   }
   return context;
 }
+function collectParameterTypes(paramsNode, out2) {
+  for (let i2 = 0;i2 < paramsNode.childCount; i2++) {
+    const child = paramsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type !== "formal_parameter" && child.type !== "spread_parameter") {
+      continue;
+    }
+    const typeNode = child.childForFieldName("type");
+    const nameNode = child.childForFieldName("name");
+    if (typeNode && nameNode) {
+      out2.set(getNodeText(nameNode), getNodeText(typeNode));
+    }
+  }
+}
+function stripGenerics(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx === -1 ? type : type.substring(0, ltIdx);
+}
+function resolveReceiverType(receiver, context) {
+  if (!receiver)
+    return { simpleName: null, fqn: null };
+  if (receiver === "this") {
+    return resolveFqn(context.className, context);
+  }
+  if (receiver.startsWith("this.")) {
+    const fieldName = receiver.substring("this.".length);
+    const fieldType = context.fieldTypes.get(fieldName);
+    if (fieldType)
+      return resolveFqn(stripGenerics(fieldType), context);
+    return { simpleName: null, fqn: null };
+  }
+  if (receiver === "super")
+    return { simpleName: null, fqn: null };
+  const declaredType = context.localVarTypes.get(receiver) ?? context.paramTypes.get(receiver) ?? context.fieldTypes.get(receiver);
+  if (declaredType) {
+    return resolveFqn(stripGenerics(declaredType), context);
+  }
+  if (/^[A-Z]/.test(receiver)) {
+    const simple = receiver.includes(".") ? receiver.substring(receiver.lastIndexOf(".") + 1) : receiver;
+    if (/^[A-Z][A-Za-z0-9_]*$/.test(simple)) {
+      return resolveFqn(simple, context);
+    }
+  }
+  return { simpleName: null, fqn: null };
+}
+function resolveFqn(simpleName, context) {
+  if (!simpleName)
+    return { simpleName: null, fqn: null };
+  const importedFqn = context.imports.get(simpleName);
+  if (importedFqn) {
+    return { simpleName, fqn: importedFqn };
+  }
+  if (context.className === simpleName && context.packageName) {
+    return { simpleName, fqn: `${context.packageName}.${simpleName}` };
+  }
+  if (JAVA_LANG_TYPES.has(simpleName)) {
+    return { simpleName, fqn: `java.lang.${simpleName}` };
+  }
+  return { simpleName, fqn: null };
+}
+var JAVA_LANG_TYPES = new Set([
+  "String",
+  "StringBuilder",
+  "StringBuffer",
+  "Object",
+  "Class",
+  "Integer",
+  "Long",
+  "Double",
+  "Float",
+  "Boolean",
+  "Character",
+  "Byte",
+  "Short",
+  "Number",
+  "Math",
+  "System",
+  "Thread",
+  "Runnable",
+  "Throwable",
+  "Exception",
+  "RuntimeException",
+  "Error",
+  "Process",
+  "ProcessBuilder",
+  "Iterable",
+  "Comparable",
+  "CharSequence",
+  "Enum"
+]);
 function extractCallInfo(node, context) {
   const nameNode = node.childForFieldName("name");
   const methodName = nameNode ? getNodeText(nameNode) : "unknown";
@@ -5388,9 +5508,12 @@ function extractCallInfo(node, context) {
   const args2 = argsNode ? extractArguments(argsNode) : [];
   const enclosingMethod = findEnclosingMethod(node);
   const { resolved, resolution } = resolveMethodCall(methodName, receiver, context);
+  const { simpleName, fqn } = resolveReceiverType(receiver, context);
   return {
     method_name: methodName,
     receiver,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -5413,9 +5536,13 @@ function extractObjectCreation(node, context) {
     status: "resolved",
     target: `${typeName}.<init>`
   };
+  const simpleType = stripGenerics(typeName);
+  const { simpleName, fqn } = resolveFqn(simpleType, context);
   return {
     method_name: typeName,
     receiver: null,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -10059,6 +10186,17 @@ var DEFAULT_SINKS = [
   { method: "queryForObject", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   { method: "queryForList", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
   { method: "queryForLong", type: "sql_injection", cwe: "CWE-89", severity: "high", arg_positions: [0] },
+  { method: "insert", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "insertSelective", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "update", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "updateByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "updateByPrimaryKeySelective", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "delete", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "deleteByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectOne", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectList", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectByPrimaryKey", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
+  { method: "selectByExample", class: "*Mapper", type: "mybatis_mapper_call", cwe: "CWE-89", severity: "medium", arg_positions: [0], languages: ["java"] },
   { method: "exec", class: "Runtime", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0, 1] },
   { method: "start", class: "ProcessBuilder", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
   { method: "ProcessBuilder", class: "constructor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -11681,6 +11819,14 @@ function matchesAnnotation(annotations, targetAnnotation) {
   return false;
 }
 function receiverMightBeClass(receiver, className) {
+  if (className.startsWith("*") && className.length > 1) {
+    const suffix = className.slice(1).toLowerCase();
+    let simpleReceiver = receiver;
+    if (simpleReceiver.includes(".") && !simpleReceiver.endsWith(")")) {
+      simpleReceiver = simpleReceiver.substring(simpleReceiver.lastIndexOf(".") + 1);
+    }
+    return simpleReceiver.toLowerCase().endsWith(suffix);
+  }
   if (receiver === className) {
     return true;
   }
@@ -18725,7 +18871,7 @@ class CrossFileResolver {
                 fieldName = exprMatch[2];
               }
             }
-            const resolveReceiverType = (rcv) => {
+            const resolveReceiverType2 = (rcv) => {
               const param = method.parameters.find((p) => p.name === rcv);
               if (param?.type)
                 return param.type;
@@ -18736,13 +18882,13 @@ class CrossFileResolver {
             };
             let receiverType = null;
             if (receiver && fieldName) {
-              receiverType = resolveReceiverType(receiver);
+              receiverType = resolveReceiverType2(receiver);
             }
             if (!receiverType) {
               for (const rcvUse of usesAtLine) {
                 if (!rcvUse.variable || rcvUse.variable === def.variable)
                   continue;
-                const rt = resolveReceiverType(rcvUse.variable);
+                const rt = resolveReceiverType2(rcvUse.variable);
                 if (!rt)
                   continue;
                 const fieldUse = usesAtLine.find((u) => u !== rcvUse && !!u.variable && u.variable !== def.variable && u.variable !== rcvUse.variable && this.typeHasField(rt, u.variable));
@@ -21046,7 +21192,8 @@ var KNOWN_SINK_TYPES = new Set([
   "log_injection",
   "xxe",
   "deserialization",
-  "code_injection"
+  "code_injection",
+  "mybatis_mapper_call"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -27632,7 +27779,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.41.0";
+var version = "3.43.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {
@@ -27654,7 +27801,8 @@ var SINK_SEVERITY = {
   weak_crypto: "low",
   insecure_cookie: "low",
   trust_boundary: "medium",
-  external_taint_escape: "medium"
+  external_taint_escape: "medium",
+  mybatis_mapper_call: "medium"
 };
 var SINK_CWE = {
   sql_injection: "CWE-89",
@@ -27675,7 +27823,8 @@ var SINK_CWE = {
   weak_crypto: "CWE-327",
   insecure_cookie: "CWE-614",
   trust_boundary: "CWE-501",
-  external_taint_escape: "CWE-20"
+  external_taint_escape: "CWE-20",
+  mybatis_mapper_call: "CWE-89"
 };
 var VULNERABILITY_HELP = {
   sql_injection: {
@@ -27754,6 +27903,10 @@ var VULNERABILITY_HELP = {
     description: "External input reaches a sensitive sink without proper validation",
     fix: "Validate, sanitize, or escape external input before use in sensitive operations"
   },
+  mybatis_mapper_call: {
+    description: "Tainted argument passed to a MyBatis mapper interface method — actual SQL lives in the mapper XML/annotation binding, so exploitability depends on whether ${...} string interpolation is used",
+    fix: "Audit the mapper XML/annotations: use #{...} parameter binding (PreparedStatement-backed) for any user-controlled value. Reject from SQL-injection reports unless ${...} interpolation is confirmed"
+  },
   "dead-code": {
     description: "Unreachable code block has no execution path from any entry point",
     fix: "Remove the unreachable block or fix the control flow that precedes it"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.41.0",
+  "version": "3.43.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.41.0"
+    "circle-ir": "^3.43.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",