cognium-dev 3.42.0 → 3.43.0

package/dist/cli.js

@@ -5321,11 +5321,22 @@ function inferJSTypeFromReceiver(receiver) {
 function buildResolutionContext(tree, cache) {
   const context = {
     className: null,
+    packageName: null,
     methodNames: new Set,
     fieldTypes: new Map,
     localVarTypes: new Map,
-    imports: new Set
+    paramTypes: new Map,
+    imports: new Map,
+    wildcardImports: []
   };
+  const packages = getNodesFromCache(tree.rootNode, "package_declaration", cache);
+  if (packages.length > 0) {
+    const text = getNodeText(packages[0]);
+    const match = text.match(/package\s+([a-zA-Z0-9_.]+)/);
+    if (match) {
+      context.packageName = match[1];
+    }
+  }
   const classes = getNodesFromCache(tree.rootNode, "class_declaration", cache);
   if (classes.length > 0) {
     const nameNode = classes[0].childForFieldName("name");
@@ -5339,6 +5350,17 @@ function buildResolutionContext(tree, cache) {
     if (nameNode) {
       context.methodNames.add(getNodeText(nameNode));
     }
+    const paramsNode = method.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
+  }
+  const constructors = getNodesFromCache(tree.rootNode, "constructor_declaration", cache);
+  for (const ctor of constructors) {
+    const paramsNode = ctor.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
   }
   const fields = getNodesFromCache(tree.rootNode, "field_declaration", cache);
   for (const field of fields) {
@@ -5371,14 +5393,112 @@ function buildResolutionContext(tree, cache) {
   const imports = getNodesFromCache(tree.rootNode, "import_declaration", cache);
   for (const imp of imports) {
     const text = getNodeText(imp);
-    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)/);
-    if (match) {
-      const parts2 = match[1].split(".");
-      context.imports.add(parts2[parts2.length - 1]);
+    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)(\.\*)?/);
+    if (!match)
+      continue;
+    const fqn = match[1];
+    const isWildcard = match[2] === ".*";
+    if (isWildcard) {
+      context.wildcardImports.push(fqn);
+    } else {
+      const parts2 = fqn.split(".");
+      const simple = parts2[parts2.length - 1];
+      context.imports.set(simple, fqn);
     }
   }
   return context;
 }
+function collectParameterTypes(paramsNode, out2) {
+  for (let i2 = 0;i2 < paramsNode.childCount; i2++) {
+    const child = paramsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type !== "formal_parameter" && child.type !== "spread_parameter") {
+      continue;
+    }
+    const typeNode = child.childForFieldName("type");
+    const nameNode = child.childForFieldName("name");
+    if (typeNode && nameNode) {
+      out2.set(getNodeText(nameNode), getNodeText(typeNode));
+    }
+  }
+}
+function stripGenerics(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx === -1 ? type : type.substring(0, ltIdx);
+}
+function resolveReceiverType(receiver, context) {
+  if (!receiver)
+    return { simpleName: null, fqn: null };
+  if (receiver === "this") {
+    return resolveFqn(context.className, context);
+  }
+  if (receiver.startsWith("this.")) {
+    const fieldName = receiver.substring("this.".length);
+    const fieldType = context.fieldTypes.get(fieldName);
+    if (fieldType)
+      return resolveFqn(stripGenerics(fieldType), context);
+    return { simpleName: null, fqn: null };
+  }
+  if (receiver === "super")
+    return { simpleName: null, fqn: null };
+  const declaredType = context.localVarTypes.get(receiver) ?? context.paramTypes.get(receiver) ?? context.fieldTypes.get(receiver);
+  if (declaredType) {
+    return resolveFqn(stripGenerics(declaredType), context);
+  }
+  if (/^[A-Z]/.test(receiver)) {
+    const simple = receiver.includes(".") ? receiver.substring(receiver.lastIndexOf(".") + 1) : receiver;
+    if (/^[A-Z][A-Za-z0-9_]*$/.test(simple)) {
+      return resolveFqn(simple, context);
+    }
+  }
+  return { simpleName: null, fqn: null };
+}
+function resolveFqn(simpleName, context) {
+  if (!simpleName)
+    return { simpleName: null, fqn: null };
+  const importedFqn = context.imports.get(simpleName);
+  if (importedFqn) {
+    return { simpleName, fqn: importedFqn };
+  }
+  if (context.className === simpleName && context.packageName) {
+    return { simpleName, fqn: `${context.packageName}.${simpleName}` };
+  }
+  if (JAVA_LANG_TYPES.has(simpleName)) {
+    return { simpleName, fqn: `java.lang.${simpleName}` };
+  }
+  return { simpleName, fqn: null };
+}
+var JAVA_LANG_TYPES = new Set([
+  "String",
+  "StringBuilder",
+  "StringBuffer",
+  "Object",
+  "Class",
+  "Integer",
+  "Long",
+  "Double",
+  "Float",
+  "Boolean",
+  "Character",
+  "Byte",
+  "Short",
+  "Number",
+  "Math",
+  "System",
+  "Thread",
+  "Runnable",
+  "Throwable",
+  "Exception",
+  "RuntimeException",
+  "Error",
+  "Process",
+  "ProcessBuilder",
+  "Iterable",
+  "Comparable",
+  "CharSequence",
+  "Enum"
+]);
 function extractCallInfo(node, context) {
   const nameNode = node.childForFieldName("name");
   const methodName = nameNode ? getNodeText(nameNode) : "unknown";
@@ -5388,9 +5508,12 @@ function extractCallInfo(node, context) {
   const args2 = argsNode ? extractArguments(argsNode) : [];
   const enclosingMethod = findEnclosingMethod(node);
   const { resolved, resolution } = resolveMethodCall(methodName, receiver, context);
+  const { simpleName, fqn } = resolveReceiverType(receiver, context);
   return {
     method_name: methodName,
     receiver,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -5413,9 +5536,13 @@ function extractObjectCreation(node, context) {
     status: "resolved",
     target: `${typeName}.<init>`
   };
+  const simpleType = stripGenerics(typeName);
+  const { simpleName, fqn } = resolveFqn(simpleType, context);
   return {
     method_name: typeName,
     receiver: null,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -18744,7 +18871,7 @@ class CrossFileResolver {
                 fieldName = exprMatch[2];
               }
             }
-            const resolveReceiverType = (rcv) => {
+            const resolveReceiverType2 = (rcv) => {
               const param = method.parameters.find((p) => p.name === rcv);
               if (param?.type)
                 return param.type;
@@ -18755,13 +18882,13 @@ class CrossFileResolver {
             };
             let receiverType = null;
             if (receiver && fieldName) {
-              receiverType = resolveReceiverType(receiver);
+              receiverType = resolveReceiverType2(receiver);
             }
             if (!receiverType) {
               for (const rcvUse of usesAtLine) {
                 if (!rcvUse.variable || rcvUse.variable === def.variable)
                   continue;
-                const rt = resolveReceiverType(rcvUse.variable);
+                const rt = resolveReceiverType2(rcvUse.variable);
                 if (!rt)
                   continue;
                 const fieldUse = usesAtLine.find((u) => u !== rcvUse && !!u.variable && u.variable !== def.variable && u.variable !== rcvUse.variable && this.typeHasField(rt, u.variable));
@@ -27652,7 +27779,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.42.0";
+var version = "3.43.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.42.0",
+  "version": "3.43.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.42.0"
+    "circle-ir": "^3.43.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",