npm - cognium-dev - Versions diffs - 3.42.0 → 3.44.0 - Mend

cognium-dev 3.42.0 → 3.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +151 -9
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -5321,11 +5321,22 @@ function inferJSTypeFromReceiver(receiver) {
 function buildResolutionContext(tree, cache) {
   const context = {
     className: null,
+    packageName: null,
     methodNames: new Set,
     fieldTypes: new Map,
     localVarTypes: new Map,
-    imports: new Set
+    paramTypes: new Map,
+    imports: new Map,
+    wildcardImports: []
   };
+  const packages = getNodesFromCache(tree.rootNode, "package_declaration", cache);
+  if (packages.length > 0) {
+    const text = getNodeText(packages[0]);
+    const match = text.match(/package\s+([a-zA-Z0-9_.]+)/);
+    if (match) {
+      context.packageName = match[1];
+    }
+  }
   const classes = getNodesFromCache(tree.rootNode, "class_declaration", cache);
   if (classes.length > 0) {
     const nameNode = classes[0].childForFieldName("name");
@@ -5339,6 +5350,17 @@ function buildResolutionContext(tree, cache) {
     if (nameNode) {
       context.methodNames.add(getNodeText(nameNode));
     }
+    const paramsNode = method.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
+  }
+  const constructors = getNodesFromCache(tree.rootNode, "constructor_declaration", cache);
+  for (const ctor of constructors) {
+    const paramsNode = ctor.childForFieldName("parameters");
+    if (paramsNode) {
+      collectParameterTypes(paramsNode, context.paramTypes);
+    }
   }
   const fields = getNodesFromCache(tree.rootNode, "field_declaration", cache);
   for (const field of fields) {
@@ -5371,14 +5393,112 @@ function buildResolutionContext(tree, cache) {
   const imports = getNodesFromCache(tree.rootNode, "import_declaration", cache);
   for (const imp of imports) {
     const text = getNodeText(imp);
-    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)/);
-    if (match) {
-      const parts2 = match[1].split(".");
-      context.imports.add(parts2[parts2.length - 1]);
+    const match = text.match(/import\s+(?:static\s+)?([a-zA-Z0-9_.]+)(\.\*)?/);
+    if (!match)
+      continue;
+    const fqn = match[1];
+    const isWildcard = match[2] === ".*";
+    if (isWildcard) {
+      context.wildcardImports.push(fqn);
+    } else {
+      const parts2 = fqn.split(".");
+      const simple = parts2[parts2.length - 1];
+      context.imports.set(simple, fqn);
     }
   }
   return context;
 }
+function collectParameterTypes(paramsNode, out2) {
+  for (let i2 = 0;i2 < paramsNode.childCount; i2++) {
+    const child = paramsNode.child(i2);
+    if (!child)
+      continue;
+    if (child.type !== "formal_parameter" && child.type !== "spread_parameter") {
+      continue;
+    }
+    const typeNode = child.childForFieldName("type");
+    const nameNode = child.childForFieldName("name");
+    if (typeNode && nameNode) {
+      out2.set(getNodeText(nameNode), getNodeText(typeNode));
+    }
+  }
+}
+function stripGenerics(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx === -1 ? type : type.substring(0, ltIdx);
+}
+function resolveReceiverType(receiver, context) {
+  if (!receiver)
+    return { simpleName: null, fqn: null };
+  if (receiver === "this") {
+    return resolveFqn(context.className, context);
+  }
+  if (receiver.startsWith("this.")) {
+    const fieldName = receiver.substring("this.".length);
+    const fieldType = context.fieldTypes.get(fieldName);
+    if (fieldType)
+      return resolveFqn(stripGenerics(fieldType), context);
+    return { simpleName: null, fqn: null };
+  }
+  if (receiver === "super")
+    return { simpleName: null, fqn: null };
+  const declaredType = context.localVarTypes.get(receiver) ?? context.paramTypes.get(receiver) ?? context.fieldTypes.get(receiver);
+  if (declaredType) {
+    return resolveFqn(stripGenerics(declaredType), context);
+  }
+  if (/^[A-Z]/.test(receiver)) {
+    const simple = receiver.includes(".") ? receiver.substring(receiver.lastIndexOf(".") + 1) : receiver;
+    if (/^[A-Z][A-Za-z0-9_]*$/.test(simple)) {
+      return resolveFqn(simple, context);
+    }
+  }
+  return { simpleName: null, fqn: null };
+}
+function resolveFqn(simpleName, context) {
+  if (!simpleName)
+    return { simpleName: null, fqn: null };
+  const importedFqn = context.imports.get(simpleName);
+  if (importedFqn) {
+    return { simpleName, fqn: importedFqn };
+  }
+  if (context.className === simpleName && context.packageName) {
+    return { simpleName, fqn: `${context.packageName}.${simpleName}` };
+  }
+  if (JAVA_LANG_TYPES.has(simpleName)) {
+    return { simpleName, fqn: `java.lang.${simpleName}` };
+  }
+  return { simpleName, fqn: null };
+}
+var JAVA_LANG_TYPES = new Set([
+  "String",
+  "StringBuilder",
+  "StringBuffer",
+  "Object",
+  "Class",
+  "Integer",
+  "Long",
+  "Double",
+  "Float",
+  "Boolean",
+  "Character",
+  "Byte",
+  "Short",
+  "Number",
+  "Math",
+  "System",
+  "Thread",
+  "Runnable",
+  "Throwable",
+  "Exception",
+  "RuntimeException",
+  "Error",
+  "Process",
+  "ProcessBuilder",
+  "Iterable",
+  "Comparable",
+  "CharSequence",
+  "Enum"
+]);
 function extractCallInfo(node, context) {
   const nameNode = node.childForFieldName("name");
   const methodName = nameNode ? getNodeText(nameNode) : "unknown";
@@ -5388,9 +5508,12 @@ function extractCallInfo(node, context) {
   const args2 = argsNode ? extractArguments(argsNode) : [];
   const enclosingMethod = findEnclosingMethod(node);
   const { resolved, resolution } = resolveMethodCall(methodName, receiver, context);
+  const { simpleName, fqn } = resolveReceiverType(receiver, context);
   return {
     method_name: methodName,
     receiver,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -5413,9 +5536,13 @@ function extractObjectCreation(node, context) {
     status: "resolved",
     target: `${typeName}.<init>`
   };
+  const simpleType = stripGenerics(typeName);
+  const { simpleName, fqn } = resolveFqn(simpleType, context);
   return {
     method_name: typeName,
     receiver: null,
+    receiver_type: simpleName,
+    receiver_type_fqn: fqn,
     arguments: args2,
     location: {
       line: node.startPosition.row + 1,
@@ -11645,6 +11772,11 @@ function isKnownSafeReceiverForMethod(receiver, method, sinkType) {
   }
   return false;
 }
+var SINK_FQN_EXCLUSIONS = {
+  sql_injection: [
+    "net.sf.jsqlparser."
+  ]
+};
 function matchesSinkPattern(call, pattern, typeHierarchy, language) {
   if (pattern.languages && pattern.languages.length > 0 && language !== undefined) {
     if (!pattern.languages.includes(language)) {
@@ -11661,6 +11793,16 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
   if (!methodMatches) {
     return false;
   }
+  if (call.receiver_type_fqn) {
+    const exclusions = SINK_FQN_EXCLUSIONS[pattern.type];
+    if (exclusions) {
+      for (const prefix of exclusions) {
+        if (call.receiver_type_fqn.startsWith(prefix)) {
+          return false;
+        }
+      }
+    }
+  }
   if (pattern.class) {
     if (pattern.class === "constructor") {
       return true;
@@ -18744,7 +18886,7 @@ class CrossFileResolver {
                 fieldName = exprMatch[2];
               }
             }
-            const resolveReceiverType = (rcv) => {
+            const resolveReceiverType2 = (rcv) => {
               const param = method.parameters.find((p) => p.name === rcv);
               if (param?.type)
                 return param.type;
@@ -18755,13 +18897,13 @@ class CrossFileResolver {
             };
             let receiverType = null;
             if (receiver && fieldName) {
-              receiverType = resolveReceiverType(receiver);
+              receiverType = resolveReceiverType2(receiver);
             }
             if (!receiverType) {
               for (const rcvUse of usesAtLine) {
                 if (!rcvUse.variable || rcvUse.variable === def.variable)
                   continue;
-                const rt = resolveReceiverType(rcvUse.variable);
+                const rt = resolveReceiverType2(rcvUse.variable);
                 if (!rt)
                   continue;
                 const fieldUse = usesAtLine.find((u) => u !== rcvUse && !!u.variable && u.variable !== def.variable && u.variable !== rcvUse.variable && this.typeHasField(rt, u.variable));
@@ -27652,7 +27794,7 @@ var colors = {
 };
 // src/version.ts
-var version = "3.42.0";
+var version = "3.44.0";
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.42.0",
+  "version": "3.44.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.42.0"
+    "circle-ir": "^3.44.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",