cognium-dev 3.45.0 → 3.47.0

package/dist/cli.js

@@ -3349,6 +3349,40 @@ async function parse(code, language) {
   }
   return tree;
 }
+function extractParseStatus(tree) {
+  const root = tree.rootNode;
+  if (!root.hasError) {
+    return { success: true, has_errors: false, error_count: 0, error_locations: [] };
+  }
+  const MAX_LOCATIONS = 50;
+  const locations = [];
+  let errorCount = 0;
+  const stack = [root];
+  while (stack.length > 0) {
+    const node = stack.pop();
+    if (node.type === "ERROR" || node.isMissing) {
+      errorCount++;
+      if (locations.length < MAX_LOCATIONS) {
+        locations.push({
+          line: node.startPosition.row + 1,
+          column: node.startPosition.column
+        });
+      }
+    }
+    for (let i2 = 0;i2 < node.childCount; i2++) {
+      const child = node.child(i2);
+      if (child && (child.hasError || child.isMissing)) {
+        stack.push(child);
+      }
+    }
+  }
+  return {
+    success: false,
+    has_errors: true,
+    error_count: errorCount,
+    error_locations: locations
+  };
+}
 function disposeTree(tree) {
   if (!tree)
     return;
@@ -26513,6 +26547,214 @@ class ScanSecretsPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/spring4shell-pass.js
+var CONTROLLER_ANNOTATIONS = new Set([
+  "Controller",
+  "RestController",
+  "ControllerAdvice",
+  "RestControllerAdvice"
+]);
+var ROUTE_ANNOTATIONS = new Set([
+  "RequestMapping",
+  "GetMapping",
+  "PostMapping",
+  "PutMapping",
+  "DeleteMapping",
+  "PatchMapping"
+]);
+var BINDING_ANNOTATIONS = new Set([
+  "RequestBody",
+  "RequestParam",
+  "PathVariable",
+  "RequestHeader",
+  "CookieValue",
+  "MatrixVariable",
+  "ModelAttribute",
+  "Valid",
+  "Validated",
+  "RequestPart",
+  "SessionAttribute",
+  "RequestAttribute"
+]);
+var FRAMEWORK_PARAM_TYPES = new Set([
+  "HttpServletRequest",
+  "HttpServletResponse",
+  "ServletRequest",
+  "ServletResponse",
+  "HttpSession",
+  "ServletContext",
+  "Cookie",
+  "Model",
+  "ModelMap",
+  "ModelAndView",
+  "Map",
+  "BindingResult",
+  "Errors",
+  "RedirectAttributes",
+  "SessionStatus",
+  "WebRequest",
+  "NativeWebRequest",
+  "ServletWebRequest",
+  "UriComponentsBuilder",
+  "UriBuilder",
+  "HttpEntity",
+  "RequestEntity",
+  "ResponseEntity",
+  "HttpHeaders",
+  "InputStream",
+  "OutputStream",
+  "Reader",
+  "Writer",
+  "ServerHttpRequest",
+  "ServerHttpResponse",
+  "ServerWebExchange",
+  "Principal",
+  "Authentication",
+  "Locale",
+  "TimeZone",
+  "ZoneId",
+  "MultipartFile",
+  "Part",
+  "TimeZone"
+]);
+var SIMPLE_JAVA_TYPES = new Set([
+  "boolean",
+  "byte",
+  "char",
+  "short",
+  "int",
+  "long",
+  "float",
+  "double",
+  "void",
+  "Boolean",
+  "Byte",
+  "Character",
+  "Short",
+  "Integer",
+  "Long",
+  "Float",
+  "Double",
+  "String",
+  "CharSequence",
+  "BigInteger",
+  "BigDecimal",
+  "UUID",
+  "Date",
+  "Calendar",
+  "Instant",
+  "LocalDate",
+  "LocalTime",
+  "LocalDateTime",
+  "OffsetDateTime",
+  "OffsetTime",
+  "ZonedDateTime",
+  "Duration",
+  "Period",
+  "List",
+  "Set",
+  "Collection",
+  "Iterable",
+  "Optional"
+]);
+
+class Spring4ShellPass {
+  name = "spring4shell";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "java") {
+      return { controllerMethodsScanned: 0, findingsEmitted: 0 };
+    }
+    const file = graph.ir.meta.file;
+    let scanned = 0;
+    let emitted = 0;
+    for (const type of graph.ir.types) {
+      if (!isController(type))
+        continue;
+      for (const method of type.methods) {
+        if (!isRouteHandler(method))
+          continue;
+        scanned++;
+        for (const param of method.parameters) {
+          if (!isVulnerableParameter(param))
+            continue;
+          ctx.addFinding({
+            id: `${this.name}-${file}-${method.start_line}-${param.name}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: "CWE-94",
+            severity: "high",
+            level: "error",
+            message: `Spring MVC controller method '${type.name}.${method.name}' binds parameter '${param.name}' of type '${param.type ?? "?"}' via implicit form-data binding (no @RequestBody / @RequestParam / @ModelAttribute) — vulnerable to Spring4Shell (CVE-2022-22965) class-graph RCE on Spring < 5.3.18 / 5.2.20`,
+            file,
+            line: param.line ?? method.start_line,
+            fix: "Annotate the parameter with @RequestBody (JSON) or @ModelAttribute + @InitBinder/setAllowedFields whitelisting, upgrade Spring to ≥ 5.3.18 / 5.2.20, and ensure JDK is patched.",
+            evidence: {
+              controller_class: type.name,
+              controller_annotations: type.annotations,
+              method: method.name,
+              method_annotations: method.annotations,
+              parameter_name: param.name,
+              parameter_type: param.type
+            }
+          });
+          emitted++;
+        }
+      }
+    }
+    return { controllerMethodsScanned: scanned, findingsEmitted: emitted };
+  }
+}
+function annotationHead(annotation) {
+  const parenIdx = annotation.indexOf("(");
+  return parenIdx >= 0 ? annotation.slice(0, parenIdx) : annotation;
+}
+function hasAnnotation(annotations, names) {
+  for (const a of annotations) {
+    if (names.has(annotationHead(a)))
+      return true;
+  }
+  return false;
+}
+function isController(type) {
+  return hasAnnotation(type.annotations, CONTROLLER_ANNOTATIONS);
+}
+function isRouteHandler(method) {
+  return hasAnnotation(method.annotations, ROUTE_ANNOTATIONS);
+}
+function isVulnerableParameter(param) {
+  if (hasAnnotation(param.annotations, BINDING_ANNOTATIONS))
+    return false;
+  if (!param.type)
+    return false;
+  const type = stripGenerics2(param.type).trim();
+  if (!type)
+    return false;
+  if (type.endsWith("[]")) {
+    const elem = type.slice(0, -2).trim();
+    return !SIMPLE_JAVA_TYPES.has(elem) && isPotentialPojo(elem);
+  }
+  if (SIMPLE_JAVA_TYPES.has(type))
+    return false;
+  if (FRAMEWORK_PARAM_TYPES.has(type))
+    return false;
+  if (!isPotentialPojo(type))
+    return false;
+  return true;
+}
+function stripGenerics2(type) {
+  const ltIdx = type.indexOf("<");
+  return ltIdx >= 0 ? type.slice(0, ltIdx) : type;
+}
+function isPotentialPojo(type) {
+  if (type.length === 0)
+    return false;
+  const first = type.charCodeAt(0);
+  return first >= 65 && first <= 90;
+}
+
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -27509,6 +27751,15 @@ async function analyze(code, filePath, language, options = {}) {
   const tree = await parse(code, language);
   try {
     logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
+    const parseStatus = extractParseStatus(tree);
+    if (parseStatus.has_errors) {
+      logger.warn("Partial parse — IR may be incomplete", {
+        filePath,
+        language,
+        errorCount: parseStatus.error_count,
+        firstErrorLine: parseStatus.error_locations[0]?.line
+      });
+    }
     const nodeCache = collectAllNodes(tree.rootNode, getNodeTypesForLanguage(language));
     const meta = extractMeta(code, tree, filePath, language);
     const types = extractTypes(tree, nodeCache, language);
@@ -27612,6 +27863,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new NamingConventionPass(passOpts.namingConvention));
     if (!disabledPasses.has("security-headers"))
       pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
+    if (!disabledPasses.has("spring4shell"))
+      pipeline.add(new Spring4ShellPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -27645,7 +27898,8 @@ async function analyze(code, filePath, language, options = {}) {
       enriched,
       findings: findings.length > 0 ? findings : undefined,
       metrics: { file: filePath, metrics: metricValues },
-      runtime_registrations: runtimeRegistrations.length > 0 ? runtimeRegistrations : undefined
+      runtime_registrations: runtimeRegistrations.length > 0 ? runtimeRegistrations : undefined,
+      parse_status: parseStatus
     };
   } finally {
     disposeTree(tree);
@@ -27656,6 +27910,15 @@ async function analyzeHtmlFile(code, filePath, options) {
   const tree = await parse(code, "html");
   try {
     const meta = extractMeta(code, tree, filePath, "html");
+    const htmlParseStatus = extractParseStatus(tree);
+    if (htmlParseStatus.has_errors) {
+      logger.warn("Partial parse — IR may be incomplete", {
+        filePath,
+        language: "html",
+        errorCount: htmlParseStatus.error_count,
+        firstErrorLine: htmlParseStatus.error_locations[0]?.line
+      });
+    }
     const { scriptBlocks, eventHandlers } = extractHtmlContent(tree.rootNode);
     logger.debug("HTML extraction", {
       filePath,
@@ -27695,6 +27958,7 @@ async function analyzeHtmlFile(code, filePath, options) {
     }
     const attributeFindings = runHtmlAttributeSecurityChecks(tree.rootNode, filePath);
     const result = mergeHtmlResults(meta, scriptResults, attributeFindings);
+    result.parse_status = htmlParseStatus;
     logger.debug("HTML analysis complete", {
       filePath,
       scriptBlocks: scriptResults.length,
@@ -27794,7 +28058,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.45.0";
+var version = "3.47.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.45.0",
+  "version": "3.47.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.45.0"
+    "circle-ir": "^3.47.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",