cognium-dev 3.48.0 → 3.50.0

package/dist/cli.js

@@ -4035,15 +4035,54 @@ function extractJSClassInfo(node) {
     end_line: node.endPosition.row + 1
   };
 }
+function extractDecoratorName(node) {
+  const child = node.namedChildCount > 0 ? node.namedChild(0) : null;
+  if (!child)
+    return null;
+  if (child.type === "identifier")
+    return getNodeText(child);
+  if (child.type === "call_expression") {
+    const fn = child.childForFieldName("function");
+    if (fn) {
+      if (fn.type === "identifier")
+        return getNodeText(fn);
+      if (fn.type === "member_expression") {
+        const propNode = fn.childForFieldName("property");
+        if (propNode)
+          return getNodeText(propNode);
+      }
+    }
+  }
+  if (child.type === "member_expression") {
+    const propNode = child.childForFieldName("property");
+    if (propNode)
+      return getNodeText(propNode);
+  }
+  return null;
+}
 function extractJSMethods(body2) {
   const methods = [];
+  let pendingDecorators = [];
   for (let i2 = 0;i2 < body2.childCount; i2++) {
     const child = body2.child(i2);
     if (!child)
       continue;
+    if (child.type === "decorator") {
+      const name2 = extractDecoratorName(child);
+      if (name2)
+        pendingDecorators.push(name2);
+      continue;
+    }
+    if (child.type === "comment")
+      continue;
     if (child.type === "method_definition") {
-      methods.push(extractJSMethodInfo(child));
+      const m = extractJSMethodInfo(child);
+      if (pendingDecorators.length > 0) {
+        m.annotations = pendingDecorators;
+      }
+      methods.push(m);
     }
+    pendingDecorators = [];
   }
   return methods;
 }
@@ -4214,10 +4253,19 @@ function extractJSParameters(params) {
       if (typeNode) {
         paramType = getNodeText(typeNode).replace(/^:\s*/, "");
       }
+      const decorators = [];
+      for (let j = 0;j < child.childCount; j++) {
+        const c = child.child(j);
+        if (c && c.type === "decorator") {
+          const name2 = extractDecoratorName(c);
+          if (name2)
+            decorators.push(name2);
+        }
+      }
       parameters.push({
         name: paramName,
         type: paramType,
-        annotations: [],
+        annotations: decorators,
         line: child.startPosition.row + 1
       });
     }
@@ -10798,6 +10846,18 @@ var DEFAULT_SINKS = [
   { method: "getExecutionPreamble", class: "Shell", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [] },
   { method: "setQuotedArgumentsEnabled", class: "Shell", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   { method: "onNewInstance", class: "SandboxInterceptor", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
+  { method: "info", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "warn", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "error", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "debug", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "trace", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["java"] },
+  { method: "severe", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "warning", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "config", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "fine", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finer", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "finest", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0], languages: ["java"] },
+  { method: "log", class: "Logger", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [1, 2, 3], languages: ["java"] },
   { method: "exec", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "execSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawn", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10838,6 +10898,29 @@ var DEFAULT_SINKS = [
   { method: "updateMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteOne", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
   { method: "deleteMany", class: "Collection", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0] },
+  { method: "find", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findById", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "countDocuments", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", class: "Model", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "where", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "equals", class: "Query", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndUpdate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "findOneAndDelete", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "findOneAndReplace", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "updateMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0, 1], languages: ["javascript", "typescript"] },
+  { method: "deleteOne", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "deleteMany", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "aggregate", type: "nosql_injection", cwe: "CWE-943", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "get", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -10854,6 +10937,13 @@ var DEFAULT_SINKS = [
   { method: "get", class: "superagent", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "superagent", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "default", class: "node-fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "log", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "warn", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "error", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "info", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "debug", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "trace", class: "console", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2, 3], languages: ["javascript", "typescript"] },
+  { method: "redirect", type: "open_redirect", cwe: "CWE-601", severity: "medium", arg_positions: [0], languages: ["javascript", "typescript"] },
   { method: "system", class: "os", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "popen", class: "os", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "run", class: "subprocess", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
@@ -10880,7 +10970,7 @@ var DEFAULT_SINKS = [
   { method: "rmdir", class: "os", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "rmtree", class: "shutil", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "send_file", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0], languages: ["python"] },
-  { method: "render_template_string", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "render_template_string", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
   { method: "Markup", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "mark_safe", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0], languages: ["python"] },
   { method: "get", class: "requests", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -11142,6 +11232,10 @@ var DEFAULT_SANITIZERS = [
   { method: "secure_filename", class: "werkzeug.utils", removes: ["path_traversal"] },
   { method: "basename", class: "os.path", removes: ["path_traversal"] },
   { method: "normpath", class: "os.path", removes: ["path_traversal"] },
+  { method: "realpath", class: "os.path", removes: ["path_traversal"] },
+  { method: "abspath", class: "os.path", removes: ["path_traversal"] },
+  { method: "realpath", class: "path", removes: ["path_traversal"] },
+  { method: "abspath", class: "path", removes: ["path_traversal"] },
   { method: "int", removes: ["sql_injection", "command_injection", "xss"] },
   { method: "float", removes: ["sql_injection", "command_injection"] },
   { method: "query!", removes: ["sql_injection"] },
@@ -11270,7 +11364,7 @@ var PYTHON_TAINTED_PATTERNS = [
 function analyzeTaint(calls, types, config = getDefaultConfig(), typeHierarchy, language, code) {
   const sourceLines = code !== undefined ? code.split(`
 `) : undefined;
-  const sources = findSources(calls, types, config.sources, sourceLines);
+  const sources = findSources(calls, types, config.sources, sourceLines, language);
   const sinks = findSinks(calls, config.sinks, typeHierarchy, language, sourceLines);
   const sanitizers = findSanitizers(calls, types, config.sanitizers);
   return { sources, sinks, sanitizers };
@@ -11289,7 +11383,7 @@ function attachSourceLineCode(sources, sinks, code) {
     }
   }
 }
-function findSources(calls, types, patterns, sourceLines) {
+function findSources(calls, types, patterns, sourceLines, language) {
   const sources = [];
   for (const call of calls) {
     for (const pattern of patterns) {
@@ -11344,23 +11438,31 @@ function findSources(calls, types, patterns, sourceLines) {
       }
     }
   }
-  const RUST_EXTRACTOR_TYPES = /^(?:Json|Form|Query|Path|Extension|Multipart)(?:<|$)|^(?:Body|Bytes)$/;
+  const RUST_EXTRACTOR_KIND = /(?:^|::)(Json|Form|Query|Path|Extension|Multipart|Body|Bytes)(?:<|$)/;
   for (const type of types) {
     for (const method of type.methods) {
       for (const param of method.parameters) {
-        if (param.type && RUST_EXTRACTOR_TYPES.test(param.type)) {
-          const paramLine = param.line ?? method.start_line;
-          const alreadyExists = sources.some((s) => s.line === paramLine && s.type === "http_body");
-          if (!alreadyExists) {
-            sources.push({
-              type: "http_body",
-              location: `${param.type} ${param.name} in ${method.name}`,
-              severity: "high",
-              line: paramLine,
-              confidence: 1
-            });
-          }
-        }
+        if (!param.type)
+          continue;
+        const kindMatch = RUST_EXTRACTOR_KIND.exec(param.type);
+        if (!kindMatch)
+          continue;
+        const kind = kindMatch[1];
+        if (kind === "Extension")
+          continue;
+        const sourceType = kind === "Form" || kind === "Query" || kind === "Path" ? "http_param" : "http_body";
+        const paramLine = param.line ?? method.start_line;
+        const alreadyExists = sources.some((s) => s.line === paramLine && s.variable === param.name);
+        if (alreadyExists)
+          continue;
+        sources.push({
+          type: sourceType,
+          location: `${param.type} ${param.name} in ${method.name}`,
+          severity: "high",
+          line: paramLine,
+          confidence: 1,
+          variable: param.name
+        });
       }
     }
   }
@@ -11442,6 +11544,17 @@ function findSources(calls, types, patterns, sourceLines) {
       s.code = sourceLines[s.line - 1]?.trim();
     }
   }
+  if (language === "rust" && sourceLines) {
+    const LET_BINDING = /^\s*let\s+(?:mut\s+)?([A-Za-z_]\w*)\s*(?::\s*[^=]+)?=/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0)
+        continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = LET_BINDING.exec(lineText);
+      if (m)
+        s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -11538,6 +11651,26 @@ function isParameterizedQueryCall(call, pattern) {
   }
   return false;
 }
+function isSafePythonSubprocessCall(call, pattern, language) {
+  if (language !== "python")
+    return false;
+  if (pattern.type !== "command_injection")
+    return false;
+  if (pattern.class !== "subprocess")
+    return false;
+  const arg0 = call.arguments.find((a) => a.position === 0);
+  if (!arg0)
+    return false;
+  const expr0 = (arg0.literal ?? arg0.expression ?? "").trim();
+  if (!expr0.startsWith("["))
+    return false;
+  for (const a of call.arguments) {
+    const e = (a.expression ?? "").trim();
+    if (/^shell\s*=\s*True\b/.test(e))
+      return false;
+  }
+  return true;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -11556,6 +11689,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isParameterizedQueryCall(call, pattern)) {
           continue;
         }
+        if (isSafePythonSubprocessCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== undefined && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -11950,7 +12086,8 @@ function receiverMightBeClass(receiver, className) {
     "controller",
     "task",
     "thread",
-    "job"
+    "job",
+    "cur"
   ]);
   const isAmbiguous = ambiguousIdentifiers.has(lowerReceiver);
   if (!isAmbiguous && lowerReceiver.length >= 3 && lowerClass.includes(lowerReceiver)) {
@@ -11960,7 +12097,9 @@ function receiverMightBeClass(receiver, className) {
   }
   if (!isAmbiguous && lowerReceiver.length >= 2) {
     if (lowerClass.startsWith(lowerReceiver) || lowerClass.endsWith(lowerReceiver)) {
-      return true;
+      if (lowerReceiver.length / lowerClass.length >= 0.4) {
+        return true;
+      }
     }
   }
   if (!isAmbiguous && lowerReceiver.length >= 3) {
@@ -11981,6 +12120,8 @@ function receiverMightBeClass(receiver, className) {
     ps: ["PreparedStatement"],
     rs: ["ResultSet"],
     template: ["JdbcTemplate"],
+    cur: ["Cursor"],
+    cursor: ["Cursor"],
     writer: ["PrintWriter"],
     out: ["PrintWriter", "OutputStream"],
     reader: ["BufferedReader"],
@@ -14468,7 +14609,7 @@ function isFalsePositive(result, sinkLine, taintedVar) {
   if (varValue && varValue.type !== "unknown" && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: `variable_is_constant: ${varValue.value}` };
   }
-  if (result.symbols.size > 0 && !result.tainted.has(taintedVar)) {
+  if (result.symbols.has(taintedVar) && !result.tainted.has(taintedVar)) {
     return { isFalsePositive: true, reason: "variable_not_tainted" };
   }
   return { isFalsePositive: false, reason: null };
@@ -20540,6 +20681,40 @@ function buildJavaScriptTaintedVars(sourceCode, language) {
   }
   return tainted;
 }
+function buildRustTaintedVars(sourceCode, seedVars) {
+  const derived = new Map;
+  const knownTainted = new Set(seedVars);
+  const lines = sourceCode.split(`
+`);
+  let changed = true;
+  while (changed) {
+    changed = false;
+    for (let i2 = 0;i2 < lines.length; i2++) {
+      const line = lines[i2];
+      const trimmed = line.trimStart();
+      if (trimmed.startsWith("//"))
+        continue;
+      const letMatch = line.match(/^\s*let\s+(?:mut\s+)?([A-Za-z_]\w*)\s*(?::\s*[^=]+)?=\s*(.+?)(?:;|$)/);
+      const assignMatch = !letMatch ? line.match(/^\s*([A-Za-z_]\w*)\s*=\s*(.+?)(?:;|$)/) : null;
+      const m = letMatch ?? assignMatch;
+      if (!m)
+        continue;
+      const lhs = m[1];
+      const rhs = m[2];
+      if (lhs === "if" || lhs === "while" || lhs === "for" || lhs === "match" || lhs === "return")
+        continue;
+      if (knownTainted.has(lhs))
+        continue;
+      const ref = [...knownTainted].some((v) => new RegExp(`\\b${v}\\b`).test(rhs));
+      if (ref) {
+        derived.set(lhs, i2 + 1);
+        knownTainted.add(lhs);
+        changed = true;
+      }
+    }
+  }
+  return derived;
+}
 var BASH_POSITIONAL_PARAMS = new Set(["1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "*"]);
 var BASH_UNTRUSTED_ENV_PATTERNS = [
   /^USER_INPUT$/i,
@@ -20962,7 +21137,23 @@ function evaluateSimpleExpression(expr, symbols) {
 }
 function isStringLiteralExpression(expr) {
   const trimmed = expr.trim();
-  return trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'");
+  if (trimmed.length < 2)
+    return false;
+  const quote = trimmed[0];
+  if (quote !== '"' && quote !== "'")
+    return false;
+  let i2 = 1;
+  while (i2 < trimmed.length) {
+    const c = trimmed[i2];
+    if (c === "\\") {
+      i2 += 2;
+      continue;
+    }
+    if (c === quote)
+      return i2 === trimmed.length - 1;
+    i2++;
+  }
+  return false;
 }
 function filterCleanArraySinks(sinks, calls, taintedArrayElements, symbols) {
   const callsByLine = new Map;
@@ -21320,6 +21511,28 @@ function buildTaintFlow(source, sink, taintInfo) {
   };
 }
 
+// ../circle-ir/dist/analysis/findings.js
+function canSourceReachSink(sourceType, sinkType) {
+  const sourceToSinkMapping = {
+    http_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "mybatis_mapper_call", "code_injection"],
+    http_body: ["sql_injection", "command_injection", "deserialization", "xxe", "xss", "code_injection", "mybatis_mapper_call"],
+    http_header: ["sql_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
+    http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection"],
+    http_path: ["path_traversal", "sql_injection", "ssrf", "mybatis_mapper_call"],
+    http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection"],
+    io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss"],
+    env_input: ["command_injection", "path_traversal"],
+    db_input: ["xss", "sql_injection"],
+    file_input: ["deserialization", "xxe", "path_traversal", "command_injection", "code_injection"],
+    network_input: ["sql_injection", "command_injection", "xss", "ssrf"],
+    config_param: ["sql_injection", "command_injection", "path_traversal", "xss", "ssrf"],
+    interprocedural_param: ["sql_injection", "command_injection", "path_traversal", "xss", "xpath_injection", "ldap_injection", "ssrf", "code_injection", "mybatis_mapper_call"],
+    plugin_param: ["sql_injection", "command_injection", "path_traversal", "xss", "code_injection"]
+  };
+  const validSinks = sourceToSinkMapping[sourceType];
+  return validSinks ? validSinks.includes(sinkType) : false;
+}
+
 // ../circle-ir/dist/analysis/passes/taint-propagation-pass.js
 class TaintPropagationPass {
   name = "taint-propagation";
@@ -21330,7 +21543,11 @@ class TaintPropagationPass {
     const constProp = ctx.getResult("constant-propagation");
     const sinkFilter = ctx.getResult("sink-filter");
     const { sources, sinks, sanitizers } = sinkFilter;
-    if (sources.length === 0 || sinks.length === 0) {
+    if (sinks.length === 0) {
+      return { flows: [] };
+    }
+    const canSynthesize = ctx.language === "python" && typeof ctx.code === "string";
+    if (sources.length === 0 && !canSynthesize) {
       return { flows: [] };
     }
     const propagationResult = propagateTaint2(graph, sources, sinks, sanitizers);
@@ -21393,7 +21610,7 @@ class TaintPropagationPass {
         flows.push(f);
       }
     }
-    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
+    const exprScanFlows = detectExpressionScanFlows(calls, sources, sinks, sanitizers, constProp.unreachableLines, ctx.code, ctx.language) ?? [];
     for (const f of exprScanFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line && x.sink_type === f.sink_type))
         continue;
@@ -21611,13 +21828,82 @@ function detectParameterSinkFlows(types, calls, sources, sinks, unreachableLines
   }
   return flows;
 }
-function detectExpressionScanFlows(calls, sources, sinks, unreachableLines, code, language) {
+function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachableLines, code, language) {
   const flows = [];
   const sourcesWithVar = sources.filter((s) => typeof s.variable === "string" && s.variable.length > 0);
-  if (sourcesWithVar.length === 0)
-    return flows;
+  const aliasSanitizedFor = new Map;
   if (language === "python" && typeof code === "string") {
     const derived = buildPythonTaintedVars(code);
+    if (derived.size > 0) {
+      const existingVars = new Set(sourcesWithVar.map((s) => s.variable));
+      const hasRealSource = sourcesWithVar.length > 0;
+      let anchor = sourcesWithVar[0];
+      if (anchor) {
+        for (const s of sourcesWithVar) {
+          if (s.line < anchor.line)
+            anchor = s;
+        }
+      }
+      for (const [varName, originLine] of derived) {
+        if (!varName || existingVars.has(varName))
+          continue;
+        if (hasRealSource && anchor) {
+          sourcesWithVar.push({
+            ...anchor,
+            variable: varName
+          });
+        } else {
+          sourcesWithVar.push({
+            type: "http_param",
+            location: `<derived> ${varName}`,
+            severity: "high",
+            line: originLine,
+            confidence: 0.9,
+            variable: varName
+          });
+        }
+        existingVars.add(varName);
+      }
+      if (sanitizers && sanitizers.length > 0) {
+        const sanitizersByLine = new Map;
+        for (const s of sanitizers) {
+          const arr = sanitizersByLine.get(s.line) ?? [];
+          arr.push(s);
+          sanitizersByLine.set(s.line, arr);
+        }
+        const codeLines = code.split(`
+`);
+        for (const [varName, originLine] of derived) {
+          const lineSans = sanitizersByLine.get(originLine);
+          if (!lineSans || lineSans.length === 0)
+            continue;
+          const lineText = codeLines[originLine - 1] ?? "";
+          const rhsMatch = lineText.match(/^\s*\w+\s*=\s*(.+)$/);
+          if (!rhsMatch)
+            continue;
+          const rhs = rhsMatch[1];
+          for (const san of lineSans) {
+            const sanMatch = san.method.match(/^(?:(\w+)\.)?(\w+)\(\)$/);
+            if (!sanMatch)
+              continue;
+            const sanName = sanMatch[1] ? `${sanMatch[1]}.${sanMatch[2]}` : sanMatch[2];
+            if (!rhs.includes(`${sanName}(`))
+              continue;
+            let set = aliasSanitizedFor.get(varName);
+            if (!set) {
+              set = new Set;
+              aliasSanitizedFor.set(varName, set);
+            }
+            for (const t of san.sanitizes)
+              set.add(t);
+          }
+        }
+      }
+    }
+  }
+  if (language === "rust" && typeof code === "string" && sourcesWithVar.length > 0) {
+    const seedVars = new Set(sourcesWithVar.map((s) => s.variable));
+    const derived = buildRustTaintedVars(code, seedVars);
     if (derived.size > 0) {
       let anchor = sourcesWithVar[0];
       for (const s of sourcesWithVar) {
@@ -21669,6 +21955,9 @@ function detectExpressionScanFlows(calls, sources, sinks, unreachableLines, code
             continue;
           if (flows.some((f) => f.source_line === source.line && f.sink_line === sink.line && f.sink_type === sink.type))
             continue;
+          if (aliasSanitizedFor.get(source.variable)?.has(sink.type)) {
+            break;
+          }
           flows.push({
             source_line: source.line,
             sink_line: sink.line,
@@ -21686,6 +21975,39 @@ function detectExpressionScanFlows(calls, sources, sinks, unreachableLines, code
       }
     }
   }
+  const sourcesByLine = new Map;
+  for (const s of sources) {
+    if (s.variable && s.variable.length > 0)
+      continue;
+    const arr = sourcesByLine.get(s.line) ?? [];
+    arr.push(s);
+    sourcesByLine.set(s.line, arr);
+  }
+  for (const sink of sinks) {
+    if (unreachableLines.has(sink.line))
+      continue;
+    const colocSources = sourcesByLine.get(sink.line);
+    if (!colocSources || colocSources.length === 0)
+      continue;
+    for (const source of colocSources) {
+      if (!canSourceReachSink(source.type, sink.type))
+        continue;
+      if (flows.some((f) => f.source_line === source.line && f.sink_line === sink.line && f.sink_type === sink.type))
+        continue;
+      flows.push({
+        source_line: source.line,
+        sink_line: sink.line,
+        source_type: source.type,
+        sink_type: sink.type,
+        path: [
+          { variable: "<inline>", line: source.line, type: "source" },
+          { variable: "<inline>", line: sink.line, type: "sink" }
+        ],
+        confidence: source.confidence * sink.confidence * 0.85,
+        sanitized: false
+      });
+    }
+  }
   return flows;
 }
 
@@ -22122,7 +22444,7 @@ class InterproceduralPass {
     const taintProp = ctx.getResult("taint-propagation");
     const { sources, sinks, sanitizers } = sinkFilter;
     if (sources.length === 0) {
-      return { additionalSinks: [], additionalFlows: [] };
+      return { additionalSinks: [], additionalFlows: [...taintProp.flows] };
     }
     const additionalSinks = [];
     const additionalFlows = [...taintProp.flows];
@@ -22242,6 +22564,9 @@ class InterproceduralPass {
         }
       }
     }
+    if (additionalSinks.length > 0) {
+      attachSourceLineCode([], additionalSinks, ctx.code);
+    }
     return { additionalSinks, additionalFlows, interprocedural };
   }
 }
@@ -26781,6 +27106,77 @@ function isPotentialPojo(type) {
   return first >= 65 && first <= 90;
 }
 
+// ../circle-ir/dist/analysis/passes/insecure-cookie-pass.js
+var COOKIE_RESPONSE_RECEIVERS = new Set([
+  "res",
+  "response",
+  "reply"
+]);
+var SECURE_TRUE_RE = /\bsecure\s*:\s*true\b/;
+var HTTPONLY_TRUE_RE = /\bhttpOnly\s*:\s*true\b/i;
+
+class InsecureCookiePass {
+  name = "insecure-cookie";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "javascript" && language !== "typescript") {
+      return { insecureCookies: [] };
+    }
+    const file = graph.ir.meta.file;
+    const insecureCookies = [];
+    for (const call of graph.ir.calls) {
+      if (call.method_name !== "cookie")
+        continue;
+      const receiver = call.receiver ?? "";
+      if (!COOKIE_RESPONSE_RECEIVERS.has(receiver))
+        continue;
+      if (call.arguments.length < 2)
+        continue;
+      const opts = call.arguments.find((a) => a.position === 2);
+      const optsExpr = (opts?.expression ?? "").trim();
+      const optionsPresent = optsExpr.length > 0;
+      const missingSecure = !SECURE_TRUE_RE.test(optsExpr);
+      const missingHttpOnly = !HTTPONLY_TRUE_RE.test(optsExpr);
+      if (!missingSecure && !missingHttpOnly)
+        continue;
+      const line = call.location.line;
+      insecureCookies.push({
+        line,
+        receiver,
+        missingSecure,
+        missingHttpOnly,
+        optionsPresent
+      });
+      const missing = [];
+      if (missingSecure)
+        missing.push("`secure: true`");
+      if (missingHttpOnly)
+        missing.push("`httpOnly: true`");
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-614",
+        severity: "medium",
+        level: "warning",
+        message: `Cookie set without ${missing.join(" and ")} — vulnerable to ` + `cleartext transmission (CWE-614) and client-side JS access ` + `(CWE-1004).`,
+        file,
+        line,
+        fix: 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the ' + "third argument to `res.cookie()`.",
+        evidence: {
+          receiver,
+          options_present: optionsPresent,
+          missing_secure: missingSecure,
+          missing_http_only: missingHttpOnly
+        }
+      });
+    }
+    return { insecureCookies };
+  }
+}
+
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -27891,6 +28287,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
     if (!disabledPasses.has("spring4shell"))
       pipeline.add(new Spring4ShellPass);
+    if (!disabledPasses.has("insecure-cookie"))
+      pipeline.add(new InsecureCookiePass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -28084,7 +28482,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.48.0";
+var version = "3.50.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.48.0",
+  "version": "3.50.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.48.0"
+    "circle-ir": "^3.50.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",