cognium-dev 3.52.0 → 3.53.0

package/dist/cli.js

@@ -10043,6 +10043,10 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
   { method: "url", class: "Request", type: "http_path", severity: "high", return_tainted: true },
@@ -10380,7 +10384,6 @@ var DEFAULT_SINKS = [
   { method: "externalStaticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "UrlResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11716,10 +11719,9 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {} else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {} else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -11969,13 +11971,12 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {} else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {} else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }
@@ -27422,6 +27423,61 @@ function literalAlgo2(call, position) {
   const cleaned = stripQuotes5(raw);
   return cleaned || null;
 }
+function detectStaticIvJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^new\s+byte\s*\[[^\]]*\]\s*$/.test(expr)) {
+    return `zero-filled ${expr}`;
+  }
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) {
+    return `literal byte[] initializer`;
+  }
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) {
+    return `literal string .getBytes()`;
+  }
+  if (/^"[^"]*"$/.test(expr)) {
+    return `literal string`;
+  }
+  return null;
+}
+function isJavaCtor(call, className) {
+  if (call.is_constructor === true)
+    return true;
+  if (call.receiver)
+    return false;
+  if (call.receiver_type === className)
+    return true;
+  if ((call.receiver_type_fqn ?? "").endsWith("." + className))
+    return true;
+  return false;
+}
+function detectHardcodedKeyJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr))
+    return `literal string .getBytes()`;
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr))
+    return `literal byte[] initializer`;
+  if (/^"[^"]*"$/.test(expr))
+    return `literal string`;
+  return null;
+}
+var ISSUE_CWE = {
+  "weak-cipher": "CWE-327",
+  "ecb-mode": "CWE-327",
+  "deprecated-api": "CWE-327",
+  "static-iv": "CWE-329",
+  "hardcoded-key": "CWE-321",
+  "weak-rsa-key": "CWE-326"
+};
 
 class WeakCryptoPass {
   name = "weak-crypto";
@@ -27441,13 +27497,13 @@ class WeakCryptoPass {
           pass: this.name,
           category: this.category,
           rule_id: this.name,
-          cwe: "CWE-327",
+          cwe: ISSUE_CWE[det.issue],
           severity: "high",
           level: "error",
           message,
           file,
           line,
-          fix: "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, " + "3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption " + "use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.",
+          fix: this.buildFix(det.issue),
           evidence: { ...det, language }
         });
       }
@@ -27462,10 +27518,28 @@ class WeakCryptoPass {
         return `ECB block-cipher mode used via \`${det.api}\` (\`${det.detail}\`). ` + "ECB leaks plaintext structure (identical blocks → identical ciphertext) " + "and is not semantically secure.";
       case "deprecated-api":
         return `Deprecated crypto API \`${det.api}\` used (no IV: \`${det.detail}\`). ` + "This API derives the key/IV from a password in an insecure way.";
+      case "static-iv":
+        return `Static or zero-valued IV passed to \`${det.api}\` (\`${det.detail}\`). ` + "Reusing a fixed IV with CBC/CTR/GCM breaks confidentiality and, for " + "GCM, can leak the authentication key.";
+      case "hardcoded-key":
+        return `Hardcoded symmetric key material passed to \`${det.api}\` (\`${det.detail}\`). ` + "Keys embedded in source code are trivially recoverable from binaries " + "and shared across deployments — they provide no confidentiality.";
+      case "weak-rsa-key":
+        return `Weak RSA key size \`${det.detail}\` requested via \`${det.api}\`. ` + "RSA keys below 2048 bits are factorable and not compliant with " + "NIST SP 800-57 / FIPS 186-5.";
       default:
         return `Weak cryptography: ${det.detail} (${det.api})`;
     }
   }
+  buildFix(issue) {
+    switch (issue) {
+      case "static-iv":
+        return "Generate a fresh random IV per message using SecureRandom: " + "`byte[] iv = new byte[12]; SecureRandom.getInstanceStrong().nextBytes(iv); " + "new IvParameterSpec(iv);` and prepend it to the ciphertext.";
+      case "hardcoded-key":
+        return "Load the key from a secure key management system (HSM, KMS, " + "Vault) or platform keystore. Never embed key material in source code.";
+      case "weak-rsa-key":
+        return "Initialize KeyPairGenerator with at least 2048 bits (preferably " + "3072 or 4096) for RSA, or switch to EC keys (P-256+).";
+      default:
+        return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, " + "3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption " + "use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.";
+    }
+  }
   detect(call, language) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
@@ -27483,6 +27557,33 @@ class WeakCryptoPass {
             out2.push({ issue: "ecb-mode", detail: spec, api });
         }
       }
+      if (method === "IvParameterSpec" && isJavaCtor(call, "IvParameterSpec")) {
+        const ivDetail = detectStaticIvJava(call);
+        if (ivDetail) {
+          out2.push({ issue: "static-iv", detail: ivDetail, api: "new IvParameterSpec" });
+        }
+      }
+      if (method === "SecretKeySpec" && isJavaCtor(call, "SecretKeySpec")) {
+        const keyDetail = detectHardcodedKeyJava(call);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: "new SecretKeySpec" });
+        }
+      }
+      if (method === "initialize") {
+        const isKpg = call.receiver_type === "KeyPairGenerator" || (call.receiver_type_fqn ?? "").endsWith(".KeyPairGenerator");
+        if (isKpg) {
+          const sizeArg = call.arguments.find((a) => a.position === 0);
+          const expr = (sizeArg?.literal ?? sizeArg?.expression ?? "").trim();
+          const n = parseInt(expr, 10);
+          if (Number.isFinite(n) && n > 0 && n < 2048) {
+            out2.push({
+              issue: "weak-rsa-key",
+              detail: String(n),
+              api: "KeyPairGenerator.initialize"
+            });
+          }
+        }
+      }
       return out2;
     }
     if (language === "python") {
@@ -29226,7 +29327,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.52.0";
+var version = "3.53.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.52.0",
+  "version": "3.53.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.52.0"
+    "circle-ir": "^3.53.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",