cognium-dev 3.52.0 → 3.54.0

package/dist/cli.js

@@ -10043,6 +10043,10 @@ var DEFAULT_SOURCES = [
   { method: "getFileName", class: "BodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getFileName", class: "MimeBodyPart", type: "file_input", severity: "high", return_tainted: true },
   { method: "getDisposition", class: "Part", type: "file_input", severity: "medium", return_tainted: true },
+  { method: "getName", class: "ZipEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ZipArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "TarArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
+  { method: "getName", class: "ArchiveEntry", type: "file_input", severity: "high", return_tainted: true },
   { method: "getArgs", type: "io_input", severity: "high", return_tainted: true },
   { method: "getOptionValue", class: "CommandLine", type: "io_input", severity: "high", return_tainted: true },
   { method: "url", class: "Request", type: "http_path", severity: "high", return_tainted: true },
@@ -10380,7 +10384,6 @@ var DEFAULT_SINKS = [
   { method: "externalStaticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "staticFileLocation", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getEntry", class: "ZipFile", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "getName", class: "ZipEntry", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [] },
   { method: "ClassPathResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "FileSystemResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "UrlResource", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -11131,7 +11134,36 @@ var DEFAULT_SINKS = [
   { method: "from_str", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_reader", class: "serde_yaml", type: "deserialization", cwe: "CWE-502", severity: "high", arg_positions: [0] },
   { method: "from_str", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
-  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] }
+  { method: "from_slice", class: "serde_json", type: "deserialization", cwe: "CWE-502", severity: "medium", arg_positions: [0] },
+  { method: "match", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "search", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fullmatch", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "compile", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "findall", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "finditer", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "sub", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "subn", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "split", class: "re", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "compile", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "Pattern", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "matches", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceAll", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "replaceFirst", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "split", class: "String", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "RegExp", class: "constructor", type: "redos", cwe: "CWE-1333", severity: "high", arg_positions: [0], languages: ["javascript", "typescript"] },
+  { method: "Compile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MustCompile", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Match", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "MatchString", class: "regexp", type: "redos", cwe: "CWE-1333", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "format", class: "String", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "format", class: "Formatter", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "printf", class: "System.out", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["java"] },
+  { method: "printf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [0], languages: ["python"] },
+  { method: "fprintf", type: "format_string", cwe: "CWE-134", severity: "high", arg_positions: [1], languages: ["python"] },
+  { method: "Sprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Printf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Errorf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [0], languages: ["go"] },
+  { method: "Fprintf", class: "fmt", type: "format_string", cwe: "CWE-134", severity: "medium", arg_positions: [1], languages: ["go"] }
 ];
 var DEFAULT_SANITIZERS = [
   { method: "setString", class: "PreparedStatement", removes: ["sql_injection"] },
@@ -11716,10 +11748,9 @@ function matchesSourcePattern(call, pattern) {
       return false;
     }
     if (pattern.class && pattern.class !== "constructor") {
-      if (!call.receiver) {
+      if (call.receiver_type && call.receiver_type === pattern.class) {} else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {} else if (!call.receiver) {
         return false;
-      }
-      if (!receiverMightBeClass(call.receiver, pattern.class)) {
+      } else if (!receiverMightBeClass(call.receiver, pattern.class)) {
         return false;
       }
     }
@@ -11969,13 +12000,12 @@ function matchesSinkPattern(call, pattern, typeHierarchy, language) {
     if (pattern.class === "constructor") {
       return true;
     }
-    if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
+    if (call.receiver_type && call.receiver_type === pattern.class) {} else if (call.receiver_type_fqn && call.receiver_type_fqn.endsWith("." + pattern.class)) {} else if (call.receiver && !receiverMightBeClass(call.receiver, pattern.class)) {
       if (typeHierarchy && typeHierarchy.couldBeType(call.receiver, pattern.class)) {
         return true;
       }
       return false;
-    }
-    if (!call.receiver) {
+    } else if (!call.receiver && !call.receiver_type) {
       return false;
     }
   }
@@ -21471,7 +21501,9 @@ var KNOWN_SINK_TYPES = new Set([
   "xxe",
   "deserialization",
   "code_injection",
-  "mybatis_mapper_call"
+  "mybatis_mapper_call",
+  "redos",
+  "format_string"
 ]);
 function checkSanitized(_fromLine, toLine, sinkType, sanitizersByLine) {
   const sanitizersAtTarget = sanitizersByLine.get(toLine);
@@ -27422,6 +27454,61 @@ function literalAlgo2(call, position) {
   const cleaned = stripQuotes5(raw);
   return cleaned || null;
 }
+function detectStaticIvJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^new\s+byte\s*\[[^\]]*\]\s*$/.test(expr)) {
+    return `zero-filled ${expr}`;
+  }
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr)) {
+    return `literal byte[] initializer`;
+  }
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr)) {
+    return `literal string .getBytes()`;
+  }
+  if (/^"[^"]*"$/.test(expr)) {
+    return `literal string`;
+  }
+  return null;
+}
+function isJavaCtor(call, className) {
+  if (call.is_constructor === true)
+    return true;
+  if (call.receiver)
+    return false;
+  if (call.receiver_type === className)
+    return true;
+  if ((call.receiver_type_fqn ?? "").endsWith("." + className))
+    return true;
+  return false;
+}
+function detectHardcodedKeyJava(call) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^"[^"]*"\.getBytes\s*\(/.test(expr))
+    return `literal string .getBytes()`;
+  if (/^new\s+byte\s*\[\s*\]\s*\{[^}]*\}\s*$/.test(expr))
+    return `literal byte[] initializer`;
+  if (/^"[^"]*"$/.test(expr))
+    return `literal string`;
+  return null;
+}
+var ISSUE_CWE = {
+  "weak-cipher": "CWE-327",
+  "ecb-mode": "CWE-327",
+  "deprecated-api": "CWE-327",
+  "static-iv": "CWE-329",
+  "hardcoded-key": "CWE-321",
+  "weak-rsa-key": "CWE-326"
+};
 
 class WeakCryptoPass {
   name = "weak-crypto";
@@ -27441,13 +27528,13 @@ class WeakCryptoPass {
           pass: this.name,
           category: this.category,
           rule_id: this.name,
-          cwe: "CWE-327",
+          cwe: ISSUE_CWE[det.issue],
           severity: "high",
           level: "error",
           message,
           file,
           line,
-          fix: "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, " + "3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption " + "use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.",
+          fix: this.buildFix(det.issue),
           evidence: { ...det, language }
         });
       }
@@ -27462,10 +27549,28 @@ class WeakCryptoPass {
         return `ECB block-cipher mode used via \`${det.api}\` (\`${det.detail}\`). ` + "ECB leaks plaintext structure (identical blocks → identical ciphertext) " + "and is not semantically secure.";
       case "deprecated-api":
         return `Deprecated crypto API \`${det.api}\` used (no IV: \`${det.detail}\`). ` + "This API derives the key/IV from a password in an insecure way.";
+      case "static-iv":
+        return `Static or zero-valued IV passed to \`${det.api}\` (\`${det.detail}\`). ` + "Reusing a fixed IV with CBC/CTR/GCM breaks confidentiality and, for " + "GCM, can leak the authentication key.";
+      case "hardcoded-key":
+        return `Hardcoded symmetric key material passed to \`${det.api}\` (\`${det.detail}\`). ` + "Keys embedded in source code are trivially recoverable from binaries " + "and shared across deployments — they provide no confidentiality.";
+      case "weak-rsa-key":
+        return `Weak RSA key size \`${det.detail}\` requested via \`${det.api}\`. ` + "RSA keys below 2048 bits are factorable and not compliant with " + "NIST SP 800-57 / FIPS 186-5.";
       default:
         return `Weak cryptography: ${det.detail} (${det.api})`;
     }
   }
+  buildFix(issue) {
+    switch (issue) {
+      case "static-iv":
+        return "Generate a fresh random IV per message using SecureRandom: " + "`byte[] iv = new byte[12]; SecureRandom.getInstanceStrong().nextBytes(iv); " + "new IvParameterSpec(iv);` and prepend it to the ciphertext.";
+      case "hardcoded-key":
+        return "Load the key from a secure key management system (HSM, KMS, " + "Vault) or platform keystore. Never embed key material in source code.";
+      case "weak-rsa-key":
+        return "Initialize KeyPairGenerator with at least 2048 bits (preferably " + "3072 or 4096) for RSA, or switch to EC keys (P-256+).";
+      default:
+        return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, " + "3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption " + "use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.";
+    }
+  }
   detect(call, language) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
@@ -27483,6 +27588,33 @@ class WeakCryptoPass {
             out2.push({ issue: "ecb-mode", detail: spec, api });
         }
       }
+      if (method === "IvParameterSpec" && isJavaCtor(call, "IvParameterSpec")) {
+        const ivDetail = detectStaticIvJava(call);
+        if (ivDetail) {
+          out2.push({ issue: "static-iv", detail: ivDetail, api: "new IvParameterSpec" });
+        }
+      }
+      if (method === "SecretKeySpec" && isJavaCtor(call, "SecretKeySpec")) {
+        const keyDetail = detectHardcodedKeyJava(call);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: "new SecretKeySpec" });
+        }
+      }
+      if (method === "initialize") {
+        const isKpg = call.receiver_type === "KeyPairGenerator" || (call.receiver_type_fqn ?? "").endsWith(".KeyPairGenerator");
+        if (isKpg) {
+          const sizeArg = call.arguments.find((a) => a.position === 0);
+          const expr = (sizeArg?.literal ?? sizeArg?.expression ?? "").trim();
+          const n = parseInt(expr, 10);
+          if (Number.isFinite(n) && n > 0 && n < 2048) {
+            out2.push({
+              issue: "weak-rsa-key",
+              detail: String(n),
+              api: "KeyPairGenerator.initialize"
+            });
+          }
+        }
+      }
       return out2;
     }
     if (language === "python") {
@@ -27913,6 +28045,115 @@ class TlsVerifyDisabledPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/jwt-verify-disabled-pass.js
+var PY_VERIFY_SIGNATURE_FALSE_RE = /["']verify_signature["']\s*:\s*False\b/;
+var PY_VERIFY_KW_FALSE_RE = /\bverify\s*=\s*False\b/;
+var PY_ALG_NONE_RE = /\balgorithms\s*=\s*[\[\(]\s*["']none["']/i;
+var JS_ALG_NONE_RE = /\balgorithms\s*:\s*\[\s*["']none["']/i;
+
+class JwtVerifyDisabledPass {
+  name = "jwt-verify-disabled";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detections = this.detect(call, language);
+      for (const det of detections) {
+        const line = call.location.line;
+        findings.push({ line, language, ...det });
+        ctx.addFinding({
+          id: `${this.name}-${file}-${line}-${det.pattern}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-347",
+          severity: "critical",
+          level: "error",
+          message: `JWT signature verification disabled via \`${det.pattern}\` in ` + `\`${det.api}\`. Any attacker can forge a token with arbitrary ` + "claims (user id, roles, expiry) since the signature is not " + "checked.",
+          file,
+          line,
+          fix: this.fixFor(language),
+          evidence: { ...det, language }
+        });
+      }
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name;
+    const receiver = call.receiver ?? "";
+    const out2 = [];
+    if (language === "python") {
+      if (receiver === "jwt" && method === "decode") {
+        for (const arg of call.arguments) {
+          const expr = (arg.expression ?? "").trim();
+          if (!expr)
+            continue;
+          if (PY_VERIFY_SIGNATURE_FALSE_RE.test(expr)) {
+            out2.push({ pattern: "verify_signature: False", api: "jwt.decode" });
+          }
+          if (PY_VERIFY_KW_FALSE_RE.test(expr)) {
+            out2.push({ pattern: "verify=False", api: "jwt.decode" });
+          }
+          if (PY_ALG_NONE_RE.test(expr)) {
+            out2.push({ pattern: "algorithms=['none']", api: "jwt.decode" });
+          }
+        }
+      }
+      return out2;
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (receiver === "jwt" && method === "verify") {
+        for (const arg of call.arguments) {
+          const expr = (arg.expression ?? "").trim();
+          if (!expr)
+            continue;
+          if (JS_ALG_NONE_RE.test(expr)) {
+            out2.push({ pattern: "algorithms: ['none']", api: "jwt.verify" });
+          }
+          if (/\bverify\s*:\s*false\b/i.test(expr)) {
+            out2.push({ pattern: "verify: false", api: "jwt.verify" });
+          }
+        }
+        const keyArg = call.arguments.find((a) => a.position === 1);
+        const keyExpr = (keyArg?.expression ?? keyArg?.literal ?? "").trim();
+        if (keyExpr === "null" || keyExpr === "undefined" || keyExpr === '""' || keyExpr === "''" || keyExpr === "``") {
+          out2.push({ pattern: `empty key (${keyExpr || "missing"})`, api: "jwt.verify" });
+        }
+      }
+      return out2;
+    }
+    if (language === "java") {
+      if (method === "require" && (receiver === "JWT" || receiver.endsWith(".JWT"))) {
+        const arg = call.arguments.find((a) => a.position === 0);
+        const expr = (arg?.expression ?? "").trim();
+        if (/\bAlgorithm\s*\.\s*none\s*\(/.test(expr)) {
+          out2.push({ pattern: "Algorithm.none()", api: "JWT.require" });
+        }
+      }
+      if (method === "parse" && receiver.includes("parser")) {
+        out2.push({ pattern: "parse() instead of parseClaimsJws()", api: "Jwts.parser().parse" });
+      }
+      return out2;
+    }
+    return out2;
+  }
+  fixFor(language) {
+    if (language === "python") {
+      return 'Always pass `options={"verify_signature": True}` (the default in ' + 'PyJWT 2.0+) and a concrete `algorithms=["HS256"|"RS256"]` list. ' + "Never accept `none`.";
+    }
+    if (language === "javascript" || language === "typescript") {
+      return 'Call `jwt.verify(token, secret, { algorithms: ["HS256" | "RS256"] })` ' + 'with a non-empty key. Never use `algorithms: ["none"]` or pass ' + "null/empty as the secret.";
+    }
+    if (language === "java") {
+      return "For auth0/java-jwt: use `JWT.require(Algorithm.HMAC256(secret))` or " + "an RSA algorithm. For jjwt: call `parseClaimsJws(token)` (signature " + "enforced) rather than `parse(token)` (signature ignored).";
+    }
+    return "Enforce JWT signature verification with a concrete algorithm " + "(HS256/RS256/ES256). Never accept `alg: none`.";
+  }
+}
+
 // ../circle-ir/dist/graph/import-graph.js
 function dirname(filePath) {
   const idx = filePath.lastIndexOf("/");
@@ -29033,6 +29274,8 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new WeakRandomPass);
     if (!disabledPasses.has("tls-verify-disabled"))
       pipeline.add(new TlsVerifyDisabledPass);
+    if (!disabledPasses.has("jwt-verify-disabled"))
+      pipeline.add(new JwtVerifyDisabledPass);
     const { results, findings } = pipeline.run(graph, code, language, config);
     const sinkFilter = results.get("sink-filter");
     const interProc = results.get("interprocedural");
@@ -29226,7 +29469,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.52.0";
+var version = "3.54.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.52.0",
+  "version": "3.54.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.52.0"
+    "circle-ir": "^3.54.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",