npm - cognium-dev - Versions diffs - 3.55.0 → 3.57.0 - Mend

cognium-dev 3.55.0 → 3.57.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +189 -4
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -13622,6 +13622,27 @@ class ConstantPropagator {
       if (nameNode) {
         const varName = getNodeText2(nameNode, this.source);
         loopVarNames.add(varName);
+        const collectionNode = node.childForFieldName("value");
+        if (collectionNode) {
+          const collectionName = getNodeText2(collectionNode, this.source);
+          const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+          let elementIsTainted = this.tainted.has(collectionName) || this.tainted.has(scopedCollection);
+          if (!elementIsTainted) {
+            const taintedIndices = this.taintedArrayElements.get(collectionName);
+            if (taintedIndices && taintedIndices.size > 0)
+              elementIsTainted = true;
+          }
+          if (!elementIsTainted) {
+            const taintedKeys = this.taintedCollections.get(collectionName);
+            if (taintedKeys && taintedKeys.size > 0)
+              elementIsTainted = true;
+          }
+          if (elementIsTainted) {
+            const scopedVar = this.currentMethod ? `${this.currentMethod}:${varName}` : varName;
+            this.tainted.add(varName);
+            this.tainted.add(scopedVar);
+          }
+        }
       }
     }
     for (const varName of loopVarNames) {
@@ -14514,9 +14535,21 @@ class ConstantPropagator {
             this.taintedCollections.set(collectionName, new Set);
           }
           this.taintedCollections.get(collectionName).add(keyStr);
+          const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+          this.tainted.add(scopedCollection);
+          this.tainted.add(collectionName);
         }
       }
     }
+    if (methodName === "append" || methodName === "insert") {
+      const args2 = argsNode.children.filter((c) => c.type !== "(" && c.type !== ")" && c.type !== ",");
+      const valueArg = methodName === "insert" && args2.length >= 2 ? args2[1] : args2[0];
+      if (valueArg && this.isTaintedExpression(valueArg)) {
+        const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+        this.tainted.add(scopedCollection);
+        this.tainted.add(collectionName);
+      }
+    }
     if (methodName === "add" || methodName === "addLast") {
       const args2 = argsNode.children.filter((c) => c.type !== "(" && c.type !== ")" && c.type !== ",");
       if (args2.length >= 1) {
@@ -27514,6 +27547,113 @@ function detectHardcodedKeyJava(call) {
     return `literal string`;
   return null;
 }
+function detectHardcodedKeyPython(call, constProp, literalBindings) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.expression ?? arg.literal ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^[bB][rR]?["'][^"']*["']$/.test(expr) || /^[rR][bB]["'][^"']*["']$/.test(expr)) {
+    return `literal bytes ${expr.slice(0, 24)}${expr.length > 24 ? "…" : ""}`;
+  }
+  if (/^["'][^"']*["']$/.test(expr)) {
+    return `literal string ${expr.slice(0, 24)}${expr.length > 24 ? "…" : ""}`;
+  }
+  if (arg.variable && constProp) {
+    const sym = constProp.symbols.get(arg.variable);
+    if (sym && sym.type === "string" && typeof sym.value === "string") {
+      return `constant-propagated bytes from \`${arg.variable}\``;
+    }
+  }
+  if (arg.variable) {
+    const lit = literalBindings.get(arg.variable);
+    if (lit) {
+      return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? "…" : ""}`;
+    }
+  }
+  return null;
+}
+function detectHardcodedKeyGo(call, constProp, literalBindings) {
+  const arg = call.arguments.find((a) => a.position === 0);
+  if (!arg)
+    return null;
+  const expr = (arg.literal ?? arg.expression ?? "").trim();
+  if (!expr)
+    return null;
+  if (/^\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\)$/.test(expr)) {
+    return `literal []byte("…")`;
+  }
+  if (/^\[\s*\]\s*byte\s*\{[^}]*\}$/.test(expr)) {
+    return `literal []byte{…} composite`;
+  }
+  if (arg.variable && constProp) {
+    const sym = constProp.symbols.get(arg.variable);
+    if (sym && sym.type === "string" && typeof sym.value === "string") {
+      return `constant-propagated key from \`${arg.variable}\``;
+    }
+  }
+  if (arg.variable) {
+    const lit = literalBindings.get(arg.variable);
+    if (lit) {
+      return `literal-bound ${arg.variable} = ${lit.slice(0, 24)}${lit.length > 24 ? "…" : ""}`;
+    }
+  }
+  return null;
+}
+function parseWeakRsaKeySizePython(call) {
+  for (const arg of call.arguments) {
+    const expr = (arg.expression ?? "").trim();
+    const lit = (arg.literal ?? "").trim();
+    const m = expr.match(/^key_size\s*=\s*(-?\d+)\s*$/);
+    if (m && m[1]) {
+      const n = parseInt(m[1], 10);
+      if (Number.isFinite(n) && n > 0 && n < 2048)
+        return n;
+      return null;
+    }
+    if (/^key_size\s*=/.test(expr) && lit) {
+      const n = parseInt(lit, 10);
+      if (Number.isFinite(n) && n > 0 && n < 2048)
+        return n;
+    }
+  }
+  return null;
+}
+function scanLiteralBindings(code, language) {
+  const out2 = new Map;
+  if (!code)
+    return out2;
+  if (language === "python") {
+    const re = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(b[rR]?["'][^"']*["']|[rR]?b["'][^"']*["']|["'][^"']*["'])\s*(?:$|#)/gm;
+    let m;
+    while ((m = re.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    return out2;
+  }
+  if (language === "go") {
+    const reByte = /^[ \t]*(?:var\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*(?::=|=)\s*(\[\s*\]\s*byte\s*\(\s*["'`][^"'`]*["'`]\s*\))/gm;
+    let m;
+    while ((m = reByte.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    const reStr = /^[ \t]*(?:var|const)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(["'`][^"'`]*["'`])/gm;
+    while ((m = reStr.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    const reShort = /^[ \t]*([A-Za-z_][A-Za-z0-9_]*)\s*:=\s*(["'`][^"'`]*["'`])/gm;
+    while ((m = reShort.exec(code)) !== null) {
+      if (m[1] && m[2])
+        out2.set(m[1], m[2]);
+    }
+    return out2;
+  }
+  return out2;
+}
 var ISSUE_CWE = {
   "weak-cipher": "CWE-327",
   "ecb-mode": "CWE-327",
@@ -27527,11 +27667,13 @@ class WeakCryptoPass {
   name = "weak-crypto";
   category = "security";
   run(ctx) {
-    const { graph, language } = ctx;
+    const { graph, language, code } = ctx;
     const file = graph.ir.meta.file;
     const findings = [];
+    const constProp = ctx.hasResult("constant-propagation") ? ctx.getResult("constant-propagation") : null;
+    const literalBindings = scanLiteralBindings(code, language);
     for (const call of graph.ir.calls) {
-      const detections = this.detect(call, language);
+      const detections = this.detect(call, language, constProp, literalBindings);
       for (const det of detections) {
         const line = call.location.line;
         findings.push({ line, language, ...det });
@@ -27584,7 +27726,7 @@ class WeakCryptoPass {
         return "Use AES-GCM (authenticated) or ChaCha20-Poly1305. Avoid DES, " + "3DES, RC2, RC4, Blowfish, and ECB mode. For asymmetric encryption " + "use RSA-OAEP with ≥2048-bit keys or modern curve-based schemes.";
     }
   }
-  detect(call, language) {
+  detect(call, language, constProp, literalBindings) {
     const method = call.method_name;
     const receiver = call.receiver ?? "";
     const out2 = [];
@@ -27644,6 +27786,12 @@ class WeakCryptoPass {
             out2.push({ issue: "ecb-mode", detail: "AES.MODE_ECB", api: `${receiver}.new` });
           }
         }
+        if (lastSeg === "aes" || lastSeg.endsWith(".aes") || WEAK_CIPHER_BASES.has(lastSeg)) {
+          const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+          if (keyDetail) {
+            out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `${receiver}.new` });
+          }
+        }
       }
       const isHazmatAlgos = receiver === "algorithms" || receiver.endsWith(".algorithms");
       if (isHazmatAlgos) {
@@ -27652,6 +27800,25 @@ class WeakCryptoPass {
         if (WEAK_CIPHER_BASES.has(normalized)) {
           out2.push({ issue: "weak-cipher", detail: normalized, api: `algorithms.${method}` });
         }
+        if (m === "aes") {
+          const keyDetail = detectHardcodedKeyPython(call, constProp, literalBindings);
+          if (keyDetail) {
+            out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `algorithms.${method}` });
+          }
+        }
+      }
+      if (method === "ECB" && (receiver === "modes" || receiver.endsWith(".modes"))) {
+        out2.push({ issue: "ecb-mode", detail: "modes.ECB()", api: `${receiver}.ECB` });
+      }
+      if (method === "generate_private_key" && (receiver === "rsa" || receiver === "dsa" || receiver.endsWith(".rsa") || receiver.endsWith(".dsa"))) {
+        const n = parseWeakRsaKeySizePython(call);
+        if (n !== null) {
+          out2.push({
+            issue: "weak-rsa-key",
+            detail: String(n),
+            api: `${receiver}.generate_private_key`
+          });
+        }
       }
       return out2;
     }
@@ -27693,6 +27860,24 @@ class WeakCryptoPass {
       if ((method === "NewECBEncrypter" || method === "NewECBDecrypter") && receiver === "cipher") {
         out2.push({ issue: "ecb-mode", detail: method, api: `cipher.${method}` });
       }
+      if (receiver === "aes" && method === "NewCipher" || receiver === "des" && (method === "NewCipher" || method === "NewTripleDESCipher") || receiver === "rc4" && method === "NewCipher") {
+        const keyDetail = detectHardcodedKeyGo(call, constProp, literalBindings);
+        if (keyDetail) {
+          out2.push({ issue: "hardcoded-key", detail: keyDetail, api: `${receiver}.${method}` });
+        }
+      }
+      if (receiver === "rsa" && method === "GenerateKey") {
+        const bitsArg = call.arguments.find((a) => a.position === 1);
+        const expr = (bitsArg?.literal ?? bitsArg?.expression ?? "").trim();
+        const n = parseInt(expr, 10);
+        if (Number.isFinite(n) && n > 0 && n < 2048) {
+          out2.push({
+            issue: "weak-rsa-key",
+            detail: String(n),
+            api: "rsa.GenerateKey"
+          });
+        }
+      }
       return out2;
     }
     return out2;
@@ -29838,7 +30023,7 @@ var colors = {
 };
 // src/version.ts
-var version = "3.55.0";
+var version = "3.57.0";
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.55.0",
+  "version": "3.57.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.55.0"
+    "circle-ir": "^3.57.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",