cognium-dev 3.56.0 → 3.57.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/dist/cli.js +34 -1
  2. package/package.json +2 -2
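--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -13622,6 +13622,27 @@ class ConstantPropagator {
  if (nameNode) {
  const varName = getNodeText2(nameNode, this.source);
  loopVarNames.add(varName);
+ const collectionNode = node.childForFieldName("value");
+ if (collectionNode) {
+ const collectionName = getNodeText2(collectionNode, this.source);
+ const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+ let elementIsTainted = this.tainted.has(collectionName) || this.tainted.has(scopedCollection);
+ if (!elementIsTainted) {
+ const taintedIndices = this.taintedArrayElements.get(collectionName);
+ if (taintedIndices && taintedIndices.size > 0)
+ elementIsTainted = true;
+ }
+ if (!elementIsTainted) {
+ const taintedKeys = this.taintedCollections.get(collectionName);
+ if (taintedKeys && taintedKeys.size > 0)
+ elementIsTainted = true;
+ }
+ if (elementIsTainted) {
+ const scopedVar = this.currentMethod ? `${this.currentMethod}:${varName}` : varName;
+ this.tainted.add(varName);
+ this.tainted.add(scopedVar);
+ }
+ }
  }
  }
  for (const varName of loopVarNames) {
@@ -14514,9 +14535,21 @@ class ConstantPropagator {
  this.taintedCollections.set(collectionName, new Set);
  }
  this.taintedCollections.get(collectionName).add(keyStr);
+ const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+ this.tainted.add(scopedCollection);
+ this.tainted.add(collectionName);
  }
  }
  }
+ if (methodName === "append" || methodName === "insert") {
+ const args2 = argsNode.children.filter((c) => c.type !== "(" && c.type !== ")" && c.type !== ",");
+ const valueArg = methodName === "insert" && args2.length >= 2 ? args2[1] : args2[0];
+ if (valueArg && this.isTaintedExpression(valueArg)) {
+ const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+ this.tainted.add(scopedCollection);
+ this.tainted.add(collectionName);
+ }
+ }
  if (methodName === "add" || methodName === "addLast") {
  const args2 = argsNode.children.filter((c) => c.type !== "(" && c.type !== ")" && c.type !== ",");
  if (args2.length >= 1) {
@@ -29990,7 +30023,7 @@ var colors = {
  };
 
  // src/version.ts
- var version = "3.56.0";
+ var version = "3.57.0";
 
  // src/formatters.ts
  var SINK_SEVERITY = {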
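Review bot: The for-loop taint check in the first hunk only matches the iterable's source text against `this.tainted`, `this.taintedArrayElements` and `this.taintedCollections`, so a loop over an expression that is not a bare name (a call, attribute or subscript whose text is never stored as a key in those maps) leaves the loop variable untainted even though the second hunk already has `isTaintedExpression` for exactly that case, which means a source flowing through such a loop is silently dropped. Seeding the check from that helper, `let elementIsTainted = this.isTaintedExpression(collectionNode) || this.tainted.has(collectionName) || this.tainted.has(scopedCollection);`, would close the gap, assuming `isTaintedExpression` accepts the same node kind it receives on the `append`/`insert` path. In the second hunk, `insert` with a single argument falls back to `args2[0]`, which is the index position rather than the inserted value, so `const valueArg = methodName === "insert" ? (args2.length >= 2 ? args2[1] : undefined) : args2[0];` would avoid tainting a collection from an index expression. The `currentMethod`-prefixed scoped-name expression now appears four times across the two hunks and would read better as one small private helper on the class. Both enclosing methods start and end outside the hunks.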
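--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "cognium-dev",
- "version": "3.56.0",
+ "version": "3.57.0",
  "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
  "registry": "https://registry.npmjs.org/"
  },
  "dependencies": {
- "circle-ir": "^3.56.0"
+ "circle-ir": "^3.57.0"
  },
  "devDependencies": {
  "@types/node": "^25.5.0",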