cognium-dev 3.62.0 → 3.65.0

package/dist/cli.js

@@ -11633,7 +11633,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
           location: formatCallLocation(call),
           severity: pattern.severity,
           line: call.location.line,
-          confidence: 1
+          confidence: 1,
+          in_method: call.in_method ?? undefined
         });
       }
     }
@@ -11650,7 +11651,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
                 location: `@${pattern.annotation} ${param.name} in ${method.name}`,
                 severity: pattern.severity,
                 line: paramLine,
-                confidence: 1
+                confidence: 1,
+                in_method: method.name
               });
             }
           }
@@ -11672,7 +11674,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
             location: `@${pattern.method_annotation} ${param.name} in ${method.name}`,
             severity: pattern.severity,
             line: paramLine,
-            confidence: 1
+            confidence: 1,
+            in_method: method.name
           });
         }
       }
@@ -11701,7 +11704,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
           severity: "high",
           line: paramLine,
           confidence: 1,
-          variable: param.name
+          variable: param.name,
+          in_method: method.name
         });
       }
     }
@@ -11722,7 +11726,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
             location: `${param.type || "any"} ${param.name} in ${method.name}`,
             severity: "medium",
             line: paramLine,
-            confidence: param.type ? 0.7 : 0.5
+            confidence: param.type ? 0.7 : 0.5,
+            in_method: method.name
           });
         }
       }
@@ -11742,7 +11747,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
               location: `${arg.expression} in ${call.in_method || "anonymous"}`,
               severity: "high",
               line: call.location.line,
-              confidence: 1
+              confidence: 1,
+              in_method: call.in_method ?? undefined
             });
           }
         }
@@ -11762,7 +11768,8 @@ function findSources(calls, types, patterns, sourceLines, language) {
               location: `${arg.expression} in ${call.in_method || "anonymous"}`,
               severity: "high",
               line: call.location.line,
-              confidence: 1
+              confidence: 1,
+              in_method: call.in_method ?? undefined
             });
           }
           break;
@@ -11795,6 +11802,21 @@ function findSources(calls, types, patterns, sourceLines, language) {
         s.variable = m[1];
     }
   }
+  if (language === "java" && sourceLines) {
+    const JAVA_ASSIGN_LHS = /^\s*(?:(?:final|public|private|protected|static|synchronized|volatile|transient)\s+)*(?:[A-Za-z_][\w.]*(?:\s*<[^=]*>)?(?:\s*\[\s*\])*\s+)?([A-Za-z_]\w*)\s*=(?!=)/;
+    for (const s of result) {
+      if (s.variable && s.variable.length > 0)
+        continue;
+      const lineText = sourceLines[s.line - 1] ?? "";
+      const m = JAVA_ASSIGN_LHS.exec(lineText);
+      if (!m)
+        continue;
+      const rhs = lineText.slice(m[0].length).trimStart();
+      if (/^new\b/.test(rhs))
+        continue;
+      s.variable = m[1];
+    }
+  }
   return result;
 }
 function isInterproceduralTaintableType(typeName) {
@@ -22200,6 +22222,8 @@ function findInitialTaint(sources, callsByLine, defsByLine) {
     for (const def of defsNextLine) {
       const callsOnSourceLine = callsByLine.get(source.line) ?? [];
       if (callsOnSourceLine.length > 0) {
+        if (source.variable && def.variable !== source.variable)
+          continue;
         tainted.push({
           variable: def.variable,
           defId: def.id,
@@ -22402,13 +22426,13 @@ class TaintPropagationPass {
       confidence: flow.confidence,
       sanitized: flow.sanitized
     }));
-    const arrayFlows = detectArrayElementFlows(calls, sources, sinks, constProp.taintedArrayElements, constProp.unreachableLines) ?? [];
+    const arrayFlows = detectArrayElementFlows(calls, sources, sinks, constProp.taintedArrayElements, constProp.unreachableLines, types) ?? [];
     for (const f of arrayFlows) {
       if (!flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line)) {
         flows.push(f);
       }
     }
-    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines, ctx.code) ?? [];
+    const collectionFlows = detectCollectionFlows(calls, sources, sinks, constProp.tainted, constProp.unreachableLines, ctx.code, types) ?? [];
     for (const f of collectionFlows) {
       if (flows.some((x) => x.source_line === f.source_line && x.sink_line === f.sink_line))
         continue;
@@ -22459,7 +22483,7 @@ class TaintPropagationPass {
       flows.push(f);
     }
     const sanitizedNames = constProp.sanitizedVars;
-    const finalFlows = sanitizedNames.size === 0 ? flows : flows.filter((f) => {
+    let finalFlows = sanitizedNames.size === 0 ? flows : flows.filter((f) => {
       if (f.path.length === 0)
         return true;
       const sourceVar = f.path[0].variable;
@@ -22473,10 +22497,74 @@ class TaintPropagationPass {
       }
       return true;
     });
+    if (ctx.language === "java" && typeof ctx.code === "string") {
+      finalFlows = finalFlows.filter((f) => {
+        if (f.sink_type !== "path_traversal" && f.sink_type !== "xxe")
+          return true;
+        if (!isInJavaSanitizedMethod(ctx.code, types, f.sink_line, f.sink_type))
+          return true;
+        return false;
+      });
+    }
+    if (finalFlows.length > 1) {
+      const bestByKey = new Map;
+      for (const f of finalFlows) {
+        const key = `${f.source_line}|${f.sink_line}|${f.sink_type}`;
+        const cur = bestByKey.get(key);
+        if (!cur || f.confidence > cur.confidence) {
+          bestByKey.set(key, f);
+        }
+      }
+      finalFlows = finalFlows.filter((f) => {
+        const key = `${f.source_line}|${f.sink_line}|${f.sink_type}`;
+        return bestByKey.get(key) === f;
+      });
+    }
     return { flows: finalFlows };
   }
 }
-function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines, code) {
+function isInJavaSanitizedMethod(code, types, sinkLine, sinkType) {
+  if (!types || types.length === 0)
+    return false;
+  let methodStart = -1;
+  let methodEnd = -1;
+  for (const t of types) {
+    for (const m of t.methods) {
+      if (sinkLine >= m.start_line && sinkLine <= m.end_line) {
+        methodStart = m.start_line;
+        methodEnd = m.end_line;
+        break;
+      }
+    }
+    if (methodStart > 0)
+      break;
+  }
+  if (methodStart < 0)
+    return false;
+  const lines = code.split(`
+`);
+  const body2 = lines.slice(methodStart - 1, methodEnd).join(`
+`);
+  if (sinkType === "path_traversal") {
+    if (!/\.getCanonicalPath\s*\(/.test(body2))
+      return false;
+    if (!/\.startsWith\s*\([^)]*getCanonicalPath/.test(body2))
+      return false;
+    if (!/\bthrow\s+new\b/.test(body2))
+      return false;
+    return true;
+  }
+  if (sinkType === "xxe") {
+    const setFeatureRe = /\.setFeature\s*\(\s*"(?:[^"]*disallow-doctype-decl|[^"]*external-general-entities|[^"]*external-parameter-entities|[^"]*load-external-dtd)"/;
+    if (setFeatureRe.test(body2))
+      return true;
+    if (/\.setProperty\s*\([^,]*SUPPORT_DTD[^,]*,\s*false\s*\)/.test(body2))
+      return true;
+    return false;
+  }
+  return false;
+}
+function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLines, code, types) {
   const flows = [];
   const callsByLine = new Map;
   for (const call of calls) {
@@ -22497,8 +22585,11 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
           const varName = arg.variable;
           const scopedName = call.in_method ? `${call.in_method}:${varName}` : varName;
           if (taintedVars.has(varName) || taintedVars.has(scopedName)) {
-            const source = sources[0];
+            const source = pickScopedSource(sources, sink.line, call.in_method ?? null, types, varName);
             if (source) {
+              if (source.variable && source.variable !== varName && source.in_method && call.in_method && source.in_method !== call.in_method) {
+                continue;
+              }
               if (typeof code === "string" && isReassignedToLiteralBetween(code, varName, source.line, sink.line)) {
                 continue;
               }
@@ -22534,8 +22625,11 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
               const collectionVar = match[1];
               const scopedCollection = call.in_method ? `${call.in_method}:${collectionVar}` : collectionVar;
               if (taintedVars.has(collectionVar) || taintedVars.has(scopedCollection)) {
-                const source = sources[0];
+                const source = pickScopedSource(sources, sink.line, call.in_method ?? null, types, collectionVar);
                 if (source) {
+                  if (source.variable && source.variable !== collectionVar && source.in_method && call.in_method && source.in_method !== call.in_method) {
+                    continue;
+                  }
                   if (typeof code === "string" && isReassignedToLiteralBetween(code, collectionVar, source.line, sink.line)) {
                     continue;
                   }
@@ -22561,7 +22655,7 @@ function detectCollectionFlows(calls, sources, sinks, taintedVars, unreachableLi
   }
   return flows;
 }
-function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, unreachableLines) {
+function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, unreachableLines, types) {
   const flows = [];
   const callsByLine = new Map;
   for (const call of calls) {
@@ -22586,7 +22680,7 @@ function detectArrayElementFlows(calls, sources, sinks, taintedArrayElements, un
           if (taintedIndices) {
             const isTainted = taintedIndices.has(indexStr) || taintedIndices.has("*");
             if (isTainted) {
-              const source = sources[0];
+              const source = pickScopedSource(sources, sink.line, call.in_method ?? null, types, arrayName);
               if (source) {
                 flows.push({
                   source_line: source.line,
@@ -22690,11 +22784,12 @@ function isReassignedToLiteralBetween(code, variable, srcLine, sinkLine) {
   const strLit = `(?:"[^"\\\\]*(?:\\\\.[^"\\\\]*)*"|'[^'\\\\]*(?:\\\\.[^'\\\\]*)*'|\`[^\`\\\\]*(?:\\\\.[^\`\\\\]*)*\`)`;
   const reNaked = new RegExp(`^\\s*${variable}\\s*(?::?=)\\s*${strLit}\\s*;?\\s*$`);
   const reGuarded = new RegExp(`^\\s*if\\b.*\\b${variable}\\s*=\\s*${strLit}\\s*;?\\s*$`);
+  const reSwitchCase = new RegExp(`^\\s*(?:case\\b.*?|default\\s*):\\s*${variable}\\s*=\\s*${strLit}\\s*;?\\s*(?:break\\s*;?)?\\s*$`);
   for (let i2 = lo;i2 < hi; i2++) {
     const line = lines[i2];
     if (!line)
       continue;
-    if (reNaked.test(line) || reGuarded.test(line))
+    if (reNaked.test(line) || reGuarded.test(line) || reSwitchCase.test(line))
       return true;
   }
   return false;
@@ -22821,6 +22916,9 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
         for (const source of sourcesWithVar) {
           if (source.line >= sink.line)
             continue;
+          if (source.in_method && call.in_method && source.in_method !== call.in_method) {
+            continue;
+          }
           const re = reCache.get(source.variable);
           if (!re || !re.test(expr))
             continue;
@@ -22887,6 +22985,51 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
   }
   return flows;
 }
+function pickScopedSource(sources, sinkLine, methodName, types, taintedVar) {
+  if (sources.length === 0)
+    return;
+  const closestPreceding = (cands) => {
+    let best;
+    for (const s of cands) {
+      if (s.line >= sinkLine)
+        continue;
+      if (!best || s.line > best.line)
+        best = s;
+    }
+    return best;
+  };
+  if (taintedVar) {
+    const byVar = sources.filter((s) => s.variable === taintedVar);
+    const pick = closestPreceding(byVar);
+    if (pick)
+      return pick;
+  }
+  if (methodName && types && types.length > 0) {
+    let methodStart = -1;
+    let methodEnd = -1;
+    for (const t of types) {
+      for (const m of t.methods) {
+        if (m.name === methodName) {
+          methodStart = m.start_line;
+          methodEnd = m.end_line;
+          break;
+        }
+      }
+      if (methodStart > 0)
+        break;
+    }
+    if (methodStart > 0 && methodEnd >= methodStart) {
+      const inScope = sources.filter((s) => s.line >= methodStart && s.line <= methodEnd);
+      const pick = closestPreceding(inScope);
+      if (pick)
+        return pick;
+    }
+  }
+  const globalPick = closestPreceding(sources);
+  if (globalPick)
+    return globalPick;
+  return sources[0];
+}
 
 // ../circle-ir/dist/analysis/interprocedural.js
 function analyzeInterprocedural2(graphOrTypes, callsOrSources, dfgOrSinks, sourcesOrSanitizers, sinksOrOptions, sanitizersArg, optionsArg = {}) {
@@ -30904,7 +31047,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.62.0";
+var version = "3.65.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.62.0",
+  "version": "3.65.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.62.0"
+    "circle-ir": "^3.65.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",