cognium-dev 3.75.0 → 3.77.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +44 -2
- package/package.json +2 -2
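--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -23733,6 +23733,48 @@ function detectExpressionScanFlows(calls, sources, sinks, sanitizers, unreachabl
 }
 }
 }
+const aliasChains = [];
+{
+const codeLines2 = code.split(`
+`);
+for (let i2 = 0;i2 < codeLines2.length; i2++) {
+const ln = codeLines2[i2];
+if (ln.trimStart().startsWith("#"))
+continue;
+const m = ln.match(/^\s*([\p{L}\p{N}_]+)\s*=\s*([\p{L}\p{N}_]+)\s*$/u);
+if (!m)
+continue;
+const lineNum = i2 + 1;
+const lhs = m[1];
+if (derived.get(lhs) !== lineNum)
+continue;
+aliasChains.push({ lhs, upstream: m[2], line: lineNum });
+}
+}
+if (aliasChains.length > 0) {
+let changed = true;
+let guard = 0;
+while (changed && guard < aliasChains.length + 2) {
+changed = false;
+guard++;
+for (const { lhs, upstream } of aliasChains) {
+const upCov = aliasSanitizedFor.get(upstream);
+if (!upCov || upCov.size === 0)
+continue;
+let downCov = aliasSanitizedFor.get(lhs);
+if (!downCov) {
+downCov = new Set;
+aliasSanitizedFor.set(lhs, downCov);
+}
+for (const t of upCov) {
+if (!downCov.has(t)) {
+downCov.add(t);
+changed = true;
+}
+}
+}
+}
+}
 }
 }
 if (language === "rust" && typeof code === "string" && sourcesWithVar.length > 0) {
@@ -30789,7 +30831,7 @@ class JwtVerifyDisabledPass {
 out2.push({ pattern: "Algorithm.none()", api: "JWT.require" });
 }
 }
-if (method === "parse" && receiver
+if (method === "parse" && /\bJwts\s*\.\s*parser\s*\(/.test(receiver)) {
 out2.push({ pattern: "parse() instead of parseClaimsJws()", api: "Jwts.parser().parse" });
 }
 return out2;
@@ -32498,7 +32540,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.
+var version = "3.77.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {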
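--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cognium-dev",
-"version": "3.
+"version": "3.77.0",
 "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
 "registry": "https://registry.npmjs.org/"
 },
 "dependencies": {
-"circle-ir": "^3.
+"circle-ir": "^3.77.0"
 },
 "devDependencies": {
 "@types/node": "^25.5.0",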