cognium-dev 3.78.0 → 3.80.0

Files changed (2)
  1. package/dist/cli.js +71 -7
  2. package/package.json +2 -2
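--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -10916,8 +10916,10 @@ var DEFAULT_SINKS = [
  { method: "exchange", class: "RestTemplate", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
  { method: "get", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
  { method: "post", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
- { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
- { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+ { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+ { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+ { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+ { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
  { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
  { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
  { method: "outputString", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -28793,6 +28795,30 @@ var PROVIDER_PATTERNS = [
  fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
  }
  ];
+ var CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key)[\w$]*?)\s*[:=]\s*["'`]([^"'`\s$][^"'`\n]{2,})["'`]/i;
+ var CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
+ var CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
+ var CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+ function isLikelyCredentialAssignment(line) {
+ if (CRED_FUNCTION_DECL_RE.test(line))
+ return null;
+ if (CRED_COMPARISON_RE.test(line))
+ return null;
+ const m = line.match(CRED_KEYWORD_RE);
+ if (!m)
+ return null;
+ const name2 = m[1];
+ const value = m[2];
+ if (PLACEHOLDER_RE.test(value))
+ return null;
+ if (CRED_DYNAMIC_VALUE_RE.test(value))
+ return null;
+ if (value.length < 3)
+ return null;
+ if (isAllSameChar(value))
+ return null;
+ return { name: name2, value };
+ }
  var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
  var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
  var HEXISH_RE = /^[a-fA-F0-9]+$/;
@@ -28896,6 +28922,33 @@ class ScanSecretsPass {
  break;
  }
  }
+ for (let i2 = 0;i2 < lines.length; i2++) {
+ const lineText = lines[i2];
+ const lineNum = i2 + 1;
+ const hit = isLikelyCredentialAssignment(lineText);
+ if (!hit)
+ continue;
+ const key = `${lineNum}:hardcoded-credential`;
+ if (seen.has(key))
+ continue;
+ seen.add(key);
+ ctx.addFinding({
+ id: `hardcoded-credential-${file}-${lineNum}`,
+ pass: this.name,
+ category: this.category,
+ rule_id: "hardcoded-credential",
+ cwe: "CWE-798",
+ severity: "high",
+ level: "error",
+ message: `Hardcoded credential: \`${hit.name}\` assigned a literal value`,
+ file,
+ line: lineNum,
+ snippet: lineText.trim().substring(0, 120),
+ fix: "Move the credential to an environment variable or secrets manager; never commit live secrets to source control.",
+ evidence: { kind: "named-credential", name: hit.name }
+ });
+ providerFindings += 1;
+ }
  for (let i2 = 0;i2 < lines.length; i2++) {
  const lineText = lines[i2];
  const lineNum = i2 + 1;
@@ -29268,9 +29321,11 @@ class InsecureCookiePass {
  };
  }
  detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
- if (call.method_name !== "Cookie")
+ const method = call.method_name ?? "";
+ const isCookieCtor = method === "Cookie" || method.endsWith(".Cookie");
+ if (!isCookieCtor)
  return null;
- const looksLikeCtor = call.is_constructor || !call.receiver && call.receiver_type === "Cookie" || (call.resolution?.target ?? "").endsWith(".<init>");
+ const looksLikeCtor = call.is_constructor || !call.receiver && (call.receiver_type === "Cookie" || (call.receiver_type ?? "").endsWith(".Cookie")) || (call.resolution?.target ?? "").endsWith(".<init>");
  if (!looksLikeCtor)
  return null;
  if (call.arguments.length < 2)
@@ -29772,8 +29827,9 @@ class WeakCryptoPass {
  const receiver = call.receiver ?? "";
  const out2 = [];
  if (language === "java") {
- const isCipherFactory = method === "getInstance" && (receiver === "Cipher" || receiver.endsWith(".Cipher") || receiver === "KeyGenerator" || receiver.endsWith(".KeyGenerator"));
- if (isCipherFactory) {
+ const isCipherInstance = method === "getInstance" && (receiver === "Cipher" || receiver.endsWith(".Cipher"));
+ const isKeyGenInstance = method === "getInstance" && (receiver === "KeyGenerator" || receiver.endsWith(".KeyGenerator"));
+ if (isCipherInstance) {
  const spec = literalAlgo2(call, 0);
  if (spec) {
  const { weakBase, ecb } = classifyJavaCipherSpec(spec);
@@ -29783,6 +29839,14 @@ class WeakCryptoPass {
  if (ecb)
  out2.push({ issue: "ecb-mode", detail: spec, api });
  }
+ } else if (isKeyGenInstance) {
+ const spec = literalAlgo2(call, 0);
+ if (spec) {
+ const { weakBase } = classifyJavaCipherSpec(spec);
+ const api = `${receiver}.getInstance`;
+ if (weakBase)
+ out2.push({ issue: "weak-cipher", detail: weakBase, api });
+ }
  }
  if (method === "IvParameterSpec" && isJavaCtor(call, "IvParameterSpec")) {
  const ivDetail = detectStaticIvJava(call);
@@ -32606,7 +32670,7 @@ var colors = {
  };
 
  // src/version.ts
- var version = "3.78.0";
+ var version = "3.80.0";
 
  // src/formatters.ts
  var SINK_SEVERITY = {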
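Review bot: In the new ScanSecretsPass loop, `snippet: lineText.trim().substring(0, 120)` copies the matched line — including the literal the rule just classified as a credential — straight into the finding, so the secret is re-emitted into report output and CI logs, while `hit.value`, which isLikelyCredentialAssignment returns for exactly this purpose, is never used. Mask it before the finding is recorded, e.g. `snippet: lineText.trim().replace(hit.value, "<redacted>").substring(0, 120)`, and keep `evidence` limited to the name as it already is. Separately, this loop bumps `providerFindings` for keyword-based hits; if that counter feeds a provider-specific summary elsewhere, a dedicated counter would keep the numbers honest. The enclosing method of this loop, and the `seen`/`file`/`lines` bindings it relies on, start and end outside the hunk.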
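--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "cognium-dev",
- "version": "3.78.0",
+ "version": "3.80.0",
  "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
  "registry": "https://registry.npmjs.org/"
  },
  "dependencies": {
- "circle-ir": "^3.78.0"
+ "circle-ir": "^3.80.0"
  },
  "devDependencies": {
  "@types/node": "^25.5.0",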