npm - cognium-dev - Versions diffs - 3.79.0 → 3.80.0 - Mend

cognium-dev 3.79.0 → 3.80.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +60 -5
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -10916,8 +10916,10 @@ var DEFAULT_SINKS = [
   { method: "exchange", class: "RestTemplate", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "get", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "post", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "outputString", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -28793,6 +28795,30 @@ var PROVIDER_PATTERNS = [
     fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
   }
 ];
+var CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key)[\w$]*?)\s*[:=]\s*["'`]([^"'`\s$][^"'`\n]{2,})["'`]/i;
+var CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
+var CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
+var CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+function isLikelyCredentialAssignment(line) {
+  if (CRED_FUNCTION_DECL_RE.test(line))
+    return null;
+  if (CRED_COMPARISON_RE.test(line))
+    return null;
+  const m = line.match(CRED_KEYWORD_RE);
+  if (!m)
+    return null;
+  const name2 = m[1];
+  const value = m[2];
+  if (PLACEHOLDER_RE.test(value))
+    return null;
+  if (CRED_DYNAMIC_VALUE_RE.test(value))
+    return null;
+  if (value.length < 3)
+    return null;
+  if (isAllSameChar(value))
+    return null;
+  return { name: name2, value };
+}
 var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
 var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
 var HEXISH_RE = /^[a-fA-F0-9]+$/;
@@ -28896,6 +28922,33 @@ class ScanSecretsPass {
         break;
       }
     }
+    for (let i2 = 0;i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      const hit = isLikelyCredentialAssignment(lineText);
+      if (!hit)
+        continue;
+      const key = `${lineNum}:hardcoded-credential`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      ctx.addFinding({
+        id: `hardcoded-credential-${file}-${lineNum}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: "hardcoded-credential",
+        cwe: "CWE-798",
+        severity: "high",
+        level: "error",
+        message: `Hardcoded credential: \`${hit.name}\` assigned a literal value`,
+        file,
+        line: lineNum,
+        snippet: lineText.trim().substring(0, 120),
+        fix: "Move the credential to an environment variable or secrets manager; never commit live secrets to source control.",
+        evidence: { kind: "named-credential", name: hit.name }
+      });
+      providerFindings += 1;
+    }
     for (let i2 = 0;i2 < lines.length; i2++) {
       const lineText = lines[i2];
       const lineNum = i2 + 1;
@@ -29268,9 +29321,11 @@ class InsecureCookiePass {
     };
   }
   detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
-    if (call.method_name !== "Cookie")
+    const method = call.method_name ?? "";
+    const isCookieCtor = method === "Cookie" || method.endsWith(".Cookie");
+    if (!isCookieCtor)
       return null;
-    const looksLikeCtor = call.is_constructor || !call.receiver && call.receiver_type === "Cookie" || (call.resolution?.target ?? "").endsWith(".<init>");
+    const looksLikeCtor = call.is_constructor || !call.receiver && (call.receiver_type === "Cookie" || (call.receiver_type ?? "").endsWith(".Cookie")) || (call.resolution?.target ?? "").endsWith(".<init>");
     if (!looksLikeCtor)
       return null;
     if (call.arguments.length < 2)
@@ -32615,7 +32670,7 @@ var colors = {
 };
 // src/version.ts
-var version = "3.79.0";
+var version = "3.80.0";
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.79.0",
+  "version": "3.80.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.79.0"
+    "circle-ir": "^3.80.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",