cognium-dev 3.79.0 → 3.81.0

package/dist/cli.js

@@ -10660,7 +10660,6 @@ var DEFAULT_SINKS = [
   { method: "addObject", class: "ModelAndView", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [1] },
   { method: "println", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "print", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
-  { method: "write", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuilder", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "append", class: "StringBuffer", type: "xss", cwe: "CWE-79", severity: "medium", arg_positions: [0] },
   { method: "handleHyperlinks", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -10916,8 +10915,10 @@ var DEFAULT_SINKS = [
   { method: "exchange", class: "RestTemplate", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "get", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
   { method: "post", class: "WebClient", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [] },
-  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
-  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0] },
+  { method: "setAttribute", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "putValue", class: "HttpSession", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "ServletContext", type: "trust_boundary", cwe: "CWE-501", severity: "medium", arg_positions: [0, 1] },
+  { method: "setAttribute", class: "HttpServletRequest", type: "trust_boundary", cwe: "CWE-501", severity: "low", arg_positions: [0, 1] },
   { method: "outputElementContent", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "output", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "outputString", class: "XMLOutputter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -28793,6 +28794,30 @@ var PROVIDER_PATTERNS = [
     fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
   }
 ];
+var CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key)[\w$]*?)\s*[:=]\s*["'`]([^"'`\s$][^"'`\n]{2,})["'`]/i;
+var CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
+var CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
+var CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+function isLikelyCredentialAssignment(line) {
+  if (CRED_FUNCTION_DECL_RE.test(line))
+    return null;
+  if (CRED_COMPARISON_RE.test(line))
+    return null;
+  const m = line.match(CRED_KEYWORD_RE);
+  if (!m)
+    return null;
+  const name2 = m[1];
+  const value = m[2];
+  if (PLACEHOLDER_RE.test(value))
+    return null;
+  if (CRED_DYNAMIC_VALUE_RE.test(value))
+    return null;
+  if (value.length < 3)
+    return null;
+  if (isAllSameChar(value))
+    return null;
+  return { name: name2, value };
+}
 var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
 var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
 var HEXISH_RE = /^[a-fA-F0-9]+$/;
@@ -28896,6 +28921,33 @@ class ScanSecretsPass {
         break;
       }
     }
+    for (let i2 = 0;i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      const hit = isLikelyCredentialAssignment(lineText);
+      if (!hit)
+        continue;
+      const key = `${lineNum}:hardcoded-credential`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      ctx.addFinding({
+        id: `hardcoded-credential-${file}-${lineNum}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: "hardcoded-credential",
+        cwe: "CWE-798",
+        severity: "high",
+        level: "error",
+        message: `Hardcoded credential: \`${hit.name}\` assigned a literal value`,
+        file,
+        line: lineNum,
+        snippet: lineText.trim().substring(0, 120),
+        fix: "Move the credential to an environment variable or secrets manager; never commit live secrets to source control.",
+        evidence: { kind: "named-credential", name: hit.name }
+      });
+      providerFindings += 1;
+    }
     for (let i2 = 0;i2 < lines.length; i2++) {
       const lineText = lines[i2];
       const lineNum = i2 + 1;
@@ -29268,9 +29320,11 @@ class InsecureCookiePass {
     };
   }
   detectJavaCookieCtor(call, hasSetSecureTrue, hasSetHttpOnlyTrue) {
-    if (call.method_name !== "Cookie")
+    const method = call.method_name ?? "";
+    const isCookieCtor = method === "Cookie" || method.endsWith(".Cookie");
+    if (!isCookieCtor)
       return null;
-    const looksLikeCtor = call.is_constructor || !call.receiver && call.receiver_type === "Cookie" || (call.resolution?.target ?? "").endsWith(".<init>");
+    const looksLikeCtor = call.is_constructor || !call.receiver && (call.receiver_type === "Cookie" || (call.receiver_type ?? "").endsWith(".Cookie")) || (call.resolution?.target ?? "").endsWith(".<init>");
     if (!looksLikeCtor)
       return null;
     if (call.arguments.length < 2)
@@ -30107,6 +30161,606 @@ class WeakRandomPass {
   }
 }
 
+// ../circle-ir/dist/analysis/passes/_credential-helpers.js
+var CRED_KEYWORD_RE2 = /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i;
+function isCredentialIdentifier(name2) {
+  if (!name2)
+    return false;
+  if (name2.length < 3)
+    return false;
+  return CRED_KEYWORD_RE2.test(name2);
+}
+function argLooksLikeCredential(arg) {
+  if (!arg)
+    return false;
+  if (arg.variable && isCredentialIdentifier(arg.variable))
+    return true;
+  const expr = (arg.expression ?? "").trim();
+  if (!expr)
+    return false;
+  const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+  return isCredentialIdentifier(head);
+}
+function stripQuotes6(s) {
+  const t = s.trim();
+  if (t.startsWith('"') && t.endsWith('"') || t.startsWith("'") && t.endsWith("'") || t.startsWith("`") && t.endsWith("`")) {
+    return t.slice(1, -1);
+  }
+  return t;
+}
+function literalAt(call, position) {
+  const arg = call.arguments.find((a) => a.position === position);
+  if (!arg)
+    return null;
+  const raw = arg.literal ?? arg.expression ?? "";
+  const trimmed = raw.trim();
+  if (trimmed.startsWith('"') || trimmed.startsWith("'") || trimmed.startsWith("`")) {
+    return stripQuotes6(trimmed);
+  }
+  if (arg.literal)
+    return stripQuotes6(arg.literal);
+  return null;
+}
+function isHashFunctionCall(call) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+    return method === "hashpw" || method === "hash" || method === "hashSync" || method === "GenerateFromPassword" || method === "generate_password_hash";
+  }
+  if (recvLower === "argon2" || recvLower.endsWith(".argon2")) {
+    return method === "hash" || method === "Hash" || method === "PasswordHash";
+  }
+  if (recvLower === "hashlib")
+    return true;
+  if (recvLower === "passlib" || recvLower.includes("passlib.hash"))
+    return true;
+  if (method === "PBKDF2HMAC" || method === "derive")
+    return true;
+  if (recvLower === "crypto") {
+    return method === "createHash" || method === "createHmac" || method === "pbkdf2" || method === "pbkdf2Sync" || method === "scrypt" || method === "scryptSync";
+  }
+  if (receiver === "MessageDigest" || receiver.endsWith(".MessageDigest")) {
+    return method === "getInstance" || method === "update" || method === "digest";
+  }
+  if (receiver === "DigestUtils" || receiver.endsWith(".DigestUtils")) {
+    return true;
+  }
+  if (receiver === "SecretKeyFactory" || receiver.endsWith(".SecretKeyFactory")) {
+    return method === "getInstance" || method === "generateSecret";
+  }
+  if (method === "PBEKeySpec")
+    return true;
+  if (receiver === "md5" || receiver === "sha1" || receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver.endsWith("/md5") || receiver.endsWith("/sha1") || receiver.endsWith("/sha256") || receiver.endsWith("/sha512")) {
+    return method === "New" || method === "Sum" || method === "New224" || method === "New384";
+  }
+  const m = method.toLowerCase();
+  if (m === "hash" || m === "hashpw" || m === "hashsync" || m === "pbkdf2" || m === "pbkdf2sync" || m === "scrypt" || m === "scryptsync")
+    return true;
+  return false;
+}
+function priorHashOf(varName, priorCalls) {
+  for (const c of priorCalls) {
+    if (!isHashFunctionCall(c))
+      continue;
+    for (const a of c.arguments) {
+      if (a.variable === varName)
+        return true;
+      const head = (a.expression ?? "").trim().split(/[.\s(]/, 1)[0];
+      if (head === varName)
+        return true;
+    }
+  }
+  return false;
+}
+
+// ../circle-ir/dist/analysis/passes/weak-password-hash-pass.js
+var FAST_HASH_NAMES = new Set([
+  "sha224",
+  "sha-224",
+  "sha256",
+  "sha-256",
+  "sha384",
+  "sha-384",
+  "sha512",
+  "sha-512",
+  "sha3",
+  "sha-3",
+  "sha3-256",
+  "sha3-512"
+]);
+var BCRYPT_MIN_COST = 10;
+var PBKDF2_MIN_ITERATIONS = 1e5;
+function intLiteral(s) {
+  if (s == null)
+    return null;
+  const t = s.trim();
+  if (!/^-?\d+$/.test(t))
+    return null;
+  const n = parseInt(t, 10);
+  return Number.isFinite(n) ? n : null;
+}
+function pyKwargInt(call, name2) {
+  for (const a of call.arguments) {
+    const expr = (a.expression ?? "").trim();
+    const m = expr.match(new RegExp(`^${name2}\\s*=\\s*(-?\\d+)$`));
+    if (m)
+      return parseInt(m[1], 10);
+  }
+  return null;
+}
+
+class WeakPasswordHashPass {
+  name = "weak-password-hash";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection)
+        continue;
+      const { kind, api } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, kind, api });
+      const message = kind === "fast-unsalted-hash" ? `Fast/unsalted hash \`${api}\` applied to a password. ` + "General-purpose hashes (SHA-256/512) are unsuitable for password storage." : kind === "low-bcrypt-cost" ? `bcrypt called with insufficient cost factor (< ${BCRYPT_MIN_COST}).` : `PBKDF2 called with insufficient iteration count (< ${PBKDF2_MIN_ITERATIONS}).`;
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-916",
+        severity: "high",
+        level: "warning",
+        message,
+        file,
+        line,
+        fix: "Use a memory-hard password-hashing function with appropriate cost: " + "Argon2id (recommended), bcrypt (cost ≥ 12), scrypt, or PBKDF2 with ≥ 600k iterations.",
+        evidence: { kind, api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (recvLower === "bcrypt" || recvLower.endsWith(".bcrypt")) {
+      if (method === "gensalt") {
+        const rounds = pyKwargInt(call, "rounds");
+        if (rounds !== null && rounds < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.gensalt" };
+        }
+      }
+      if (method === "hash" || method === "hashSync") {
+        const cost = intLiteral(literalAt(call, 1));
+        if (cost !== null && cost < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: `bcrypt.${method}` };
+        }
+      }
+      if (method === "GenerateFromPassword") {
+        const arg1 = call.arguments.find((a) => a.position === 1);
+        const expr = (arg1?.expression ?? "").trim();
+        const n = intLiteral(expr);
+        if (n !== null && n < BCRYPT_MIN_COST) {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+        if (expr === "bcrypt.MinCost") {
+          return { kind: "low-bcrypt-cost", api: "bcrypt.GenerateFromPassword" };
+        }
+      }
+    }
+    if (method === "PBKDF2HMAC") {
+      const iters = pyKwargInt(call, "iterations");
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBKDF2HMAC" };
+      }
+    }
+    if ((method === "pbkdf2" || method === "pbkdf2Sync") && (recvLower === "crypto" || recvLower.endsWith(".crypto"))) {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: `crypto.${method}` };
+      }
+    }
+    if (method === "PBEKeySpec" && language === "java") {
+      const iters = intLiteral(literalAt(call, 2));
+      if (iters !== null && iters < PBKDF2_MIN_ITERATIONS) {
+        return { kind: "low-pbkdf2-iterations", api: "PBEKeySpec" };
+      }
+    }
+    if (language === "python" && (recvLower === "hashlib" || recvLower.endsWith(".hashlib"))) {
+      if (FAST_HASH_NAMES.has(method.toLowerCase())) {
+        if (argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.${method}` };
+        }
+      }
+      if (method === "new") {
+        const algo = literalAt(call, 0)?.toLowerCase() ?? "";
+        if (FAST_HASH_NAMES.has(algo) && argLooksLikeCredential(call.arguments.find((a) => a.position === 1))) {
+          return { kind: "fast-unsalted-hash", api: `hashlib.new(${algo})` };
+        }
+      }
+    }
+    if ((language === "javascript" || language === "typescript") && method === "update") {
+      const recvExpr = (receiver ?? "").toLowerCase();
+      const hashLike = recvExpr.includes("hash") || recvExpr.includes("createhash") || recvExpr.includes("sha") || recvExpr.includes("md");
+      if (hashLike && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "crypto.createHash().update" };
+      }
+    }
+    if (language === "java" && method === "update") {
+      const recvName = (receiver ?? "").toLowerCase();
+      const looksLikeDigest = recvName.includes("digest") || recvName.includes("md") || recvName.includes("hash");
+      if (looksLikeDigest && argLooksLikeCredential(call.arguments.find((a) => a.position === 0))) {
+        return { kind: "fast-unsalted-hash", api: "MessageDigest.update" };
+      }
+    }
+    if (language === "go") {
+      const isFastPkg = receiver === "sha256" || receiver === "sha512" || receiver === "sha3" || receiver === "sha224";
+      if (isFastPkg && (method === "Sum256" || method === "Sum512" || method === "Sum224" || method === "Sum384" || method === "Sum")) {
+        const expr = (call.arguments.find((a) => a.position === 0)?.expression ?? "").trim();
+        const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+        if (argLooksLikeCredential({ position: 0, expression: inner, variable: inner })) {
+          return { kind: "fast-unsalted-hash", api: `${receiver}.${method}` };
+        }
+      }
+    }
+    return null;
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/weak-password-encoding-pass.js
+function isBasicAuthContext(call, code) {
+  const line = call.location.line;
+  if (line < 1)
+    return false;
+  const lines = code.split(`
+`);
+  const start2 = Math.max(0, line - 2);
+  const end = Math.min(lines.length, line + 1);
+  const window2 = lines.slice(start2, end).join(`
+`);
+  return /["'`]Basic\s/i.test(window2);
+}
+
+class WeakPasswordEncodingPass {
+  name = "weak-password-encoding";
+  category = "security";
+  run(ctx) {
+    const { graph, language, code } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const api = this.detect(call, language);
+      if (!api)
+        continue;
+      if (isBasicAuthContext(call, code))
+        continue;
+      const line = call.location.line;
+      findings.push({ line, language, api });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-261",
+        severity: "medium",
+        level: "warning",
+        message: `Credential encoded via \`${api}\` — encoding is NOT encryption. ` + "Base64/hex provide no confidentiality; anyone with the encoded value can decode it.",
+        file,
+        line,
+        fix: "For storage, use a password hash (Argon2id / bcrypt). " + "For transport, use TLS. For symmetric secrecy, use authenticated encryption (AES-GCM).",
+        evidence: { api, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    const arg0 = call.arguments.find((a) => a.position === 0);
+    if (language === "python") {
+      if (recvLower === "base64" && (method === "b64encode" || method === "urlsafe_b64encode" || method === "standard_b64encode")) {
+        if (argLooksLikeCredential(arg0))
+          return `base64.${method}`;
+      }
+      if (recvLower === "binascii" && method === "hexlify") {
+        if (argLooksLikeCredential(arg0))
+          return "binascii.hexlify";
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if (method === "toString") {
+        const encoding = literalAt(call, 0);
+        if (encoding === "base64" || encoding === "hex" || encoding === "base64url") {
+          const recv = (receiver ?? "").toLowerCase();
+          if (recv.includes("buffer.from") && /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i.test(receiver ?? "")) {
+            return `Buffer.from().toString('${encoding}')`;
+          }
+        }
+      }
+      if (method === "btoa" && receiver === "") {
+        if (argLooksLikeCredential(arg0))
+          return "btoa";
+      }
+    }
+    if (language === "java") {
+      if (method === "encodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("encoder") || recv.includes("base64")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return "Base64.encodeToString";
+          }
+        }
+      }
+      if (method === "encodeHexString" && (receiver === "Hex" || receiver.endsWith(".Hex"))) {
+        const expr = (arg0?.expression ?? "").trim();
+        const head = expr.split(/[.\s(]/, 1)[0] ?? "";
+        if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+          return "Hex.encodeHexString";
+        }
+      }
+    }
+    if (language === "go") {
+      if (method === "EncodeToString") {
+        const recv = (receiver ?? "").toLowerCase();
+        if (recv.includes("base64") || recv.includes("hex") || recv.includes("encoding")) {
+          const expr = (arg0?.expression ?? "").trim();
+          const inner = expr.replace(/^\[\]byte\s*\(\s*/, "").replace(/\s*\)\s*$/, "");
+          const head = inner.split(/[.\s(]/, 1)[0] ?? "";
+          if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+            return recv.includes("hex") ? "hex.EncodeToString" : "base64.EncodeToString";
+          }
+        }
+      }
+    }
+    return null;
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/plaintext-password-storage-pass.js
+function isWriteStorageCall(call, language) {
+  const method = call.method_name ?? "";
+  const receiver = call.receiver ?? "";
+  const recvLower = receiver.toLowerCase();
+  if (language === "python") {
+    if (method === "write" || method === "writelines") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+    if ((recvLower === "pickle" || recvLower === "json" || recvLower === "yaml") && (method === "dump" || method === "dumps")) {
+      return { credPos: 0, api: `${receiver}.${method}` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "javascript" || language === "typescript") {
+    if ((recvLower === "fs" || recvLower.endsWith(".fs")) && (method === "writeFile" || method === "writeFileSync" || method === "appendFile" || method === "appendFileSync")) {
+      return { credPos: 1, api: `fs.${method}` };
+    }
+    if ((recvLower === "localstorage" || recvLower === "sessionstorage") && method === "setItem") {
+      return { credPos: 1, api: `${receiver}.setItem` };
+    }
+    if (recvLower === "redis" && (method === "set" || method === "setex" || method === "hset")) {
+      return { credPos: 1, api: `redis.${method}` };
+    }
+  }
+  if (language === "java") {
+    if ((receiver === "Files" || receiver.endsWith(".Files")) && (method === "write" || method === "writeString")) {
+      return { credPos: 1, api: `Files.${method}` };
+    }
+    if (method === "write") {
+      const lc = (receiver ?? "").toLowerCase();
+      if (lc.includes("writer") || lc.includes("file") || lc.includes("stream")) {
+        return { credPos: 0, api: `${receiver}.write` };
+      }
+    }
+  }
+  if (language === "go") {
+    if (receiver === "os" || receiver.endsWith("/os")) {
+      if (method === "WriteFile")
+        return { credPos: 1, api: "os.WriteFile" };
+    }
+    if (receiver === "ioutil" || receiver.endsWith("/ioutil")) {
+      if (method === "WriteFile")
+        return { credPos: 1, api: "ioutil.WriteFile" };
+    }
+    if (method === "WriteString" || method === "Write") {
+      return { credPos: 0, api: `<file>.${method}` };
+    }
+  }
+  return null;
+}
+
+class PlaintextPasswordStoragePass {
+  name = "plaintext-password-storage";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    const callsByScope = new Map;
+    for (const call of graph.ir.calls) {
+      const scope = call.in_method ?? "<top>";
+      const arr = callsByScope.get(scope) ?? [];
+      arr.push(call);
+      callsByScope.set(scope, arr);
+    }
+    for (const call of graph.ir.calls) {
+      const spec = isWriteStorageCall(call, language);
+      if (!spec)
+        continue;
+      const credArg = call.arguments.find((a) => a.position === spec.credPos);
+      if (!credArg)
+        continue;
+      if (!argLooksLikeCredential(credArg))
+        continue;
+      const identExpr = (credArg.expression ?? "").trim();
+      const head = identExpr.split(/[.\s(]/, 1)[0] ?? "";
+      const identifier = credArg.variable ?? head;
+      if (!identifier)
+        continue;
+      const scope = call.in_method ?? "<top>";
+      const scopeCalls = callsByScope.get(scope) ?? [];
+      const prior = scopeCalls.filter((c) => c.location.line < call.location.line);
+      if (priorHashOf(identifier, prior))
+        continue;
+      if (/\b(?:hashpw|hash|sha\d+|md5|bcrypt|argon2|pbkdf2|digest)\b/i.test(credArg.expression ?? "")) {
+        continue;
+      }
+      const line = call.location.line;
+      findings.push({ line, language, api: spec.api, identifier });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-256",
+        severity: "high",
+        level: "warning",
+        message: `Credential \`${identifier}\` written in plaintext via \`${spec.api}\`. ` + "Passwords / secrets must be hashed (Argon2id, bcrypt) before storage.",
+        file,
+        line,
+        fix: "Hash the credential with Argon2id / bcrypt before writing it to " + "disk, cookie, KV store, or database.",
+        evidence: { identifier, api: spec.api, language }
+      });
+    }
+    return { findings };
+  }
+}
+
+// ../circle-ir/dist/analysis/passes/cleartext-credential-transport-pass.js
+var LOCALHOST_RE = /^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)(?::\d+)?$/i;
+function isInsecureHttpUrl(urlLiteral) {
+  if (!urlLiteral)
+    return false;
+  if (!/^http:\/\//i.test(urlLiteral))
+    return false;
+  const rest = urlLiteral.slice("http://".length);
+  const host = rest.split("/", 1)[0] ?? "";
+  if (LOCALHOST_RE.test(host))
+    return false;
+  return true;
+}
+function anyArgCarriesCredential(call, startPos) {
+  for (const a of call.arguments) {
+    if (a.position < startPos)
+      continue;
+    if (argLooksLikeCredential(a))
+      return true;
+    const expr = (a.expression ?? "").trim();
+    if (!expr)
+      continue;
+    if (/(?:["'`]?(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|credential)["'`]?\s*[:=])/i.test(expr)) {
+      return true;
+    }
+    if (/\b(?:password|passwd|pwd|secret|api_key|api-key|apiKey|auth_token|authToken|credential)\w*\b/i.test(expr)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+class CleartextCredentialTransportPass {
+  name = "cleartext-credential-transport";
+  category = "security";
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const findings = [];
+    for (const call of graph.ir.calls) {
+      const detection = this.detect(call, language);
+      if (!detection)
+        continue;
+      const { api, url } = detection;
+      const line = call.location.line;
+      findings.push({ line, language, api, url });
+      ctx.addFinding({
+        id: `${this.name}-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-523",
+        severity: "high",
+        level: "error",
+        message: `Credentials transmitted to \`${url}\` over HTTP via \`${api}\`. ` + "Cleartext transport exposes credentials to network observers.",
+        file,
+        line,
+        fix: "Use HTTPS (https://) for all endpoints that receive credentials. " + "For internal traffic, terminate TLS at the service boundary.",
+        evidence: { api, url, language }
+      });
+    }
+    return { findings };
+  }
+  detect(call, language) {
+    const method = call.method_name ?? "";
+    const receiver = call.receiver ?? "";
+    const recvLower = receiver.toLowerCase();
+    if (language === "python") {
+      if ((recvLower === "requests" || recvLower === "httpx" || recvLower.endsWith(".requests") || recvLower.endsWith(".httpx")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, method === "request" ? 1 : 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `${receiver}.${method}`, url };
+        }
+      }
+      if (method === "urlopen" && recvLower.includes("urllib")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "urllib.request.urlopen", url };
+        }
+      }
+    }
+    if (language === "javascript" || language === "typescript") {
+      if ((recvLower === "axios" || recvLower.endsWith(".axios")) && (method === "post" || method === "put" || method === "patch" || method === "request")) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: `axios.${method}`, url };
+        }
+      }
+      if (method === "fetch" && receiver === "") {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "fetch", url };
+        }
+      }
+      if (method === "request" && (recvLower === "http" || recvLower.endsWith(".http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.request", url };
+        }
+      }
+    }
+    if (language === "java" && method === "URL" && receiver === "") {
+      const url = literalAt(call, 0);
+      if (!isInsecureHttpUrl(url))
+        return null;
+      const scope = call.in_method ?? null;
+      if (!scope)
+        return null;
+      return null;
+    }
+    if (language === "go") {
+      if (method === "Post" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 0);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 1)) {
+          return { api: "http.Post", url };
+        }
+      }
+      if (method === "NewRequest" && (receiver === "http" || receiver.endsWith("/http"))) {
+        const url = literalAt(call, 1);
+        if (isInsecureHttpUrl(url) && anyArgCarriesCredential(call, 2)) {
+          return { api: "http.NewRequest", url };
+        }
+      }
+    }
+    return null;
+  }
+}
+
 // ../circle-ir/dist/analysis/passes/tls-verify-disabled-pass.js
 var PY_HTTP_METHODS = new Set([
   "get",
@@ -32408,6 +33062,14 @@ async function analyze(code, filePath, language, options = {}) {
       pipeline.add(new WeakCryptoPass);
     if (!disabledPasses.has("weak-random"))
       pipeline.add(new WeakRandomPass);
+    if (!disabledPasses.has("weak-password-hash"))
+      pipeline.add(new WeakPasswordHashPass);
+    if (!disabledPasses.has("weak-password-encoding"))
+      pipeline.add(new WeakPasswordEncodingPass);
+    if (!disabledPasses.has("plaintext-password-storage"))
+      pipeline.add(new PlaintextPasswordStoragePass);
+    if (!disabledPasses.has("cleartext-credential-transport"))
+      pipeline.add(new CleartextCredentialTransportPass);
     if (!disabledPasses.has("tls-verify-disabled"))
       pipeline.add(new TlsVerifyDisabledPass);
     if (!disabledPasses.has("module-side-effect"))
@@ -32615,7 +33277,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.79.0";
+var version = "3.81.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.79.0",
+  "version": "3.81.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.79.0"
+    "circle-ir": "^3.81.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",