cognium-dev 3.84.0 → 3.85.1

package/dist/cli.js

@@ -28957,6 +28957,11 @@ var TEST_FILENAME_RE = /(?:\.(?:test|spec)\.[cm]?[jt]sx?|_test\.go|_test\.py|Tes
 function isTestFile(file) {
   return TEST_PATH_RE3.test(file) || TEST_FILENAME_RE.test(file);
 }
+var GENERATED_PATH_RE = /(?:^|[\\/])(?:gen|generated|build[\\/]generated|src[\\/](?:main|test)[\\/]generated|target[\\/]generated-sources|target[\\/]generated-test-sources|node_modules[\\/]\.cache)(?:[\\/]|$)/i;
+var GENERATED_FILENAME_RE = /__[ch]\.java$|\.pb\.go$|_pb2\.py$|\.generated\.[cm]?[jt]sx?$/i;
+function isGeneratedFile(file) {
+  return GENERATED_PATH_RE.test(file) || GENERATED_FILENAME_RE.test(file);
+}
 var PROVIDER_PATTERNS = [
   {
     name: "AWS access key",
@@ -29137,15 +29142,136 @@ function shannonEntropy(s) {
   return h;
 }
 var CREDENTIAL_NAME_RE = /(?:key|secret|token|password|passwd|credential|api[_-]?key)/i;
+function findAnnotationLineRanges(code) {
+  const lines = code.split(`
+`);
+  const inAnnotation = new Set;
+  const OPEN_RE = /(?:@[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*\s*\(|#\[)/g;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    OPEN_RE.lastIndex = 0;
+    let m;
+    while ((m = OPEN_RE.exec(lines[i2])) !== null) {
+      const isRustAttr = m[0].startsWith("#[");
+      const openCh = isRustAttr ? "[" : "(";
+      const closeCh = isRustAttr ? "]" : ")";
+      let depth = 1;
+      let li = i2;
+      let col = m.index + m[0].length;
+      let lineBudget = 200;
+      inAnnotation.add(li + 1);
+      while (depth > 0 && li < lines.length && lineBudget > 0) {
+        const ln = lines[li];
+        let inStr = null;
+        while (col < ln.length && depth > 0) {
+          const ch = ln[col];
+          if (inStr !== null) {
+            if (ch === "\\") {
+              col += 2;
+              continue;
+            }
+            if (ch === inStr)
+              inStr = null;
+          } else if (ch === '"' || ch === "'" || ch === "`") {
+            inStr = ch;
+          } else if (ch === openCh) {
+            depth++;
+          } else if (ch === closeCh) {
+            depth--;
+          }
+          col++;
+        }
+        if (depth > 0) {
+          li++;
+          col = 0;
+          lineBudget--;
+          if (li < lines.length)
+            inAnnotation.add(li + 1);
+        }
+      }
+    }
+  }
+  return inAnnotation;
+}
+function findStringArrayLineRanges(code) {
+  const lines = code.split(`
+`);
+  const inArray = new Set;
+  const OPEN_RE = /=\s*([{\[])/g;
+  const STR_LITERAL_COUNT_RE = /(["'`])(?:\\.|(?!\1).)*\1/g;
+  for (let i2 = 0;i2 < lines.length; i2++) {
+    OPEN_RE.lastIndex = 0;
+    let m;
+    while ((m = OPEN_RE.exec(lines[i2])) !== null) {
+      const openCh = m[1];
+      const closeCh = openCh === "{" ? "}" : "]";
+      let depth = 1;
+      let li = i2;
+      let col = m.index + m[0].length;
+      let lineBudget = 100;
+      const spanLines = [li + 1];
+      let spanText = "";
+      while (depth > 0 && li < lines.length && lineBudget > 0) {
+        const ln = lines[li];
+        let inStr = null;
+        const start2 = col;
+        while (col < ln.length && depth > 0) {
+          const ch = ln[col];
+          if (inStr !== null) {
+            if (ch === "\\") {
+              col += 2;
+              continue;
+            }
+            if (ch === inStr)
+              inStr = null;
+          } else if (ch === '"' || ch === "'" || ch === "`") {
+            inStr = ch;
+          } else if (ch === openCh) {
+            depth++;
+          } else if (ch === closeCh) {
+            depth--;
+          }
+          col++;
+        }
+        spanText += ln.substring(start2, col) + `
+`;
+        if (depth > 0) {
+          li++;
+          col = 0;
+          lineBudget--;
+          if (li < lines.length)
+            spanLines.push(li + 1);
+        }
+      }
+      STR_LITERAL_COUNT_RE.lastIndex = 0;
+      let strCount = 0;
+      while (STR_LITERAL_COUNT_RE.exec(spanText) !== null) {
+        strCount++;
+        if (strCount >= 3)
+          break;
+      }
+      if (strCount >= 3) {
+        for (const ln of spanLines)
+          inArray.add(ln);
+      }
+    }
+  }
+  return inArray;
+}
+var FIELD_ASSIGN_RE = /(?:^|[\s,(])([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]/;
+function extractEnclosingFieldName(lineText) {
+  const m = FIELD_ASSIGN_RE.exec(lineText);
+  return m ? m[1] : null;
+}
 var TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
 var COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
+var FAST_CANDIDATE_PROBE_RE = /["'`][A-Za-z0-9+/=_-]{32,}["'`]/;
 
 class ScanSecretsPass {
   name = "scan-secrets";
   category = "security";
   run(ctx) {
     const file = ctx.graph.ir.meta.file;
-    if (isTestFile(file)) {
+    if (isTestFile(file) || isGeneratedFile(file)) {
       return { providerFindings: 0, entropyFindings: 0 };
     }
     const lines = ctx.code.split(`
@@ -29159,6 +29285,9 @@ class ScanSecretsPass {
         seen.add(`${f.line}:${f.rule_id}`);
       }
     }
+    const hasEntropyCandidate = FAST_CANDIDATE_PROBE_RE.test(ctx.code);
+    const annotationLines = hasEntropyCandidate ? findAnnotationLineRanges(ctx.code) : new Set;
+    const arrayLines = hasEntropyCandidate ? findStringArrayLineRanges(ctx.code) : new Set;
     let providerFindings = 0;
     let entropyFindings = 0;
     for (let i2 = 0;i2 < lines.length; i2++) {
@@ -29218,45 +29347,52 @@ class ScanSecretsPass {
       });
       providerFindings += 1;
     }
-    for (let i2 = 0;i2 < lines.length; i2++) {
-      const lineText = lines[i2];
-      const lineNum = i2 + 1;
-      if (TEST_CALL_RE.test(lineText))
-        continue;
-      if (COMMENT_EXAMPLE_RE.test(lineText))
-        continue;
-      STRING_LITERAL_RE.lastIndex = 0;
-      let match;
-      while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
-        const value = match[2];
-        if (!this.isCandidate(value))
+    if (hasEntropyCandidate)
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const lineText = lines[i2];
+        const lineNum = i2 + 1;
+        if (TEST_CALL_RE.test(lineText))
           continue;
-        if (!this.passesEntropyGate(value, lineText))
+        if (COMMENT_EXAMPLE_RE.test(lineText))
           continue;
-        const key = `${lineNum}:hardcoded-credential-entropy`;
-        if (seen.has(key))
+        if (annotationLines.has(lineNum))
           continue;
-        if (seen.has(`${lineNum}:hardcoded-credential`))
+        if (arrayLines.has(lineNum))
           continue;
-        seen.add(key);
-        ctx.addFinding({
-          id: `hardcoded-credential-entropy-${file}-${lineNum}`,
-          pass: this.name,
-          category: this.category,
-          rule_id: "hardcoded-credential-entropy",
-          cwe: "CWE-798",
-          severity: "high",
-          level: "warning",
-          message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
-          file,
-          line: lineNum,
-          snippet: lineText.trim().substring(0, 120),
-          fix: "If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: ['scan-secrets']`.",
-          evidence: { kind: "entropy", length: value.length }
-        });
-        entropyFindings += 1;
+        STRING_LITERAL_RE.lastIndex = 0;
+        let match;
+        while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
+          const value = match[2];
+          if (!this.isCandidate(value))
+            continue;
+          if (value.length < 32)
+            continue;
+          if (!this.passesEntropyGate(value, lineText))
+            continue;
+          const key = `${lineNum}:hardcoded-credential-entropy`;
+          if (seen.has(key))
+            continue;
+          if (seen.has(`${lineNum}:hardcoded-credential`))
+            continue;
+          seen.add(key);
+          ctx.addFinding({
+            id: `hardcoded-credential-entropy-${file}-${lineNum}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: "hardcoded-credential-entropy",
+            cwe: "CWE-798",
+            severity: "high",
+            level: "warning",
+            message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
+            file,
+            line: lineNum,
+            snippet: lineText.trim().substring(0, 120),
+            fix: "If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: ['scan-secrets']`.",
+            evidence: { kind: "entropy", length: value.length }
+          });
+          entropyFindings += 1;
+        }
       }
-    }
     return { providerFindings, entropyFindings };
   }
   isCandidate(s) {
@@ -29277,11 +29413,12 @@ class ScanSecretsPass {
     return true;
   }
   passesEntropyGate(value, lineText) {
+    const fieldName = extractEnclosingFieldName(lineText);
+    if (fieldName === null || !CREDENTIAL_NAME_RE.test(fieldName))
+      return false;
     const isHex = HEXISH_RE.test(value);
-    const boost = CREDENTIAL_NAME_RE.test(lineText) ? 0.2 : 0;
-    const threshold = isHex ? 3.5 - boost : 4.3 - boost;
-    const h = shannonEntropy(value);
-    return h >= threshold;
+    const threshold = isHex ? 3.3 : 4.1;
+    return shannonEntropy(value) >= threshold;
   }
 }
 
@@ -33856,7 +33993,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.84.0";
+var version = "3.85.1";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.84.0",
+  "version": "3.85.1",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.84.0"
+    "circle-ir": "^3.85.1"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",