cognium-dev 3.85.0 → 3.85.1

package/dist/cli.js

@@ -29207,7 +29207,7 @@ function findStringArrayLineRanges(code) {
       let depth = 1;
       let li = i2;
       let col = m.index + m[0].length;
-      let lineBudget = 500;
+      let lineBudget = 100;
       const spanLines = [li + 1];
       let spanText = "";
       while (depth > 0 && li < lines.length && lineBudget > 0) {
@@ -29264,6 +29264,7 @@ function extractEnclosingFieldName(lineText) {
 }
 var TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
 var COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
+var FAST_CANDIDATE_PROBE_RE = /["'`][A-Za-z0-9+/=_-]{32,}["'`]/;
 
 class ScanSecretsPass {
   name = "scan-secrets";
@@ -29284,8 +29285,9 @@ class ScanSecretsPass {
         seen.add(`${f.line}:${f.rule_id}`);
       }
     }
-    const annotationLines = findAnnotationLineRanges(ctx.code);
-    const arrayLines = findStringArrayLineRanges(ctx.code);
+    const hasEntropyCandidate = FAST_CANDIDATE_PROBE_RE.test(ctx.code);
+    const annotationLines = hasEntropyCandidate ? findAnnotationLineRanges(ctx.code) : new Set;
+    const arrayLines = hasEntropyCandidate ? findStringArrayLineRanges(ctx.code) : new Set;
     let providerFindings = 0;
     let entropyFindings = 0;
     for (let i2 = 0;i2 < lines.length; i2++) {
@@ -29345,51 +29347,52 @@ class ScanSecretsPass {
       });
       providerFindings += 1;
     }
-    for (let i2 = 0;i2 < lines.length; i2++) {
-      const lineText = lines[i2];
-      const lineNum = i2 + 1;
-      if (TEST_CALL_RE.test(lineText))
-        continue;
-      if (COMMENT_EXAMPLE_RE.test(lineText))
-        continue;
-      if (annotationLines.has(lineNum))
-        continue;
-      if (arrayLines.has(lineNum))
-        continue;
-      STRING_LITERAL_RE.lastIndex = 0;
-      let match;
-      while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
-        const value = match[2];
-        if (!this.isCandidate(value))
+    if (hasEntropyCandidate)
+      for (let i2 = 0;i2 < lines.length; i2++) {
+        const lineText = lines[i2];
+        const lineNum = i2 + 1;
+        if (TEST_CALL_RE.test(lineText))
           continue;
-        if (value.length < 32)
+        if (COMMENT_EXAMPLE_RE.test(lineText))
           continue;
-        if (!this.passesEntropyGate(value, lineText))
+        if (annotationLines.has(lineNum))
           continue;
-        const key = `${lineNum}:hardcoded-credential-entropy`;
-        if (seen.has(key))
+        if (arrayLines.has(lineNum))
           continue;
-        if (seen.has(`${lineNum}:hardcoded-credential`))
-          continue;
-        seen.add(key);
-        ctx.addFinding({
-          id: `hardcoded-credential-entropy-${file}-${lineNum}`,
-          pass: this.name,
-          category: this.category,
-          rule_id: "hardcoded-credential-entropy",
-          cwe: "CWE-798",
-          severity: "high",
-          level: "warning",
-          message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
-          file,
-          line: lineNum,
-          snippet: lineText.trim().substring(0, 120),
-          fix: "If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: ['scan-secrets']`.",
-          evidence: { kind: "entropy", length: value.length }
-        });
-        entropyFindings += 1;
+        STRING_LITERAL_RE.lastIndex = 0;
+        let match;
+        while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
+          const value = match[2];
+          if (!this.isCandidate(value))
+            continue;
+          if (value.length < 32)
+            continue;
+          if (!this.passesEntropyGate(value, lineText))
+            continue;
+          const key = `${lineNum}:hardcoded-credential-entropy`;
+          if (seen.has(key))
+            continue;
+          if (seen.has(`${lineNum}:hardcoded-credential`))
+            continue;
+          seen.add(key);
+          ctx.addFinding({
+            id: `hardcoded-credential-entropy-${file}-${lineNum}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: "hardcoded-credential-entropy",
+            cwe: "CWE-798",
+            severity: "high",
+            level: "warning",
+            message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
+            file,
+            line: lineNum,
+            snippet: lineText.trim().substring(0, 120),
+            fix: "If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: ['scan-secrets']`.",
+            evidence: { kind: "entropy", length: value.length }
+          });
+          entropyFindings += 1;
+        }
       }
-    }
     return { providerFindings, entropyFindings };
   }
   isCandidate(s) {
@@ -33990,7 +33993,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.85.0";
+var version = "3.85.1";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.85.0",
+  "version": "3.85.1",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.85.0"
+    "circle-ir": "^3.85.1"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",