cognium-dev 3.85.1 → 3.86.0

package/dist/cli.js

@@ -12112,6 +12112,19 @@ function argIsClassLiteral(call, position) {
     return false;
   return CLASS_LITERAL_RE.test(expr);
 }
+var CWE_78_RECEIVER_ALLOWLIST = new Set([
+  "Runtime",
+  "ProcessBuilder",
+  "Process",
+  "CommandLine",
+  "DefaultExecutor",
+  "Executor",
+  "Exec",
+  "Launcher",
+  "ProcStarter",
+  "ProcessExecutor",
+  "RuntimeUtil"
+]);
 function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
   const sinkMap = new Map;
   for (const call of calls) {
@@ -12132,6 +12145,18 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (pattern.safe_if_class_literal_at !== undefined && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
+        if (pattern.type === "command_injection") {
+          if (call.is_constructor) {
+            if (!CWE_78_RECEIVER_ALLOWLIST.has(call.method_name)) {
+              continue;
+            }
+          } else {
+            const receiverClass = call.receiver_type;
+            if (receiverClass && !CWE_78_RECEIVER_ALLOWLIST.has(receiverClass)) {
+              continue;
+            }
+          }
+        }
         const location = formatCallLocation(call);
         const key = `${location}:${call.location.line}:${pattern.cwe}`;
         const confidence = calculateSinkConfidence(call, pattern);
@@ -29073,6 +29098,20 @@ var CRED_KEYWORD_RE = /\b([A-Za-z_$][\w$]*?(?:password|passwd|secret|api[_-]?key
 var CRED_DYNAMIC_VALUE_RE = /\$\{|process\.env|os\.environ|os\.Getenv|System\.getenv/;
 var CRED_FUNCTION_DECL_RE = /\b(?:function|func|def|fn)\s+\w+\s*\(/;
 var CRED_COMPARISON_RE = /(?:===?|!==?|>=|<=|<>)\s*["'`]/;
+var PROPERTY_KEY_RE = /^[a-z][a-zA-Z0-9_-]*\.[a-zA-Z][a-zA-Z0-9_.-]*$/;
+var PLAIN_IDENTIFIER_RE = /^[a-z][a-zA-Z_]*$/;
+function charClassDiversity(s) {
+  let n = 0;
+  if (/[a-z]/.test(s))
+    n++;
+  if (/[A-Z]/.test(s))
+    n++;
+  if (/[0-9]/.test(s))
+    n++;
+  if (/[^a-zA-Z0-9]/.test(s))
+    n++;
+  return n;
+}
 function isLikelyCredentialAssignment(line) {
   if (CRED_FUNCTION_DECL_RE.test(line))
     return null;
@@ -29091,6 +29130,18 @@ function isLikelyCredentialAssignment(line) {
     return null;
   if (isAllSameChar(value))
     return null;
+  if (value.length < 12)
+    return null;
+  if (shannonEntropy(value) < 3.5)
+    return null;
+  if (charClassDiversity(value) < 2)
+    return null;
+  if (PROPERTY_KEY_RE.test(value))
+    return null;
+  if (PLAIN_IDENTIFIER_RE.test(value))
+    return null;
+  if (/^[0-9]+$/.test(value) && value.length < 16)
+    return null;
   return { name: name2, value };
 }
 var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
@@ -33993,7 +34044,7 @@ var colors = {
 };
 
 // src/version.ts
-var version = "3.85.1";
+var version = "3.86.0";
 
 // src/formatters.ts
 var SINK_SEVERITY = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-dev",
-  "version": "3.85.1",
+  "version": "3.86.0",
   "description": "Static Application Security Testing CLI for detecting security vulnerabilities via taint tracking",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -65,7 +65,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "circle-ir": "^3.85.1"
+    "circle-ir": "^3.86.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",