CdxPass improvements for JS (#119)

prabhu · web-flow · commit add037f03a18 · 2025-06-26T12:17:52.000+01:00
* Update packages Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Update eclipse cdt plugin Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Update eclipse cdt plugin Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Improve Cdx JS tagging. Fixes #117 Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Track proto assign and no-proto for js Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Track http-client and http-endpoint for js Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
diff --git a/build.sbt b/build.sbt
@@ -1,6 +1,6 @@
 name                     := "chen"
 ThisBuild / organization := "io.appthreat"
-ThisBuild / version      := "2.4.2"
+ThisBuild / version      := "2.4.3"
 ThisBuild / scalaVersion := "3.6.2"
 
 val cpgVersion = "1.0.1"
diff --git a/codemeta.json b/codemeta.json
@@ -7,7 +7,7 @@
   "downloadUrl": "https://github.com/AppThreat/chen",
   "issueTracker": "https://github.com/AppThreat/chen/issues",
   "name": "chen",
-  "version": "2.4.2",
+  "version": "2.4.3",
   "description": "Code Hierarchy Exploration Net (chen) is an advanced exploration toolkit for your application source code and its dependency hierarchy.",
   "applicationCategory": "code-analysis",
   "keywords": [
diff --git a/meta.yaml b/meta.yaml
@@ -1,4 +1,4 @@
-{% set version = "2.4.2" %}
+{% set version = "2.4.3" %}
 
 package:
   name: chen
diff --git a/platform/frontends/c2cpg/build.sbt b/platform/frontends/c2cpg/build.sbt
@@ -4,8 +4,8 @@ dependsOn(Projects.semanticcpg, Projects.dataflowengineoss % Test, Projects.x2cp
 
 libraryDependencies ++= Seq(
   "org.scala-lang.modules" %% "scala-parallel-collections" % Versions.scalaParallel,
-  "org.eclipse.platform"    % "org.eclipse.equinox.common"       % "3.20.0",
-  "org.eclipse.platform"    % "org.eclipse.core.resources"       % "3.22.100" excludeAll(
+  "org.eclipse.platform"    % "org.eclipse.equinox.common"       % "3.20.100",
+  "org.eclipse.platform"    % "org.eclipse.core.resources"       % "3.22.200" excludeAll(
     ExclusionRule(organization = "com.ibm.icu", name = "icu4j"),
     ExclusionRule(organization = "org.eclipse.platform", name = "org.eclipse.jface"),
     ExclusionRule(organization = "org.eclipse.platform", name = "org.eclipse.jface.text")
diff --git a/platform/frontends/c2cpg/lib/README.md b/platform/frontends/c2cpg/lib/README.md
@@ -1,3 +1,3 @@
 org.eclipse.cdt jars were downloaded from
 
-https://download.eclipse.org/tools/cdt/releases/12.0/cdt-12.0.0/plugins/
+https://download.eclipse.org/tools/cdt/releases/12.1/cdt-12.1.0/plugins/
diff --git a/platform/frontends/c2cpg/lib/org.eclipse.cdt.core_9.1.0.202505200054.jar b/platform/frontends/c2cpg/lib/org.eclipse.cdt.core_9.1.0.202505200054.jar
diff --git a/platform/frontends/c2cpg/lib/org.eclipse.cdt.core_9.1.0.202505200054.jar.ABOUT b/platform/frontends/c2cpg/lib/org.eclipse.cdt.core_9.1.0.202505200054.jar.ABOUT
@@ -0,0 +1,13 @@
+about_resource: org.eclipse.cdt.core_9.1.0.202505200054.jar
+name: Eclipse CDT Core
+version: 9.1.0.202505200054
+homepage_url: http://eclipse.org/cdt
+download_url: https://www.eclipse.org/downloads/download.php?file=/tools/cdt/releases/12.1/cdt-12.1.0/plugins/org.eclipse.cdt.core_9.1.0.202505200054.jar
+license_expression: EPL-2.0
+licenses:
+    -   key: EPL-2.0
+        name: Eclipse Public License 2.0
+        file: LICENSE
+        url: https://github.com/eclipse-cdt/cdt/blob/main/LICENSE
+        spdx_license_key: EPL-2.0
+copyright: Copyright (c) The Eclipse Foundation.
diff --git a/platform/frontends/c2cpg/lib/org.eclipse.cdt.core_9.1.0.202505200054.jar.sha512 b/platform/frontends/c2cpg/lib/org.eclipse.cdt.core_9.1.0.202505200054.jar.sha512
@@ -0,0 +1 @@
+f690b0ceb11465e23b8112e70a60d4263144bb8efe7e6f6a2119ce46ec1e94f7c7451919c348ed819a47dbb919fc4c881aa4c11cd0b7b2dba7d33f0baedd88c4  org.eclipse.cdt.core_9.1.0.202505200054.jar
diff --git a/platform/frontends/jssrc2cpg/build.sbt b/platform/frontends/jssrc2cpg/build.sbt
@@ -11,7 +11,7 @@ libraryDependencies ++= Seq(
   "io.appthreat"              %% "cpg2" % Versions.cpg,
   "com.lihaoyi"               %% "upickle"           % Versions.upickle,
   "com.typesafe"               % "config"            % "1.4.3",
-  "com.michaelpollmeier"       % "versionsort"       % "1.0.13",
+  "com.michaelpollmeier"       % "versionsort"       % "1.0.17",
   "org.scalatest"             %% "scalatest"         % Versions.scalatest % Test
 )
 
diff --git a/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala b/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala
@@ -120,22 +120,17 @@ class CdxPass(atom: Cpg) extends CpgPass(atom):
                     if language == Languages.JAVA || language == Languages.JAVASRC then
                       bpkg = bpkg.split("\\.").take(PKG_NS_SIZE).mkString(".").concat(
                         ".*"
-                      )
-                      bpkg =
-                          bpkg.replace(File.separator, Pattern.quote(File.separator))
+                      ).replace(File.separator, Pattern.quote(File.separator))
                     if language == Languages.JSSRC || language == Languages.JAVASCRIPT
                     then
-                      bpkg = s".*${bpkg}.*"
-                      bpkg =
-                          bpkg.replace(File.separator, Pattern.quote(File.separator))
+                      bpkg = bpkg.replace(File.separator, Pattern.quote(File.separator))
                     if language == Languages.PYTHON || language == Languages.PYTHONSRC
                     then bpkg = toPyModuleForm(bpkg)
                     if language == Languages.RUBYSRC
                     then bpkg = toRubyModuleForm(bpkg)
                     if language == Languages.PHP
                     then
-                      bpkg = bpkg.replaceAll("""\\""", """\\\\""")
-                      bpkg = s"""$bpkg.*"""
+                      bpkg = bpkg.replace("\\", "\\\\").concat(".*")
                     if bpkg.nonEmpty && !donePkgs.contains(bpkg) then
                       donePkgs.put(bpkg, true)
                       // Ruby
@@ -240,15 +235,44 @@ class CdxPass(atom: Cpg) extends CpgPass(atom):
                         )
                         if language == Languages.JSSRC || language == Languages.JAVASCRIPT
                         then
-                          atom.call.code(bpkg).argument.newTagNode(
+                          atom.method.name(bpkg).external.newTagNode(
                             compPurl
                           ).store()(dstGraph)
-                          atom.identifier.code(bpkg).newTagNode(compPurl).store()(
-                            dstGraph
-                          )
-                          atom.identifier.code(bpkg).inCall.newTagNode(
+                          atom.method.name(bpkg).external.parameter.newTagNode(
                             compPurl
                           ).store()(dstGraph)
+                          atom.method.name(bpkg).external.callIn(NoResolve).argument.newTagNode(
+                            compPurl
+                          ).store()(dstGraph)
+                          if bpkg.contains(File.separator) then
+                            val segments   = bpkg.split(Pattern.quote(File.separator))
+                            val truncated  = segments.take(2).mkString(File.separator)
+                            val re_variant = s".*${truncated}.*"
+                            atom.method.fullName(re_variant).external.newTagNode(
+                              compPurl
+                            ).store()(dstGraph)
+                            atom.method.fullName(re_variant).external.parameter.newTagNode(
+                              compPurl
+                            ).store()(dstGraph)
+                            atom.method.fullName(re_variant).external.callIn(NoResolve).argument.newTagNode(
+                              compPurl
+                            ).store()(dstGraph)
+                            if compType != "library" then
+                              atom.method.fullName(re_variant).external.parameter.newTagNode(
+                                compType
+                              ).store()(dstGraph)
+                              atom.method.fullName(re_variant).external.callIn(NoResolve).argument.newTagNode(
+                                compType
+                              ).store()(dstGraph)
+                          end if
+                          if compType != "library" then
+                            atom.method.name(bpkg).external.parameter.newTagNode(
+                              compType
+                            ).store()(dstGraph)
+                            atom.method.name(bpkg).external.callIn(NoResolve).argument.newTagNode(
+                              compType
+                            ).store()(dstGraph)
+                        end if
                         if language == Languages.PYTHON || language == Languages.PYTHONSRC
                         then
                           atom.call.where(
@@ -285,17 +309,6 @@ class CdxPass(atom: Cpg) extends CpgPass(atom):
                           atom.method.fullName(bpkg).newTagNode(compType).store()(
                             dstGraph
                           )
-                          if language == Languages.JSSRC || language == Languages.JAVASCRIPT
-                          then
-                            atom.call.code(bpkg).argument.newTagNode(
-                              compType
-                            ).store()(dstGraph)
-                            atom.identifier.code(bpkg).newTagNode(
-                              compType
-                            ).store()(dstGraph)
-                            atom.identifier.code(bpkg).inCall.newTagNode(
-                              compType
-                            ).store()(dstGraph)
                           if language == Languages.PYTHON || language == Languages.PYTHONSRC
                           then
                             atom.call.where(
diff --git a/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/EasyTagsPass.scala b/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/EasyTagsPass.scala
@@ -74,6 +74,73 @@ class EasyTagsPass(atom: Cpg) extends CpgPass(atom):
     )
     atom.method.internal.name(".*(authori).*").newTagNode("authorization").store()(dstGraph)
     if language == Languages.JSSRC || language == Languages.JAVASCRIPT then
+      // proto risks
+      atom.method.name("create").external.callIn(NoResolve).argumentIndex(1).codeExact(
+        "Object.create(null)"
+      ).newTagNode(
+        "no-proto"
+      ).store()(
+        dstGraph
+      )
+      Seq(
+        "Object.assign",
+        "Object.defineProperty",
+        "Object.defineProperties",
+        "Object.setPrototypeOf",
+        "Reflect.defineProperty",
+        "Reflect.setPrototypeOf",
+        "Reflect.set"
+      ).foreach { ptypes =>
+          atom.call.filter(_.dynamicTypeHintFullName.contains(ptypes)).newTagNode(
+            "proto-assign"
+          ).store()(
+            dstGraph
+          )
+      }
+      // http client calls
+      Seq(
+        "got",
+        "axios",
+        "undici",
+        "ky",
+        "node-fetch",
+        "cross-fetch",
+        "superagent",
+        "needle",
+        "isomorphic-fetch",
+        "unfetch",
+        "wretch",
+        "request",
+        "cacheable-lookup",
+        "cacheable-request",
+        "http2-wrapper",
+        "responselike"
+      ).foreach { httpclientPkg =>
+        atom.tag.name(s"pkg:npm/${httpclientPkg}@.*").method.callIn(NoResolve).newTagNode(
+          "http-client"
+        ).store()(
+          dstGraph
+        )
+        atom.tag.name(s"pkg:npm/${httpclientPkg}@.*").method.callIn(NoResolve).argument.isIdentifier
+            .typeFullName(s"${httpclientPkg}.*").newTagNode(
+              "http-client"
+            ).store()(
+              dstGraph
+            )
+        atom.tag.name(s"pkg:npm/${httpclientPkg}@.*").method.callIn(NoResolve).argument.isLiteral.newTagNode(
+          "http-endpoint"
+        ).store()(
+          dstGraph
+        )
+        atom.tag.name(s"pkg:npm/${httpclientPkg}@.*").method.callIn(NoResolve).argument.isIdentifier
+            .typeFullNameExact(
+              "__ecma.String"
+            ).filter((i) => i.name == i.name.toUpperCase()).newTagNode(
+              "http-endpoint"
+            ).store()(
+              dstGraph
+            )
+      }
       // Tag cli source
       atom.method.internal.fullName("(index|app).(js|jsx|ts|tsx)::program").newTagNode(
         "cli-source"
diff --git a/project/Versions.scala b/project/Versions.scala
@@ -7,14 +7,14 @@ object Versions {
   val cats          = "3.6.0"
   val json4s        = "4.0.7"
   val gradleTooling = "8.10.1"
-  val circe         = "0.14.13"
+  val circe         = "0.14.14"
   val requests      = "0.9.0"
-  val upickle       = "4.1.0"
+  val upickle       = "4.2.1"
   val scalaReplPP   = "0.1.85"
   val commonsCompress = "1.27.1"
   val jRuby           = "9.4.9.0"
   val typeSafeConfig  = "1.4.3"
-  val versionSort     = "1.0.13"
+  val versionSort     = "1.0.17"
   val scalaParallel   = "1.2.0"
   val ZeroturnaroundVersion = "1.17"
 
diff --git a/project/meta-build.sbt b/project/meta-build.sbt
@@ -1,6 +1,6 @@
 libraryDependencies ++= Seq(
   "com.typesafe"          % "config"       % "1.4.3",
-  "com.michaelpollmeier"  % "versionsort"  % "1.0.13",
+  "com.michaelpollmeier"  % "versionsort"  % "1.0.17",
   "net.lingala.zip4j"     % "zip4j"        % "2.11.5",
   "com.github.pathikrit" %% "better-files" % "3.9.2",
   "net.java.dev.javacc"   % "javacc"       % "7.0.13",
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "appthreat-chen"
-version = "2.4.2"
+version = "2.4.3"
 description = "Code Hierarchy Exploration Net (chen)"
 authors = ["Team AppThreat <cloud@appthreat.com>"]
 license = "Apache-2.0"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{% set version = "2.4.2" %}`
	`1`	`+{% set version = "2.4.3" %}`
`2`	`2`
`3`	`3`	`package:`
`4`	`4`	`name: chen`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`org.eclipse.cdt jars were downloaded from`
`2`	`2`
`3`		`-https://download.eclipse.org/tools/cdt/releases/12.0/cdt-12.0.0/plugins/`
	`3`	`+https://download.eclipse.org/tools/cdt/releases/12.1/cdt-12.1.0/plugins/`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+f690b0ceb11465e23b8112e70a60d4263144bb8efe7e6f6a2119ce46ec1e94f7c7451919c348ed819a47dbb919fc4c881aa4c11cd0b7b2dba7d33f0baedd88c4 org.eclipse.cdt.core_9.1.0.202505200054.jar`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ libraryDependencies ++= Seq(`
`11`	`11`	`"io.appthreat" %% "cpg2" % Versions.cpg,`
`12`	`12`	`"com.lihaoyi" %% "upickle" % Versions.upickle,`
`13`	`13`	`"com.typesafe" % "config" % "1.4.3",`
`14`		`- "com.michaelpollmeier" % "versionsort" % "1.0.13",`
	`14`	`+ "com.michaelpollmeier" % "versionsort" % "1.0.17",`
`15`	`15`	`"org.scalatest" %% "scalatest" % Versions.scalatest % Test`
`16`	`16`	`)`
`17`	`17`