Merge pull request #19854 from Napalys/js/sinon

JS: Explicitly Mark `Sinon` Package as Non RegExp

Author: Napalys

javascript/ql/lib/change-notes/2025-06-20-sinon.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Calls to `sinon.match()` are no longer incorrectly identified as regular expression operations.

javascript/ql/lib/semmle/javascript/Regexp.qll

@@ -998,6 +998,8 @@ private predicate isUsedAsNonMatchObject(DataFlow::MethodCallNode call) {
     or
     // Result is obviously unused
     call.asExpr() = any(ExprStmt stmt).getExpr()
+    or
+    call = API::moduleImport("sinon").getMember("match").getACall()
   )
 }
 

javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js

@@ -60,4 +60,8 @@
 	/^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname)
 
 	if (s.matchAll("^http://test.example.com")) {} // $ Alert
+
+	const sinon = require('sinon');
+	const megacliteUrl = "https://a.b.com";
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
 });

javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst.js

@@ -0,0 +1,6 @@
+const sinon = require('sinon');
+
+function testFunction() {
+  const megacliteUrl = "https://a.b.com";
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
+}