False negative in the expat-xxe detection rule

[9iang22]

Describe the bug
This is about an FN in the expat-xxe rule

If we use import to import the expat module, the rule will miss the case.

For example.

import * as expat from 'node-expat';

function test(input) {
    const parser = new expat.Parser();
    parser.parse(input);
}

Priority
How important is this to you?

• P0: blocking me from making progress
• P1: this will block me in the near future
• P2: annoying but not blocking me