
Semgrep rules javascript express vm2 misses real vuln. code

Open · OrenGitHub opened this issue 3 months ago · 1 comment

The javascript express vm2 vulnerability scanner (here) misses real vulnerable code. The vulnerable file is here, and it is part of a completely reproducible docker image vulnerable to CVE-2023-37466.

It seems that not all syntactic cases were handled. Here is a minimal PoC that demonstrates the cause:

$ diff original.js slightly_different_syntax.js
2c2
< const { VM } = require('vm2');
---
> const vm = require("vm2");
13c13
<   new VM({ timeout: 40 * 1000, sandbox }).run(code);
---
>   new vm.VM({ timeout: 40 * 1000, sandbox }).run(code);

When I run `semgrep scan`, only the original version is found, although the slightly modified version is vulnerable too ...

$ semgrep --config=rules.yaml # <--- only 1 code finding ...
┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    original.js
    ❯❱ express-vm2-injection
          Make sure that unverified user data can not reach `vm2`.

           13┆ new VM({ timeout: 40 * 1000, sandbox }).run(code);

OrenGitHub avatar Apr 10 '24 07:04 OrenGitHub
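One way a rule author could cover both import styles from the diff above, as an added example written for this page (it is not the upstream `express-vm2-injection` rule, whose exact definition and mode are not shown here): a taint rule whose sinks match the `run()` call whether `VM` was destructured out of `require('vm2')` or reached through a module object such as `vm.VM`. The rule id, the Express source patterns, the `req`/`request` name restriction and the file names in the usage note are assumptions made for this example.

```yaml
rules:
  - id: express-vm2-injection-both-import-styles  # hypothetical id, not the upstream rule's
    languages: [javascript, typescript]
    severity: ERROR
    message: Make sure that unverified user data can not reach `vm2`.
    mode: taint
    # Sources: the usual Express request inputs. Restricting the object name to
    # req/request is an assumption made for this example, not the upstream rule's logic.
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: $REQ.body
              - pattern: $REQ.query
              - pattern: $REQ.params
              - pattern: $REQ.headers
          - metavariable-regex:
              metavariable: $REQ
              regex: ^(req|request)$
    # Sinks: the code string handed to VM.run(), for every import style in the diff.
    pattern-sinks:
      - patterns:
          - pattern-either:
              # const { VM } = require('vm2');   new VM({ ... }).run(code)
              - pattern: new VM(...).run($CODE)
              # const vm = require('vm2');       new vm.VM({ ... }).run(code)
              - patterns:
                  - pattern-inside: |
                      $VM2 = require('vm2')
                      ...
                  - pattern: new $VM2.VM(...).run($CODE)
              # const sandbox = new VM({ ... }); sandbox.run(code)
              - patterns:
                  - pattern-inside: |
                      $INST = new VM(...)
                      ...
                  - pattern: $INST.run($CODE)
              # const sandbox = new vm.VM({ ... }); sandbox.run(code)
              - patterns:
                  - pattern-inside: |
                      $VM2 = require('vm2')
                      ...
                      $INST = new $VM2.VM(...)
                      ...
                  - pattern: $INST.run($CODE)
          # Only the code argument is the sink, so taint in the options object
          # (timeout, sandbox) does not by itself produce a finding.
          - focus-metavariable: $CODE
```

Saved as, say, `vm2-both-imports.yaml`, `semgrep --config=vm2-both-imports.yaml original.js slightly_different_syntax.js` should then report the `run(code)` line in both files from the diff, provided `code` is derived from one of the request sources. The `pattern-inside` on `require('vm2')` keeps the `$VM2.VM` branch from matching unrelated objects that happen to expose a `VM` property.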