circle-ir-ai 2.12.4 → 2.12.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,83 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [2.12.5] - 2026-06-19
|
|
9
|
+
|
|
10
|
+
### Dependencies
|
|
11
|
+
|
|
12
|
+
- Bump `circle-ir` `3.75.0` → `3.82.0` (picks up the jwt-verify-disabled
|
|
13
|
+
regex fix landed in 3.77.0 — eliminated all 12 jwt-verify FPs in the
|
|
14
|
+
top-10 Java OSS harness re-run, -67% on top-10 criticals overall).
|
|
15
|
+
|
|
16
|
+
### Fixed — LLM verifier rubber-stamping assertion utilities as exploitable sinks (cognium-ai#109)
|
|
17
|
+
|
|
18
|
+
Top-10 Java OSS harness re-run on `circle-ir@3.80.0` (3.77.0 jwt-verify
|
|
19
|
+
fix landed; -67% on top-10 criticals) surfaced a second class of
|
|
20
|
+
LLM-layer FPs that the static `circle-ir` layer can't catch: the LLM
|
|
21
|
+
verifier (`openai/gpt-4o-mini` via OpenRouter) was returning
|
|
22
|
+
`llm_verified: true, llm_confidence: 0.8` on obvious no-op sinks.
|
|
23
|
+
|
|
24
|
+
Evidence — three findings on `chinabugotech/hutool`, all from one
|
|
25
|
+
file (`hutool-db/.../DialectRunner.java`):
|
|
26
|
+
|
|
27
|
+
1. `Assert.notNull(query, "[query] is null !")` flagged as critical
|
|
28
|
+
sql_injection. Definite FP — pure guard utility, no SQL semantics.
|
|
29
|
+
2. `SqlExecutor.queryAndClosePs(dialect.psForFind(conn, query), rsh)`
|
|
30
|
+
flagged as sql_injection from a library-API method parameter.
|
|
31
|
+
3. Same as 2 for `psForPage`.
|
|
32
|
+
|
|
33
|
+
All three returned `llm_confidence: 0.8` — the identical confidence
|
|
34
|
+
value across three independent prompts is a calibration smell that
|
|
35
|
+
the verifier has a "plausible-sounding default" instead of reading
|
|
36
|
+
the sink line. Same pattern seen on `baomidou/mybatis-plus` (ranks
|
|
37
|
+
11-20 harness): 9 critical sql_injection flagged in
|
|
38
|
+
`MybatisPlusInterceptor.java` framework lifecycle hooks
|
|
39
|
+
(`willDoQuery`, `beforeQuery`, `createCacheKey`, `beforePrepare`).
|
|
40
|
+
|
|
41
|
+
**This release ships fix #1 — sink-shape post-filter for assertion
|
|
42
|
+
utilities.** Drops the candidate before the LLM verifier ever sees
|
|
43
|
+
it; faster, free, and not subject to verifier hallucination.
|
|
44
|
+
|
|
45
|
+
`src/security-scan/sink-filters.ts` — added a `#109` block to
|
|
46
|
+
`NON_SINK_PATTERNS` covering:
|
|
47
|
+
|
|
48
|
+
- Spring `org.springframework.util.Assert.*` — `notNull`, `isTrue`,
|
|
49
|
+
`hasText`, `notEmpty`, `state`, etc.
|
|
50
|
+
- hutool `cn.hutool.core.lang.Assert.*` (same method surface as Spring)
|
|
51
|
+
- Guava `Preconditions.*` (`checkArgument`, `checkNotNull`,
|
|
52
|
+
`checkState`) and `Verify.*` (`verify`, `verifyNotNull`)
|
|
53
|
+
- `java.util.Objects` guard methods (`requireNonNull` family +
|
|
54
|
+
`checkIndex` family — but NOT `Objects.toString` / `hash` / `equals`
|
|
55
|
+
which can be legitimate sinks in template / log contexts)
|
|
56
|
+
- Apache Commons Lang `Validate.*` (`notNull`, `isTrue`, `notBlank`,
|
|
57
|
+
`matchesPattern`)
|
|
58
|
+
|
|
59
|
+
Method names are enumerated explicitly (not `\.\w+\(`) to avoid
|
|
60
|
+
over-suppressing user classes that happen to be named `Validate` /
|
|
61
|
+
`Verify` with unrelated APIs.
|
|
62
|
+
|
|
63
|
+
Applies the suppression across every taint-flow CWE
|
|
64
|
+
(`sql_injection`, `command_injection`, `code_injection`,
|
|
65
|
+
`deserialization`, `xss`, `path_traversal`, `nosql_injection`,
|
|
66
|
+
`ssrf`, `ldap_injection`, `xpath_injection`, `open_redirect`,
|
|
67
|
+
`template_injection`) — implemented by extending the
|
|
68
|
+
`NonSinkPattern.sinkType` field to accept `string | readonly
|
|
69
|
+
string[]` so one regex covers all sink types without 12× duplication.
|
|
70
|
+
|
|
71
|
+
`isKnownNonSink()` now dispatches via `Array.isArray()`. Public
|
|
72
|
+
API unchanged; only the internal pattern table type widened.
|
|
73
|
+
|
|
74
|
+
Validated by 8 new vitest cases in `tests/sink-filters.test.ts`
|
|
75
|
+
(`describe('isKnownNonSink — #109 …')`) — full suite 805 pass +
|
|
76
|
+
3 skipped + typecheck + build clean.
|
|
77
|
+
|
|
78
|
+
Three follow-up fixes from the issue body deferred (tracked in
|
|
79
|
+
cognium-ai#109): (a) sink-name allowlist baked into the verifier
|
|
80
|
+
prompt, (b) library-API source detection (downgrade
|
|
81
|
+
critical → high when source is a public method parameter on an
|
|
82
|
+
infrastructure repo with no entry point), (c) verifier confidence
|
|
83
|
+
calibration audit (`0.8` rubber-stamp).
|
|
84
|
+
|
|
8
85
|
## [2.12.4] - 2026-06-19
|
|
9
86
|
|
|
10
87
|
### Dependencies
|
|
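Review bot: the figures this entry cites as evidence were measured on a different circle-ir than the one being shipped: the harness re-run is described as `circle-ir@3.80.0` (and the jwt-verify line as the 3.77.0 fix) while the Dependencies bullet bumps to `3.82.0`. Either re-run the top-10 Java OSS harness on 3.82.0 and quote those numbers, or state that the -67% / 12-FP figures predate the bump. Second, the receiver list reads as fully-qualified classes (`org.springframework.util.Assert.*`, `cn.hutool.core.lang.Assert.*`, `java.util.Objects`), but the patterns match on the bare simple names `Assert` / `Preconditions` / `Verify` / `Objects` / `Validate` with no import resolution, so the "enumerate method names to avoid over-suppressing user classes" caveat only helps against classes with a different method surface; a project-local `Assert.isTrue(...)` with unrelated semantics is still dropped. Worth one sentence here saying the filter is simple-name based.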
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sink-filters.d.ts","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAwBH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAW1E;AA6BD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAK9E;
|
|
1
|
+
{"version":3,"file":"sink-filters.d.ts","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAwBH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAW1E;AA6BD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAK9E;AAuMD,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAC/B,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAClC,OAAO,CAUT;AAsBD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAClC,OAAO,CAGT;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACnC,OAAO,CAMT"}
|
|
@@ -95,6 +95,25 @@ export function isRequireOrImportSink(code) {
|
|
|
95
95
|
return false;
|
|
96
96
|
return REQUIRE_OR_IMPORT_RE.test(trimmed);
|
|
97
97
|
}
|
|
98
|
+
/**
|
|
99
|
+
* Sink types where assertion utilities can be mistaken for the sink.
|
|
100
|
+
* Used by the #109 patterns below. Covers every taint-flow CWE the
|
|
101
|
+
* LLM verifier was observed to rubber-stamp on hutool / mybatis-plus.
|
|
102
|
+
*/
|
|
103
|
+
const ASSERTION_SINK_TYPES = [
|
|
104
|
+
'sql_injection',
|
|
105
|
+
'command_injection',
|
|
106
|
+
'code_injection',
|
|
107
|
+
'deserialization',
|
|
108
|
+
'xss',
|
|
109
|
+
'path_traversal',
|
|
110
|
+
'nosql_injection',
|
|
111
|
+
'ssrf',
|
|
112
|
+
'ldap_injection',
|
|
113
|
+
'xpath_injection',
|
|
114
|
+
'open_redirect',
|
|
115
|
+
'template_injection',
|
|
116
|
+
];
|
|
98
117
|
const NON_SINK_PATTERNS = [
|
|
99
118
|
// #52 — code_injection
|
|
100
119
|
{ pattern: /\bproxyaddr\s*\.\s*compile\b/, sinkType: 'code_injection', ref: '#52' },
|
|
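Review bot: the doc comment on `ASSERTION_SINK_TYPES` says the list "covers every taint-flow CWE the LLM verifier was observed to rubber-stamp on hutool / mybatis-plus", but the only observations recorded for this fix are `sql_injection` findings (three in `DialectRunner.java`, nine in `MybatisPlusInterceptor.java`); the other eleven entries are a deliberate generalization, not observed cases. Reword along the lines of `Every taint-flow sink type; applied broadly because a guard call cannot be a sink for any of them` so a later reader does not go looking for xss / ssrf evidence that does not exist. It would also help to say whether this list is meant to mirror a sink-type enum elsewhere in the package, since nothing keeps the two in sync when a sink type is added.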
@@ -148,6 +167,54 @@ const NON_SINK_PATTERNS = [
|
|
|
148
167
|
// conventional lowercase `method.invoke(...)` (j.l.r.Method instance)
|
|
149
168
|
// and the uppercase static-reference form.
|
|
150
169
|
{ pattern: /\b[Mm]ethod\s*\.\s*invoke\s*\(/, sinkType: 'code_injection', ref: '#93' },
|
|
170
|
+
// #109 — assertion utilities rubber-stamped by LLM verifier
|
|
171
|
+
// Evidence: hutool DialectRunner.java line 241
|
|
172
|
+
// `Assert.notNull(query, "[query] is null !");`
|
|
173
|
+
// flagged as critical sql_injection with llm_verified: true,
|
|
174
|
+
// llm_confidence: 0.8 by gpt-4o-mini. The LLM saw a method named
|
|
175
|
+
// `find` with a `query` arg + a nearby `SqlExecutor` call and gave a
|
|
176
|
+
// default-plausible answer without reading the actual sink line.
|
|
177
|
+
// These methods are pure guard / null-check / state-check utilities
|
|
178
|
+
// — they cannot interpret SQL, OS shell, JSON, regex, paths, or
|
|
179
|
+
// templates. Static layer drops them before the LLM verifier ever
|
|
180
|
+
// sees the candidate. (cognium-ai#109)
|
|
181
|
+
//
|
|
182
|
+
// Receivers covered:
|
|
183
|
+
// - Spring `org.springframework.util.Assert`
|
|
184
|
+
// - hutool `cn.hutool.core.lang.Assert` (same surface as Spring)
|
|
185
|
+
// - Guava `com.google.common.base.Preconditions` / `Verify`
|
|
186
|
+
// - java.util.Objects guard methods (NOT `Objects.hash` / `equals`
|
|
187
|
+
// / `toString` — those can be real sinks in template / log
|
|
188
|
+
// contexts; only the `requireNonNull`-family is suppressed)
|
|
189
|
+
// - Apache Commons `org.apache.commons.lang3.Validate`
|
|
190
|
+
//
|
|
191
|
+
// Method names are enumerated explicitly (not `\.\w+\(`) to avoid
|
|
192
|
+
// over-suppressing user classes named `Validate` / `Verify` that
|
|
193
|
+
// happen to expose unrelated APIs.
|
|
194
|
+
// Spring Assert + hutool Assert (identical method surface).
|
|
195
|
+
{
|
|
196
|
+
pattern: /\bAssert\s*\.\s*(?:notNull|isNull|isTrue|isFalse|hasText|hasLength|notEmpty|isAssignable|isInstanceOf|state|doesNotContain|noNullElements)\s*\(/,
|
|
197
|
+
sinkType: ASSERTION_SINK_TYPES,
|
|
198
|
+
ref: '#109',
|
|
199
|
+
},
|
|
200
|
+
// Guava Preconditions + Verify.
|
|
201
|
+
{
|
|
202
|
+
pattern: /\b(?:Preconditions|Verify)\s*\.\s*(?:checkArgument|checkNotNull|checkState|checkPositionIndex|checkPositionIndexes|checkElementIndex|verify|verifyNotNull)\s*\(/,
|
|
203
|
+
sinkType: ASSERTION_SINK_TYPES,
|
|
204
|
+
ref: '#109',
|
|
205
|
+
},
|
|
206
|
+
// java.util.Objects guard methods (requireNonNull family + index checks).
|
|
207
|
+
{
|
|
208
|
+
pattern: /\bObjects\s*\.\s*(?:requireNonNull|requireNonNullElse|requireNonNullElseGet|checkIndex|checkFromIndexSize|checkFromToIndex)\s*\(/,
|
|
209
|
+
sinkType: ASSERTION_SINK_TYPES,
|
|
210
|
+
ref: '#109',
|
|
211
|
+
},
|
|
212
|
+
// Apache Commons Lang Validate.
|
|
213
|
+
{
|
|
214
|
+
pattern: /\bValidate\s*\.\s*(?:notNull|isTrue|notEmpty|notBlank|inclusiveBetween|exclusiveBetween|matchesPattern|validIndex|noNullElements)\s*\(/,
|
|
215
|
+
sinkType: ASSERTION_SINK_TYPES,
|
|
216
|
+
ref: '#109',
|
|
217
|
+
},
|
|
151
218
|
];
|
|
152
219
|
export function isKnownNonSink(code, sinkType) {
|
|
153
220
|
if (!code || !sinkType)
|
|
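Review bot: the four `#109` patterns are unanchored and `isKnownNonSink` runs them against the whole trimmed line, so a line that contains a real sink plus a value-returning guard is discarded outright. `requireNonNull`, `requireNonNullElse`, `requireNonNullElseGet`, `checkNotNull` and `verifyNotNull` all return their argument and are routinely used inline, e.g. `stmt.execute(Objects.requireNonNull(sql));` or `rt.exec(Preconditions.checkNotNull(cmd));`: both match the new patterns and are suppressed for every type in `ASSERTION_SINK_TYPES`, which converts a verifier false positive into a static-layer false negative. The block comment's claim that these methods "cannot interpret SQL, OS shell, JSON, regex, paths, or templates" is true of the guard but not of the statement it sits inside. Suggest anchoring the statement-style guards at the start of the line (`/^Assert\s*\.\s*(?:notNull|...)\s*\(/`) and, for the value-returning ones, only suppressing when the guard is the outermost call on the line, with a negative vitest case for the inline form. Two smaller items: `Verify.verify(` is the most generic receiver/method pair in the table, so the enumerate-method-names defence does nothing for it, and the Commons Lang pattern omits `validState`, `isInstanceOf` and `isAssignableFrom`, which are guards of the same kind.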
@@ -155,7 +222,12 @@ export function isKnownNonSink(code, sinkType) {
|
|
|
155
222
|
const trimmed = code.trim();
|
|
156
223
|
if (!trimmed)
|
|
157
224
|
return false;
|
|
158
|
-
return NON_SINK_PATTERNS.some((p) =>
|
|
225
|
+
return NON_SINK_PATTERNS.some((p) => {
|
|
226
|
+
const matchesType = Array.isArray(p.sinkType)
|
|
227
|
+
? p.sinkType.includes(sinkType)
|
|
228
|
+
: p.sinkType === sinkType;
|
|
229
|
+
return matchesType && p.pattern.test(trimmed);
|
|
230
|
+
});
|
|
159
231
|
}
|
|
160
232
|
// ---------------------------------------------------------------------------
|
|
161
233
|
// Fix 4 — nosql_injection on browser-side JS/HTML (#94)
|
|
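Review bot: the rewritten `some()` callback still collapses the match to a boolean, so when a candidate is dropped nothing records which pattern or `ref` did it; every entry carries a `ref` (`#52`, `#93`, `#109`) precisely so suppressions can be traced, and the deferred confidence-calibration audit will need that trail. Keep the boolean `isKnownNonSink` for API stability, but factor the loop into a sibling that returns the matching entry (or its `ref`) so the scan can log it or attach it to the suppressed finding. Minor: with `sinkType` widened to `string | readonly string[]`, a misspelled sink-type string in a pattern is not caught anywhere and the pattern simply never fires; if the package has a sink-type union, narrow the field to it.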
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sink-filters.js","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,eAAe,GAAG,2BAA2B,CAAC;AACpD,6EAA6E;AAC7E,uEAAuE;AACvE,kEAAkE;AAClE,MAAM,cAAc,GAAG,OAAO,CAAC;AAE/B,MAAM,UAAU,iBAAiB,CAAC,IAA+B;IAC/D,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,yDAAyD;IACzD,IAAI,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,+CAA+C;IAC/C,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,sDAAsD;IACtD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,oBAAoB,GACxB,mEAAmE,CAAC;AAEtE,MAAM,UAAU,qBAAqB,CAAC,IAA+B;IACnE,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC;
|
|
1
|
+
{"version":3,"file":"sink-filters.js","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,eAAe,GAAG,2BAA2B,CAAC;AACpD,6EAA6E;AAC7E,uEAAuE;AACvE,kEAAkE;AAClE,MAAM,cAAc,GAAG,OAAO,CAAC;AAE/B,MAAM,UAAU,iBAAiB,CAAC,IAA+B;IAC/D,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,yDAAyD;IACzD,IAAI,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,+CAA+C;IAC/C,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,sDAAsD;IACtD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,oBAAoB,GACxB,mEAAmE,CAAC;AAEtE,MAAM,UAAU,qBAAqB,CAAC,IAA+B;IACnE,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC;AAkED;;;;GAIG;AACH,MAAM,oBAAoB,GAAG;IAC3B,eAAe;IACf,mBAAmB;IACnB,gBAAgB;IAChB,iBAAiB;IACjB,KAAK;IACL,gBAAgB;IAChB,iBAAiB;IACjB,MAAM;IACN,gBAAgB;IAChB,iBAAiB;IACjB,eAAe;IACf,oBAAoB;CACZ,CAAC;AAEX,MAAM,iBAAiB,GAAqB;IAC1C,uBAAuB;IACvB,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnF,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAE7F,mEAAmE;IACnE,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACzF,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnG,EAAE,OAAO,EAAE,4CAA4C,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACpG,8DAA8D;IAC9D,sEAAsE;IACtE,4DAA4D;IAC5D,mEAAmE;IACnE,EAAE,OAAO,EAAE,+DAA+D,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IAEvH,4DAA4D;IAC5D,+DAA+D;IAC/D,sEAAsE;IACtE,4DAA4D;IAC5D,gEAAgE;IAChE,2CAA2C;IAC3C,oEAAoE;IACpE,yDAAyD;IACzD,qDAAqD;IACrD;QACE,OAAO,EAAE,+FAA+F;QACxG,QAAQ,EAA
E,eAAe;QACzB,GAAG,EAAE,KAAK;KACX;IAED,sDAAsD;IACtD,mEAAmE;IACnE,sEAAsE;IACtE,EAAE,OAAO,EAAE,qDAAqD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC3G,2EAA2E;IAC3E,uDAAuD;IACvD,EAAE,OAAO,EAAE,kDAAkD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IACxG,qCAAqC;IACrC,EAAE,OAAO,EAAE,oDAAoD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC1G,0DAA0D;IAC1D,EAAE,OAAO,EAAE,6CAA6C,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnG,4CAA4C;IAC5C,EAAE,OAAO,EAAE,uDAAuD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAE7G,8DAA8D;IAC9D,oEAAoE;IACpE,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC5F,8DAA8D;IAC9D,sEAAsE;IACtE,kDAAkD;IAClD,EAAE,OAAO,EAAE,uDAAuD,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC5G,8EAA8E;IAC9E,EAAE,OAAO,EAAE,qDAAqD,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC1G,6DAA6D;IAC7D,sEAAsE;IACtE,2CAA2C;IAC3C,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAErF,4DAA4D;IAC5D,+CAA+C;IAC/C,kDAAkD;IAClD,6DAA6D;IAC7D,iEAAiE;IACjE,qEAAqE;IACrE,iEAAiE;IACjE,oEAAoE;IACpE,gEAAgE;IAChE,kEAAkE;IAClE,uCAAuC;IACvC,EAAE;IACF,qBAAqB;IACrB,+CAA+C;IAC/C,mEAAmE;IACnE,8DAA8D;IAC9D,qEAAqE;IACrE,+DAA+D;IAC/D,gEAAgE;IAChE,yDAAyD;IACzD,EAAE;IACF,kEAAkE;IAClE,iEAAiE;IACjE,mCAAmC;IAEnC,4DAA4D;IAC5D;QACE,OAAO,EACL,iJAAiJ;QACnJ,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;IACD,gCAAgC;IAChC;QACE,OAAO,EACL,iKAAiK;QACnK,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;IACD,0EAA0E;IAC1E;QACE,OAAO,EACL,kIAAkI;QACpI,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;IACD,gCAAgC;IAChC;QACE,OAAO,EACL,wIAAwI;QAC1I,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;CACF,CAAC;AAEF,MAAM,UAAU,cAAc,CAC5B,IAA+B,EAC/B,QAAmC;IAEnC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;YAC3C,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/B,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,C
AAC;QAC5B,OAAO,WAAW,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAElF,SAAS,aAAa,CAAC,IAA+B;IACpD,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACvB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,QAAmC,EACnC,QAAmC;IAEnC,IAAI,QAAQ,KAAK,iBAAiB;QAAE,OAAO,KAAK,CAAC;IACjD,OAAO,eAAe,CAAC,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAmC,EACnC,QAAmC,EACnC,QAAoC;IAEpC,IAAI,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,IAAI,qBAAqB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,KAAK,CAAC;AACf,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir-ai",
|
|
3
|
-
"version": "2.12.
|
|
3
|
+
"version": "2.12.5",
|
|
4
4
|
"description": "LLM-enhanced SAST analysis built on circle-ir",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|
|
@@ -95,7 +95,7 @@
|
|
|
95
95
|
"dependencies": {
|
|
96
96
|
"@ax-llm/ax": "^20.0.0",
|
|
97
97
|
"@mastra/core": "^1.18.0",
|
|
98
|
-
"circle-ir": "3.
|
|
98
|
+
"circle-ir": "3.82.0",
|
|
99
99
|
"minimatch": "^10.2.5",
|
|
100
100
|
"p-queue": "^9.1.0"
|
|
101
101
|
},
|