circle-ir-ai 2.8.10 → 2.8.13

Files changed (2)
  1. package/CHANGELOG.md +89 -0
  2. package/package.json +2 -2
package/CHANGELOG.md CHANGED
@@ -5,6 +5,95 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [2.8.13] - 2026-06-12
9
+
10
+ ### Changed
11
+
12
+ - **Bump `circle-ir` pin `3.37.0` → `3.38.0` (exact).** Ships the
13
+ frame-agnostic cross-file inter-procedural taint propagation landed
14
+ via `cogniumhq/cognium-dev#19`. Same fix simultaneously resolves
15
+ `cogniumhq/cognium-dev#1` (Jenkins `@DataBoundConstructor` field
16
+ binding).
17
+
18
+ Four `CrossFileResolver` changes per maintainer's close-comment:
19
+ - `isMethodTaintSource` / `getSourceType` skip `interprocedural_param`
20
+ so internal helpers with typed parameters no longer ghost-taint
21
+ callers.
22
+ - `findTaintedParams` adds a sink-arg-matching heuristic — for each
23
+ sink inside a method body, scan call args and whole-word-match
24
+ against the method's parameter names → matching indices added to
25
+ `taintedParams`. Restores propagation through sink-wrapper methods
26
+ that lack `@RequestParam`/`@RequestBody`/`@PathVariable` (e.g.
27
+ `RedirectStrategy.sendRedirect(req, res, String url)`).
28
+ - New `findInterproceduralTaintPaths()` — walks each caller method
29
+ in line order, taints DFG `local` defs on `returnsSource`-callee
30
+ returns, emits multi-hop `TaintPath` when a tainted arg reaches a
31
+ callee's `taintedParam`. Confidence decay 0.85/hop, floor 0.30.
32
+ - Variable-connectivity gate on `findCrossFileTaintFlows()` —
33
+ eliminates sanitized-wrapper FPs.
34
+
35
+ Probe-verified in our checkout: the CVE-2011-2732 shape
36
+ (`UrlHandler.determineTargetUrl` → `LoginController.login` →
37
+ `RedirectStrategy.sendRedirect`) emits a 4-hop `taint_path` with
38
+ CWE-601 / open_redirect sink at confidence 0.614. Closes
39
+ `circle-ir-ai#69` (the OAuth approval + security redirect CVE pair).
40
+
41
+ ## [2.8.12] - 2026-06-12
42
+
43
+ ### Changed
44
+
45
+ - **Bump `circle-ir` pin from `3.36.0` → `3.37.0` (exact).** 3.37.0 ships
46
+ the multi-hop Python taint-propagation fix landed via
47
+ `cogniumhq/cognium-dev#20`. Two ~50-LOC surgical changes:
48
+ - `detectExpressionScanFlows` now expands `sourcesWithVar` with synthetic
49
+ source records for every derived variable in `buildPythonTaintedVars`
50
+ (Python-only — gated by `language === 'python'`, no Java regression).
51
+ - `buildPythonTaintedVars` adds a receiver-mutation rule for
52
+ `.append/.extend/.insert/.add/.push/.put/.appendleft(taintedExpr)`,
53
+ composing with existing dict-access propagation.
54
+
55
+ Verified end-to-end against the OWASP BenchmarkPython tail probes that
56
+ previously failed:
57
+
58
+ | Test | Pattern | 3.36.0 | 3.37.0 |
59
+ |------|---------|--------|--------|
60
+ | BenchmarkTest00099 | configparser round-trip → sqli | flows=0 | flows=2 |
61
+ | BenchmarkTest00165 | list append/pop → cmdi | flows=0 | flows=1 |
62
+
63
+ Effect on the regex-co-occurrence harness scoring is roughly neutral
64
+ (TPR +0.9 pp, FPR +0.9 pp, F1 unchanged) — the harness doesn't read
65
+ `taint.flows`, so the engine improvement is only visible via direct
66
+ flow-checking consumers (mastra workflow, downstream LLM verification,
67
+ the flow-first harness migration tracked separately in
68
+ `circle-ir-ai#75`).
69
+
70
+ Cross-module / cross-file helper indirection (shape D in #20) remains
71
+ deferred — requires inter-procedural taint summaries.
72
+
73
+ ## [2.8.11] - 2026-06-12
74
+
75
+ ### Changed
76
+
77
+ - **Pin `circle-ir` to exact version `3.36.0` (was `^3.34.0`).** Drops the
78
+ semver caret to eliminate float-on-publish drift between local installs,
79
+ CI, and consumers. `3.36.0` includes the engine fixes shipped this week:
80
+ - **3.35.0** — `cogniumhq/cognium-dev#17`: 16 new Jenkins Groovy sandbox
81
+ sinks registered to both `DEFAULT_SINKS` array and the YAML config
82
+ loader (`SandboxInterceptor.onMethodCall` etc.) — closes
83
+ `circle-ir-ai#68` (Jenkins script-security CVE-2023-24422 detection).
84
+ - **3.36.0** — `cogniumhq/cognium-dev#18`: Python taint-propagation
85
+ `detectExpressionScanFlows` supplement (language-agnostic word-boundary
86
+ matching of source variables in sink call-argument text). Restores
87
+ `result.taint.flows` population for direct one-hop Python cases across
88
+ all categories (sqli, cmdi, pathtraver, codeinj, deserialization, etc.).
89
+ OWASP BenchmarkPython multi-hop indirection patterns
90
+ (configparser / list / helper-module) remain a separate follow-up —
91
+ `cogniumhq/cognium-dev#20`.
92
+
93
+ Bumps are coordinated: `cognium-ai` (CLI) follows with a matching
94
+ `2.8.11` patch that pins `circle-ir-ai@2.8.11` exact and refreshes
95
+ the transitive `circle-ir` pin.
96
+
8
97
  ## [2.8.10] - 2026-06-11
9
98
 
10
99
  ### Fixed
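Review bot: The 2.8.13 entry gives the multi-hop confidence model (decay 0.85/hop, floor 0.30) but never tells consumers that read `taint.flows` directly, which the 2.8.12 entry names (mastra workflow, downstream LLM verification), that multi-hop `taint_path` records with confidence as low as 0.30 will now be mixed in with one-hop results; add one sentence stating the minimum confidence a multi-hop path can carry and that consumers filtering on confidence should set their threshold accordingly. Also, this CHANGELOG ships inside the published tarball, where bare cross-repo references such as `cogniumhq/cognium-dev#19`, `cogniumhq/cognium-dev#1` and `circle-ir-ai#69` do not resolve; link them as full URLs so a consumer auditing the dependency can reach the upstream discussion.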
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "circle-ir-ai",
3
- "version": "2.8.10",
3
+ "version": "2.8.13",
4
4
  "description": "LLM-enhanced SAST analysis built on circle-ir",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.js",
@@ -94,7 +94,7 @@
94
94
  "dependencies": {
95
95
  "@ax-llm/ax": "^20.0.0",
96
96
  "@mastra/core": "^1.18.0",
97
- "circle-ir": "^3.34.0",
97
+ "circle-ir": "3.38.0",
98
98
  "minimatch": "^10.2.5",
99
99
  "p-queue": "^9.1.0"
100
100
  },
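Review bot: Replacing `"circle-ir": "^3.34.0"` with the exact `"3.38.0"` in `dependencies` of a library (not an application) has a consumer-side cost the CHANGELOG's drift rationale does not mention: any consumer that also depends on `circle-ir` at a different range now gets a second copy installed, and circle-ir patch releases in the 3.38.x line are no longer picked up without a new circle-ir-ai release. Since the 2.8.11 entry says the `cognium-ai` CLI coordinates its own transitive pin, document that contract in the README or in this entry (consumers must track the pinned version), and make sure the dependency-update automation for this repo is configured to open bumps for an exact pin, not only for caret ranges, so upstream engine fixes are not silently missed.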