npm - circle-ir-ai - Versions diffs - 2.8.13 → 2.8.14 - Mend

circle-ir-ai 2.8.13 → 2.8.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/CHANGELOG.md +50 -0
package/package.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,56 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.8.14] - 2026-06-12
+### Dependencies
+- **`circle-ir`** `3.38.0` → `3.39.0` **(exact pin)**. Headline:
+  **cross-instance field-binding taint propagation** — `FieldTaintInfo`
+  summaries now record constructor-bound fields, setter writers, and
+  `@Autowired` / `@Inject` annotated fields. `findFieldBindingTaintPaths()`
+  detects local variable assignments from field reads (e.g.
+  `local = receiver.field`) and marks the local as tainted when the
+  receiver's type owns a tainted field. Also: **caller-body sink
+  emission** — after marking caller-side locals as tainted via wrapper
+  returns, the engine checks whether any sink in the caller's own
+  method body consumes the tainted variable, surfacing cases where the
+  final sink (`Paths.get(p)`, `Runtime.exec(cmd)`) lives in the
+  caller's file rather than a cross-file callee. Test suite expanded
+  1935 → 1939 (4 new Jenkins/Spring DI fixtures).
+- All 643 circle-ir-ai tests (+ 3 skipped) pass against `3.39.0` —
+  no API surface changes, drop-in upgrade.
+## [Unreleased]
+### Fixed
+- **`benchmarks/runners/run-cwe-bench-java.ts`** — restore missing
+  `findFileRecursive` import from `../lib/find-file.js` (regression
+  introduced when `findFile`/`findFileRecursive` were extracted to
+  `benchmarks/lib/find-file.ts` per #66; only `findFile` was added to
+  the import, leaving the runner crashing at line 550 when it tried to
+  locate AntiSamy/ESAPI/Spring-Security config files for cross-file
+  context). Benchmark now runs end-to-end on CWE-Bench-Java with
+  `--llm-discovery`. Doc-only fix; no version bump (benchmarks/ is not
+  in the published `files` array).
+### Benchmarks
+- **CWE-Bench-Java refresh on circle-ir@3.38.0** with `gemma3:12b` via
+  OpenRouter (`google/gemma-3-12b-it`) — **100/120 strict (83.3%)**,
+  100/111 engine-evaluable (90.1%), 1/80 LLM failures (1.3%). **+6
+  CVEs over the 2026-06-09 Ollama 3.37.0 baseline** (94/120, 78.3%),
+  driven primarily by 3.38.0's frame-agnostic cross-file
+  inter-procedural taint walker (cognium-dev#19). gemma3:12b now ranks
+  #2 overall, within 4 CVEs of `claude-opus-latest` (104/120). Per-CWE:
+  CWE-022 85.5% (flat) · CWE-078 **92.3% (+23pp)** · CWE-079 **83.9%
+  (+6.5pp)** · CWE-094 **71.4% (+4.7pp)**. Wall-clock ~17 min (vs ~94
+  min local Ollama — ~5.5× speed-up from no GPU contention). Log:
+  `benchmarks/results/cwe-java-gemma3-12b-openrouter-2026-06-12.log`.
+  One transient HTTP error on OpenRouter (no retry-on-5xx in
+  `ax-client.ts` — filed as a follow-up).
 ## [2.8.13] - 2026-06-12
 ### Changed

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.8.13",
+  "version": "2.8.14",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -94,7 +94,7 @@
   "dependencies": {
     "@ax-llm/ax": "^20.0.0",
     "@mastra/core": "^1.18.0",
-    "circle-ir": "3.38.0",
+    "circle-ir": "3.39.0",
     "minimatch": "^10.2.5",
     "p-queue": "^9.1.0"
   },