circle-ir-ai 2.8.22 → 2.8.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +36 -0
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,42 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [2.8.23] - 2026-06-16
|
|
9
|
+
|
|
10
|
+
### Changed — bump `circle-ir` 3.49.0 → 3.50.0
|
|
11
|
+
|
|
12
|
+
Recall improvement for inline-source taint patterns. circle-ir#83
|
|
13
|
+
(subsumes #76) closes the cross-language false-negative class where
|
|
14
|
+
a taint source used inline as a call/concat argument was not
|
|
15
|
+
tracked — previously only an intermediate variable recovered the
|
|
16
|
+
flow:
|
|
17
|
+
|
|
18
|
+
- **Java**: `Runtime.getRuntime().exec("echo " + req.getParameter("u"))`
|
|
19
|
+
and `Runtime.getRuntime().exec(req.getParameter("u"))`
|
|
20
|
+
- **JavaScript/TypeScript**: `eval(req.query.x)`,
|
|
21
|
+
`vm.runInThisContext(req.cookies.c)`,
|
|
22
|
+
`child_process.exec(req.body.cmd)`
|
|
23
|
+
- **Python**: `os.system("echo " + request.args.get("u"))` plus
|
|
24
|
+
for-loop iterable patterns: `for p in request.args.getlist("p"):
|
|
25
|
+
os.system(p)` (closes the original cognium-dev#76)
|
|
26
|
+
|
|
27
|
+
Four upstream fixes combined: an inline-source colocation pass in
|
|
28
|
+
`taint-propagation-pass.ts`, Python for-loop iterable derivation
|
|
29
|
+
with virtual `http_param` anchor, loosened empty-source early
|
|
30
|
+
returns in `taint-propagation-pass.ts` / `interprocedural-pass.ts`,
|
|
31
|
+
and `canSourceReachSink` matrix expansion for JS RCE shapes
|
|
32
|
+
(`code_injection` valid sink for `http_param` / `http_query` /
|
|
33
|
+
`http_header` / `http_cookie`).
|
|
34
|
+
|
|
35
|
+
Expected impact: lifts the dominant recall gap on OWASP
|
|
36
|
+
BenchmarkPython, OWASP Benchmark Java with bare-arg variants, and
|
|
37
|
+
the JS `eval(req.query.x)` shape. Should be visible on
|
|
38
|
+
CWE-Bench-Java cmdi/code-injection runs as well.
|
|
39
|
+
|
|
40
|
+
No circle-ir-ai source change — dep-only bump to surface the
|
|
41
|
+
upstream recall fix to cognium-ai / circle-pack / mcp-server
|
|
42
|
+
consumers.
|
|
43
|
+
|
|
8
44
|
## [2.8.22] - 2026-06-16
|
|
9
45
|
|
|
10
46
|
### Changed — bump `circle-ir` 3.48.0 → 3.49.0
|
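Review bot: the "Expected impact" paragraph presents the recall gain on OWASP BenchmarkPython, OWASP Benchmark Java and CWE-Bench-Java as an expectation ("Expected impact: lifts the dominant recall gap", "Should be visible on CWE-Bench-Java cmdi/code-injection runs as well") without any before/after numbers; either add the measured recall delta from the 3.49.0 vs 3.50.0 benchmark runs or state plainly that it was not measured at release time, otherwise a changelog reader will take it as a result. Two smaller points in the same entry: the issue references `circle-ir#83`, `(subsumes #76)` and `cognium-dev#76` span two repositories, so the bare `#76` is ambiguous until the Python bullet resolves it; write `cognium-dev#76` in both places or link them. And since the `canSourceReachSink` expansion makes `code_injection` a valid sink for `http_param` / `http_query` / `http_header` / `http_cookie`, consumers who diff scan output across versions will get new findings from a patch release; one sentence saying so, and whether precision on the same benchmarks was checked alongside recall, would help them triage.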
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir-ai",
|
|
3
|
-
"version": "2.8.
|
|
3
|
+
"version": "2.8.23",
|
|
4
4
|
"description": "LLM-enhanced SAST analysis built on circle-ir",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|
|
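Review bot: the patch-level bump to `"version": "2.8.23"` is the correct SemVer level given the changelog's "dep-only bump" statement, since nothing in this package's own API changes; note only that the removed line is truncated in this rendering (`"version": "2.8.`), so the prior version is confirmed here by the changelog header `## [2.8.22] - 2026-06-16` rather than by the hunk itself.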
@@ -94,7 +94,7 @@
|
|
|
94
94
|
"dependencies": {
|
|
95
95
|
"@ax-llm/ax": "^20.0.0",
|
|
96
96
|
"@mastra/core": "^1.18.0",
|
|
97
|
-
"circle-ir": "3.
|
|
97
|
+
"circle-ir": "3.50.0",
|
|
98
98
|
"minimatch": "^10.2.5",
|
|
99
99
|
"p-queue": "^9.1.0"
|
|
100
100
|
},
|
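Review bot: `circle-ir` stays exact-pinned (`"circle-ir": "3.50.0"`) while the neighbouring dependencies (`"@ax-llm/ax": "^20.0.0"`, `"@mastra/core": "^1.18.0"`, `minimatch`, `p-queue`) use caret ranges; keep it that way and do not normalise to `^3.50.0`, because a circle-ir minor release changes taint-analysis output (this very release exists to surface one), so an install must resolve to exactly the analyzer version the changelog entry describes. As with the version hunk, the removed line is cut off here (`"circle-ir": "3.`), so the 3.49.0 starting point comes from the changelog heading, not from the diff.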