circle-ir-ai 2.8.22 → 2.8.24

package/CHANGELOG.md

@@ -5,6 +5,111 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.8.24] - 2026-06-16
+
+### Changed — bump `circle-ir` 3.50.0 → 3.52.0
+
+Two upstream feature releases combined:
+
+**3.51.0** (cognium-dev#88.1 + circle-ir#88.3) — JSX/CJS + Go
+text/template XSS:
+
+- `.jsx` and `.cjs` routed to the existing `javascript` plugin in the
+  CLI language map (cognium-dev#88.1). React JSX components and
+  CommonJS modules are no longer silently skipped.
+- Go `text/template` is now modeled as an `xss` / CWE-79 / high sink
+  (circle-ir#88.3). `text/template` does NOT HTML-escape interpolated
+  values (only `html/template` does), so
+  `Template.Execute(w, taintedData)` and
+  `Template.ExecuteTemplate(w, name, taintedData)` produce reflected
+  XSS. Two follow-on plumbing fixes ship alongside: Go-template
+  chained-call factory recognition in `taint-matcher.ts` (matches
+  `.Must|.New|.Parse|.ParseFiles|.ParseGlob|.ParseFS|.Clone|.Funcs|
+  .Option|.Lookup|.Delims(...)`) and `tmpl` variable-name → `Template`
+  class mapping. JSX/TSX partial-parse fix (#88.2) is deferred — needs
+  a `tree-sitter-tsx.wasm` grammar.
+
+**3.52.0** (cognium-dev#60) — **four new analysis passes** for
+config/absence vulnerability patterns. These categories were
+previously registered as `weak_random` / `weak_hash` / `weak_crypto` /
+`insecure_cookie` taint sinks but could never fire because the bad
+value is a hard-coded constant, not a tainted flow:
+
+- **`weak-hash`** (cognium-dev#17, CWE-328) — MD2/MD4/MD5/SHA-1 via
+  Java `MessageDigest.getInstance` / Apache Commons `DigestUtils`,
+  Python `hashlib.{md5,sha1,new("md5",…)}`, JS `crypto.createHash` /
+  `createHmac`, Go `crypto/md5` + `crypto/sha1`.
+- **`weak-crypto`** (cognium-dev#18, CWE-327) — DES / 3DES / RC2 /
+  RC4 / Blowfish / IDEA / SEED / CAST5 + ECB mode (incl. Java AES
+  default = ECB) via `Cipher.getInstance`, pycryptodome `*.new` /
+  `AES.MODE_ECB`, `cryptography.hazmat algorithms.*`,
+  `crypto.createCipher` (deprecated) / `createCipheriv("…-ecb")`,
+  Go `des.NewCipher` / `rc4.NewCipher`.
+- **`weak-random`** (cognium-dev#16, CWE-330) — non-CSPRNG:
+  Java `new Random()` / `Math.random` / `ThreadLocalRandom`,
+  Python `random.*`, JS `Math.random`, Go `math/rand` (import-aware
+  to suppress crypto/rand FPs when `crypto/rand` aliases the bare
+  `rand` symbol).
+- **`tls-verify-disabled`** (cognium-dev#92, **new**, CWE-295) — Go
+  `tls.Config{InsecureSkipVerify: true}` (source-text scan; composite
+  literals are not IR calls), Python
+  `requests/httpx(verify=False)` + `ssl._create_unverified_context`
+  + module override, JS `rejectUnauthorized: false` +
+  `NODE_TLS_REJECT_UNAUTHORIZED='0'`, Java
+  `setHostnameVerifier((h,s)->true)` /
+  `NoopHostnameVerifier.INSTANCE`.
+
+`insecure-cookie` (cognium-dev#19) is also extended to Python and
+Java: Flask/Django/Starlette `response.set_cookie(...)` without
+`secure=True`/`httponly=True`, and `new javax.servlet.http.Cookie(...)`
+files without `.setSecure(true)` + `.setHttpOnly(true)`.
+
+Each new pass is disable-able via `disabledPasses: ['weak-hash',
+'weak-crypto', 'weak-random', 'tls-verify-disabled']`. Upstream test
+suite: 2243 passing (was 2186), 1 skipped. Aligned with gosec
+G401/G402/G404/G405, Bandit B303/B304/B305/B311/B501, OWASP Benchmark
+hash/crypto/weakrand categories.
+
+No circle-ir-ai source change — dep-only bump to surface the upstream
+detection lift on famous-benchmark gap categories
+(weak-crypto/hash/random + TLS-verify-disabled) and Go template XSS.
+
+## [2.8.23] - 2026-06-16
+
+### Changed — bump `circle-ir` 3.49.0 → 3.50.0
+
+Recall improvement for inline-source taint patterns. circle-ir#83
+(subsumes #76) closes the cross-language false-negative class where
+a taint source used inline as a call/concat argument was not
+tracked — previously only an intermediate variable recovered the
+flow:
+
+- **Java**: `Runtime.getRuntime().exec("echo " + req.getParameter("u"))`
+  and `Runtime.getRuntime().exec(req.getParameter("u"))`
+- **JavaScript/TypeScript**: `eval(req.query.x)`,
+  `vm.runInThisContext(req.cookies.c)`,
+  `child_process.exec(req.body.cmd)`
+- **Python**: `os.system("echo " + request.args.get("u"))` plus
+  for-loop iterable patterns: `for p in request.args.getlist("p"):
+  os.system(p)` (closes the original cognium-dev#76)
+
+Four upstream fixes combined: an inline-source colocation pass in
+`taint-propagation-pass.ts`, Python for-loop iterable derivation
+with virtual `http_param` anchor, loosened empty-source early
+returns in `taint-propagation-pass.ts` / `interprocedural-pass.ts`,
+and `canSourceReachSink` matrix expansion for JS RCE shapes
+(`code_injection` valid sink for `http_param` / `http_query` /
+`http_header` / `http_cookie`).
+
+Expected impact: lifts the dominant recall gap on OWASP
+BenchmarkPython, OWASP Benchmark Java with bare-arg variants, and
+the JS `eval(req.query.x)` shape. Should be visible on
+CWE-Bench-Java cmdi/code-injection runs as well.
+
+No circle-ir-ai source change — dep-only bump to surface the
+upstream recall fix to cognium-ai / circle-pack / mcp-server
+consumers.
+
 ## [2.8.22] - 2026-06-16
 
 ### Changed — bump `circle-ir` 3.48.0 → 3.49.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.8.22",
+  "version": "2.8.24",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -94,7 +94,7 @@
   "dependencies": {
     "@ax-llm/ax": "^20.0.0",
     "@mastra/core": "^1.18.0",
-    "circle-ir": "3.49.0",
+    "circle-ir": "3.52.0",
     "minimatch": "^10.2.5",
     "p-queue": "^9.1.0"
   },