circle-ir-ai 2.8.23 → 2.8.24
- package/CHANGELOG.md +69 -0
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,75 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [2.8.24] - 2026-06-16
|
|
9
|
+
|
|
10
|
+
### Changed — bump `circle-ir` 3.50.0 → 3.52.0
|
|
11
|
+
|
|
12
|
+
Two upstream feature releases combined:
|
|
13
|
+
|
|
14
|
+
**3.51.0** (cognium-dev#88.1 + circle-ir#88.3) — JSX/CJS + Go
|
|
15
|
+
text/template XSS:
|
|
16
|
+
|
|
17
|
+
- `.jsx` and `.cjs` routed to the existing `javascript` plugin in the
|
|
18
|
+
CLI language map (cognium-dev#88.1). React JSX components and
|
|
19
|
+
CommonJS modules are no longer silently skipped.
|
|
20
|
+
- Go `text/template` is now modeled as an `xss` / CWE-79 / high sink
|
|
21
|
+
(circle-ir#88.3). `text/template` does NOT HTML-escape interpolated
|
|
22
|
+
values (only `html/template` does), so
|
|
23
|
+
`Template.Execute(w, taintedData)` and
|
|
24
|
+
`Template.ExecuteTemplate(w, name, taintedData)` produce reflected
|
|
25
|
+
XSS. Two follow-on plumbing fixes ship alongside: Go-template
|
|
26
|
+
chained-call factory recognition in `taint-matcher.ts` (matches
|
|
27
|
+
`.Must|.New|.Parse|.ParseFiles|.ParseGlob|.ParseFS|.Clone|.Funcs|
|
|
28
|
+
.Option|.Lookup|.Delims(...)`) and `tmpl` variable-name → `Template`
|
|
29
|
+
class mapping. JSX/TSX partial-parse fix (#88.2) is deferred — needs
|
|
30
|
+
a `tree-sitter-tsx.wasm` grammar.
|
|
31
|
+
|
|
32
|
+
**3.52.0** (cognium-dev#60) — **four new analysis passes** for
|
|
33
|
+
config/absence vulnerability patterns. These categories were
|
|
34
|
+
previously registered as `weak_random` / `weak_hash` / `weak_crypto` /
|
|
35
|
+
`insecure_cookie` taint sinks but could never fire because the bad
|
|
36
|
+
value is a hard-coded constant, not a tainted flow:
|
|
37
|
+
|
|
38
|
+
- **`weak-hash`** (cognium-dev#17, CWE-328) — MD2/MD4/MD5/SHA-1 via
|
|
39
|
+
Java `MessageDigest.getInstance` / Apache Commons `DigestUtils`,
|
|
40
|
+
Python `hashlib.{md5,sha1,new("md5",…)}`, JS `crypto.createHash` /
|
|
41
|
+
`createHmac`, Go `crypto/md5` + `crypto/sha1`.
|
|
42
|
+
- **`weak-crypto`** (cognium-dev#18, CWE-327) — DES / 3DES / RC2 /
|
|
43
|
+
RC4 / Blowfish / IDEA / SEED / CAST5 + ECB mode (incl. Java AES
|
|
44
|
+
default = ECB) via `Cipher.getInstance`, pycryptodome `*.new` /
|
|
45
|
+
`AES.MODE_ECB`, `cryptography.hazmat algorithms.*`,
|
|
46
|
+
`crypto.createCipher` (deprecated) / `createCipheriv("…-ecb")`,
|
|
47
|
+
Go `des.NewCipher` / `rc4.NewCipher`.
|
|
48
|
+
- **`weak-random`** (cognium-dev#16, CWE-330) — non-CSPRNG:
|
|
49
|
+
Java `new Random()` / `Math.random` / `ThreadLocalRandom`,
|
|
50
|
+
Python `random.*`, JS `Math.random`, Go `math/rand` (import-aware
|
|
51
|
+
to suppress crypto/rand FPs when `crypto/rand` aliases the bare
|
|
52
|
+
`rand` symbol).
|
|
53
|
+
- **`tls-verify-disabled`** (cognium-dev#92, **new**, CWE-295) — Go
|
|
54
|
+
`tls.Config{InsecureSkipVerify: true}` (source-text scan; composite
|
|
55
|
+
literals are not IR calls), Python
|
|
56
|
+
`requests/httpx(verify=False)` + `ssl._create_unverified_context`
|
|
57
|
+
+ module override, JS `rejectUnauthorized: false` +
|
|
58
|
+
`NODE_TLS_REJECT_UNAUTHORIZED='0'`, Java
|
|
59
|
+
`setHostnameVerifier((h,s)->true)` /
|
|
60
|
+
`NoopHostnameVerifier.INSTANCE`.
|
|
61
|
+
|
|
62
|
+
`insecure-cookie` (cognium-dev#19) is also extended to Python and
|
|
63
|
+
Java: Flask/Django/Starlette `response.set_cookie(...)` without
|
|
64
|
+
`secure=True`/`httponly=True`, and `new javax.servlet.http.Cookie(...)`
|
|
65
|
+
files without `.setSecure(true)` + `.setHttpOnly(true)`.
|
|
66
|
+
|
|
67
|
+
Each new pass is disable-able via `disabledPasses: ['weak-hash',
|
|
68
|
+
'weak-crypto', 'weak-random', 'tls-verify-disabled']`. Upstream test
|
|
69
|
+
suite: 2243 passing (was 2186), 1 skipped. Aligned with gosec
|
|
70
|
+
G401/G402/G404/G405, Bandit B303/B304/B305/B311/B501, OWASP Benchmark
|
|
71
|
+
hash/crypto/weakrand categories.
|
|
72
|
+
|
|
73
|
+
No circle-ir-ai source change — dep-only bump to surface the upstream
|
|
74
|
+
detection lift on famous-benchmark gap categories
|
|
75
|
+
(weak-crypto/hash/random + TLS-verify-disabled) and Go template XSS.
|
|
76
|
+
|
|
8
77
|
## [2.8.23] - 2026-06-16
|
|
9
78
|
|
|
10
79
|
### Changed — bump `circle-ir` 3.49.0 → 3.50.0
|
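Review bot: the 3.51.0 entry says `.jsx` and `.cjs` are routed to the existing `javascript` plugin and "no longer silently skipped", but later in the same entry the JSX/TSX partial-parse fix (#88.2) is deferred pending a `tree-sitter-tsx.wasm` grammar; the entry should state what a user actually gets for a `.jsx` file in the meantime (full parse, partial parse that stops at JSX syntax, or a parse failure), since the first sentence otherwise reads as full coverage. Two smaller points: "`new javax.servlet.http.Cookie(...)` files without `.setSecure(true)`" looks like a typo for "calls", and the `disabledPasses: ['weak-hash', 'weak-crypto', 'weak-random', 'tls-verify-disabled']` list names the four new passes but not the extended `insecure-cookie` pass, so say whether that one can be disabled the same way.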
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir-ai",
|
|
3
|
-
"version": "2.8.
|
|
3
|
+
"version": "2.8.24",
|
|
4
4
|
"description": "LLM-enhanced SAST analysis built on circle-ir",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|
|
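Review bot: the version line moves 2.8.23 to 2.8.24, a patch bump, while the only change is taking `circle-ir` from 3.50.0 to 3.52.0, which the CHANGELOG in this same diff describes as two upstream feature releases adding four new analysis passes and new finding categories (weak-hash, weak-crypto, weak-random, tls-verify-disabled). For consumers who pin this package and diff SAST output between runs, new finding categories are a visible behaviour change; consider whether a minor bump signals that better, or state in the changelog that output-affecting upstream bumps are shipped as patch releases by policy.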
@@ -94,7 +94,7 @@
|
|
|
94
94
|
"dependencies": {
|
|
95
95
|
"@ax-llm/ax": "^20.0.0",
|
|
96
96
|
"@mastra/core": "^1.18.0",
|
|
97
|
-
"circle-ir": "3.
|
|
97
|
+
"circle-ir": "3.52.0",
|
|
98
98
|
"minimatch": "^10.2.5",
|
|
99
99
|
"p-queue": "^9.1.0"
|
|
100
100
|
},
|
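Review bot: `circle-ir` stays pinned to an exact version (`"circle-ir": "3.52.0"`) while the neighbouring dependencies use caret ranges; an exact pin is the right choice for a dependency whose minor releases change detection output, but this diff touches only `package/CHANGELOG.md` and `package/package.json`, so no lockfile update accompanies the bump. If the repository commits a lockfile, make sure it records 3.52.0 as well; otherwise document that the exact pin is the intended supply-chain control and that the `^` ranges on the other dependencies are deliberate.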