npm - circle-ir-ai - Versions diffs - 2.9.0 → 2.10.1 - Mend

circle-ir-ai 2.9.0 → 2.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/CHANGELOG.md +132 -0
package/package.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,138 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.10.1] - 2026-06-16
+### Changed — circle-ir 3.56.0 → 3.57.0
+Drop-in engine bump for upstream Sprint 8. The engine-only changes
+surface as additional / refined `findings[].type` values through the
+same `analyze()` / mastra workflow output — no API breaks, no flag
+additions on this layer.
+**Sprint 8 — Java taint propagation + cross-language precision**
+(cognium-dev #50, #51, #62, #73, #84, #90, #91)
+- **#84 — Java for-each element-taint.** `for (String x : taintedList)`
+  now propagates collection taint to the loop variable, so downstream
+  uses at sinks (`stmt.executeQuery("..." + x + "...")`) fire as
+  expected.
+- **#62 (partial) — Map.put + StringBuilder propagation.**
+  `m.put(k, tainted)` seeds `m` into `tainted` so `m.get(k)` at a
+  sink fires SQLi. `StringBuilder.append(tainted)` and
+  `StringBuffer.insert(off, tainted)` seed the builder into `tainted`
+  so `sb.toString()` at a sink fires.
+- **#51 — Go `filepath` / `path` path-traversal sanitizers.**
+  `filepath.Base`, `filepath.Clean`, `path.Clean`, and
+  `filepath.EvalSymlinks` are now recognized as `path_traversal`
+  sanitizers in `DEFAULT_SANITIZERS`, mirroring the Java
+  `getCanonicalPath` / `Path.toRealPath` treatment.
+- **#50 — `SecurityHeadersPass` global-middleware suppression.**
+  The file-level `missing-x-frame-options` and
+  `missing-csp-frame-ancestors` rules now check for a global header
+  middleware (Express `helmet()`, Spring `SecurityFilterChain`,
+  Flask `Talisman` / `@app.after_request`) before firing. Eliminates
+  per-handler false positives in projects with global header
+  installation.
+- **#73 (part 1) — Bash function-local `$1`/`$2`.**
+  `findBashTaintSources` now tracks brace depth so `$1`–`$9` /
+  `$@` / `$*` inside function bodies are no longer conflated with
+  script-CLI positional sources. Regex-allowlist guard
+  (`[[ $x =~ ^… ]]`) is deferred to Sprint 9.
+- **#90, #91, #49** — codified as regression fixtures from earlier
+  sprints (Fastjson typed-overload `parseObject`, `*Template.render`
+  receiver suppression, path canonicalization + XXE).
+Full upstream notes: `circle-ir` 3.57.0 release notes.
+## [2.10.0] - 2026-06-16
+### Changed — circle-ir 3.52.0 → 3.56.0
+Drop-in engine bump spanning four upstream feature releases. The
+engine-only changes surface as additional `findings[].type` values
+through the same `analyze()` / mastra workflow output — no API
+breaks, no flag additions on this layer.
+**3.53.0** (cognium-dev#52 + #87 partial)
+- **Text4Shell (CVE-2022-42889, CWE-94)** — `StringSubstitutor.replace`
+  now fires both via explicit-ctor and the chained
+  `createInterpolator()` form.
+- **FreeMarker SSTI (CWE-94)** — `new Template(name, new StringReader(taint), cfg)`
+  classified as `code_injection`.
+- **Zip-Slip (CWE-22)** — `ZipEntry.getName` / `ZipArchiveEntry` /
+  `TarArchiveEntry` reclassified from sink → source, eliminating
+  3×-per-vuln noise. Exactly one `path_traversal` finding per real
+  flow.
+- **Java weak-crypto config** — static / zero IV (CWE-329), hardcoded
+  symmetric key (CWE-321), weak RSA key size (CWE-326).
+- **Taint matcher fix** — both `matchesSinkPattern` and
+  `matchesSourcePattern` now consult IR-resolved `receiver_type` /
+  `receiver_type_fqn` before falling back to name heuristic.
+  Unblocks all class-qualified sink/source patterns.
+**3.54.0** (Sprint 5)
+- **`jwt-verify-disabled` (CWE-347, pass #93)** — pure pattern pass
+  for PyJWT `options={"verify_signature": False}`, jsonwebtoken
+  `algorithms: ['none']`, auth0 `Algorithm.none()`, jjwt-0.x unsigned
+  `parse(token)`.
+- **`redos` SinkType (CWE-1333)** — taint flow into regex
+  compile/match primitives (Python `re.*`, Java `Pattern.compile`,
+  JS `new RegExp`, Go `regexp.*`). Severity high (medium for Go —
+  non-backtracking).
+- **`format_string` SinkType (CWE-134)** — taint flow into format
+  primitives (Java `String.format`/`printf`, Go `fmt.*`, Python
+  `ctypes printf`).
+**3.55.0** (Sprint 6 — completes #86 9-category gap analysis)
+- **`crlf` SinkType (CWE-113)** — HTTP response splitting via
+  `setHeader`/`addHeader` (Java/JS/Go). Re-routed from `xss` for
+  header-only sinks. Severity medium.
+- **`mass_assignment` SinkType (CWE-915)** — `Object.assign`,
+  `_.merge`/`_.extend`, jQuery `$.extend`. Severity high.
+- **`csrf-protection-disabled` (CWE-352, pass #94)** — explicit
+  `http.csrf().disable()`, `csrfTokenRepository(null)`,
+  `@csrf_exempt`. Severity critical.
+- **`xml-entity-expansion` (CWE-776, pass #95)** — XXE / billion-laughs
+  via `SAXParserFactory.newInstance()` / `lxml.etree.parse` without
+  defusedxml or DTD-disable flags. Severity high.
+- **`mass-assignment` pattern (CWE-915, pass #96)** — `User(**request.form)`,
+  `{...req.body}`. Complements the taint sink. Severity high.
+- **`canSourceReachSink` coverage matrix** extended for `crlf` and
+  `mass_assignment` — without this, inline source-as-argument flow
+  (`res.setHeader('X-Tag', req.query.t)`) was silently rejected.
+**3.56.0** (#87 — Sprint 7, cross-language `weak-crypto` parity)
+- **Python weak-crypto config** — `modes.ECB()` (CWE-327),
+  `AES.new(b"literal", …)` and `algorithms.AES(b"literal")` (CWE-321),
+  `rsa.generate_private_key(key_size<2048)` (CWE-326).
+- **Go weak-crypto config** — `aes.NewCipher([]byte("literal"))` +
+  `des`/`rc4` siblings (CWE-321), `rsa.GenerateKey(rand.Reader, N)`
+  with `N<2048` (CWE-326).
+- Both languages support a regex-fallback literal-binding scan for
+  the two-line bind-then-use pattern; function parameters / runtime
+  values still ignored (no KMS/Vault FPs).
+- Python plugin emits bytes literals as `b"…"`; the `weak-crypto`
+  pass now prefers `argument.expression` over `argument.literal`
+  for the inline regex (the `literal` field strips the trailing
+  quote).
+### Counts
+Upstream now ships **24 security passes** (was 19) and **8 pattern
+passes** (was 4). Five new `SinkType` values surface through
+`findings[].type`: `crlf`, `mass_assignment`, `redos`, `format_string`,
+plus the existing `code_injection` / `path_traversal` re-routes from
+the Text4Shell / Zip-Slip / FreeMarker fixes. Downstream consumers
+that switch on `SinkType` should pick these up automatically; trust /
+quality / health scoring categories are unaffected.
+Full test suite: **766/766 passing** (3 skipped), no regressions.
 ## [2.9.0] - 2026-06-16
 ### Added — windowed source/sink batch-verification (cognium-ai#86)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.9.0",
+  "version": "2.10.1",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -94,7 +94,7 @@
   "dependencies": {
     "@ax-llm/ax": "^20.0.0",
     "@mastra/core": "^1.18.0",
-    "circle-ir": "3.52.0",
+    "circle-ir": "3.57.0",
     "minimatch": "^10.2.5",
     "p-queue": "^9.1.0"
   },