circle-ir 3.1.0

package/dist/analysis/advisory-db.js

@@ -0,0 +1,104 @@
+/**
+ * RustSec Advisory Database Integration
+ *
+ * Provides vulnerability data from the RustSec advisory database.
+ * Advisory data is bundled at build time for offline/deterministic usage.
+ */
+/**
+ * Bundled advisory database (loaded lazily)
+ */
+let bundledDb = null;
+/**
+ * Load the bundled advisory database
+ */
+export function loadBundledAdvisories() {
+    if (bundledDb) {
+        return bundledDb;
+    }
+    // Try to load bundled advisories
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const json = require('../../advisory-db.json');
+        bundledDb = parseAdvisoryJson(json);
+        return bundledDb;
+    }
+    catch {
+        // Return empty database if bundled data not available
+        return {
+            advisories: new Map(),
+            lastUpdated: new Date().toISOString(),
+            source: 'bundled',
+            version: '1.0',
+            stats: { totalAdvisories: 0, uniqueCrates: 0 },
+        };
+    }
+}
+/**
+ * Parse advisory JSON into database structure
+ */
+export function parseAdvisoryJson(json) {
+    const advisories = new Map();
+    for (const advisory of json.advisories) {
+        const existing = advisories.get(advisory.package) || [];
+        existing.push(advisory);
+        advisories.set(advisory.package, existing);
+    }
+    return {
+        advisories,
+        lastUpdated: json.lastUpdated,
+        source: 'bundled',
+        version: json.version,
+        stats: {
+            totalAdvisories: json.advisories.length,
+            uniqueCrates: advisories.size,
+        },
+    };
+}
+/**
+ * Map RustSec categories to severity levels
+ */
+export function categoryToSeverity(categories) {
+    const categorySet = new Set(categories);
+    // Critical: code execution, privilege escalation
+    if (categorySet.has('code-execution') ||
+        categorySet.has('privilege-escalation')) {
+        return 'critical';
+    }
+    // High: memory safety, denial of service
+    if (categorySet.has('memory-safety') || categorySet.has('denial-of-service')) {
+        return 'high';
+    }
+    // Medium: crypto issues, information disclosure
+    if (categorySet.has('crypto-failure') ||
+        categorySet.has('information-disclosure')) {
+        return 'medium';
+    }
+    // Default to medium for unknown categories
+    return 'medium';
+}
+/**
+ * Get advisories for a specific crate
+ */
+export function getAdvisoriesForCrate(db, crateName) {
+    return db.advisories.get(crateName) || [];
+}
+/**
+ * Search advisories by CVE ID
+ */
+export function findAdvisoryByCve(db, cveId) {
+    for (const advisories of db.advisories.values()) {
+        for (const advisory of advisories) {
+            if (advisory.aliases.includes(cveId)) {
+                return advisory;
+            }
+        }
+    }
+    return undefined;
+}
+/**
+ * Get all unique crate names with advisories
+ */
+export function getVulnerableCrates(db) {
+    return Array.from(db.advisories.keys());
+}
+//# sourceMappingURL=advisory-db.js.map

package/dist/analysis/advisory-db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"advisory-db.js","sourceRoot":"","sources":["../../src/analysis/advisory-db.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAyDH;;GAEG;AACH,IAAI,SAAS,GAA4B,IAAI,CAAC;AAE9C;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACnC,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,iCAAiC;IACjC,IAAI,CAAC;QACH,iEAAiE;QACjE,MAAM,IAAI,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC/C,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;QACtD,OAAO;YACL,UAAU,EAAE,IAAI,GAAG,EAAE;YACrB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE;SAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAIjC;IACC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAmC,CAAC;IAE9D,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxB,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO;QACL,UAAU;QACV,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,KAAK,EAAE;YACL,eAAe,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM;YACvC,YAAY,EAAE,UAAU,CAAC,IAAI;SAC9B;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAoB;IACrD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAExC,iDAAiD;IACjD,IACE,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACjC,WAAW,CAAC,GAAG,CAAC,sBAAsB,CAAC,EACvC,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,yCAAyC;IACzC,IAAI,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC7E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,gDAAgD;IAChD,IACE,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACjC,WAAW,CAAC,GAAG,CAAC,wBAAwB,CAAC,EACzC,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,2CAA2C;IAC3C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,EAAoB,EACpB,SAAiB;IAEjB,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,EAAoB,EACpB,KAAa;IAEb,KAAK,MAAM,UAAU,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC;QAChD,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;YAClC,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACrC,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,EAAoB;IACtD,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;AAC1C,CAAC"}

package/dist/analysis/cargo-parser.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Cargo.lock parser for extracting crate dependencies and versions
+ */
+export interface CargoLockDependency {
+    name: string;
+    version: string;
+    source?: string;
+    checksum?: string;
+}
+export interface CargoLock {
+    version: number;
+    dependencies: CargoLockDependency[];
+}
+/**
+ * Parse Cargo.lock TOML file content
+ */
+export declare function parseCargoLock(content: string): CargoLock;
+/**
+ * Parse Cargo.toml to extract direct dependencies
+ */
+export interface CargoTomlDependency {
+    name: string;
+    version?: string;
+    path?: string;
+    git?: string;
+    features?: string[];
+}
+export interface CargoToml {
+    name?: string;
+    version?: string;
+    dependencies: CargoTomlDependency[];
+    devDependencies: CargoTomlDependency[];
+}
+/**
+ * Parse Cargo.toml file content
+ */
+export declare function parseCargoToml(content: string): CargoToml;
+/**
+ * Filter dependencies to only include registry-sourced crates
+ * (excludes path and git dependencies which can't be vulnerability-checked)
+ */
+export declare function filterRegistryDeps(deps: CargoLockDependency[]): CargoLockDependency[];

package/dist/analysis/cargo-parser.js

@@ -0,0 +1,102 @@
+/**
+ * Cargo.lock parser for extracting crate dependencies and versions
+ */
+/**
+ * Parse Cargo.lock TOML file content
+ */
+export function parseCargoLock(content) {
+    const dependencies = [];
+    // Extract version from the file
+    const versionMatch = content.match(/^version\s*=\s*(\d+)/m);
+    const version = versionMatch ? parseInt(versionMatch[1], 10) : 3;
+    // Parse [[package]] sections
+    // Format:
+    // [[package]]
+    // name = "crate-name"
+    // version = "1.0.0"
+    // source = "registry+..."
+    // checksum = "abc123..."
+    const packagePattern = /\[\[package\]\]\s*\n((?:(?!^\[\[|\[package\]).*\n?)*)/gm;
+    let match;
+    while ((match = packagePattern.exec(content)) !== null) {
+        const block = match[1];
+        const nameMatch = block.match(/^name\s*=\s*"([^"]+)"/m);
+        const versionMatch = block.match(/^version\s*=\s*"([^"]+)"/m);
+        const sourceMatch = block.match(/^source\s*=\s*"([^"]+)"/m);
+        const checksumMatch = block.match(/^checksum\s*=\s*"([^"]+)"/m);
+        if (nameMatch && versionMatch) {
+            dependencies.push({
+                name: nameMatch[1],
+                version: versionMatch[1],
+                source: sourceMatch?.[1],
+                checksum: checksumMatch?.[1],
+            });
+        }
+    }
+    return { version, dependencies };
+}
+/**
+ * Parse Cargo.toml file content
+ */
+export function parseCargoToml(content) {
+    const dependencies = [];
+    const devDependencies = [];
+    // Extract package name and version
+    const nameMatch = content.match(/^\[package\][^[]*name\s*=\s*"([^"]+)"/ms);
+    const versionMatch = content.match(/^\[package\][^[]*version\s*=\s*"([^"]+)"/ms);
+    // Parse [dependencies] section
+    const depsMatch = content.match(/\[dependencies\]\s*\n((?:(?!\[(?!dependencies\.))[^\n]*\n?)*)/m);
+    if (depsMatch) {
+        parseDependencySection(depsMatch[1], dependencies);
+    }
+    // Parse [dev-dependencies] section
+    const devDepsMatch = content.match(/\[dev-dependencies\]\s*\n((?:(?!\[(?!dev-dependencies\.))[^\n]*\n?)*)/m);
+    if (devDepsMatch) {
+        parseDependencySection(devDepsMatch[1], devDependencies);
+    }
+    return {
+        name: nameMatch?.[1],
+        version: versionMatch?.[1],
+        dependencies,
+        devDependencies,
+    };
+}
+function parseDependencySection(section, deps) {
+    // Simple dependency: crate = "1.0"
+    const simplePattern = /^(\w[\w-]*)\s*=\s*"([^"]+)"/gm;
+    let match;
+    while ((match = simplePattern.exec(section)) !== null) {
+        deps.push({
+            name: match[1],
+            version: match[2],
+        });
+    }
+    // Complex dependency: crate = { version = "1.0", features = [...] }
+    const complexPattern = /^(\w[\w-]*)\s*=\s*\{([^}]+)\}/gm;
+    while ((match = complexPattern.exec(section)) !== null) {
+        const name = match[1];
+        const attrs = match[2];
+        const versionMatch = attrs.match(/version\s*=\s*"([^"]+)"/);
+        const pathMatch = attrs.match(/path\s*=\s*"([^"]+)"/);
+        const gitMatch = attrs.match(/git\s*=\s*"([^"]+)"/);
+        deps.push({
+            name,
+            version: versionMatch?.[1],
+            path: pathMatch?.[1],
+            git: gitMatch?.[1],
+        });
+    }
+}
+/**
+ * Filter dependencies to only include registry-sourced crates
+ * (excludes path and git dependencies which can't be vulnerability-checked)
+ */
+export function filterRegistryDeps(deps) {
+    return deps.filter((dep) => {
+        // Include if no source (defaults to registry) or explicitly from registry
+        if (!dep.source)
+            return true;
+        return dep.source.startsWith('registry+');
+    });
+}
+//# sourceMappingURL=cargo-parser.js.map

package/dist/analysis/cargo-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cargo-parser.js","sourceRoot":"","sources":["../../src/analysis/cargo-parser.ts"],"names":[],"mappings":"AAAA;;GAEG;AAcH;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,YAAY,GAA0B,EAAE,CAAC;IAE/C,gCAAgC;IAChC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC5D,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjE,6BAA6B;IAC7B,UAAU;IACV,cAAc;IACd,sBAAsB;IACtB,oBAAoB;IACpB,0BAA0B;IAC1B,yBAAyB;IAEzB,MAAM,cAAc,GAClB,yDAAyD,CAAC;IAC5D,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEvB,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACxD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC5D,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAEhE,IAAI,SAAS,IAAI,YAAY,EAAE,CAAC;YAC9B,YAAY,CAAC,IAAI,CAAC;gBAChB,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;gBACxB,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;gBACxB,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;aAC7B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnC,CAAC;AAoBD;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,YAAY,GAA0B,EAAE,CAAC;IAC/C,MAAM,eAAe,GAA0B,EAAE,CAAC;IAElD,mCAAmC;IACnC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC3E,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAChC,4CAA4C,CAC7C,CAAC;IAEF,+BAA+B;IAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAC7B,gEAAgE,CACjE,CAAC;IACF,IAAI,SAAS,EAAE,CAAC;QACd,sBAAsB,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IACrD,CAAC;IAED,mCAAmC;IACnC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAChC,wEAAwE,CACzE,CAAC;IACF,IAAI,YAAY,EAAE,CAAC;QACjB,sBAAsB,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO;QACL,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QACpB,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;QAC1B,YAAY;QACZ,eAAe;KAChB,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAe,EACf,IAA2B;IAE3B,mCAAmC;IACnC,MAAM,aAAa,GAAG,+BAA+B,CAAC;IACtD,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtD,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;YACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;SAClB,CAAC,CAAC;IACL,CAAC;IAED,oEAAoE;IACpE,MAAM,cAAc,GAClB,iCAAiC,CAAC;IAEpC,OAAO,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEvB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEpD,IAAI,CAAC,IAAI,CAAC;YACR,IAAI;YACJ,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;YAC1B,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;YACpB,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;SACnB,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAA2B;IAE3B,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACzB,0EAA0E;QAC1E,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAC7B,OAAO,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/analysis/config-loader.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Configuration loader for taint source/sink definitions
+ *
+ * Loads YAML configs from configs/sources/ and configs/sinks/
+ */
+import type { SourceConfig, SinkConfig, TaintConfig, SourcePattern, SinkPattern, SanitizerPattern } from '../types/config.js';
+/**
+ * Parse YAML/JSON configuration content.
+ * Uses JSON since the config files are actually JSON despite .yaml extension.
+ */
+export declare function parseConfig<T>(content: string): T;
+/**
+ * Load and merge multiple source configs.
+ */
+export declare function loadSourceConfigs(configs: SourceConfig[]): SourcePattern[];
+/**
+ * Load and merge multiple sink configs.
+ */
+export declare function loadSinkConfigs(configs: SinkConfig[]): {
+    sinks: SinkPattern[];
+    sanitizers: SanitizerPattern[];
+};
+/**
+ * Create a combined taint configuration from raw config contents.
+ */
+export declare function createTaintConfig(sourceContents: string[], sinkContents: string[]): TaintConfig;
+/**
+ * Embedded default configurations (subset for standalone use).
+ * Full configs should be loaded from files when available.
+ */
+export declare const DEFAULT_SOURCES: SourcePattern[];
+export declare const DEFAULT_SINKS: SinkPattern[];
+export declare const DEFAULT_SANITIZERS: SanitizerPattern[];
+/**
+ * Get the default taint configuration.
+ */
+export declare function getDefaultConfig(): TaintConfig;