circle-ir 3.112.0 → 3.114.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +14 -0
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/findings.d.ts.map +1 -1
- package/dist/analysis/findings.js +6 -1
- package/dist/analysis/findings.js.map +1 -1
- package/dist/analysis/passes/insecure-cookie-pass.d.ts +2 -0
- package/dist/analysis/passes/insecure-cookie-pass.d.ts.map +1 -1
- package/dist/analysis/passes/insecure-cookie-pass.js +107 -5
- package/dist/analysis/passes/insecure-cookie-pass.js.map +1 -1
- package/dist/analysis/passes/language-sources-pass.d.ts.map +1 -1
- package/dist/analysis/passes/language-sources-pass.js +11 -0
- package/dist/analysis/passes/language-sources-pass.js.map +1 -1
- package/dist/browser/circle-ir.js +107 -8
- package/dist/core/circle-ir-core.cjs +14 -0
- package/dist/core/circle-ir-core.js +14 -0
- package/dist/languages/plugins/bash.d.ts.map +1 -1
- package/dist/languages/plugins/bash.js +7 -3
- package/dist/languages/plugins/bash.js.map +1 -1
- package/package.json +1 -1
|
@@ -12140,6 +12140,11 @@ var DEFAULT_SINKS = [
|
|
|
12140
12140
|
{ method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
12141
12141
|
{ method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
12142
12142
|
{ method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
12143
|
+
// Python dynamic import — `importlib.import_module(taint)` parallels Java's
|
|
12144
|
+
// `Class.forName`. The bare `__import__` entry above also matches the
|
|
12145
|
+
// `importlib.__import__` form because the sink-matcher is class-agnostic
|
|
12146
|
+
// when a classless entry exists. Sprint 56 #183.
|
|
12147
|
+
{ method: "import_module", class: "importlib", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
12143
12148
|
// Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
|
|
12144
12149
|
// module names don't collide with Java locals named `yaml` (SnakeYAML usage).
|
|
12145
12150
|
{ method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
@@ -12397,6 +12402,15 @@ var DEFAULT_SINKS = [
|
|
|
12397
12402
|
// Standard library logging
|
|
12398
12403
|
{ method: "println!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
|
|
12399
12404
|
{ method: "eprintln!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
|
|
12405
|
+
// log:: namespaced forms — the Rust macro extractor preserves the full
|
|
12406
|
+
// path prefix in `method_name` (`log::info!`), so the bare entries above
|
|
12407
|
+
// only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
|
|
12408
|
+
{ method: "log::info!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
12409
|
+
{ method: "log::warn!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
12410
|
+
{ method: "log::error!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
12411
|
+
{ method: "log::debug!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
12412
|
+
{ method: "log::trace!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
12413
|
+
{ method: "log::log!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
12400
12414
|
// Rust sqlx SQL Injection
|
|
12401
12415
|
{ method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
12402
12416
|
{ method: "query_as", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
@@ -14549,7 +14563,12 @@ function canSourceReachSink(sourceType, sinkType) {
|
|
|
14549
14563
|
http_cookie: ["sql_injection", "xss", "mybatis_mapper_call", "code_injection", "crlf"],
|
|
14550
14564
|
http_path: ["path_traversal", "sql_injection", "ssrf", "mybatis_mapper_call"],
|
|
14551
14565
|
http_query: ["sql_injection", "command_injection", "xss", "ssrf", "mybatis_mapper_call", "code_injection", "crlf", "mass_assignment"],
|
|
14552
|
-
|
|
14566
|
+
// ssrf added Sprint 57 #200: bash CGI/webhook handlers and scripts that
|
|
14567
|
+
// take a URL on stdin or as a positional CLI arg (`curl "$1"`,
|
|
14568
|
+
// `wget "$(read line)"`) and curl/wget it server-side are textbook SSRF
|
|
14569
|
+
// (CVE-2022-41040 ProxyShell-class). Cross-language: `socket.urlopen(input())`
|
|
14570
|
+
// (Python), `axios.get(readline())` (JS) etc. also benefit.
|
|
14571
|
+
io_input: ["command_injection", "path_traversal", "deserialization", "xxe", "code_injection", "xss", "ssrf"],
|
|
14553
14572
|
env_input: ["command_injection", "path_traversal"],
|
|
14554
14573
|
db_input: ["xss", "sql_injection"],
|
|
14555
14574
|
// Second-order injection
|
|
@@ -21742,20 +21761,24 @@ var BashPlugin = class extends BaseLanguagePlugin {
|
|
|
21742
21761
|
severity: "medium",
|
|
21743
21762
|
argPositions: [1]
|
|
21744
21763
|
},
|
|
21745
|
-
// SSRF — curl/wget with externally-controlled URL
|
|
21764
|
+
// SSRF — curl/wget with externally-controlled URL.
|
|
21765
|
+
// argPositions: [] (scan all args) — curl/wget invocations commonly
|
|
21766
|
+
// interleave flags (`-s`, `-fsSL`, `-o file`) before the URL, so the
|
|
21767
|
+
// URL position is unpredictable. Sprint 57 #200; mirrors Sprint 23
|
|
21768
|
+
// exec.Command widening pattern.
|
|
21746
21769
|
{
|
|
21747
21770
|
method: "curl",
|
|
21748
21771
|
type: "ssrf",
|
|
21749
21772
|
cwe: "CWE-918",
|
|
21750
21773
|
severity: "high",
|
|
21751
|
-
argPositions: [
|
|
21774
|
+
argPositions: []
|
|
21752
21775
|
},
|
|
21753
21776
|
{
|
|
21754
21777
|
method: "wget",
|
|
21755
21778
|
type: "ssrf",
|
|
21756
21779
|
cwe: "CWE-918",
|
|
21757
21780
|
severity: "high",
|
|
21758
|
-
argPositions: [
|
|
21781
|
+
argPositions: []
|
|
21759
21782
|
},
|
|
21760
21783
|
// File inclusion — `source` and POSIX `.` execute arbitrary shell code
|
|
21761
21784
|
// from the file at the supplied path. With user-controlled input this is
|
|
@@ -24004,7 +24027,18 @@ var BASH_UNTRUSTED_ENV_PATTERNS = [
|
|
|
24004
24027
|
/^CONTENT_LENGTH$/i,
|
|
24005
24028
|
/^PATH_INFO$/i,
|
|
24006
24029
|
/^SCRIPT_NAME$/i,
|
|
24007
|
-
/^SERVER_NAME$/i
|
|
24030
|
+
/^SERVER_NAME$/i,
|
|
24031
|
+
// Sprint 57 #198: RPC/CMD/EXEC/EVAL/SHELL-class env vars seen in recent
|
|
24032
|
+
// CVE intake (CVE-2025-67038 HTTP RPC pattern and similar). These names
|
|
24033
|
+
// are conventionally used to pass attacker-controlled payloads into
|
|
24034
|
+
// shell handlers via HTTP-to-CGI bridges.
|
|
24035
|
+
/^RPC_/i,
|
|
24036
|
+
/^XMLRPC/i,
|
|
24037
|
+
/^JSONRPC/i,
|
|
24038
|
+
/^CMD_/i,
|
|
24039
|
+
/^EXEC_/i,
|
|
24040
|
+
/^EVAL_/i,
|
|
24041
|
+
/^SHELL_/i
|
|
24008
24042
|
];
|
|
24009
24043
|
var BASH_NETWORK_COMMANDS = /* @__PURE__ */ new Set(["curl", "wget", "nc", "ncat"]);
|
|
24010
24044
|
var BASH_FILE_COMMANDS = /* @__PURE__ */ new Set(["cat", "head", "tail", "less", "more", "awk", "sed", "cut", "grep"]);
|
|
@@ -31325,6 +31359,9 @@ var PY_SECURE_TRUE_RE = /\bsecure\s*=\s*True\b/;
|
|
|
31325
31359
|
var PY_HTTPONLY_TRUE_RE = /\bhttponly\s*=\s*True\b/i;
|
|
31326
31360
|
var JAVA_SET_SECURE_TRUE_RE = /\.setSecure\s*\(\s*true\s*\)/;
|
|
31327
31361
|
var JAVA_SET_HTTPONLY_TRUE_RE = /\.setHttpOnly\s*\(\s*true\s*\)/;
|
|
31362
|
+
var GO_SECURE_TRUE_RE = /\bSecure\s*:\s*true\b/;
|
|
31363
|
+
var GO_HTTPONLY_TRUE_RE = /\bHttpOnly\s*:\s*true\b/;
|
|
31364
|
+
var RUST_SET_COOKIE_MACRO_RE = /(format!|write!|writeln!)\s*\(([^()]*Set-Cookie[^()]*)\)/gis;
|
|
31328
31365
|
var InsecureCookiePass = class {
|
|
31329
31366
|
name = "insecure-cookie";
|
|
31330
31367
|
category = "security";
|
|
@@ -31355,6 +31392,19 @@ var InsecureCookiePass = class {
|
|
|
31355
31392
|
insecureCookies.push(det);
|
|
31356
31393
|
this.emit(ctx, file, det, "java");
|
|
31357
31394
|
}
|
|
31395
|
+
} else if (language === "go") {
|
|
31396
|
+
for (const call of graph.ir.calls) {
|
|
31397
|
+
const det = this.detectGo(call);
|
|
31398
|
+
if (!det) continue;
|
|
31399
|
+
insecureCookies.push(det);
|
|
31400
|
+
this.emit(ctx, file, det, "go");
|
|
31401
|
+
}
|
|
31402
|
+
} else if (language === "rust") {
|
|
31403
|
+
const dets = this.detectRustSetCookieFormat(code);
|
|
31404
|
+
for (const det of dets) {
|
|
31405
|
+
insecureCookies.push(det);
|
|
31406
|
+
this.emit(ctx, file, det, "rust");
|
|
31407
|
+
}
|
|
31358
31408
|
}
|
|
31359
31409
|
return { insecureCookies };
|
|
31360
31410
|
}
|
|
@@ -31414,11 +31464,60 @@ var InsecureCookiePass = class {
|
|
|
31414
31464
|
optionsPresent: false
|
|
31415
31465
|
};
|
|
31416
31466
|
}
|
|
31467
|
+
// ---------------- Go ----------------
|
|
31468
|
+
detectGo(call) {
|
|
31469
|
+
if (call.method_name !== "SetCookie") return null;
|
|
31470
|
+
if ((call.receiver ?? "") !== "http") return null;
|
|
31471
|
+
if (call.arguments.length < 2) return null;
|
|
31472
|
+
const cookieArg = call.arguments.find((a) => a.position === 1);
|
|
31473
|
+
const cookieExpr = (cookieArg?.expression ?? "").trim();
|
|
31474
|
+
if (!cookieExpr.includes("{") || !cookieExpr.includes("}")) return null;
|
|
31475
|
+
const missingSecure = !GO_SECURE_TRUE_RE.test(cookieExpr);
|
|
31476
|
+
const missingHttpOnly = !GO_HTTPONLY_TRUE_RE.test(cookieExpr);
|
|
31477
|
+
if (!missingSecure && !missingHttpOnly) return null;
|
|
31478
|
+
return {
|
|
31479
|
+
line: call.location.line,
|
|
31480
|
+
receiver: "http.SetCookie",
|
|
31481
|
+
missingSecure,
|
|
31482
|
+
missingHttpOnly,
|
|
31483
|
+
optionsPresent: true
|
|
31484
|
+
};
|
|
31485
|
+
}
|
|
31486
|
+
// ---------------- Rust ----------------
|
|
31487
|
+
detectRustSetCookieFormat(code) {
|
|
31488
|
+
const out2 = [];
|
|
31489
|
+
const re = new RegExp(RUST_SET_COOKIE_MACRO_RE.source, RUST_SET_COOKIE_MACRO_RE.flags);
|
|
31490
|
+
let m;
|
|
31491
|
+
while ((m = re.exec(code)) !== null) {
|
|
31492
|
+
const macro = m[1] ?? "";
|
|
31493
|
+
const body2 = m[2] ?? "";
|
|
31494
|
+
const missingSecure = !/\bSecure\b/.test(body2);
|
|
31495
|
+
const missingHttpOnly = !/\bHttpOnly\b/.test(body2);
|
|
31496
|
+
if (!missingSecure && !missingHttpOnly) continue;
|
|
31497
|
+
const line = code.slice(0, m.index).split("\n").length;
|
|
31498
|
+
out2.push({
|
|
31499
|
+
line,
|
|
31500
|
+
receiver: macro,
|
|
31501
|
+
missingSecure,
|
|
31502
|
+
missingHttpOnly,
|
|
31503
|
+
optionsPresent: true
|
|
31504
|
+
});
|
|
31505
|
+
}
|
|
31506
|
+
return out2;
|
|
31507
|
+
}
|
|
31417
31508
|
emit(ctx, file, det, flavor) {
|
|
31418
31509
|
const missing = [];
|
|
31419
|
-
if (det.missingSecure)
|
|
31420
|
-
|
|
31421
|
-
|
|
31510
|
+
if (det.missingSecure) {
|
|
31511
|
+
missing.push(
|
|
31512
|
+
flavor === "js" ? "`secure: true`" : flavor === "python" ? "`secure=True`" : flavor === "java" ? "`setSecure(true)`" : flavor === "go" ? "`Secure: true`" : "`Secure` attribute"
|
|
31513
|
+
);
|
|
31514
|
+
}
|
|
31515
|
+
if (det.missingHttpOnly) {
|
|
31516
|
+
missing.push(
|
|
31517
|
+
flavor === "js" ? "`httpOnly: true`" : flavor === "python" ? "`httponly=True`" : flavor === "java" ? "`setHttpOnly(true)`" : flavor === "go" ? "`HttpOnly: true`" : "`HttpOnly` attribute"
|
|
31518
|
+
);
|
|
31519
|
+
}
|
|
31520
|
+
const fix = flavor === "js" ? 'Pass `{ secure: true, httpOnly: true, sameSite: "lax" }` as the third argument to `res.cookie()`.' : flavor === "python" ? 'Pass `secure=True, httponly=True, samesite="Lax"` to `response.set_cookie(...)`.' : flavor === "java" ? "After constructing the cookie, call `cookie.setSecure(true)` and `cookie.setHttpOnly(true)` before adding it to the response." : flavor === "go" ? "Set `Secure: true` and `HttpOnly: true` on the `http.Cookie` struct literal passed to `http.SetCookie`." : "Append `; Secure; HttpOnly` to the `Set-Cookie` header string.";
|
|
31422
31521
|
ctx.addFinding({
|
|
31423
31522
|
id: `${this.name}-${file}-${det.line}`,
|
|
31424
31523
|
pass: this.name,
|
|
@@ -11522,6 +11522,11 @@ var DEFAULT_SINKS = [
|
|
|
11522
11522
|
{ method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
11523
11523
|
{ method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
11524
11524
|
{ method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
11525
|
+
// Python dynamic import — `importlib.import_module(taint)` parallels Java's
|
|
11526
|
+
// `Class.forName`. The bare `__import__` entry above also matches the
|
|
11527
|
+
// `importlib.__import__` form because the sink-matcher is class-agnostic
|
|
11528
|
+
// when a classless entry exists. Sprint 56 #183.
|
|
11529
|
+
{ method: "import_module", class: "importlib", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
11525
11530
|
// Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
|
|
11526
11531
|
// module names don't collide with Java locals named `yaml` (SnakeYAML usage).
|
|
11527
11532
|
{ method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
@@ -11779,6 +11784,15 @@ var DEFAULT_SINKS = [
|
|
|
11779
11784
|
// Standard library logging
|
|
11780
11785
|
{ method: "println!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
|
|
11781
11786
|
{ method: "eprintln!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
|
|
11787
|
+
// log:: namespaced forms — the Rust macro extractor preserves the full
|
|
11788
|
+
// path prefix in `method_name` (`log::info!`), so the bare entries above
|
|
11789
|
+
// only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
|
|
11790
|
+
{ method: "log::info!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11791
|
+
{ method: "log::warn!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11792
|
+
{ method: "log::error!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11793
|
+
{ method: "log::debug!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11794
|
+
{ method: "log::trace!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11795
|
+
{ method: "log::log!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11782
11796
|
// Rust sqlx SQL Injection
|
|
11783
11797
|
{ method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
11784
11798
|
{ method: "query_as", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
@@ -11456,6 +11456,11 @@ var DEFAULT_SINKS = [
|
|
|
11456
11456
|
{ method: "exec", type: "code_injection", cwe: "CWE-94", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
11457
11457
|
{ method: "compile", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
11458
11458
|
{ method: "__import__", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
11459
|
+
// Python dynamic import — `importlib.import_module(taint)` parallels Java's
|
|
11460
|
+
// `Class.forName`. The bare `__import__` entry above also matches the
|
|
11461
|
+
// `importlib.__import__` form because the sink-matcher is class-agnostic
|
|
11462
|
+
// when a classless entry exists. Sprint 56 #183.
|
|
11463
|
+
{ method: "import_module", class: "importlib", type: "code_injection", cwe: "CWE-94", severity: "high", arg_positions: [0], languages: ["python"] },
|
|
11459
11464
|
// Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
|
|
11460
11465
|
// module names don't collide with Java locals named `yaml` (SnakeYAML usage).
|
|
11461
11466
|
{ method: "loads", class: "pickle", type: "deserialization", cwe: "CWE-502", severity: "critical", arg_positions: [0], languages: ["python"] },
|
|
@@ -11713,6 +11718,15 @@ var DEFAULT_SINKS = [
|
|
|
11713
11718
|
// Standard library logging
|
|
11714
11719
|
{ method: "println!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
|
|
11715
11720
|
{ method: "eprintln!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2] },
|
|
11721
|
+
// log:: namespaced forms — the Rust macro extractor preserves the full
|
|
11722
|
+
// path prefix in `method_name` (`log::info!`), so the bare entries above
|
|
11723
|
+
// only match the imported form `use log::info; info!(...)`. Sprint 56 #182 Slice A.
|
|
11724
|
+
{ method: "log::info!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11725
|
+
{ method: "log::warn!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11726
|
+
{ method: "log::error!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11727
|
+
{ method: "log::debug!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11728
|
+
{ method: "log::trace!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11729
|
+
{ method: "log::log!", type: "log_injection", cwe: "CWE-117", severity: "low", arg_positions: [0, 1, 2], languages: ["rust"] },
|
|
11716
11730
|
// Rust sqlx SQL Injection
|
|
11717
11731
|
{ method: "query", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
11718
11732
|
{ method: "query_as", class: "sqlx", type: "sql_injection", cwe: "CWE-89", severity: "critical", arg_positions: [0] },
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bash.d.ts","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,QAAQ,EACR,UAAU,EACX,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,qBAAa,UAAW,SAAQ,kBAAkB;IAChD,QAAQ,CAAC,EAAE,EAAG,MAAM,CAAU;IAC9B,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,UAAU,WAAoC;IACvD,QAAQ,CAAC,QAAQ,2BAA2B;IAE5C,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CA+BnC;IAEF;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,aAAa,GAAG,SAAS;IAIvE;;;;OAIG;IACH,iBAAiB,IAAI,kBAAkB,EAAE;IA6BzC;;;;OAIG;IACH,eAAe,IAAI,gBAAgB,EAAE;
|
|
1
|
+
{"version":3,"file":"bash.d.ts","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EACV,QAAQ,EACR,QAAQ,EACR,UAAU,EACX,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,qBAAa,UAAW,SAAQ,kBAAkB;IAChD,QAAQ,CAAC,EAAE,EAAG,MAAM,CAAU;IAC9B,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,UAAU,WAAoC;IACvD,QAAQ,CAAC,QAAQ,2BAA2B;IAE5C,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CA+BnC;IAEF;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,aAAa,GAAG,SAAS;IAIvE;;;;OAIG;IACH,iBAAiB,IAAI,kBAAkB,EAAE;IA6BzC;;;;OAIG;IACH,eAAe,IAAI,gBAAgB,EAAE;IAoJrC;;OAEG;IACH,eAAe,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;IAInF;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO;IAQ1C;;OAEG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,GAAG,SAAS;IAqBpD,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IAIrD,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,EAAE;IAIrD,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,UAAU,EAAE;IAIzD,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,GAAG,SAAS;CAGhE"}
|
|
@@ -187,20 +187,24 @@ export class BashPlugin extends BaseLanguagePlugin {
|
|
|
187
187
|
severity: 'medium',
|
|
188
188
|
argPositions: [1],
|
|
189
189
|
},
|
|
190
|
-
// SSRF — curl/wget with externally-controlled URL
|
|
190
|
+
// SSRF — curl/wget with externally-controlled URL.
|
|
191
|
+
// argPositions: [] (scan all args) — curl/wget invocations commonly
|
|
192
|
+
// interleave flags (`-s`, `-fsSL`, `-o file`) before the URL, so the
|
|
193
|
+
// URL position is unpredictable. Sprint 57 #200; mirrors Sprint 23
|
|
194
|
+
// exec.Command widening pattern.
|
|
191
195
|
{
|
|
192
196
|
method: 'curl',
|
|
193
197
|
type: 'ssrf',
|
|
194
198
|
cwe: 'CWE-918',
|
|
195
199
|
severity: 'high',
|
|
196
|
-
argPositions: [
|
|
200
|
+
argPositions: [],
|
|
197
201
|
},
|
|
198
202
|
{
|
|
199
203
|
method: 'wget',
|
|
200
204
|
type: 'ssrf',
|
|
201
205
|
cwe: 'CWE-918',
|
|
202
206
|
severity: 'high',
|
|
203
|
-
argPositions: [
|
|
207
|
+
argPositions: [],
|
|
204
208
|
},
|
|
205
209
|
// File inclusion — `source` and POSIX `.` execute arbitrary shell code
|
|
206
210
|
// from the file at the supplied path. With user-controlled input this is
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bash.js","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,MAAM,OAAO,UAAW,SAAQ,kBAAkB;IACvC,EAAE,GAAG,MAAe,CAAC;IACrB,IAAI,GAAG,YAAY,CAAC;IACpB,UAAU,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,QAAQ,GAAG,uBAAuB,CAAC;IAEnC,SAAS,GAAsB;QACtC,6CAA6C;QAC7C,gBAAgB,EAAE,EAAE;QACpB,oBAAoB,EAAE,EAAE;QACxB,eAAe,EAAE,EAAE;QACnB,mBAAmB,EAAE,CAAC,qBAAqB,CAAC;QAC5C,iBAAiB,EAAE,CAAC,qBAAqB,CAAC;QAE1C,8CAA8C;QAC9C,UAAU,EAAE,CAAC,SAAS,CAAC;QACvB,YAAY,EAAE,CAAC,SAAS,CAAC;QACzB,UAAU,EAAE,CAAC,qBAAqB,CAAC;QACnC,mBAAmB,EAAE,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;QAEnE,6DAA6D;QAC7D,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;QAEZ,yCAAyC;QACzC,UAAU,EAAE,EAAE;QACd,SAAS,EAAE,EAAE;QAEb,kEAAkE;QAClE,eAAe,EAAE,EAAE;QAEnB,eAAe;QACf,WAAW,EAAE,CAAC,cAAc,CAAC;QAC7B,YAAY,EAAE,CAAC,eAAe,EAAE,uBAAuB,CAAC;QACxD,cAAc,EAAE,CAAC,iBAAiB,CAAC;QACnC,YAAY,EAAE,EAAE;QAChB,eAAe,EAAE,EAAE;KACpB,CAAC;IAEF;;OAEG;IACH,eAAe,CAAC,QAA2B;QACzC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,iBAAiB;QACf,OAAO;YACL,6CAA6C;YAC7C;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD,qEAAqE;YACrE,yDAAyD;YACzD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO;YACL,oCAAoC;YACpC;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,uDAAuD;YACvD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,mEAAmE;YACnE;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,yDAAyD;YACzD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,
|
|
1
|
+
{"version":3,"file":"bash.js","sourceRoot":"","sources":["../../../src/languages/plugins/bash.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE/C;;GAEG;AACH,MAAM,OAAO,UAAW,SAAQ,kBAAkB;IACvC,EAAE,GAAG,MAAe,CAAC;IACrB,IAAI,GAAG,YAAY,CAAC;IACpB,UAAU,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,QAAQ,GAAG,uBAAuB,CAAC;IAEnC,SAAS,GAAsB;QACtC,6CAA6C;QAC7C,gBAAgB,EAAE,EAAE;QACpB,oBAAoB,EAAE,EAAE;QACxB,eAAe,EAAE,EAAE;QACnB,mBAAmB,EAAE,CAAC,qBAAqB,CAAC;QAC5C,iBAAiB,EAAE,CAAC,qBAAqB,CAAC;QAE1C,8CAA8C;QAC9C,UAAU,EAAE,CAAC,SAAS,CAAC;QACvB,YAAY,EAAE,CAAC,SAAS,CAAC;QACzB,UAAU,EAAE,CAAC,qBAAqB,CAAC;QACnC,mBAAmB,EAAE,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;QAEnE,6DAA6D;QAC7D,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;QAEZ,yCAAyC;QACzC,UAAU,EAAE,EAAE;QACd,SAAS,EAAE,EAAE;QAEb,kEAAkE;QAClE,eAAe,EAAE,EAAE;QAEnB,eAAe;QACf,WAAW,EAAE,CAAC,cAAc,CAAC;QAC7B,YAAY,EAAE,CAAC,eAAe,EAAE,uBAAuB,CAAC;QACxD,cAAc,EAAE,CAAC,iBAAiB,CAAC;QACnC,YAAY,EAAE,EAAE;QAChB,eAAe,EAAE,EAAE;KACpB,CAAC;IAEF;;OAEG;IACH,eAAe,CAAC,QAA2B;QACzC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,iBAAiB;QACf,OAAO;YACL,6CAA6C;YAC7C;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD,qEAAqE;YACrE,yDAAyD;YACzD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO;YACL,oCAAoC;YACpC;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,uDAAuD;YACvD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,mBAAmB;gBACzB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,mEAAmE;YACnE;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,eAAe;gBACrB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,yDAAyD;YACzD;gBACE,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,OAAO;gBACf,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YAED,mDAAmD;YACnD,oEAAoE;YACpE,qEAAqE;YACrE,mEAAmE;YACnE,iCAAiC;YACjC;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,EAAE;aACjB;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,MAAM;gBACZ,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,YAAY,EAAE,EAAE;aACjB;YAED,uEAAuE;YACvE,yEAAyE;YACzE,mEAAmE;YACnE;gBACE,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;YACD;gBACE,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,gBAAgB;gBACtB,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,CAAC,CAAC,CAAC;aAClB;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,KAAiB,EAAE,QAA2B;QAC5D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAgB;QAC9B,OAAO,CACL,IAAI,CAAC,IAAI,KAAK,QAAQ;YACtB,IAAI,CAAC,IAAI,KAAK,YAAY;YAC1B,IAAI,CAAC,IAAI,KAAK,eAAe,CAC9B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAgB;QAC7B,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QAElD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACvB,8CAA8C;QAC9C,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,6CAA6C;QAC7C,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,0CAA0C;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAE3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IAEtE,YAAY,CAAC,QAA2B;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,YAAY,CAAC,QAA2B;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,QAA2B;QACxC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,cAAc,CAAC,QAA2B;QACxC,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir",
|
|
3
|
-
"version": "3.
|
|
3
|
+
"version": "3.114.0",
|
|
4
4
|
"description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|