circle-ir 3.16.5 → 3.16.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md
CHANGED
|
@@ -1,5 +1,8 @@
|
|
|
1
1
|
# circle-ir
|
|
2
2
|
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
|
|
3
6
|
A high-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis, and code quality findings through an extensible 36-pass analysis pipeline. Works in Node.js and browsers.
|
|
4
7
|
|
|
5
8
|
## Features
|
|
@@ -56,11 +56,40 @@ const MEDIUM_CONFIDENCE_DB_METHODS = new Set([
|
|
|
56
56
|
* This catches both `dbConnection.query()` and `userRepository.find()`.
|
|
57
57
|
*/
|
|
58
58
|
const DB_OR_HTTP_RECEIVER_PREFIX = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql|mongo|redis|sql|pg|mysql|sqlite|dynamo|cosmos|elastic|es|solr|neo4j|cassandra|couchbase|firestore|supabase|drizzle|knex|typeorm|mikro)/i;
|
|
59
|
-
const DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection
|
|
59
|
+
const DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection)$/;
|
|
60
|
+
/**
|
|
61
|
+
* Receiver name patterns that indicate a built-in in-memory collection
|
|
62
|
+
* (`Map`, `WeakMap`, plain object used as a hash) rather than a DB/HTTP
|
|
63
|
+
* client. These are common in algorithm implementations where `.get()`,
|
|
64
|
+
* `.has()`, `.set()` are called inside loops without any I/O.
|
|
65
|
+
*
|
|
66
|
+
* Examples: `rpoIndex`, `nodeMap`, `idomLookup`, `byIdDict`, `nodesById`.
|
|
67
|
+
*
|
|
68
|
+
* Note: `Set`, `Cache`, `Store` are intentionally NOT here because they may
|
|
69
|
+
* legitimately refer to remote stores (`redisCache`, `sessionStore`,
|
|
70
|
+
* `resultSet`).
|
|
71
|
+
*/
|
|
72
|
+
const IN_MEMORY_COLLECTION_RECEIVER = /(?:Index|Map|Lookup|Dict|ById|ByName|ByKey|ByType|ByPath|ByFile|ByLine)$/;
|
|
73
|
+
/**
|
|
74
|
+
* Names of built-in in-memory collections commonly used as bare-word
|
|
75
|
+
* receivers in algorithm code (e.g. `idom.get(node)`, `seen.has(x)`).
|
|
76
|
+
*/
|
|
77
|
+
const IN_MEMORY_COLLECTION_NAMES = new Set([
|
|
78
|
+
'map', 'set', 'dict', 'lookup', 'index', 'cache', 'seen', 'visited',
|
|
79
|
+
'idom', 'memo', 'registry',
|
|
80
|
+
]);
|
|
60
81
|
/**
|
|
61
82
|
* Check if a receiver name indicates a DB or HTTP client.
|
|
83
|
+
*
|
|
84
|
+
* Returns false for in-memory collection patterns (`*Index`, `*Map`, etc.)
|
|
85
|
+
* even if they would otherwise match a DB suffix, to avoid false positives
|
|
86
|
+
* on JavaScript `Map` / `Set` `.get()` calls inside loops.
|
|
62
87
|
*/
|
|
63
88
|
function isDbOrHttpReceiver(receiver) {
|
|
89
|
+
if (IN_MEMORY_COLLECTION_RECEIVER.test(receiver))
|
|
90
|
+
return false;
|
|
91
|
+
if (IN_MEMORY_COLLECTION_NAMES.has(receiver.toLowerCase()))
|
|
92
|
+
return false;
|
|
64
93
|
return DB_OR_HTTP_RECEIVER_PREFIX.test(receiver) || DB_OR_HTTP_RECEIVER_SUFFIX.test(receiver);
|
|
65
94
|
}
|
|
66
95
|
function isDbOrApiCall(call) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,0BAA0B,GAAG,sSAAsS,CAAC;AAE1U,MAAM,0BAA0B,GAAG,
|
|
1
|
+
{"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,0BAA0B,GAAG,sSAAsS,CAAC;AAE1U,MAAM,0BAA0B,GAAG,6NAA6N,CAAC;AAEjQ;;;;;;;;;;;GAWG;AACH,MAAM,6BAA6B,GAAG,0EAA0E,CAAC;AAEjH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;IACnE,MAAM,EAAE,MAAM,EAAE,UAAU;CAC3B,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,IAAI,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/D,IAAI,0BAA0B,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IACzE,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,IAAI,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QACtB,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,MAAM,WAAW,GAAe,EAAE,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACzE,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEvB,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,cAAc,IAAI,IAAI,IAAI,EAAE;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,IAAI,CAAC,WAAW,+BAA+B;oBAC/D,eAAe,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,uBAAuB;gBACxE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,UAAU,IAAI,CAAC,WAAW,+CAA+C;gBAC9E,QAAQ,EAAE;oBACR,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}
|
|
@@ -18974,8 +18974,24 @@ var MEDIUM_CONFIDENCE_DB_METHODS = /* @__PURE__ */ new Set([
|
|
|
18974
18974
|
"lookup"
|
|
18975
18975
|
]);
|
|
18976
18976
|
var DB_OR_HTTP_RECEIVER_PREFIX = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql|mongo|redis|sql|pg|mysql|sqlite|dynamo|cosmos|elastic|es|solr|neo4j|cassandra|couchbase|firestore|supabase|drizzle|knex|typeorm|mikro)/i;
|
|
18977
|
-
var DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection
|
|
18977
|
+
var DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection)$/;
|
|
18978
|
+
var IN_MEMORY_COLLECTION_RECEIVER = /(?:Index|Map|Lookup|Dict|ById|ByName|ByKey|ByType|ByPath|ByFile|ByLine)$/;
|
|
18979
|
+
var IN_MEMORY_COLLECTION_NAMES = /* @__PURE__ */ new Set([
|
|
18980
|
+
"map",
|
|
18981
|
+
"set",
|
|
18982
|
+
"dict",
|
|
18983
|
+
"lookup",
|
|
18984
|
+
"index",
|
|
18985
|
+
"cache",
|
|
18986
|
+
"seen",
|
|
18987
|
+
"visited",
|
|
18988
|
+
"idom",
|
|
18989
|
+
"memo",
|
|
18990
|
+
"registry"
|
|
18991
|
+
]);
|
|
18978
18992
|
function isDbOrHttpReceiver(receiver) {
|
|
18993
|
+
if (IN_MEMORY_COLLECTION_RECEIVER.test(receiver)) return false;
|
|
18994
|
+
if (IN_MEMORY_COLLECTION_NAMES.has(receiver.toLowerCase())) return false;
|
|
18979
18995
|
return DB_OR_HTTP_RECEIVER_PREFIX.test(receiver) || DB_OR_HTTP_RECEIVER_SUFFIX.test(receiver);
|
|
18980
18996
|
}
|
|
18981
18997
|
function isDbOrApiCall(call) {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir",
|
|
3
|
-
"version": "3.16.
|
|
3
|
+
"version": "3.16.7",
|
|
4
4
|
"description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|
|
@@ -81,7 +81,7 @@
|
|
|
81
81
|
"url": "https://github.com/sponsors/cogniumhq"
|
|
82
82
|
},
|
|
83
83
|
"engines": {
|
|
84
|
-
"node": ">=
|
|
84
|
+
"node": ">=20.0.0"
|
|
85
85
|
},
|
|
86
86
|
"type": "module",
|
|
87
87
|
"publishConfig": {
|