circle-ir 3.16.5 → 3.16.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/README.md +3 -0
  2. package/dist/analysis/passes/n-plus-one-pass.js +30 -1
  3. package/dist/analysis/passes/n-plus-one-pass.js.map +1 -1
  4. package/dist/browser/circle-ir.js +20 -1
  5. package/dist/core/circle-ir-core.cjs +2 -0
  6. package/dist/core/circle-ir-core.js +2 -0
  7. package/package.json +3 -3
package/README.md CHANGED
@@ -1,5 +1,8 @@
1
1
  # circle-ir
2
2
 
3
+ ![Trust Score](https://raw.githubusercontent.com/cogniumhq/circle-ir/badges/trust-badge.svg)
4
+ ![Quality Score](https://raw.githubusercontent.com/cogniumhq/circle-ir/badges/quality-badge.svg)
5
+
3
6
  A high-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis, and code quality findings through an extensible 36-pass analysis pipeline. Works in Node.js and browsers.
4
7
 
5
8
  ## Features
package/dist/analysis/passes/n-plus-one-pass.js CHANGED
@@ -56,11 +56,40 @@ const MEDIUM_CONFIDENCE_DB_METHODS = new Set([
56
56
  * This catches both `dbConnection.query()` and `userRepository.find()`.
57
57
  */
58
58
  const DB_OR_HTTP_RECEIVER_PREFIX = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql|mongo|redis|sql|pg|mysql|sqlite|dynamo|cosmos|elastic|es|solr|neo4j|cassandra|couchbase|firestore|supabase|drizzle|knex|typeorm|mikro)/i;
59
- const DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection|Index)$/;
59
+ const DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection)$/;
60
+ /**
61
+ * Receiver name patterns that indicate a built-in in-memory collection
62
+ * (`Map`, `WeakMap`, plain object used as a hash) rather than a DB/HTTP
63
+ * client. These are common in algorithm implementations where `.get()`,
64
+ * `.has()`, `.set()` are called inside loops without any I/O.
65
+ *
66
+ * Examples: `rpoIndex`, `nodeMap`, `idomLookup`, `byIdDict`, `nodesById`.
67
+ *
68
+ * Note: `Set`, `Cache`, `Store` are intentionally NOT here because they may
69
+ * legitimately refer to remote stores (`redisCache`, `sessionStore`,
70
+ * `resultSet`).
71
+ */
72
+ const IN_MEMORY_COLLECTION_RECEIVER = /(?:Index|Map|Lookup|Dict|ById|ByName|ByKey|ByType|ByPath|ByFile|ByLine)$/;
73
+ /**
74
+ * Names of built-in in-memory collections commonly used as bare-word
75
+ * receivers in algorithm code (e.g. `idom.get(node)`, `seen.has(x)`).
76
+ */
77
+ const IN_MEMORY_COLLECTION_NAMES = new Set([
78
+ 'map', 'set', 'dict', 'lookup', 'index', 'cache', 'seen', 'visited',
79
+ 'idom', 'memo', 'registry',
80
+ ]);
60
81
  /**
61
82
  * Check if a receiver name indicates a DB or HTTP client.
83
+ *
84
+ * Returns false for in-memory collection patterns (`*Index`, `*Map`, etc.)
85
+ * even if they would otherwise match a DB suffix, to avoid false positives
86
+ * on JavaScript `Map` / `Set` `.get()` calls inside loops.
62
87
  */
63
88
  function isDbOrHttpReceiver(receiver) {
89
+ if (IN_MEMORY_COLLECTION_RECEIVER.test(receiver))
90
+ return false;
91
+ if (IN_MEMORY_COLLECTION_NAMES.has(receiver.toLowerCase()))
92
+ return false;
64
93
  return DB_OR_HTTP_RECEIVER_PREFIX.test(receiver) || DB_OR_HTTP_RECEIVER_SUFFIX.test(receiver);
65
94
  }
66
95
  function isDbOrApiCall(call) {
package/dist/analysis/passes/n-plus-one-pass.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,0BAA0B,GAAG,sSAAsS,CAAC;AAE1U,MAAM,0BAA0B,GAAG,mOAAmO,CAAC;AAEvQ;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,IAAI,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QACtB,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,MAAM,WAAW,GAAe,EAAE,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACzE,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEvB,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,cAAc,IAAI,IAAI,IAAI,EAAE;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,IAAI,CAAC,WAAW,+BAA+B;oBAC/D,eAAe,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,uBAAuB;gBACxE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,UAAU,IAAI,CAAC,WAAW,+CAA+C;gBAC9E,QAAQ,EAAE;oBACR,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}
1
+ {"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,0BAA0B,GAAG,sSAAsS,CAAC;AAE1U,MAAM,0BAA0B,GAAG,6NAA6N,CAAC;AAEjQ;;;;;;;;;;;GAWG;AACH,MAAM,6BAA6B,GAAG,0EAA0E,CAAC;AAEjH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;IACnE,MAAM,EAAE,MAAM,EAAE,UAAU;CAC3B,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,IAAI,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/D,IAAI,0BAA0B,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IACzE,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,IAAI,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QACtB,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,MAAM,WAAW,GAAe,EAAE,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACzE,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEvB,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,cAAc,IAAI,IAAI,IAAI,EAAE;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,IAAI,CAAC,WAAW,+BAA+B;oBAC/D,eAAe,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,uBAAuB;gBACxE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,UAAU,IAAI,CAAC,WAAW,+CAA+C;gBAC9E,QAAQ,EAAE;oBACR,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}
package/dist/browser/circle-ir.js CHANGED
@@ -12735,6 +12735,8 @@ var ExpressionEvaluator = class {
12735
12735
  this.source = source;
12736
12736
  this.getSymbol = getSymbol;
12737
12737
  }
12738
+ source;
12739
+ getSymbol;
12738
12740
  /**
12739
12741
  * Evaluate an expression node to determine its constant value.
12740
12742
  */
@@ -17637,6 +17639,7 @@ var ConstantPropagationPass = class {
17637
17639
  constructor(tree) {
17638
17640
  this.tree = tree;
17639
17641
  }
17642
+ tree;
17640
17643
  name = "constant-propagation";
17641
17644
  category = "security";
17642
17645
  run(ctx) {
@@ -18974,8 +18977,24 @@ var MEDIUM_CONFIDENCE_DB_METHODS = /* @__PURE__ */ new Set([
18974
18977
  "lookup"
18975
18978
  ]);
18976
18979
  var DB_OR_HTTP_RECEIVER_PREFIX = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql|mongo|redis|sql|pg|mysql|sqlite|dynamo|cosmos|elastic|es|solr|neo4j|cassandra|couchbase|firestore|supabase|drizzle|knex|typeorm|mikro)/i;
18977
- var DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection|Index)$/;
18980
+ var DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection)$/;
18981
+ var IN_MEMORY_COLLECTION_RECEIVER = /(?:Index|Map|Lookup|Dict|ById|ByName|ByKey|ByType|ByPath|ByFile|ByLine)$/;
18982
+ var IN_MEMORY_COLLECTION_NAMES = /* @__PURE__ */ new Set([
18983
+ "map",
18984
+ "set",
18985
+ "dict",
18986
+ "lookup",
18987
+ "index",
18988
+ "cache",
18989
+ "seen",
18990
+ "visited",
18991
+ "idom",
18992
+ "memo",
18993
+ "registry"
18994
+ ]);
18978
18995
  function isDbOrHttpReceiver(receiver) {
18996
+ if (IN_MEMORY_COLLECTION_RECEIVER.test(receiver)) return false;
18997
+ if (IN_MEMORY_COLLECTION_NAMES.has(receiver.toLowerCase())) return false;
18979
18998
  return DB_OR_HTTP_RECEIVER_PREFIX.test(receiver) || DB_OR_HTTP_RECEIVER_SUFFIX.test(receiver);
18980
18999
  }
18981
19000
  function isDbOrApiCall(call) {
package/dist/core/circle-ir-core.cjs CHANGED
@@ -11528,6 +11528,8 @@ var ExpressionEvaluator = class {
11528
11528
  this.source = source;
11529
11529
  this.getSymbol = getSymbol;
11530
11530
  }
11531
+ source;
11532
+ getSymbol;
11531
11533
  /**
11532
11534
  * Evaluate an expression node to determine its constant value.
11533
11535
  */
package/dist/core/circle-ir-core.js CHANGED
@@ -11463,6 +11463,8 @@ var ExpressionEvaluator = class {
11463
11463
  this.source = source;
11464
11464
  this.getSymbol = getSymbol;
11465
11465
  }
11466
+ source;
11467
+ getSymbol;
11466
11468
  /**
11467
11469
  * Evaluate an expression node to determine its constant value.
11468
11470
  */
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "circle-ir",
3
- "version": "3.16.5",
3
+ "version": "3.16.8",
4
4
  "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.js",
@@ -81,7 +81,7 @@
81
81
  "url": "https://github.com/sponsors/cogniumhq"
82
82
  },
83
83
  "engines": {
84
- "node": ">=18.0.0"
84
+ "node": ">=20.0.0"
85
85
  },
86
86
  "type": "module",
87
87
  "publishConfig": {
@@ -95,7 +95,7 @@
95
95
  "devDependencies": {
96
96
  "@types/node": "^25.5.0",
97
97
  "@vitest/coverage-v8": "^4.1.2",
98
- "esbuild": "^0.27.4",
98
+ "esbuild": "^0.28.0",
99
99
  "tree-sitter-bash": "^0.25.1",
100
100
  "tree-sitter-java": "^0.23.5",
101
101
  "tree-sitter-python": "^0.25.0",