circle-ir 3.17.0 → 3.17.1
- package/README.md +7 -1
- package/dist/languages/index.d.ts +1 -1
- package/dist/languages/index.js +1 -1
- package/dist/languages/types.d.ts +1 -1
- package/dist/languages/types.js +1 -1
- package/docs/SPEC.md +1 -1
- package/package.json +1 -1
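--- a/package/README.md
+++ b/package/README.md
@@ -8,7 +8,7 @@ A high-performance Static Application Security Testing (SAST) library for detect
 ## Features
 
 - **Taint Analysis**: Track data flow from sources (user input) to sinks (dangerous operations)
-- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell
+- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell, HTML
 - **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 97.7% TPR on SecuriBench Micro
 - **36-Pass Pipeline**: 19 security taint passes + 17 reliability/performance/maintainability/architecture quality passes
 - **Metrics Engine**: 24 software quality metrics (cyclomatic complexity, Halstead, CBO, RFC, LCOM, DIT, and 4 composite scores)
@@ -207,6 +207,9 @@ const response = await analyzeForAPI(code, 'File.java', 'java');
 | **Python** | tree-sitter-python | Flask, Django, FastAPI |
 | **Rust** | tree-sitter-rust | Actix-web, Rocket, Axum |
 | **Bash/Shell** | tree-sitter-bash | Shell scripts (.sh, .bash, .zsh, .ksh) |
+| **HTML** | tree-sitter-html | Web extraction preprocessor (.html, .htm, .xhtml) |
+
+HTML is handled as a preprocessor: `<script>` blocks are extracted and analyzed as JavaScript, inline event handlers are analyzed as JS snippets, and 8 attribute-level security checks (missing noopener, javascript: URIs, missing sandbox/SRI, mixed content, etc.) run directly on the HTML AST.
 
 ### Multi-Language Examples
 
@@ -219,6 +222,9 @@ const pyResult = await analyze(pyCode, 'app.py', 'python');
 
 // Analyze Rust
 const rsResult = await analyze(rsCode, 'main.rs', 'rust');
+
+// Analyze HTML (extracts scripts, checks attributes)
+const htmlResult = await analyze(htmlCode, 'index.html', 'html');
 ```
 
 ## Detected Security Vulnerabilities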
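--- a/package/dist/languages/index.d.ts
+++ b/package/dist/languages/index.d.ts
@@ -2,7 +2,7 @@
 * Language Plugin System
 *
 * Provides multi-language support through a plugin architecture.
-* Each language (Java, JavaScript, Python, Rust) has its own plugin
+* Each language (Java, JavaScript, Python, Rust, Bash, HTML) has its own plugin
 * that handles AST node types, taint patterns, and framework detection.
 */
 export type { SupportedLanguage, LanguageNodeTypes, LanguagePlugin, LanguageRegistry, ExtractionContext, FrameworkInfo, TaintSourcePattern, TaintSinkPattern, } from './types.js';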
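--- a/package/dist/languages/index.js
+++ b/package/dist/languages/index.js
@@ -2,7 +2,7 @@
 * Language Plugin System
 *
 * Provides multi-language support through a plugin architecture.
-* Each language (Java, JavaScript, Python, Rust) has its own plugin
+* Each language (Java, JavaScript, Python, Rust, Bash, HTML) has its own plugin
 * that handles AST node types, taint patterns, and framework detection.
 */
 // Registry functions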
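--- a/package/dist/languages/types.d.ts
+++ b/package/dist/languages/types.d.ts
@@ -2,7 +2,7 @@
 * Language Plugin System
 *
 * Defines the interface for language-specific analysis plugins.
-* Each language (Java, JavaScript, Python, Rust) implements this interface.
+* Each language (Java, JavaScript, Python, Rust, Bash, HTML) implements this interface.
 */
 import type { Parser, Node as SyntaxNode, Tree } from 'web-tree-sitter';
 import type { TypeInfo, CallInfo, ImportInfo } from '../types/index.js';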
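--- a/package/dist/languages/types.js
+++ b/package/dist/languages/types.js
@@ -2,7 +2,7 @@
 * Language Plugin System
 *
 * Defines the interface for language-specific analysis plugins.
-* Each language (Java, JavaScript, Python, Rust) implements this interface.
+* Each language (Java, JavaScript, Python, Rust, Bash, HTML) implements this interface.
 */
 export {};
 //# sourceMappingURL=types.js.map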
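--- a/package/docs/SPEC.md
+++ b/package/docs/SPEC.md
@@ -73,7 +73,7 @@ File metadata and version information.
 interface Meta {
 circle_ir: "3.0";
 file: string;
-language: "java" | "javascript" | "typescript" | "python" | "rust" | "bash";
+language: "java" | "javascript" | "typescript" | "python" | "rust" | "bash" | "html";
 loc: number;
 hash: string; // SHA256 prefix (16 chars)
 package?: string; // PENDING: Add to implementation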
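--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "circle-ir",
-"version": "3.17.
+"version": "3.17.1",
 "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
 "main": "dist/index.js",
 "module": "dist/index.js",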