circle-ir 3.21.0 → 3.22.1

package/README.md

@@ -8,7 +8,7 @@ A high-performance Static Application Security Testing (SAST) library for detect
 ## Features
 
 - **Taint Analysis**: Track data flow from sources (user input) to sinks (dangerous operations)
-- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell, HTML
+- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Go, Rust, Bash/Shell, HTML
 - **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 97.7% TPR on SecuriBench Micro
 - **36-Pass Pipeline**: 19 security taint passes + 17 reliability/performance/maintainability/architecture quality passes
 - **Metrics Engine**: 24 software quality metrics (cyclomatic complexity, Halstead, CBO, RFC, LCOM, DIT, and 4 composite scores)
@@ -205,6 +205,7 @@ const response = await analyzeForAPI(code, 'File.java', 'java');
 | **Java** | tree-sitter-java | Spring, JAX-RS, Servlet API |
 | **JavaScript/TypeScript** | tree-sitter-javascript | Express, Fastify, Koa, Node.js |
 | **Python** | tree-sitter-python | Flask, Django, FastAPI |
+| **Go** | tree-sitter-go | net/http, Gin, Echo, Fiber, Chi |
 | **Rust** | tree-sitter-rust | Actix-web, Rocket, Axum |
 | **Bash/Shell** | tree-sitter-bash | Shell scripts (.sh, .bash, .zsh, .ksh) |
 | **HTML** | tree-sitter-html | Web extraction preprocessor (.html, .htm, .xhtml) |
@@ -220,6 +221,9 @@ const jsResult = await analyze(jsCode, 'server.js', 'javascript');
 // Analyze Python
 const pyResult = await analyze(pyCode, 'app.py', 'python');
 
+// Analyze Go
+const goResult = await analyze(goCode, 'main.go', 'go');
+
 // Analyze Rust
 const rsResult = await analyze(rsCode, 'main.rs', 'rust');
 

package/configs/sinks/golang.json

@@ -0,0 +1,144 @@
+{
+  "name": "Go Sinks",
+  "description": "Taint sinks for Go standard library and web frameworks",
+  "sinks": [
+    {
+      "method": "Query",
+      "class": "DB",
+      "type": "sql_injection",
+      "cwe": "CWE-89",
+      "severity": "critical",
+      "arg_positions": [0]
+    },
+    {
+      "method": "QueryRow",
+      "class": "DB",
+      "type": "sql_injection",
+      "cwe": "CWE-89",
+      "severity": "critical",
+      "arg_positions": [0]
+    },
+    {
+      "method": "Exec",
+      "class": "DB",
+      "type": "sql_injection",
+      "cwe": "CWE-89",
+      "severity": "critical",
+      "arg_positions": [0]
+    },
+    {
+      "method": "Query",
+      "class": "Tx",
+      "type": "sql_injection",
+      "cwe": "CWE-89",
+      "severity": "critical",
+      "arg_positions": [0]
+    },
+    {
+      "method": "Command",
+      "class": "exec",
+      "type": "command_injection",
+      "cwe": "CWE-78",
+      "severity": "critical",
+      "arg_positions": [0]
+    },
+    {
+      "method": "CommandContext",
+      "class": "exec",
+      "type": "command_injection",
+      "cwe": "CWE-78",
+      "severity": "critical",
+      "arg_positions": [1]
+    },
+    {
+      "method": "Open",
+      "class": "os",
+      "type": "path_traversal",
+      "cwe": "CWE-22",
+      "severity": "high",
+      "arg_positions": [0]
+    },
+    {
+      "method": "ReadFile",
+      "class": "os",
+      "type": "path_traversal",
+      "cwe": "CWE-22",
+      "severity": "high",
+      "arg_positions": [0]
+    },
+    {
+      "method": "WriteFile",
+      "class": "os",
+      "type": "path_traversal",
+      "cwe": "CWE-22",
+      "severity": "high",
+      "arg_positions": [0]
+    },
+    {
+      "method": "Fprintf",
+      "class": "fmt",
+      "type": "xss",
+      "cwe": "CWE-79",
+      "severity": "high",
+      "arg_positions": [1]
+    },
+    {
+      "method": "Write",
+      "class": "ResponseWriter",
+      "type": "xss",
+      "cwe": "CWE-79",
+      "severity": "high",
+      "arg_positions": [0]
+    },
+    {
+      "method": "Get",
+      "class": "http",
+      "type": "ssrf",
+      "cwe": "CWE-918",
+      "severity": "high",
+      "arg_positions": [0]
+    },
+    {
+      "method": "Post",
+      "class": "http",
+      "type": "ssrf",
+      "cwe": "CWE-918",
+      "severity": "high",
+      "arg_positions": [0]
+    },
+    {
+      "method": "Unmarshal",
+      "class": "json",
+      "type": "deserialization",
+      "cwe": "CWE-502",
+      "severity": "medium",
+      "arg_positions": [0]
+    }
+  ],
+  "sanitizers": [
+    {
+      "method": "Prepare",
+      "class": "DB",
+      "removes": ["sql_injection"],
+      "note": "Prepared statements prevent SQL injection"
+    },
+    {
+      "method": "Clean",
+      "class": "filepath",
+      "removes": ["path_traversal"],
+      "note": "filepath.Clean normalizes path, preventing traversal"
+    },
+    {
+      "method": "EscapeString",
+      "class": "html",
+      "removes": ["xss"],
+      "note": "html.EscapeString escapes HTML entities"
+    },
+    {
+      "method": "HTMLEscapeString",
+      "class": "template",
+      "removes": ["xss"],
+      "note": "template.HTMLEscapeString escapes HTML"
+    }
+  ]
+}

package/configs/sources/golang.json

@@ -0,0 +1,150 @@
+{
+  "name": "Go Sources",
+  "description": "Taint sources for Go web frameworks and standard library",
+  "sources": [
+    {
+      "method": "FormValue",
+      "class": "Request",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "net/http"
+    },
+    {
+      "method": "PostFormValue",
+      "class": "Request",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "net/http"
+    },
+    {
+      "method": "Get",
+      "class": "Header",
+      "type": "http_header",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "net/http"
+    },
+    {
+      "method": "Cookie",
+      "class": "Request",
+      "type": "http_cookie",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "net/http"
+    },
+    {
+      "method": "ReadAll",
+      "class": "io",
+      "type": "http_body",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "net/http"
+    },
+    {
+      "method": "Query",
+      "class": "Context",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "gin"
+    },
+    {
+      "method": "Param",
+      "class": "Context",
+      "type": "http_path",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "gin"
+    },
+    {
+      "method": "PostForm",
+      "class": "Context",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "gin"
+    },
+    {
+      "method": "GetRawData",
+      "class": "Context",
+      "type": "http_body",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "gin"
+    },
+    {
+      "method": "BindJSON",
+      "class": "Context",
+      "type": "http_body",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "gin"
+    },
+    {
+      "method": "QueryParam",
+      "class": "Context",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "echo"
+    },
+    {
+      "method": "FormValue",
+      "class": "Context",
+      "type": "http_param",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "echo"
+    },
+    {
+      "method": "Param",
+      "class": "Context",
+      "type": "http_path",
+      "severity": "high",
+      "return_tainted": true,
+      "framework": "echo"
+    },
+    {
+      "method": "Getenv",
+      "class": "os",
+      "type": "env_var",
+      "severity": "medium",
+      "return_tainted": true,
+      "framework": "stdlib"
+    },
+    {
+      "method": "ReadFile",
+      "class": "os",
+      "type": "file_read",
+      "severity": "medium",
+      "return_tainted": true,
+      "framework": "stdlib"
+    },
+    {
+      "method": "Text",
+      "class": "Scanner",
+      "type": "stdin",
+      "severity": "medium",
+      "return_tainted": true,
+      "framework": "stdlib"
+    },
+    {
+      "method": "Scan",
+      "class": "fmt",
+      "type": "stdin",
+      "severity": "medium",
+      "return_tainted": true,
+      "framework": "stdlib"
+    },
+    {
+      "method": "Scanln",
+      "class": "fmt",
+      "type": "stdin",
+      "severity": "medium",
+      "return_tainted": true,
+      "framework": "stdlib"
+    }
+  ]
+}

package/dist/analysis/config-loader.js

@@ -471,9 +471,8 @@ export const DEFAULT_SINKS = [
     { method: 'FlowExecution', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
     // ActiveMQ control commands
     { method: 'processControlCommand', class: 'TransportConnection', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    // XStream deserialization (leads to RCE via gadget chains)
-    { method: 'fromXML', class: 'XStream', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'unmarshal', class: 'XStream', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+    // The deserialization sink entries at lines ~1059 handle this correctly.
     { method: 'fromString', class: 'FileConverter', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
     // Plexus command line
     { method: 'getPosition', class: 'Commandline', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
@@ -1156,7 +1155,8 @@ export const DEFAULT_SINKS = [
     { method: 'query', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
-    { method: 'query', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
+    // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+    // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
     { method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
     // Browser DOM XSS sinks
     { method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
@@ -1353,8 +1353,8 @@ export const DEFAULT_SINKS = [
     { method: 'execute', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'query_row', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'prepare', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
-    // sqlx::query macro
-    { method: 'query', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
+    // sqlx::query macro — use class-specific pattern
+    { method: 'query', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     // rusqlite specific
     { method: 'prepare', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'execute', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },