npm - circle-ir - Versions diffs - 3.22.0 → 3.22.1 - Mend

circle-ir 3.22.0 → 3.22.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +5 -1
package/dist/analysis/config-loader.js +6 -6
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/taint-matcher.js +115 -22
package/dist/analysis/taint-matcher.js.map +1 -1
package/dist/browser/circle-ir.js +177 -20
package/dist/core/circle-ir-core.cjs +177 -20
package/dist/core/circle-ir-core.js +177 -20
package/dist/core/extractors/calls.js +1 -1
package/dist/core/extractors/calls.js.map +1 -1
package/docs/SPEC.md +1 -1
package/package.json +3 -1

package/README.md CHANGED Viewed

@@ -8,7 +8,7 @@ A high-performance Static Application Security Testing (SAST) library for detect
 ## Features
 - **Taint Analysis**: Track data flow from sources (user input) to sinks (dangerous operations)
-- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell, HTML
+- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Go, Rust, Bash/Shell, HTML
 - **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 97.7% TPR on SecuriBench Micro
 - **36-Pass Pipeline**: 19 security taint passes + 17 reliability/performance/maintainability/architecture quality passes
 - **Metrics Engine**: 24 software quality metrics (cyclomatic complexity, Halstead, CBO, RFC, LCOM, DIT, and 4 composite scores)
@@ -205,6 +205,7 @@ const response = await analyzeForAPI(code, 'File.java', 'java');
 | **Java** | tree-sitter-java | Spring, JAX-RS, Servlet API |
 | **JavaScript/TypeScript** | tree-sitter-javascript | Express, Fastify, Koa, Node.js |
 | **Python** | tree-sitter-python | Flask, Django, FastAPI |
+| **Go** | tree-sitter-go | net/http, Gin, Echo, Fiber, Chi |
 | **Rust** | tree-sitter-rust | Actix-web, Rocket, Axum |
 | **Bash/Shell** | tree-sitter-bash | Shell scripts (.sh, .bash, .zsh, .ksh) |
 | **HTML** | tree-sitter-html | Web extraction preprocessor (.html, .htm, .xhtml) |
@@ -220,6 +221,9 @@ const jsResult = await analyze(jsCode, 'server.js', 'javascript');
 // Analyze Python
 const pyResult = await analyze(pyCode, 'app.py', 'python');
+// Analyze Go
+const goResult = await analyze(goCode, 'main.go', 'go');
 // Analyze Rust
 const rsResult = await analyze(rsCode, 'main.rs', 'rust');

package/dist/analysis/config-loader.js CHANGED Viewed

@@ -471,9 +471,8 @@ export const DEFAULT_SINKS = [
     { method: 'FlowExecution', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
     // ActiveMQ control commands
     { method: 'processControlCommand', class: 'TransportConnection', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    // XStream deserialization (leads to RCE via gadget chains)
-    { method: 'fromXML', class: 'XStream', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
-    { method: 'unmarshal', class: 'XStream', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
+    // XStream deserialization — classified as CWE-502 (deserialization), not CWE-78 (command injection).
+    // The deserialization sink entries at lines ~1059 handle this correctly.
     { method: 'fromString', class: 'FileConverter', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
     // Plexus command line
     { method: 'getPosition', class: 'Commandline', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
@@ -1156,7 +1155,8 @@ export const DEFAULT_SINKS = [
     { method: 'query', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
-    { method: 'query', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
+    // Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
+    // SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
     { method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
     // Browser DOM XSS sinks
     { method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
@@ -1353,8 +1353,8 @@ export const DEFAULT_SINKS = [
     { method: 'execute', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'query_row', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'prepare', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
-    // sqlx::query macro
-    { method: 'query', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
+    // sqlx::query macro — use class-specific pattern
+    { method: 'query', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     // rusqlite specific
     { method: 'prepare', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
     { method: 'execute', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },