circle-ir 3.40.0 → 3.42.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -144,99 +144,99 @@
144
144
  {
145
145
  "method": "insert",
146
146
  "class": "*Mapper",
147
- "type": "sql_injection",
147
+ "type": "mybatis_mapper_call",
148
148
  "cwe": "CWE-89",
149
- "severity": "critical",
149
+ "severity": "medium",
150
150
  "arg_positions": [0],
151
151
  "note": "MyBatis ORM - tainted fields in entity may be interpolated via ${} syntax"
152
152
  },
153
153
  {
154
154
  "method": "insertSelective",
155
155
  "class": "*Mapper",
156
- "type": "sql_injection",
156
+ "type": "mybatis_mapper_call",
157
157
  "cwe": "CWE-89",
158
- "severity": "critical",
158
+ "severity": "medium",
159
159
  "arg_positions": [0],
160
160
  "note": "MyBatis ORM - tainted fields in entity may be interpolated via ${} syntax"
161
161
  },
162
162
  {
163
163
  "method": "update",
164
164
  "class": "*Mapper",
165
- "type": "sql_injection",
165
+ "type": "mybatis_mapper_call",
166
166
  "cwe": "CWE-89",
167
- "severity": "critical",
167
+ "severity": "medium",
168
168
  "arg_positions": [0],
169
169
  "note": "MyBatis ORM - tainted fields in entity may be interpolated via ${} syntax"
170
170
  },
171
171
  {
172
172
  "method": "updateByPrimaryKey",
173
173
  "class": "*Mapper",
174
- "type": "sql_injection",
174
+ "type": "mybatis_mapper_call",
175
175
  "cwe": "CWE-89",
176
- "severity": "critical",
176
+ "severity": "medium",
177
177
  "arg_positions": [0],
178
178
  "note": "MyBatis ORM - tainted fields in entity may be interpolated via ${} syntax"
179
179
  },
180
180
  {
181
181
  "method": "updateByPrimaryKeySelective",
182
182
  "class": "*Mapper",
183
- "type": "sql_injection",
183
+ "type": "mybatis_mapper_call",
184
184
  "cwe": "CWE-89",
185
- "severity": "critical",
185
+ "severity": "medium",
186
186
  "arg_positions": [0],
187
187
  "note": "MyBatis ORM - tainted fields in entity may be interpolated via ${} syntax"
188
188
  },
189
189
  {
190
190
  "method": "delete",
191
191
  "class": "*Mapper",
192
- "type": "sql_injection",
192
+ "type": "mybatis_mapper_call",
193
193
  "cwe": "CWE-89",
194
- "severity": "critical",
194
+ "severity": "medium",
195
195
  "arg_positions": [0],
196
196
  "note": "MyBatis ORM - tainted parameter may be interpolated via ${} syntax"
197
197
  },
198
198
  {
199
199
  "method": "deleteByPrimaryKey",
200
200
  "class": "*Mapper",
201
- "type": "sql_injection",
201
+ "type": "mybatis_mapper_call",
202
202
  "cwe": "CWE-89",
203
- "severity": "critical",
203
+ "severity": "medium",
204
204
  "arg_positions": [0],
205
205
  "note": "MyBatis ORM - tainted parameter may be interpolated via ${} syntax"
206
206
  },
207
207
  {
208
208
  "method": "selectOne",
209
209
  "class": "*Mapper",
210
- "type": "sql_injection",
210
+ "type": "mybatis_mapper_call",
211
211
  "cwe": "CWE-89",
212
- "severity": "critical",
212
+ "severity": "medium",
213
213
  "arg_positions": [0],
214
214
  "note": "MyBatis ORM - tainted parameter may be interpolated via ${} syntax"
215
215
  },
216
216
  {
217
217
  "method": "selectList",
218
218
  "class": "*Mapper",
219
- "type": "sql_injection",
219
+ "type": "mybatis_mapper_call",
220
220
  "cwe": "CWE-89",
221
- "severity": "critical",
221
+ "severity": "medium",
222
222
  "arg_positions": [0],
223
223
  "note": "MyBatis ORM - tainted parameter may be interpolated via ${} syntax"
224
224
  },
225
225
  {
226
226
  "method": "selectByPrimaryKey",
227
227
  "class": "*Mapper",
228
- "type": "sql_injection",
228
+ "type": "mybatis_mapper_call",
229
229
  "cwe": "CWE-89",
230
- "severity": "critical",
230
+ "severity": "medium",
231
231
  "arg_positions": [0],
232
232
  "note": "MyBatis ORM - tainted parameter may be interpolated via ${} syntax"
233
233
  },
234
234
  {
235
235
  "method": "selectByExample",
236
236
  "class": "*Mapper",
237
- "type": "sql_injection",
237
+ "type": "mybatis_mapper_call",
238
238
  "cwe": "CWE-89",
239
- "severity": "critical",
239
+ "severity": "medium",
240
240
  "arg_positions": [0],
241
241
  "note": "MyBatis ORM - tainted fields in example criteria may be interpolated via ${} syntax"
242
242
  }
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAkrCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4sCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
@@ -459,6 +459,23 @@ export const DEFAULT_SINKS = [
459
459
  { method: 'queryForObject', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
460
460
  { method: 'queryForList', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
461
461
  { method: 'queryForLong', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0] },
462
+ // MyBatis mapper-interface methods (CWE-89, classified as mybatis_mapper_call)
463
+ // The actual SQL lives in the mapper's XML or @Select/@Update annotation —
464
+ // exploitability depends on whether the binding uses ${...} interpolation
465
+ // vs #{...} parameter binding. Surface as a distinct sink type so consumers
466
+ // can resolve the binding before reporting. See cognium-dev#24.
467
+ // The `class: '*Mapper'` suffix wildcard matches userMapper, OrderMapper, …
468
+ { method: 'insert', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
469
+ { method: 'insertSelective', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
470
+ { method: 'update', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
471
+ { method: 'updateByPrimaryKey', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
472
+ { method: 'updateByPrimaryKeySelective', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
473
+ { method: 'delete', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
474
+ { method: 'deleteByPrimaryKey', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
475
+ { method: 'selectOne', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
476
+ { method: 'selectList', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
477
+ { method: 'selectByPrimaryKey', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
478
+ { method: 'selectByExample', class: '*Mapper', type: 'mybatis_mapper_call', cwe: 'CWE-89', severity: 'medium', arg_positions: [0], languages: ['java'] },
462
479
  // Command Injection (CWE-78)
463
480
  { method: 'exec', class: 'Runtime', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0, 1] },
464
481
  { method: 'start', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [] },
@@ -1011,15 +1028,22 @@ export const DEFAULT_SINKS = [
1011
1028
  { method: 'readObject', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
1012
1029
  { method: 'readUnshared', class: 'ObjectInputStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
1013
1030
  { method: 'fromXML', class: 'XStream', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1014
- { method: 'readValue', class: 'ObjectMapper', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
1015
- // YAML deserialization
1016
- { method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1031
+ // Jackson ObjectMapper the 1-arg `readValue(json)` form is polymorphic and
1032
+ // can deserialize attacker-controlled types (default-typing gadget chains).
1033
+ // The 2-arg typed form `readValue(json, User.class)` is safe because the
1034
+ // deserialized type is fixed at compile time; suppressed via
1035
+ // safe_if_class_literal_at. The `readValue(json, Class.forName(x))` shape
1036
+ // is NOT a class literal and remains a sink.
1037
+ { method: 'readValue', class: 'ObjectMapper', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
1038
+ // YAML deserialization — `Yaml.load(InputStream, Class<T>)` typed overload
1039
+ // is safe; `Yaml.load(InputStream)` and dynamic-class forms are not.
1040
+ { method: 'load', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], safe_if_class_literal_at: 1 },
1017
1041
  { method: 'loadAll', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1018
- { method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1042
+ { method: 'loadAs', class: 'Yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], safe_if_class_literal_at: 1 },
1019
1043
  // JSON deserialization (Java FastJSON / Jackson — NOT JavaScript's safe JSON.parse)
1020
- { method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
1021
- { method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0] },
1022
- { method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0] },
1044
+ { method: 'parseObject', class: 'JSON', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
1045
+ { method: 'parseObject', class: 'JSONObject', type: 'deserialization', cwe: 'CWE-502', severity: 'high', arg_positions: [0], safe_if_class_literal_at: 1 },
1046
+ { method: 'fromJson', class: 'Gson', type: 'deserialization', cwe: 'CWE-502', severity: 'medium', arg_positions: [0], safe_if_class_literal_at: 1 },
1023
1047
  // XMLDecoder
1024
1048
  { method: 'readObject', class: 'XMLDecoder', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [] },
1025
1049
  // Java serialization constructors
@@ -1303,12 +1327,13 @@ export const DEFAULT_SINKS = [
1303
1327
  { method: 'exec', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['python'] },
1304
1328
  { method: 'compile', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
1305
1329
  { method: '__import__', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
1306
- // Python Deserialization
1307
- { method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1308
- { method: 'load', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1309
- { method: 'loads', class: 'marshal', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1310
- { method: 'load', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1311
- { method: 'loads', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
1330
+ // Python Deserialization — language-scoped so the lowercase `yaml` / `pickle`
1331
+ // module names don't collide with Java locals named `yaml` (SnakeYAML usage).
1332
+ { method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
1333
+ { method: 'load', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
1334
+ { method: 'loads', class: 'marshal', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
1335
+ { method: 'load', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
1336
+ { method: 'loads', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0], languages: ['python'] },
1312
1337
  // Python SQL Injection
1313
1338
  // Language-scoped: classless `execute`/`raw` collide with Java util.concurrent
1314
1339
  // (Executor.execute, ThreadPool.execute) and other languages. See issue #14.
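Review bot: The `safe_if_class_literal_at: 1` added on `ObjectMapper.readValue`, `Yaml.loadAs` and `JSON.parseObject` (second hunk of this file, new lines 1037–1046) suppresses findings on a premise the comment overstates — a class literal fixes only the root target type, while SnakeYAML's default constructor still honours global `!!` type tags in nested nodes, Jackson still instantiates attacker-chosen types when default typing is enabled or the target type carries `@JsonTypeInfo` fields, and FastJSON's autotype can (version-dependently) be reached through nested `@type` keys, so the typed form is a severity downgrade rather than a safe form (Gson is the one entry where the literal genuinely bounds what is instantiated). I would keep the flag only where the analyser can also confirm the mapper/loader configuration, or at least replace the "is safe" wording with `// typed form bounds only the root type; nested polymorphic typing (default typing, @JsonTypeInfo, SnakeYAML global tags) is still reachable — treat as a downgrade, not a suppression`. I also do not believe `Yaml.load` has a typed two-argument overload (that is `loadAs`), so the comment at new line 1038 appears to describe the wrong method. Separately, the MyBatis entries in the first hunk carry `languages: ['java']` while the packaged JSON copy of the same sinks at the top of this diff (lines 144–233) does not, so the two sink lists now diverge in language scoping.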