circle-ir 3.50.0 → 3.52.0

package/configs/sinks/golang.json

@@ -90,6 +90,24 @@
       "severity": "high",
       "arg_positions": [0]
     },
+    {
+      "method": "Execute",
+      "class": "Template",
+      "type": "xss",
+      "cwe": "CWE-79",
+      "severity": "high",
+      "arg_positions": [1],
+      "note": "text/template renders user data without HTML escaping. html/template auto-escapes (handled by html-escape sanitizer)."
+    },
+    {
+      "method": "ExecuteTemplate",
+      "class": "Template",
+      "type": "xss",
+      "cwe": "CWE-79",
+      "severity": "high",
+      "arg_positions": [2],
+      "note": "text/template.ExecuteTemplate renders named template with user data — no auto-escape."
+    },
     {
       "method": "Get",
       "class": "http",

package/dist/analysis/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4xCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAoMhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA8wCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EAoMhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js

@@ -1086,26 +1086,16 @@ export const DEFAULT_SINKS = [
     { method: 'get', class: 'WebClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
     { method: 'post', class: 'WebClient', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [] },
     // =============================================================================
-    // Weak Cryptography Sinks (no taint flow required - presence alone is vulnerability)
+    // Config / Absence Vulnerabilities (handled by dedicated pattern passes)
     // =============================================================================
-    // Weak Random (CWE-330) - java.util.Random is not cryptographically secure
-    { method: 'Random', class: 'constructor', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
-    { method: 'nextInt', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
-    { method: 'nextLong', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
-    { method: 'nextFloat', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
-    { method: 'nextDouble', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
-    { method: 'nextBoolean', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
-    { method: 'nextBytes', class: 'Random', type: 'weak_random', cwe: 'CWE-330', severity: 'medium', arg_positions: [] },
-    // Weak Hash (CWE-328) - MD5/SHA1 are cryptographically broken
-    // Note: Detection requires checking algorithm argument - handled in runner
-    { method: 'getInstance', class: 'MessageDigest', type: 'weak_hash', cwe: 'CWE-328', severity: 'medium', arg_positions: [0] },
-    // Weak Crypto (CWE-327) - DES/RC4/Blowfish are weak ciphers
-    // Note: Detection requires checking algorithm argument - handled in runner
-    { method: 'getInstance', class: 'Cipher', type: 'weak_crypto', cwe: 'CWE-327', severity: 'high', arg_positions: [0] },
-    { method: 'getInstance', class: 'KeyGenerator', type: 'weak_crypto', cwe: 'CWE-327', severity: 'high', arg_positions: [0] },
-    // Insecure Cookie (CWE-614) - cookies without secure/httpOnly flags
-    // Note: Detection requires checking if setSecure(true)/setHttpOnly(true) called - handled in runner
-    { method: 'Cookie', class: 'constructor', type: 'insecure_cookie', cwe: 'CWE-614', severity: 'medium', arg_positions: [] },
+    // weak_random  → WeakRandomPass        (src/analysis/passes/weak-random-pass.ts)
+    // weak_hash    → WeakHashPass          (src/analysis/passes/weak-hash-pass.ts)
+    // weak_crypto  → WeakCryptoPass        (src/analysis/passes/weak-crypto-pass.ts)
+    // insecure_cookie → InsecureCookiePass (src/analysis/passes/insecure-cookie-pass.ts)
+    // tls_verify_disabled → TlsVerifyDisabledPass
+    // These patterns are detected by call-site literal inspection, not taint flow,
+    // so they are NOT registered here as sinks (they could never match a "tainted
+    // value flowing into a sink" because the bad value is a hard-coded constant).
     // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
     // The vulnerability is attacker controlling which key to use, not the value
     { method: 'setAttribute', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },