npm - circle-ir - Versions diffs - 3.79.0 → 3.81.0 - Mend

circle-ir 3.79.0 → 3.81.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/configs/sinks/xss.yaml CHANGED Viewed

@@ -418,13 +418,14 @@
     },
     {
       "method": "write",
+      "class": "ServletOutputStream",
       "type": "xss",
       "cwe": "CWE-79",
       "severity": "high",
       "arg_positions": [
         0
       ],
-      "note": "Auto-mined from CVE analysis"
+      "note": "Servlet response output stream — class-scoped (Sprint 28 #110)"
     },
     {
       "method": "newInstance",

package/dist/analysis/config-loader.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,~~EAg~~+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1	+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js CHANGED Viewed

@@ -775,7 +775,12 @@ export const DEFAULT_SINKS = [
     // Class-less XSS patterns for cases where receiver type is inferred
     { method: 'println', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
     { method: 'print', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
-    { method: 'write', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
+    // NOTE: the unscoped { method: 'write', type: 'xss' } entry was removed in
+    // Sprint 28 (#110). It mistyped every non-XSS .write() across all languages
+    // (fs.writeFile, open().write, bcrypt callbacks, credential file writes,
+    // node ClientRequest.write, etc.) as xss. Real HTML writers are covered
+    // by class-scoped entries: PrintWriter.write (line 843), ServletOutputStream.write
+    // (line 849), JspWriter.write (xss.yaml), Response.write (nodejs.json).
     { method: 'append', class: 'StringBuilder', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
     { method: 'append', class: 'StringBuffer', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
     // Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)
@@ -1133,10 +1138,17 @@ export const DEFAULT_SINKS = [
     // These patterns are detected by call-site literal inspection, not taint flow,
     // so they are NOT registered here as sinks (they could never match a "tainted
     // value flowing into a sink" because the bad value is a hard-coded constant).
-    // Trust Boundary (CWE-501) - using untrusted data as session attribute NAME
-    // The vulnerability is attacker controlling which key to use, not the value
-    { method: 'setAttribute', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },
-    { method: 'putValue', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0] },
+    // Trust Boundary (CWE-501) — tainted VALUE crossing into shared session
+    // state. OWASP/CWE-501 treats `session.setAttribute("k", taintedValue)` as
+    // the violation: untrusted data enters server-side state where downstream
+    // code reads it as if trusted. Both arg positions are flagged so either a
+    // tainted key (rare) or tainted value (the OWASP shape, 83 cases) trips
+    // the sink. (cognium-dev #117)
+    { method: 'setAttribute', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0, 1] },
+    { method: 'putValue', class: 'HttpSession', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0, 1] },
+    // ServletContext + request scopes — same trust-boundary semantics.
+    { method: 'setAttribute', class: 'ServletContext', type: 'trust_boundary', cwe: 'CWE-501', severity: 'medium', arg_positions: [0, 1] },
+    { method: 'setAttribute', class: 'HttpServletRequest', type: 'trust_boundary', cwe: 'CWE-501', severity: 'low', arg_positions: [0, 1] },
     // Additional XSS patterns (JDOM/XML output)
     { method: 'outputElementContent', class: 'XMLOutputter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
     { method: 'output', class: 'XMLOutputter', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },