circle-ir 3.8.0 → 3.8.3

package/dist/browser/circle-ir.js

@@ -9211,9 +9211,7 @@ var DEFAULT_SINKS = [
   { method: "resolveURI", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "resolve", class: "SourceResolver", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getSource", class: "SourceResolver", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  // URL-based resource loading
-  { method: "URL", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
-  { method: "openStream", class: "URL", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
+  // NOTE: new URL(userInput) is SSRF (CWE-918), not path traversal — see ssrf section below
   // Servlet context resource loading
   { method: "getResource", class: "ServletContext", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getResourceAsStream", class: "ServletContext", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -9250,8 +9248,7 @@ var DEFAULT_SINKS = [
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
-  // Additional file constructors
-  { method: "BufferedReader", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  // Additional file constructors — BufferedReader(Reader) is NOT a path traversal sink; it wraps a Reader, not a file path
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "Scanner", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Topic/queue names (for message queue systems - can be exploited for path traversal)
@@ -9278,7 +9275,6 @@ var DEFAULT_SINKS = [
   { method: "getPath", class: "BaseFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getPathMatcher", class: "BaseFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getFileStores", class: "RootedFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "deleteRecursive", class: "CommonTestSupportUtils", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // SftpFileSystemProvider
   { method: "move", class: "SftpFileSystemProvider", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
   { method: "copy", class: "SftpFileSystemProvider", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
@@ -9328,18 +9324,6 @@ var DEFAULT_SINKS = [
   { method: "createPlainAccessConfig", class: "MQClientAPIImpl", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // XWiki velocity introspector
   { method: "SecureIntrospector", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  // Generic test methods that process paths
-  { method: "testLifeCycle", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "testPathAccess", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "single", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "invalidPath", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "invalidPathWithPreviousDirectoryAllEncoded", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  // Embedded server test methods
-  { method: "create", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "create_withThreadPool", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "create_withNullThreadPool", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  // Camel file tests
-  { method: "testProducerComplexByExpression", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
   // XSS (CWE-79)
   { method: "write", class: "PrintWriter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "println", class: "PrintWriter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -9774,9 +9758,12 @@ var DEFAULT_SINKS = [
   { method: "execSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawn", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawnSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Also match without receiver (destructured imports)
+  // Also match without receiver (destructured imports: const { exec } = require('child_process'))
   { method: "exec", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   { method: "execSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "spawnSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "execFile", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   // Node.js File System (path traversal)
   { method: "readFile", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "readFileSync", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
@@ -9819,7 +9806,9 @@ var DEFAULT_SINKS = [
   { method: "request", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "get", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "get", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   // needle library (used in NodeGoat)
   { method: "get", class: "needle", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "needle", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
@@ -11311,7 +11300,20 @@ function analyzeInterprocedural(types, calls, dfg, sources, sinks, sanitizers, o
     "hashCode",
     "equals",
     "clone",
-    "clear"
+    "clear",
+    // StringBuilder / StringBuffer / Writer accumulator methods — taint propagates through these
+    // but the CWE-668 sink check should not fire on pure string accumulation
+    "append",
+    "insert",
+    "prepend",
+    "concat",
+    "delete",
+    "deleteCharAt",
+    "replace",
+    "reverse",
+    "write",
+    "writeln",
+    "println"
   ]);
   const safeUtilityMethods = /* @__PURE__ */ new Set([
     // Path validation and normalization
@@ -11342,7 +11344,25 @@ function analyzeInterprocedural(types, calls, dfg, sources, sinks, sanitizers, o
     "validate",
     "validateInput",
     "check",
-    "verify"
+    "verify",
+    // I/O stream wrappers — pure decorators that wrap a stream, not security sinks
+    // e.g. new InputStreamReader(proc.getInputStream()) is safe; the underlying stream is the source
+    "InputStreamReader",
+    "OutputStreamWriter",
+    "BufferedInputStream",
+    "BufferedOutputStream",
+    "ByteArrayInputStream",
+    "ByteArrayOutputStream",
+    "DataInputStream",
+    "DataOutputStream",
+    "PushbackInputStream",
+    "SequenceInputStream",
+    "BufferedReader",
+    "BufferedWriter",
+    "PrintStream",
+    "PrintWriter",
+    "ObjectOutputStream"
+    // ObjectInputStream IS a sink (deserialization), keep it out
   ]);
   const sanitizerMethods = /* @__PURE__ */ new Set();
   for (const san of sanitizers) {
@@ -16726,6 +16746,26 @@ function buildPythonTaintedVars(sourceCode) {
   }
   return tainted;
 }
+function buildJavaScriptTaintedVars(sourceCode, language) {
+  if (!["javascript", "typescript"].includes(language)) return /* @__PURE__ */ new Map();
+  const tainted = /* @__PURE__ */ new Map();
+  const lines = sourceCode.split("\n");
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const line = lines[i2];
+    const trimmed = line.trimStart();
+    if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
+    const assignMatch = line.match(/(?:(?:var|let|const)\s+)?(\w+)\s*=\s*(.+)/);
+    if (!assignMatch) continue;
+    const [, lhs, rhs] = assignMatch;
+    if (["if", "while", "for", "return", "true", "false", "null", "undefined", "case"].includes(lhs)) continue;
+    const isDirectSource = JS_TAINTED_PATTERNS.some((p) => p.pattern.test(rhs));
+    const isTaintedPropagation = tainted.size > 0 && [...tainted.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(rhs));
+    if (isDirectSource || isTaintedPropagation) {
+      tainted.set(lhs, i2 + 1);
+    }
+  }
+  return tainted;
+}
 function findPythonQuoteSanitizedVars(sourceCode) {
   const sanitized = /* @__PURE__ */ new Set();
   const lines = sourceCode.split("\n");
@@ -16771,6 +16811,25 @@ function findPythonTrustBoundaryViolations(sourceCode, language, taintedVars) {
   }
   return violations;
 }
+function findPythonReturnXSSSinks(sourceCode, language, taintedVars) {
+  if (language !== "python" || taintedVars.size === 0) return [];
+  const sinks = [];
+  const lines = sourceCode.split("\n");
+  const taintedKeys = [...taintedVars.keys()];
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const line = lines[i2];
+    if (line.trimStart().startsWith("#")) continue;
+    const returnMatch = line.match(/^\s*(?:return|yield)\s+(.+)$/);
+    if (!returnMatch) continue;
+    const expr = returnMatch[1];
+    const hasTaintedVar = taintedKeys.some((v) => new RegExp(`\\b${v}\\b`).test(expr));
+    if (!hasTaintedVar) continue;
+    const looksLikeHTML = expr.includes("<") || /['"]\s*\+/.test(expr) || /\+\s*['"]/.test(expr) || /f['"][^'"]*\{/.test(expr);
+    if (!looksLikeHTML) continue;
+    sinks.push({ sinkLine: i2 + 1 });
+  }
+  return sinks;
+}
 function findJavaScriptDOMSinks(sourceCode, language) {
   const sinks = [];
   if (!["javascript", "typescript"].includes(language)) {
@@ -17099,6 +17158,34 @@ async function analyze(code, filePath, language, options = {}) {
         });
       }
     }
+    const pyReturnXSS = findPythonReturnXSSSinks(code, language, pyTaintedVars);
+    for (const r of pyReturnXSS) {
+      const alreadyExists = taint.sinks.some(
+        (s) => s.line === r.sinkLine && s.type === "xss"
+      );
+      if (!alreadyExists) {
+        taint.sinks.push({
+          type: "xss",
+          cwe: "CWE-79",
+          line: r.sinkLine,
+          location: `return HTML with user input at line ${r.sinkLine}`,
+          confidence: 0.9
+        });
+      }
+    }
+  }
+  if (["javascript", "typescript"].includes(language)) {
+    const jsTaintedVars = buildJavaScriptTaintedVars(code, language);
+    if (jsTaintedVars.size > 0) {
+      const jsSourceLines = code.split("\n");
+      taint.sinks = taint.sinks.filter((sink) => {
+        if (sink.type !== "xss") return true;
+        const sinkLineText = jsSourceLines[sink.line - 1] ?? "";
+        if ([...jsTaintedVars.keys()].some((v) => new RegExp(`\\b${v}\\b`).test(sinkLineText))) return true;
+        if (JS_TAINTED_PATTERNS.some((p) => p.pattern.test(sinkLineText))) return true;
+        return false;
+      });
+    }
   }
   if (taint.sources.length > 0 && taint.sinks.length > 0) {
     const propagationResult = propagateTaint(
@@ -17219,6 +17306,7 @@ async function analyze(code, filePath, language, options = {}) {
       }
     );
     for (const sink of interProc.propagatedSinks) {
+      if (sink.type === "external_taint_escape") continue;
       if (!taint.sinks.some((s) => s.line === sink.line)) {
         taint.sinks.push(sink);
       }

package/dist/core/circle-ir-core.cjs

@@ -9319,9 +9319,7 @@ var DEFAULT_SINKS = [
   { method: "resolveURI", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "resolve", class: "SourceResolver", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getSource", class: "SourceResolver", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  // URL-based resource loading
-  { method: "URL", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
-  { method: "openStream", class: "URL", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
+  // NOTE: new URL(userInput) is SSRF (CWE-918), not path traversal — see ssrf section below
   // Servlet context resource loading
   { method: "getResource", class: "ServletContext", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getResourceAsStream", class: "ServletContext", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -9358,8 +9356,7 @@ var DEFAULT_SINKS = [
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
-  // Additional file constructors
-  { method: "BufferedReader", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  // Additional file constructors — BufferedReader(Reader) is NOT a path traversal sink; it wraps a Reader, not a file path
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "Scanner", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Topic/queue names (for message queue systems - can be exploited for path traversal)
@@ -9386,7 +9383,6 @@ var DEFAULT_SINKS = [
   { method: "getPath", class: "BaseFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getPathMatcher", class: "BaseFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getFileStores", class: "RootedFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "deleteRecursive", class: "CommonTestSupportUtils", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // SftpFileSystemProvider
   { method: "move", class: "SftpFileSystemProvider", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
   { method: "copy", class: "SftpFileSystemProvider", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
@@ -9436,18 +9432,6 @@ var DEFAULT_SINKS = [
   { method: "createPlainAccessConfig", class: "MQClientAPIImpl", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // XWiki velocity introspector
   { method: "SecureIntrospector", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  // Generic test methods that process paths
-  { method: "testLifeCycle", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "testPathAccess", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "single", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "invalidPath", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "invalidPathWithPreviousDirectoryAllEncoded", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  // Embedded server test methods
-  { method: "create", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "create_withThreadPool", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "create_withNullThreadPool", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  // Camel file tests
-  { method: "testProducerComplexByExpression", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
   // XSS (CWE-79)
   { method: "write", class: "PrintWriter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "println", class: "PrintWriter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -9882,9 +9866,12 @@ var DEFAULT_SINKS = [
   { method: "execSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawn", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawnSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Also match without receiver (destructured imports)
+  // Also match without receiver (destructured imports: const { exec } = require('child_process'))
   { method: "exec", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   { method: "execSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "spawnSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "execFile", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   // Node.js File System (path traversal)
   { method: "readFile", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "readFileSync", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
@@ -9927,7 +9914,9 @@ var DEFAULT_SINKS = [
   { method: "request", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "get", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "get", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   // needle library (used in NodeGoat)
   { method: "get", class: "needle", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "needle", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },

package/dist/core/circle-ir-core.js

@@ -9254,9 +9254,7 @@ var DEFAULT_SINKS = [
   { method: "resolveURI", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "resolve", class: "SourceResolver", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getSource", class: "SourceResolver", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  // URL-based resource loading
-  { method: "URL", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [0] },
-  { method: "openStream", class: "URL", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
+  // NOTE: new URL(userInput) is SSRF (CWE-918), not path traversal — see ssrf section below
   // Servlet context resource loading
   { method: "getResource", class: "ServletContext", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getResourceAsStream", class: "ServletContext", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
@@ -9293,8 +9291,7 @@ var DEFAULT_SINKS = [
   { method: "extract", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "extractAll", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
   { method: "unjar", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0, 1] },
-  // Additional file constructors
-  { method: "BufferedReader", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
+  // Additional file constructors — BufferedReader(Reader) is NOT a path traversal sink; it wraps a Reader, not a file path
   { method: "PrintWriter", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "Scanner", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // Topic/queue names (for message queue systems - can be exploited for path traversal)
@@ -9321,7 +9318,6 @@ var DEFAULT_SINKS = [
   { method: "getPath", class: "BaseFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getPathMatcher", class: "BaseFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   { method: "getFileStores", class: "RootedFileSystem", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  { method: "deleteRecursive", class: "CommonTestSupportUtils", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // SftpFileSystemProvider
   { method: "move", class: "SftpFileSystemProvider", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
   { method: "copy", class: "SftpFileSystemProvider", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0, 1] },
@@ -9371,18 +9367,6 @@ var DEFAULT_SINKS = [
   { method: "createPlainAccessConfig", class: "MQClientAPIImpl", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
   // XWiki velocity introspector
   { method: "SecureIntrospector", class: "constructor", type: "path_traversal", cwe: "CWE-22", severity: "high", arg_positions: [0] },
-  // Generic test methods that process paths
-  { method: "testLifeCycle", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "testPathAccess", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "single", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "invalidPath", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "invalidPathWithPreviousDirectoryAllEncoded", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  // Embedded server test methods
-  { method: "create", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "create_withThreadPool", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  { method: "create_withNullThreadPool", class: "EmbeddedJettyFactoryTest", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
-  // Camel file tests
-  { method: "testProducerComplexByExpression", type: "path_traversal", cwe: "CWE-22", severity: "medium", arg_positions: [] },
   // XSS (CWE-79)
   { method: "write", class: "PrintWriter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
   { method: "println", class: "PrintWriter", type: "xss", cwe: "CWE-79", severity: "high", arg_positions: [0] },
@@ -9817,9 +9801,12 @@ var DEFAULT_SINKS = [
   { method: "execSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawn", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
   { method: "spawnSync", class: "child_process", type: "command_injection", cwe: "CWE-78", severity: "critical", arg_positions: [0] },
-  // Also match without receiver (destructured imports)
+  // Also match without receiver (destructured imports: const { exec } = require('child_process'))
   { method: "exec", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   { method: "execSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "spawn", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "spawnSync", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
+  { method: "execFile", type: "command_injection", cwe: "CWE-78", severity: "high", arg_positions: [0] },
   // Node.js File System (path traversal)
   { method: "readFile", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
   { method: "readFileSync", class: "fs", type: "path_traversal", cwe: "CWE-22", severity: "critical", arg_positions: [0] },
@@ -9862,7 +9849,9 @@ var DEFAULT_SINKS = [
   { method: "request", class: "axios", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "fetch", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "get", class: "http", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "request", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
+  { method: "get", class: "https", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   // needle library (used in NodeGoat)
   { method: "get", class: "needle", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },
   { method: "post", class: "needle", type: "ssrf", cwe: "CWE-918", severity: "high", arg_positions: [0] },

package/dist/utils/logger.d.ts

@@ -9,7 +9,7 @@
  *   logger.info('Processing file', { file: 'test.java' });
  *   logger.error('Failed to parse', { error: err.message });
  *
- * Injecting a custom logger (e.g. from circle-pack):
+ * Injecting a custom logger (e.g. pino):
  *   import pino from 'pino';
  *   import { setLogger } from 'circle-ir';
  *   setLogger(pino({ level: 'debug' }));

package/dist/utils/logger.js

@@ -9,7 +9,7 @@
  *   logger.info('Processing file', { file: 'test.java' });
  *   logger.error('Failed to parse', { error: err.message });
  *
- * Injecting a custom logger (e.g. from circle-pack):
+ * Injecting a custom logger (e.g. pino):
  *   import pino from 'pino';
  *   import { setLogger } from 'circle-ir';
  *   setLogger(pino({ level: 'debug' }));

package/docs/SPEC.md

@@ -952,9 +952,9 @@ interface Vulnerability {
 
 ---
 
-## TODO: TypeScript Implementation
+## Implementation Status
 
-### Phase 1: Core (Must Have)
+### Phase 1: Core
 - [x] Meta extraction
 - [x] Type extraction (classes, interfaces, methods, fields)
 - [x] Call extraction (method invocations, arguments)
@@ -965,18 +965,18 @@ interface Vulnerability {
 - [x] Import extraction
 - [x] JSON serialization matching spec
 
-### Phase 2: Enhanced (Should Have)
+### Phase 2: Enhanced
 - [x] Export extraction
 - [x] Call resolution tracking
 - [x] Sanitizer detection
 - [x] DFG chains computation
 
-### Phase 3: LLM Integration (Nice to Have)
-- [x] Unresolved section population
-- [x] Enriched section from LLM
+### Phase 3: Extension Points
+- [x] Unresolved section population (static analysis identifies unresolvable patterns)
+- [x] Enriched section schema (optional, populated by analysis consumers)
 - [x] Finding generation
 
-### Phase 4: Project-Level (Done)
+### Phase 4: Project-Level
 - [x] Cross-file call graph
 - [x] Type hierarchy
 - [x] Taint path enumeration

package/examples/node-example.ts

@@ -2,13 +2,17 @@
 /**
  * Node.js Example - Circle-IR Core Library
  *
- * This example demonstrates how to use circle-ir-core to:
+ * This example demonstrates how to use circle-ir to:
  * 1. Parse Java code
  * 2. Extract IR components (types, calls, CFG, DFG)
  * 3. Detect taint sources and sinks
  * 4. Find source-to-sink flows
  *
- * Run: npx tsx examples/node-example.ts
+ * Setup:
+ *   npm install circle-ir
+ *
+ * Run:
+ *   npx tsx node-example.ts
  */
 
 import {
@@ -25,7 +29,7 @@ import {
   analyzeConstantPropagation,
   isFalsePositive,
   getDefaultConfig,
-} from '../src/core-lib.js';
+} from 'circle-ir/core';
 
 // Sample vulnerable Java code
 const vulnerableCode = `

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.8.0",
+  "version": "3.8.3",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -26,7 +26,6 @@
     "dist",
     "configs",
     "examples",
-    "wasm",
     "docs/SPEC.md"
   ],
   "scripts": {
@@ -54,6 +53,8 @@
     "typescript",
     "python",
     "rust",
+    "bash",
+    "shell",
     "tree-sitter",
     "sql-injection",
     "xss",
@@ -65,7 +66,7 @@
     "name": "Cognium Labs",
     "url": "https://github.com/cogniumhq"
   },
-  "license": "ISC",
+  "license": "MIT",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/cogniumhq/circle-ir.git"
@@ -76,7 +77,7 @@
   },
   "funding": {
     "type": "github",
-    "url": "https://github.com/sponsors/cognitim"
+    "url": "https://github.com/sponsors/cogniumhq"
   },
   "engines": {
     "node": ">=18.0.0"
@@ -87,21 +88,18 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "web-tree-sitter": "^0.26.3",
+    "web-tree-sitter": "^0.26.7",
     "yaml": "^2.8.2"
   },
   "devDependencies": {
-    "@types/node": "^25.0.10",
-    "@types/unzipper": "^0.10.11",
-    "@vitest/coverage-v8": "^3.0.0",
-    "esbuild": "^0.27.2",
+    "@types/node": "^25.5.0",
+    "@vitest/coverage-v8": "^4.1.0",
+    "esbuild": "^0.27.4",
     "tree-sitter-bash": "^0.25.1",
     "tree-sitter-java": "^0.23.5",
     "tree-sitter-python": "^0.25.0",
     "tree-sitter-rust": "^0.24.0",
-    "ts-node": "^10.9.2",
     "typescript": "^5.9.3",
-    "unzipper": "^0.12.3",
-    "vitest": "^3.0.0"
+    "vitest": "^4.1.0"
   }
 }