npm - circle-ir - Versions diffs - 3.8.3 → 3.9.7 - Mend

circle-ir 3.8.3 → 3.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

package/README.md +82 -5
package/dist/analysis/config-loader.js +1 -1
package/dist/analysis/config-loader.js.map +1 -1
package/dist/analysis/dfg-verifier.d.ts +3 -14
package/dist/analysis/dfg-verifier.js +43 -74
package/dist/analysis/dfg-verifier.js.map +1 -1
package/dist/analysis/interprocedural.d.ts +5 -1
package/dist/analysis/interprocedural.js +62 -60
package/dist/analysis/interprocedural.js.map +1 -1
package/dist/analysis/metrics/index.d.ts +2 -0
package/dist/analysis/metrics/index.js +2 -0
package/dist/analysis/metrics/index.js.map +1 -0
package/dist/analysis/metrics/metric-pass.d.ts +27 -0
package/dist/analysis/metrics/metric-pass.js +2 -0
package/dist/analysis/metrics/metric-pass.js.map +1 -0
package/dist/analysis/metrics/metric-runner.d.ts +21 -0
package/dist/analysis/metrics/metric-runner.js +47 -0
package/dist/analysis/metrics/metric-runner.js.map +1 -0
package/dist/analysis/metrics/passes/cohesion-metrics-pass.d.ts +21 -0
package/dist/analysis/metrics/passes/cohesion-metrics-pass.js +100 -0
package/dist/analysis/metrics/passes/cohesion-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/complexity-metrics-pass.d.ts +15 -0
package/dist/analysis/metrics/passes/complexity-metrics-pass.js +76 -0
package/dist/analysis/metrics/passes/complexity-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/composite-metrics-pass.d.ts +17 -0
package/dist/analysis/metrics/passes/composite-metrics-pass.js +77 -0
package/dist/analysis/metrics/passes/composite-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/coupling-metrics-pass.d.ts +19 -0
package/dist/analysis/metrics/passes/coupling-metrics-pass.js +94 -0
package/dist/analysis/metrics/passes/coupling-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/data-flow-metrics-pass.d.ts +14 -0
package/dist/analysis/metrics/passes/data-flow-metrics-pass.js +25 -0
package/dist/analysis/metrics/passes/data-flow-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/documentation-metrics-pass.d.ts +15 -0
package/dist/analysis/metrics/passes/documentation-metrics-pass.js +64 -0
package/dist/analysis/metrics/passes/documentation-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/halstead-metrics-pass.d.ts +16 -0
package/dist/analysis/metrics/passes/halstead-metrics-pass.js +95 -0
package/dist/analysis/metrics/passes/halstead-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/inheritance-metrics-pass.d.ts +18 -0
package/dist/analysis/metrics/passes/inheritance-metrics-pass.js +73 -0
package/dist/analysis/metrics/passes/inheritance-metrics-pass.js.map +1 -0
package/dist/analysis/metrics/passes/size-metrics-pass.d.ts +11 -0
package/dist/analysis/metrics/passes/size-metrics-pass.js +64 -0
package/dist/analysis/metrics/passes/size-metrics-pass.js.map +1 -0
package/dist/analysis/passes/circular-dependency-pass.d.ts +18 -0
package/dist/analysis/passes/circular-dependency-pass.js +39 -0
package/dist/analysis/passes/circular-dependency-pass.js.map +1 -0
package/dist/analysis/passes/constant-propagation-pass.d.ts +22 -0
package/dist/analysis/passes/constant-propagation-pass.js +44 -0
package/dist/analysis/passes/constant-propagation-pass.js.map +1 -0
package/dist/analysis/passes/cross-file-pass.d.ts +27 -0
package/dist/analysis/passes/cross-file-pass.js +102 -0
package/dist/analysis/passes/cross-file-pass.js.map +1 -0
package/dist/analysis/passes/dead-code-pass.d.ts +25 -0
package/dist/analysis/passes/dead-code-pass.js +117 -0
package/dist/analysis/passes/dead-code-pass.js.map +1 -0
package/dist/analysis/passes/dependency-fan-out-pass.d.ts +19 -0
package/dist/analysis/passes/dependency-fan-out-pass.js +35 -0
package/dist/analysis/passes/dependency-fan-out-pass.js.map +1 -0
package/dist/analysis/passes/interprocedural-pass.d.ts +29 -0
package/dist/analysis/passes/interprocedural-pass.js +169 -0
package/dist/analysis/passes/interprocedural-pass.js.map +1 -0
package/dist/analysis/passes/language-sources-pass.d.ts +76 -0
package/dist/analysis/passes/language-sources-pass.js +491 -0
package/dist/analysis/passes/language-sources-pass.js.map +1 -0
package/dist/analysis/passes/leaked-global-pass.d.ts +34 -0
package/dist/analysis/passes/leaked-global-pass.js +108 -0
package/dist/analysis/passes/leaked-global-pass.js.map +1 -0
package/dist/analysis/passes/missing-await-pass.d.ts +29 -0
package/dist/analysis/passes/missing-await-pass.js +90 -0
package/dist/analysis/passes/missing-await-pass.js.map +1 -0
package/dist/analysis/passes/missing-public-doc-pass.d.ts +35 -0
package/dist/analysis/passes/missing-public-doc-pass.js +148 -0
package/dist/analysis/passes/missing-public-doc-pass.js.map +1 -0
package/dist/analysis/passes/n-plus-one-pass.d.ts +29 -0
package/dist/analysis/passes/n-plus-one-pass.js +100 -0
package/dist/analysis/passes/n-plus-one-pass.js.map +1 -0
package/dist/analysis/passes/null-deref-pass.d.ts +32 -0
package/dist/analysis/passes/null-deref-pass.js +130 -0
package/dist/analysis/passes/null-deref-pass.js.map +1 -0
package/dist/analysis/passes/orphan-module-pass.d.ts +21 -0
package/dist/analysis/passes/orphan-module-pass.js +38 -0
package/dist/analysis/passes/orphan-module-pass.js.map +1 -0
package/dist/analysis/passes/resource-leak-pass.d.ts +43 -0
package/dist/analysis/passes/resource-leak-pass.js +156 -0
package/dist/analysis/passes/resource-leak-pass.js.map +1 -0
package/dist/analysis/passes/sink-filter-pass.d.ts +39 -0
package/dist/analysis/passes/sink-filter-pass.js +231 -0
package/dist/analysis/passes/sink-filter-pass.js.map +1 -0
package/dist/analysis/passes/stale-doc-ref-pass.d.ts +21 -0
package/dist/analysis/passes/stale-doc-ref-pass.js +96 -0
package/dist/analysis/passes/stale-doc-ref-pass.js.map +1 -0
package/dist/analysis/passes/string-concat-loop-pass.d.ts +26 -0
package/dist/analysis/passes/string-concat-loop-pass.js +87 -0
package/dist/analysis/passes/string-concat-loop-pass.js.map +1 -0
package/dist/analysis/passes/sync-io-async-pass.d.ts +28 -0
package/dist/analysis/passes/sync-io-async-pass.js +80 -0
package/dist/analysis/passes/sync-io-async-pass.js.map +1 -0
package/dist/analysis/passes/taint-matcher-pass.d.ts +24 -0
package/dist/analysis/passes/taint-matcher-pass.js +71 -0
package/dist/analysis/passes/taint-matcher-pass.js.map +1 -0
package/dist/analysis/passes/taint-propagation-pass.d.ts +22 -0
package/dist/analysis/passes/taint-propagation-pass.js +266 -0
package/dist/analysis/passes/taint-propagation-pass.js.map +1 -0
package/dist/analysis/passes/todo-in-prod-pass.d.ts +28 -0
package/dist/analysis/passes/todo-in-prod-pass.js +71 -0
package/dist/analysis/passes/todo-in-prod-pass.js.map +1 -0
package/dist/analysis/passes/unchecked-return-pass.d.ts +34 -0
package/dist/analysis/passes/unchecked-return-pass.js +106 -0
package/dist/analysis/passes/unchecked-return-pass.js.map +1 -0
package/dist/analysis/passes/unused-variable-pass.d.ts +36 -0
package/dist/analysis/passes/unused-variable-pass.js +150 -0
package/dist/analysis/passes/unused-variable-pass.js.map +1 -0
package/dist/analysis/passes/variable-shadowing-pass.d.ts +41 -0
package/dist/analysis/passes/variable-shadowing-pass.js +211 -0
package/dist/analysis/passes/variable-shadowing-pass.js.map +1 -0
package/dist/analysis/path-finder.d.ts +3 -13
package/dist/analysis/path-finder.js +48 -63
package/dist/analysis/path-finder.js.map +1 -1
package/dist/analysis/taint-matcher.js +8 -1
package/dist/analysis/taint-matcher.js.map +1 -1
package/dist/analysis/taint-propagation.d.ts +5 -1
package/dist/analysis/taint-propagation.js +44 -41
package/dist/analysis/taint-propagation.js.map +1 -1
package/dist/analyzer.d.ts +42 -1
package/dist/analyzer.js +234 -1476
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +3414 -1272
package/dist/core/circle-ir-core.cjs +361 -107
package/dist/core/circle-ir-core.js +361 -107
package/dist/core/extractors/imports.js +18 -0
package/dist/core/extractors/imports.js.map +1 -1
package/dist/graph/analysis-pass.d.ts +68 -0
package/dist/graph/analysis-pass.js +51 -0
package/dist/graph/analysis-pass.js.map +1 -0
package/dist/graph/code-graph.d.ts +92 -0
package/dist/graph/code-graph.js +262 -0
package/dist/graph/code-graph.js.map +1 -0
package/dist/graph/import-graph.d.ts +33 -0
package/dist/graph/import-graph.js +170 -0
package/dist/graph/import-graph.js.map +1 -0
package/dist/graph/index.d.ts +4 -0
package/dist/graph/index.js +5 -0
package/dist/graph/index.js.map +1 -0
package/dist/graph/project-graph.d.ts +43 -0
package/dist/graph/project-graph.js +80 -0
package/dist/graph/project-graph.js.map +1 -0
package/dist/graph/scope-graph.d.ts +63 -0
package/dist/graph/scope-graph.js +89 -0
package/dist/graph/scope-graph.js.map +1 -0
package/dist/index.d.ts +2 -2
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/resolution/cross-file.js +52 -19
package/dist/resolution/cross-file.js.map +1 -1
package/dist/types/index.d.ts +151 -0
package/docs/SPEC.md +10 -6
package/package.json +3 -2

package/README.md CHANGED Viewed

@@ -1,12 +1,14 @@
 # circle-ir
-A high-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis. Works in Node.js and browsers.
+A high-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis, and code quality findings through an extensible analysis-pass pipeline. Works in Node.js and browsers.
 ## Features
 - **Taint Analysis**: Track data flow from sources (user input) to sinks (dangerous operations)
 - **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell
 - **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 97.7% TPR on SecuriBench Micro
+- **11-Pass Pipeline**: Security taint passes + quality passes (dead code, missing await, N+1, doc coverage, TODO markers)
+- **Cross-File Analysis**: `analyzeProject()` surfaces taint flows that span multiple files
 - **Universal**: Works in Node.js and browsers with environment-agnostic core
 - **Zero External Dependencies**: Core analysis runs without network calls or external services
 - **Browser Compatible**: Tree-sitter WASM for universal parsing
@@ -31,12 +33,19 @@ await initAnalyzer();
 // Analyze Java code
 const result = await analyze(code, 'MyClass.java', 'java');
-// Check for vulnerabilities
+// Security taint flows
 for (const flow of result.taint.flows || []) {
   console.log(`Found ${flow.sink_type} vulnerability`);
   console.log(`  Source: line ${flow.source_line}`);
   console.log(`  Sink: line ${flow.sink_line}`);
 }
+// Quality findings from analysis passes (dead-code, missing-await, n-plus-one, etc.)
+for (const finding of result.findings || []) {
+  console.log(`[${finding.severity}] ${finding.rule_id} at line ${finding.line}`);
+  console.log(`  ${finding.message}`);
+  if (finding.fix) console.log(`  Fix: ${finding.fix}`);
+}
 ```
 ### Browser
@@ -78,7 +87,7 @@ interface AnalyzerOptions {
 ### `analyze(code, filePath, language, options?)`
-Analyze source code and return Circle-IR output.
+Analyze a single file and return Circle-IR output.
 ```typescript
 const result = await analyze(code, 'File.java', 'java');
@@ -92,6 +101,38 @@ result.dfg        // Data flow graph
 result.taint      // Taint sources, sinks, flows
 result.imports    // Import statements
 result.exports    // Exported symbols
+result.findings   // SastFinding[] from all 11 analysis passes
+```
+### `analyzeProject(files, options?)`
+Analyze multiple files together to detect cross-file taint flows.
+```typescript
+import { analyzeProject } from 'circle-ir';
+const result = await analyzeProject([
+  { code: controllerCode, filePath: 'UserController.java', language: 'java' },
+  { code: serviceCode,    filePath: 'UserService.java',    language: 'java' },
+  { code: daoCode,        filePath: 'UserDao.java',        language: 'java' },
+]);
+// Per-file analysis (same as analyze() per file)
+for (const { file, analysis } of result.files) {
+  console.log(`${file}: ${analysis.taint.flows?.length ?? 0} intra-file flows`);
+}
+// Cross-file taint paths (the key deliverable)
+for (const path of result.taint_paths) {
+  console.log(`Cross-file ${path.sink.type}: ${path.source.file} → ${path.sink.file}`);
+  console.log(`  Confidence: ${path.confidence.toFixed(2)}, CWE: ${path.sink.cwe}`);
+}
+// Resolved inter-file method calls
+console.log(`${result.cross_file_calls.length} cross-file calls resolved`);
+// Project metadata
+console.log(`${result.meta.total_files} files, ${result.meta.total_loc} LOC`);
 ```
 ### `analyzeForAPI(code, filePath, language, options?)`
@@ -169,6 +210,42 @@ sources:
     tainted_args: [return]
 ```
+## SAST Findings & Quality Passes
+The 11-pass pipeline emits `SastFinding[]` via `result.findings`. Each finding is SARIF 2.1.0-aligned:
+```typescript
+interface SastFinding {
+  id: string;           // e.g. "dead-code-42"
+  rule_id: string;      // e.g. "dead-code"
+  category: PassCategory; // 'security' | 'reliability' | 'performance' | 'maintainability' | 'architecture'
+  severity: string;     // 'critical' | 'high' | 'medium' | 'low'
+  level: SarifLevel;    // 'error' | 'warning' | 'note' | 'none'
+  message: string;
+  file: string;
+  line: number;
+  cwe?: string;         // e.g. "CWE-561"
+  fix?: string;         // Instance-specific remediation hint
+  evidence?: Record<string, unknown>;
+}
+```
+**Current passes** (see [docs/PASSES.md](docs/PASSES.md) for the full registry):
+| Pass | rule_id | Category | CWE | Level |
+|------|---------|----------|-----|-------|
+| TaintMatcherPass | _(produces flows)_ | security | — | error |
+| ConstantPropagationPass | _(reduces FP)_ | security | — | — |
+| LanguageSourcesPass | _(enriches sources)_ | security | — | — |
+| SinkFilterPass | _(filters sinks)_ | security | — | — |
+| TaintPropagationPass | _(propagates taint)_ | security | — | error |
+| InterproceduralPass | _(cross-method)_ | security | — | error |
+| DeadCodePass | `dead-code` | reliability | CWE-561 | warning |
+| MissingAwaitPass | `missing-await` | reliability | CWE-252 | warning |
+| NPlusOnePass | `n-plus-one` | performance | CWE-1049 | warning |
+| MissingPublicDocPass | `missing-public-doc` | maintainability | — | note |
+| TodoInProdPass | `todo-in-prod` | maintainability | — | note |
 ## Key Analysis Features
 - **Constant Propagation**: Eliminates false positives by tracking variable values and detecting dead code
@@ -191,11 +268,11 @@ All scores below are for **circle-ir static analysis only** (no LLM).
 ## Documentation
+- [Pass & Metric Registry](docs/PASSES.md) - Canonical list of every pass and metric with rule_id, CWE, and status
 - [Circle-IR Specification](docs/SPEC.md) - IR format specification
 - [Architecture Guide](docs/ARCHITECTURE.md) - Detailed system architecture
-- [Contributing Guide](CONTRIBUTING.md) - How to contribute
 - [Changelog](CHANGELOG.md) - Version history
-- [TODO](TODO.md) - Pending improvements and roadmap
+- [TODO](TODO.md) - Phase-based roadmap
 ## License

package/dist/analysis/config-loader.js CHANGED Viewed

@@ -851,7 +851,7 @@ export const DEFAULT_SINKS = [
     // Jenkins/CI Pipeline execution
     { method: 'executeScript', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
     { method: 'runScript', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
-    { method: 'evaluate', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    { method: 'evaluate', class: 'ScriptEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
     { method: 'execute', class: 'Script', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
     { method: 'run', class: 'Script', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
     { method: 'checkout', class: 'SCM', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0] },