circle-ir 3.80.0 → 3.81.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/configs/sinks/xss.yaml +2 -1
  2. package/dist/analysis/config-loader.d.ts.map +1 -1
  3. package/dist/analysis/config-loader.js +6 -1
  4. package/dist/analysis/config-loader.js.map +1 -1
  5. package/dist/analysis/passes/_credential-helpers.d.ts +40 -0
  6. package/dist/analysis/passes/_credential-helpers.d.ts.map +1 -0
  7. package/dist/analysis/passes/_credential-helpers.js +152 -0
  8. package/dist/analysis/passes/_credential-helpers.js.map +1 -0
  9. package/dist/analysis/passes/cleartext-credential-transport-pass.d.ts +42 -0
  10. package/dist/analysis/passes/cleartext-credential-transport-pass.d.ts.map +1 -0
  11. package/dist/analysis/passes/cleartext-credential-transport-pass.js +196 -0
  12. package/dist/analysis/passes/cleartext-credential-transport-pass.js.map +1 -0
  13. package/dist/analysis/passes/plaintext-password-storage-pass.d.ts +47 -0
  14. package/dist/analysis/passes/plaintext-password-storage-pass.d.ts.map +1 -0
  15. package/dist/analysis/passes/plaintext-password-storage-pass.js +159 -0
  16. package/dist/analysis/passes/plaintext-password-storage-pass.js.map +1 -0
  17. package/dist/analysis/passes/weak-password-encoding-pass.d.ts +40 -0
  18. package/dist/analysis/passes/weak-password-encoding-pass.d.ts.map +1 -0
  19. package/dist/analysis/passes/weak-password-encoding-pass.js +157 -0
  20. package/dist/analysis/passes/weak-password-encoding-pass.js.map +1 -0
  21. package/dist/analysis/passes/weak-password-hash-pass.d.ts +49 -0
  22. package/dist/analysis/passes/weak-password-hash-pass.d.ts.map +1 -0
  23. package/dist/analysis/passes/weak-password-hash-pass.js +225 -0
  24. package/dist/analysis/passes/weak-password-hash-pass.js.map +1 -0
  25. package/dist/analyzer.d.ts.map +1 -1
  26. package/dist/analyzer.js +12 -0
  27. package/dist/analyzer.js.map +1 -1
  28. package/dist/browser/circle-ir.js +564 -1
  29. package/dist/core/circle-ir-core.cjs +6 -1
  30. package/dist/core/circle-ir-core.js +6 -1
  31. package/package.json +1 -1
package/configs/sinks/xss.yaml CHANGED
@@ -418,13 +418,14 @@
418
418
  },
419
419
  {
420
420
  "method": "write",
421
+ "class": "ServletOutputStream",
421
422
  "type": "xss",
422
423
  "cwe": "CWE-79",
423
424
  "severity": "high",
424
425
  "arg_positions": [
425
426
  0
426
427
  ],
427
- "note": "Auto-mined from CVE analysis"
428
+ "note": "Servlet response output stream — class-scoped (Sprint 28 #110)"
428
429
  },
429
430
  {
430
431
  "method": "newInstance",
package/dist/analysis/config-loader.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAu+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
1
+ {"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA2b1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA4+CtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA4PhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
package/dist/analysis/config-loader.js CHANGED
@@ -775,7 +775,12 @@ export const DEFAULT_SINKS = [
775
775
  // Class-less XSS patterns for cases where receiver type is inferred
776
776
  { method: 'println', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
777
777
  { method: 'print', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
778
- { method: 'write', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
778
+ // NOTE: the unscoped { method: 'write', type: 'xss' } entry was removed in
779
+ // Sprint 28 (#110). It mistyped every non-XSS .write() across all languages
780
+ // (fs.writeFile, open().write, bcrypt callbacks, credential file writes,
781
+ // node ClientRequest.write, etc.) as xss. Real HTML writers are covered
782
+ // by class-scoped entries: PrintWriter.write (line 843), ServletOutputStream.write
783
+ // (line 849), JspWriter.write (xss.yaml), Response.write (nodejs.json).
779
784
  { method: 'append', class: 'StringBuilder', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
780
785
  { method: 'append', class: 'StringBuffer', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [0] },
781
786
  // Wiki/CMS XSS sinks (JSPWiki, Confluence, etc.)