circle-ir 3.83.0 → 3.85.0

package/dist/browser/circle-ir.js

@@ -13208,6 +13208,55 @@ function isSafeGoExecCommandCall(call, pattern, language) {
   if (SHELL_PROGRAMS.has(program)) return false;
   return true;
 }
+function isSafeRustCommandCall(call, pattern, language) {
+  if (language !== "rust") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== void 0 && pattern.class !== "Command") return false;
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  const PROGRAM_RE = /\bCommand\s*::\s*new\s*\(\s*(?:r?"([^"]*)"|'([^']*)')/;
+  const extractProgram = (text) => {
+    const m = PROGRAM_RE.exec(text);
+    if (!m) return null;
+    const lit = m[1] ?? m[2] ?? "";
+    return lit.split("/").pop() ?? lit;
+  };
+  if (pattern.method === "new") {
+    const programArg = call.arguments.find((a) => a.position === 0);
+    if (!programArg) return false;
+    let program;
+    if (programArg.literal !== null && programArg.literal !== void 0) {
+      program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+    } else {
+      const expr = (programArg.expression ?? "").trim();
+      if (!(expr.startsWith('"') || expr.startsWith("'"))) {
+        return false;
+      }
+      const stripped = expr.slice(1, -1);
+      program = stripped.split("/").pop() ?? stripped;
+    }
+    return !SHELL_PROGRAMS.has(program);
+  }
+  if (pattern.method === "arg" || pattern.method === "args" || pattern.method === "spawn" || pattern.method === "output") {
+    const receiverText = call.receiver ?? "";
+    const program = extractProgram(receiverText);
+    if (program === null) return false;
+    return !SHELL_PROGRAMS.has(program);
+  }
+  return false;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -13230,6 +13279,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafeGoExecCommandCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeRustCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }
@@ -22755,6 +22807,14 @@ var LanguageSourcesPass = class {
       additionalSanitizers.push(...findGoMapAllowlistGuardSanitizers(code));
       additionalSanitizers.push(...findGoHtmlTemplateImportSanitizers(code));
     }
+    if (language === "python") {
+      additionalSanitizers.push(...findPythonNetlocAllowlistGuardSanitizers(code));
+      additionalSanitizers.push(...findPythonRangeCheckGuardSanitizers(code));
+    }
+    if (language === "rust") {
+      additionalSanitizers.push(...findRustSetAllowlistGuardSanitizers(code));
+      additionalSanitizers.push(...findRustCanonicalizeGuardSanitizers(code));
+    }
     attachSourceLineCode(additionalSources, additionalSinks, code);
     return { additionalSources, additionalSinks, additionalSanitizers, pyTaintedVars, pySanitizedVars, jsTaintedVars };
   }
@@ -23751,6 +23811,178 @@ function findGoHtmlTemplateImportSanitizers(code) {
   }
   return sanitizers;
 }
+function findPythonNetlocAllowlistGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split("\n");
+  const guardOpen = /^(\s*)if\s+.+?\s+not\s+in\s+([A-Za-z_][A-Za-z0-9_]*)\s*:\s*$/;
+  const allowlistName = /^(?:[A-Z][A-Z0-9_]+|.*?(allowed|accepted|whitelist|permitted|valid|approved).*)$/i;
+  const terminator = /\b(return|raise|abort\s*\(|sys\.exit\s*\()/;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const m = guardOpen.exec(lines[i2]);
+    if (!m) continue;
+    const guardIndent = m[1].length;
+    const allowName = m[2];
+    if (!allowlistName.test(allowName)) continue;
+    let bodyHasTerminator = false;
+    let blockEnd = -1;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1; j < maxScan; j++) {
+      const line = lines[j];
+      if (line.trim() === "") continue;
+      const indent = line.length - line.trimStart().length;
+      if (indent <= guardIndent) {
+        blockEnd = j - 1;
+        break;
+      }
+      if (terminator.test(line)) bodyHasTerminator = true;
+    }
+    if (blockEnd === -1) blockEnd = Math.min(lines.length - 1, i2 + 25);
+    if (!bodyHasTerminator) continue;
+    for (let l = blockEnd + 2; l <= lines.length; l++) {
+      sanitizers.push({
+        type: "python_netloc_allowlist_guard",
+        method: "if",
+        line: l,
+        sanitizes: [
+          "open_redirect",
+          "ssrf",
+          "path_traversal",
+          "external_taint_escape"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function findPythonRangeCheckGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split("\n");
+  const rangeGuard = /^(\s*)if\s+([A-Za-z_][A-Za-z0-9_]*)\s*[<>]=?\s*(?:\d+|-?\d+\.?\d*|[A-Z][A-Z0-9_]+)\s*(?:(?:or|and)\s+\2\s*[<>]=?\s*(?:\d+|-?\d+\.?\d*|[A-Z][A-Z0-9_]+)\s*)?:\s*$/;
+  const terminator = /\b(return|raise|abort\s*\(|sys\.exit\s*\()/;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const m = rangeGuard.exec(lines[i2]);
+    if (!m) continue;
+    const guardIndent = m[1].length;
+    let bodyHasTerminator = false;
+    let blockEnd = -1;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1; j < maxScan; j++) {
+      const line = lines[j];
+      if (line.trim() === "") continue;
+      const indent = line.length - line.trimStart().length;
+      if (indent <= guardIndent) {
+        blockEnd = j - 1;
+        break;
+      }
+      if (terminator.test(line)) bodyHasTerminator = true;
+    }
+    if (blockEnd === -1) blockEnd = Math.min(lines.length - 1, i2 + 25);
+    if (!bodyHasTerminator) continue;
+    for (let l = blockEnd + 2; l <= lines.length; l++) {
+      sanitizers.push({
+        type: "python_range_check_guard",
+        method: "if",
+        line: l,
+        sanitizes: ["xss", "external_taint_escape"]
+      });
+    }
+  }
+  return sanitizers;
+}
+function findRustSetAllowlistGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split("\n");
+  const guardOpen = /^\s*if\s+!\s*([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*(?:contains|contains_key)\s*\(/;
+  const allowlistName = /^(?:[A-Z][A-Z0-9_]+|.*?(allowed|accepted|whitelist|permitted|valid|approved).*)$/i;
+  const terminator = /\b(return|Err\s*\(|panic!\s*\(|HttpResponse::(?:Forbidden|BadRequest|Unauthorized))/;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    const m = guardOpen.exec(lines[i2]);
+    if (!m) continue;
+    const setName = m[1];
+    if (!allowlistName.test(setName)) continue;
+    let depth = 0;
+    for (const ch of lines[i2]) {
+      if (ch === "{") depth++;
+      else if (ch === "}") depth--;
+    }
+    if (depth <= 0) continue;
+    let closeLine = -1;
+    let bodyHasTerminator = false;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1; j < maxScan; j++) {
+      const line = lines[j];
+      if (terminator.test(line)) bodyHasTerminator = true;
+      for (const ch of line) {
+        if (ch === "{") depth++;
+        else if (ch === "}") depth--;
+      }
+      if (depth === 0) {
+        closeLine = j;
+        break;
+      }
+    }
+    if (closeLine === -1 || !bodyHasTerminator) continue;
+    for (let l = closeLine + 2; l <= lines.length; l++) {
+      sanitizers.push({
+        type: "rust_set_allowlist_guard",
+        method: "if",
+        line: l,
+        sanitizes: [
+          "ssrf",
+          "open_redirect",
+          "command_injection",
+          "external_taint_escape"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
+function findRustCanonicalizeGuardSanitizers(code) {
+  const sanitizers = [];
+  const lines = code.split("\n");
+  const guardOpen = /^\s*if\s+!\s*[A-Za-z_][\w?.()&]*\.starts_with\s*\(/;
+  const terminator = /\b(return|Err\s*\(|panic!\s*\(|HttpResponse::(?:Forbidden|BadRequest|Unauthorized|NotFound))/;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    if (!guardOpen.test(lines[i2])) continue;
+    let depth = 0;
+    for (const ch of lines[i2]) {
+      if (ch === "{") depth++;
+      else if (ch === "}") depth--;
+    }
+    if (depth <= 0) continue;
+    let closeLine = -1;
+    let bodyHasTerminator = false;
+    const maxScan = Math.min(lines.length, i2 + 26);
+    for (let j = i2 + 1; j < maxScan; j++) {
+      const line = lines[j];
+      if (terminator.test(line)) bodyHasTerminator = true;
+      for (const ch of line) {
+        if (ch === "{") depth++;
+        else if (ch === "}") depth--;
+      }
+      if (depth === 0) {
+        closeLine = j;
+        break;
+      }
+    }
+    if (closeLine === -1 || !bodyHasTerminator) continue;
+    for (let l = closeLine + 2; l <= lines.length; l++) {
+      sanitizers.push({
+        type: "rust_canonicalize_guard",
+        method: "if",
+        line: l,
+        sanitizes: [
+          "path_traversal",
+          "xss",
+          "ssrf",
+          "external_taint_escape"
+        ]
+      });
+    }
+  }
+  return sanitizers;
+}
 
 // src/analysis/passes/sink-filter-pass.ts
 var JS_XSS_SANITIZERS = [
@@ -28613,6 +28845,11 @@ var TEST_FILENAME_RE = /(?:\.(?:test|spec)\.[cm]?[jt]sx?|_test\.go|_test\.py|Tes
 function isTestFile(file) {
   return TEST_PATH_RE3.test(file) || TEST_FILENAME_RE.test(file);
 }
+var GENERATED_PATH_RE = /(?:^|[\\/])(?:gen|generated|build[\\/]generated|src[\\/](?:main|test)[\\/]generated|target[\\/]generated-sources|target[\\/]generated-test-sources|node_modules[\\/]\.cache)(?:[\\/]|$)/i;
+var GENERATED_FILENAME_RE = /__[ch]\.java$|\.pb\.go$|_pb2\.py$|\.generated\.[cm]?[jt]sx?$/i;
+function isGeneratedFile(file) {
+  return GENERATED_PATH_RE.test(file) || GENERATED_FILENAME_RE.test(file);
+}
 var PROVIDER_PATTERNS = [
   {
     name: "AWS access key",
@@ -28779,6 +29016,117 @@ function shannonEntropy(s) {
   return h;
 }
 var CREDENTIAL_NAME_RE = /(?:key|secret|token|password|passwd|credential|api[_-]?key)/i;
+function findAnnotationLineRanges(code) {
+  const lines = code.split("\n");
+  const inAnnotation = /* @__PURE__ */ new Set();
+  const OPEN_RE = /(?:@[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*\s*\(|#\[)/g;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    OPEN_RE.lastIndex = 0;
+    let m;
+    while ((m = OPEN_RE.exec(lines[i2])) !== null) {
+      const isRustAttr = m[0].startsWith("#[");
+      const openCh = isRustAttr ? "[" : "(";
+      const closeCh = isRustAttr ? "]" : ")";
+      let depth = 1;
+      let li = i2;
+      let col = m.index + m[0].length;
+      let lineBudget = 200;
+      inAnnotation.add(li + 1);
+      while (depth > 0 && li < lines.length && lineBudget > 0) {
+        const ln = lines[li];
+        let inStr = null;
+        while (col < ln.length && depth > 0) {
+          const ch = ln[col];
+          if (inStr !== null) {
+            if (ch === "\\") {
+              col += 2;
+              continue;
+            }
+            if (ch === inStr) inStr = null;
+          } else if (ch === '"' || ch === "'" || ch === "`") {
+            inStr = ch;
+          } else if (ch === openCh) {
+            depth++;
+          } else if (ch === closeCh) {
+            depth--;
+          }
+          col++;
+        }
+        if (depth > 0) {
+          li++;
+          col = 0;
+          lineBudget--;
+          if (li < lines.length) inAnnotation.add(li + 1);
+        }
+      }
+    }
+  }
+  return inAnnotation;
+}
+function findStringArrayLineRanges(code) {
+  const lines = code.split("\n");
+  const inArray = /* @__PURE__ */ new Set();
+  const OPEN_RE = /=\s*([{\[])/g;
+  const STR_LITERAL_COUNT_RE = /(["'`])(?:\\.|(?!\1).)*\1/g;
+  for (let i2 = 0; i2 < lines.length; i2++) {
+    OPEN_RE.lastIndex = 0;
+    let m;
+    while ((m = OPEN_RE.exec(lines[i2])) !== null) {
+      const openCh = m[1];
+      const closeCh = openCh === "{" ? "}" : "]";
+      let depth = 1;
+      let li = i2;
+      let col = m.index + m[0].length;
+      let lineBudget = 500;
+      const spanLines = [li + 1];
+      let spanText = "";
+      while (depth > 0 && li < lines.length && lineBudget > 0) {
+        const ln = lines[li];
+        let inStr = null;
+        const start2 = col;
+        while (col < ln.length && depth > 0) {
+          const ch = ln[col];
+          if (inStr !== null) {
+            if (ch === "\\") {
+              col += 2;
+              continue;
+            }
+            if (ch === inStr) inStr = null;
+          } else if (ch === '"' || ch === "'" || ch === "`") {
+            inStr = ch;
+          } else if (ch === openCh) {
+            depth++;
+          } else if (ch === closeCh) {
+            depth--;
+          }
+          col++;
+        }
+        spanText += ln.substring(start2, col) + "\n";
+        if (depth > 0) {
+          li++;
+          col = 0;
+          lineBudget--;
+          if (li < lines.length) spanLines.push(li + 1);
+        }
+      }
+      STR_LITERAL_COUNT_RE.lastIndex = 0;
+      let strCount = 0;
+      while (STR_LITERAL_COUNT_RE.exec(spanText) !== null) {
+        strCount++;
+        if (strCount >= 3) break;
+      }
+      if (strCount >= 3) {
+        for (const ln of spanLines) inArray.add(ln);
+      }
+    }
+  }
+  return inArray;
+}
+var FIELD_ASSIGN_RE = /(?:^|[\s,(])([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]/;
+function extractEnclosingFieldName(lineText) {
+  const m = FIELD_ASSIGN_RE.exec(lineText);
+  return m ? m[1] : null;
+}
 var TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
 var COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
 var ScanSecretsPass = class {
@@ -28786,7 +29134,7 @@ var ScanSecretsPass = class {
   category = "security";
   run(ctx) {
     const file = ctx.graph.ir.meta.file;
-    if (isTestFile(file)) {
+    if (isTestFile(file) || isGeneratedFile(file)) {
       return { providerFindings: 0, entropyFindings: 0 };
     }
     const lines = ctx.code.split("\n");
@@ -28798,6 +29146,8 @@ var ScanSecretsPass = class {
         seen.add(`${f.line}:${f.rule_id}`);
       }
     }
+    const annotationLines = findAnnotationLineRanges(ctx.code);
+    const arrayLines = findStringArrayLineRanges(ctx.code);
     let providerFindings = 0;
     let entropyFindings = 0;
     for (let i2 = 0; i2 < lines.length; i2++) {
@@ -28858,11 +29208,14 @@ var ScanSecretsPass = class {
       const lineNum = i2 + 1;
       if (TEST_CALL_RE.test(lineText)) continue;
       if (COMMENT_EXAMPLE_RE.test(lineText)) continue;
+      if (annotationLines.has(lineNum)) continue;
+      if (arrayLines.has(lineNum)) continue;
       STRING_LITERAL_RE.lastIndex = 0;
       let match;
       while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
         const value = match[2];
         if (!this.isCandidate(value)) continue;
+        if (value.length < 32) continue;
         if (!this.passesEntropyGate(value, lineText)) continue;
         const key = `${lineNum}:hardcoded-credential-entropy`;
         if (seen.has(key)) continue;
@@ -28900,17 +29253,25 @@ var ScanSecretsPass = class {
     return true;
   }
   /**
-   * Shannon-entropy gate. Base64-shaped strings need higher entropy than
-   * hex-shaped (hex alphabet is 4 bits/char by construction). When the
-   * surrounding line contains a credential-shaped variable name, both
-   * thresholds drop by 0.2 bits/char.
+   * Shannon-entropy gate (#125 Gate 4 — REQUIRED field-name match).
+   *
+   * The entropy layer emits ONLY when the enclosing assignment LHS
+   * identifier matches a credential keyword (password / secret / token /
+   * api_key / etc.). Without this requirement, the layer flagged every
+   * high-entropy string — attribution keys, base64 resource blobs, public
+   * encoding alphabets — as credentials. Provider patterns (Layer 1) and
+   * named-credential matcher (Layer 1b) remain the recall safety net for
+   * credentials that don't fit the `FIELD = "..."` shape.
+   *
+   * Base64-shaped strings need higher entropy than hex-shaped (hex alphabet
+   * is 4 bits/char by construction).
    */
   passesEntropyGate(value, lineText) {
+    const fieldName = extractEnclosingFieldName(lineText);
+    if (fieldName === null || !CREDENTIAL_NAME_RE.test(fieldName)) return false;
     const isHex = HEXISH_RE.test(value);
-    const boost = CREDENTIAL_NAME_RE.test(lineText) ? 0.2 : 0;
-    const threshold = isHex ? 3.5 - boost : 4.3 - boost;
-    const h = shannonEntropy(value);
-    return h >= threshold;
+    const threshold = isHex ? 3.3 : 4.1;
+    return shannonEntropy(value) >= threshold;
   }
 };
 

package/dist/core/circle-ir-core.cjs

@@ -12503,6 +12503,55 @@ function isSafeGoExecCommandCall(call, pattern, language) {
   if (SHELL_PROGRAMS.has(program)) return false;
   return true;
 }
+function isSafeRustCommandCall(call, pattern, language) {
+  if (language !== "rust") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== void 0 && pattern.class !== "Command") return false;
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  const PROGRAM_RE = /\bCommand\s*::\s*new\s*\(\s*(?:r?"([^"]*)"|'([^']*)')/;
+  const extractProgram = (text) => {
+    const m = PROGRAM_RE.exec(text);
+    if (!m) return null;
+    const lit = m[1] ?? m[2] ?? "";
+    return lit.split("/").pop() ?? lit;
+  };
+  if (pattern.method === "new") {
+    const programArg = call.arguments.find((a) => a.position === 0);
+    if (!programArg) return false;
+    let program;
+    if (programArg.literal !== null && programArg.literal !== void 0) {
+      program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+    } else {
+      const expr = (programArg.expression ?? "").trim();
+      if (!(expr.startsWith('"') || expr.startsWith("'"))) {
+        return false;
+      }
+      const stripped = expr.slice(1, -1);
+      program = stripped.split("/").pop() ?? stripped;
+    }
+    return !SHELL_PROGRAMS.has(program);
+  }
+  if (pattern.method === "arg" || pattern.method === "args" || pattern.method === "spawn" || pattern.method === "output") {
+    const receiverText = call.receiver ?? "";
+    const program = extractProgram(receiverText);
+    if (program === null) return false;
+    return !SHELL_PROGRAMS.has(program);
+  }
+  return false;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12525,6 +12574,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafeGoExecCommandCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeRustCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }

package/dist/core/circle-ir-core.js

@@ -12437,6 +12437,55 @@ function isSafeGoExecCommandCall(call, pattern, language) {
   if (SHELL_PROGRAMS.has(program)) return false;
   return true;
 }
+function isSafeRustCommandCall(call, pattern, language) {
+  if (language !== "rust") return false;
+  if (pattern.type !== "command_injection") return false;
+  if (pattern.class !== void 0 && pattern.class !== "Command") return false;
+  const SHELL_PROGRAMS = /* @__PURE__ */ new Set([
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ash",
+    "ksh",
+    "cmd",
+    "cmd.exe",
+    "powershell",
+    "pwsh",
+    "powershell.exe",
+    "pwsh.exe"
+  ]);
+  const PROGRAM_RE = /\bCommand\s*::\s*new\s*\(\s*(?:r?"([^"]*)"|'([^']*)')/;
+  const extractProgram = (text) => {
+    const m = PROGRAM_RE.exec(text);
+    if (!m) return null;
+    const lit = m[1] ?? m[2] ?? "";
+    return lit.split("/").pop() ?? lit;
+  };
+  if (pattern.method === "new") {
+    const programArg = call.arguments.find((a) => a.position === 0);
+    if (!programArg) return false;
+    let program;
+    if (programArg.literal !== null && programArg.literal !== void 0) {
+      program = String(programArg.literal).split("/").pop() ?? String(programArg.literal);
+    } else {
+      const expr = (programArg.expression ?? "").trim();
+      if (!(expr.startsWith('"') || expr.startsWith("'"))) {
+        return false;
+      }
+      const stripped = expr.slice(1, -1);
+      program = stripped.split("/").pop() ?? stripped;
+    }
+    return !SHELL_PROGRAMS.has(program);
+  }
+  if (pattern.method === "arg" || pattern.method === "args" || pattern.method === "spawn" || pattern.method === "output") {
+    const receiverText = call.receiver ?? "";
+    const program = extractProgram(receiverText);
+    if (program === null) return false;
+    return !SHELL_PROGRAMS.has(program);
+  }
+  return false;
+}
 var CLASS_LITERAL_RE = /^(?:[A-Za-z_][\w]*\.)*[A-Z][\w]*(?:\[\])*\.class$/;
 function argIsClassLiteral(call, position) {
   const arg = call.arguments.find((a) => a.position === position);
@@ -12459,6 +12508,9 @@ function findSinks(calls, patterns, typeHierarchy, language, sourceLines) {
         if (isSafeGoExecCommandCall(call, pattern, language)) {
           continue;
         }
+        if (isSafeRustCommandCall(call, pattern, language)) {
+          continue;
+        }
         if (pattern.safe_if_class_literal_at !== void 0 && argIsClassLiteral(call, pattern.safe_if_class_literal_at)) {
           continue;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir",
-  "version": "3.83.0",
+  "version": "3.85.0",
   "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
   "main": "dist/index.js",
   "module": "dist/index.js",