cognium-ai 2.5.7 → 2.5.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +16 -12
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -12,7 +12,7 @@ npm install -g cognium-ai
|
|
|
12
12
|
|
|
13
13
|
```bash
|
|
14
14
|
cognium-ai scan <path> # Scan for security vulnerabilities (LLM-enhanced)
|
|
15
|
-
cognium-ai trust <path> # Trust score across
|
|
15
|
+
cognium-ai trust <path> # Trust score across 36 passes (supply chain, security, AI safety, compliance)
|
|
16
16
|
cognium-ai quality <path> # Quality score (complexity, tests, docs, maintainability, performance)
|
|
17
17
|
cognium-ai spec-diff <path> # Spec-gap analysis (code vs Specifica spec alignment)
|
|
18
18
|
cognium-ai generate-spec <path> # Generate Specifica spec from code
|
|
@@ -34,15 +34,18 @@ are hidden from the headline `--help` until they soak.
|
|
|
34
34
|
cognium-ai scan src/ # LLM-enhanced scan (default)
|
|
35
35
|
cognium-ai scan src/ --no-llm # Static-only (no LLM)
|
|
36
36
|
cognium-ai scan src/ -f json -o results.json # JSON output to file
|
|
37
|
+
cognium-ai scan src/ -f sarif -o results.sarif # SARIF 2.1.0 (GitHub code-scanning)
|
|
37
38
|
cognium-ai scan src/ --severity high # High+ severity only
|
|
38
39
|
cognium-ai scan src/ --exclude-tests # Skip test files
|
|
39
40
|
cognium-ai scan src/ --threads 20 # Custom parallelism
|
|
40
41
|
cognium-ai scan src/ -x '**/vendor/**' # Exclude paths
|
|
42
|
+
cognium-ai scan src/ --llm-timeout 180 # Raise per-call LLM timeout (slow local models)
|
|
41
43
|
cognium-ai scan src/ --exit-code # Exit 1 on findings (CI)
|
|
42
44
|
```
|
|
43
45
|
|
|
44
|
-
|
|
45
|
-
|
|
46
|
+
`cognium-ai trust src/ -f sarif -o trust.sarif` produces SARIF 2.1.0
|
|
47
|
+
across all 36 trust passes (richer than `scan -f sarif`, which is
|
|
48
|
+
scoped to OWASP Top 10 findings only).
|
|
46
49
|
|
|
47
50
|
## LLM Configuration
|
|
48
51
|
|
|
@@ -65,9 +68,9 @@ export LLM_ENRICHMENT_MODEL=cognium/gpt-oss-120b
|
|
|
65
68
|
|------|-------------|---------|
|
|
66
69
|
| `--llm-base-url <url>` | LLM API base URL (OpenAI-compatible) | `http://localhost:4000/v1` |
|
|
67
70
|
| `--llm-api-key <key>` | LLM API key | `LLM_API_KEY` env var |
|
|
68
|
-
| `--llm-model <model>` | LLM model name | `cognium/gpt-oss-120b` |
|
|
71
|
+
| `--llm-model <model>` | LLM model name (universal — applies to all phases) | `cognium/gpt-oss-120b` |
|
|
72
|
+
| `--llm-timeout <seconds>` | Per-call LLM timeout. Raise for slow local models (e.g. `--llm-timeout 180`); lower for fail-fast iteration. | `60` |
|
|
69
73
|
| `--no-llm` | Disable LLM, use static analysis only | LLM enabled by default |
|
|
70
|
-
| `--no-llm-discovery` | Disable LLM discovery mode | discovery enabled by default |
|
|
71
74
|
|
|
72
75
|
### Provider Examples
|
|
73
76
|
|
|
@@ -141,15 +144,16 @@ jobs:
|
|
|
141
144
|
|
|
142
145
|
| Benchmark | Score |
|
|
143
146
|
|-----------|-------|
|
|
144
|
-
| OWASP Benchmark (Java
|
|
145
|
-
| Juliet Test Suite (
|
|
147
|
+
| OWASP Benchmark (Java) | 100% (1415/1415) |
|
|
148
|
+
| Juliet Test Suite (14 CWEs) | 100% (243/243) |
|
|
146
149
|
| SecuriBench Micro | 97.7% TPR, 6.7% FPR |
|
|
147
|
-
| CWE-Bench-Java (120 CVEs) |
|
|
148
|
-
|
|
|
149
|
-
|
|
|
150
|
-
|
|
|
150
|
+
| CWE-Bench-Java (120 CVEs) | 50.8% static (61/120), **86.7% +LLM Discovery** (104/120, Claude Opus) |
|
|
151
|
+
| OWASP NodeGoat / Juice Shop / DVJA | 100% |
|
|
152
|
+
| NodeJS Synthetic (25 tests) | 92.9% Score (96.2% TPR, 11.1% FPR) |
|
|
153
|
+
| CWE-Bench-Rust (30 tests) | 94.4% TPR, 0% FPR |
|
|
154
|
+
| Bash Synthetic (31 tests) | 100% TPR, 0% FPR |
|
|
151
155
|
|
|
152
|
-
CWE-Bench-Java reference: CodeQL 22.5
|
|
156
|
+
CWE-Bench-Java reference: **CodeQL 22.5%**, IRIS+GPT-4 45.8% — cognium-ai with Claude Opus is **2.85× CodeQL**.
|
|
153
157
|
|
|
154
158
|
## License
|
|
155
159
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cognium-ai",
|
|
3
|
-
"version": "2.5.
|
|
3
|
+
"version": "2.5.9",
|
|
4
4
|
"description": "AI-powered static analysis CLI with LLM-enhanced vulnerability detection",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -42,7 +42,7 @@
|
|
|
42
42
|
],
|
|
43
43
|
"dependencies": {
|
|
44
44
|
"circle-ir": "^3.19.5",
|
|
45
|
-
"circle-ir-ai": "^2.5.
|
|
45
|
+
"circle-ir-ai": "^2.5.7",
|
|
46
46
|
"commander": "^14.0.3",
|
|
47
47
|
"minimatch": "^10.2.5"
|
|
48
48
|
},
|