cognium-dev@3.35.0 — Jenkins Groovy sandbox sink coverage (#17)
·
28 commits
to main
since this release
Highlights
Bumps circle-ir to 3.35.0. For Java projects, cognium-dev scan now flags taint reaching any org.kohsuke.groovy.sandbox.SandboxInterceptor / GroovyInterceptor dispatch hook (onMethodCall, onStaticCall, onGetProperty, onSetProperty, onGetAttribute, onSetAttribute, onMethodPointer, onSuperCall, onSuperConstructor, plus parent-class entries), SandboxTransformer.call, and GroovySandbox.runInSandbox.
Prior releases only flagged SandboxInterceptor.onNewInstance, leaving method/static dispatch (the most common CVE-2023-24422 bypass shape) silently uncovered.
Changed
- circle-ir 3.34.0 → 3.35.0 — see circle-ir@3.35.0 release notes.
Tests
- circle-ir: 1904 / 1904 pass
- cli: 125 / 125 pass
Install
npm install -g cognium-dev@3.35.0