cognium-dev 3.37.0
circle-ir upgraded 3.36.0 → 3.37.0
Closes the remaining Python false-negative tail uncovered after #18 (#20). cognium-dev scan against Python projects now emits flows for multi-hop indirection shapes that 3.36.0 still missed:
- Simple alias chains:
  bar = uid; sql = "..." + bar; cur.execute(sql)
- configparser round-trips:
  conf.set('s','k', tainted); bar = conf.get('s','k'); cur.execute(f'... {bar}')
- List/dict round-trips:
  lst.append(tainted); bar = lst[0]; subprocess.run([..., bar])
  (and .add/.extend/.insert/.push/.put/.appendleft variants)
These were the dominant remaining drivers of OWASP Benchmark Python false negatives. Output formats (text, JSON, SARIF) are unchanged; previously hidden flows now surface in all three.
Java/JS/Bash flows are unaffected — the alias expansion is gated to Python only and verified by an explicit Java sqli non-regression test plus the full 156-case Juliet suite.
Cross-module helper indirection (helpers.db_sqlite.results(cur, sql)) is not addressed; it requires inter-procedural taint summaries and is filed as future work.
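To make the three indirection shapes concrete, the following is an added example, not cognium-dev's or circle-ir's own code: a minimal flow-sensitive, intra-procedural taint propagator over a Python AST that reports an alias chain, a configparser-style round-trip, list/dict round-trips (including the appendleft variant) and a clean-overwrite case that must not be reported. The source roots (request, input), the sink pairs (cur.execute, subprocess.run), the CONTAINER_WRITES set and the SAMPLE module are assumptions constructed for this example; it deliberately over-approximates (any expression mentioning a tainted name is tainted) and, like the release note's scanner, stops at function boundaries.

```python
import ast

# Container-mutating methods whose argument taints the receiver
# (the variants named in the release note; assumed set for this example).
CONTAINER_WRITES = {"add", "append", "extend", "insert", "push", "put",
                    "appendleft", "set"}
# Root identifiers of expressions treated as attacker-controlled (assumed).
SOURCE_ROOTS = {"request", "input"}
# Dangerous sinks as (receiver, method) pairs (assumed for this example).
SINKS = {("cur", "execute"), ("subprocess", "run")}


def _root_name(node):
    """Base identifier of a Name / Attribute / Subscript chain, else None."""
    while isinstance(node, (ast.Attribute, ast.Subscript)):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


class TaintTracker(ast.NodeVisitor):
    """Flow-sensitive, intra-procedural, over-approximating taint tracking."""

    def __init__(self, source_roots=SOURCE_ROOTS):
        self.source_roots = set(source_roots)
        self.tainted = set()   # variable names currently carrying taint
        self.flows = []        # (sink, line) pairs in source order

    def is_tainted(self, node):
        """True if any identifier inside `node` is a source or tainted."""
        return any(isinstance(n, ast.Name)
                   and (n.id in self.tainted or n.id in self.source_roots)
                   for n in ast.walk(node))

    def visit_Assign(self, node):
        # Alias chain or round-trip read: x = <expr over tainted names>.
        # A subscript target (d["k"] = v) taints the container itself.
        roots = [_root_name(t) for t in node.targets]
        if self.is_tainted(node.value):
            self.tainted.update(r for r in roots if r)
        else:
            # A plain name overwritten with a clean value stops carrying taint.
            self.tainted.difference_update(
                t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute):
            recv, method = _root_name(func.value), func.attr
            args_tainted = any(self.is_tainted(a) for a in node.args)
            if recv and method in CONTAINER_WRITES and args_tainted:
                self.tainted.add(recv)        # lst.append(t) -> lst tainted
            if (recv, method) in SINKS and args_tainted:
                self.flows.append((f"{recv}.{method}", node.lineno))
        self.generic_visit(node)


def find_flows(source, source_roots=SOURCE_ROOTS):
    """Return [(sink, line), ...] for tainted values reaching a sink."""
    tracker = TaintTracker(source_roots)
    tracker.visit(ast.parse(source))
    return tracker.flows


# Constructed sample module exercising each shape from the release note.
SAMPLE = """\
import subprocess
from collections import deque
uid = request.args["uid"]            # source
bar = uid                            # 1. simple alias chain
sql = "SELECT * FROM users WHERE id = " + bar
cur.execute(sql)                     # flow, line 6
conf.set("s", "k", uid)              # 2. configparser-style round-trip
name = conf.get("s", "k")
cur.execute(f"SELECT * FROM t WHERE n = '{name}'")  # flow, line 9
lst = []                             # 3. list round-trip
lst.append(uid)
arg = lst[0]
subprocess.run(["grep", arg])        # flow, line 13
d = {}                               # dict round-trip via subscript write
d["k"] = uid
subprocess.run(["echo", d["k"]])     # flow, line 16
dq = deque()
dq.appendleft(uid)                   # .appendleft variant
subprocess.run(["echo", dq.popleft()])  # flow, line 19
cur.execute("SELECT 1")              # constant argument: no flow
bar = "constant"                     # clean overwrite kills the alias
cur.execute(bar)                     # no flow
"""

if __name__ == "__main__":
    for sink, line in find_flows(SAMPLE):
        print(f"tainted value reaches {sink} at line {line}")
```

The propagation is intentionally name-based and path-insensitive, which is what makes the alias chains and round-trips fall out of a few rules; the price is over-approximation (for instance, len(lst) would be treated as tainted once lst is). The cross-module helper case the note defers would need the tracker to summarise callee behaviour rather than stop at the call.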
🤖 Generated with Claude Code