cognium-dev 3.38.0 — cross-file inter-procedural taint chains
Changed
circle-ir upgraded 3.37.0 → 3.38.0 — closes the Java cross-file inter-procedural taint gap (#19) that hid CVE-2018-1260 (Spring SpEL injection) and CVE-2011-2732 (Spring open redirect) shapes.
`cognium-dev scan` against multi-file Java projects now emits `taint_paths` for the canonical pattern:

```
source-in-callee-A → wrapper-return-in-caller → sink-call-in-caller → sink-in-callee-B
```

…where neither file in isolation contains both a source and the sink.
`cross_file_calls[].args_mapping[].taint_propagates` is now populated from the callee's analyzed `taintedParams` summary (previously hard-coded `false`), giving downstream consumers an at-a-glance view of which arguments carry tainted data across a resolved inter-file call.
Output formats (text, JSON, SARIF) are unchanged; previously hidden multi-hop chains now surface with confidence-decayed paths (0.85 per hop, floor 0.30).
The fix also tightens single-hop cross-file flow detection with a variable-connectivity gate that eliminates false positives when a sanitized wrapper sits between the controller-side source and the callee-side sink.
Java/JS/Python flows for in-file and pre-existing cross-file shapes are unaffected (verified by full OWASP Benchmark Java + Juliet + SecuriBench Micro suites).
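To make the chain shape, the `taint_propagates` field and the hop-decayed confidence concrete, here is a toy model added for this note; it is not cognium-dev or circle-ir code, and the file, function and variable names (`Req.java:param`, `Spel.java:evaluate`, `Clean.java:escape`, `Ctl.java`) are hypothetical. It assumes confidence starts at 1.0 and is multiplied by 0.85 per cross-file hop before the 0.30 floor is applied.

```javascript
// Added illustration, not cognium-dev/circle-ir code: a toy cross-file,
// inter-procedural taint walk over per-callee summaries that emits the
// taint_paths and args_mapping[].taint_propagates shapes described above.
const DECAY = 0.85, FLOOR = 0.30;                  // per-hop decay and floor from the notes
const confidence = (hops) => Math.max(FLOOR, DECAY ** hops);
// Constructed callee summaries. taintedReturn: return value carries source data;
// taintedParams: parameter indices that reach a sink inside the callee; sanitizer:
// the call's result is clean. Names are hypothetical, modelled on the SpEL case.
const summaries = {
  "Req.java:param":     { taintedReturn: true,  taintedParams: [],  sanitizer: false },
  "Spel.java:evaluate": { taintedReturn: false, taintedParams: [0], sanitizer: false },
  "Clean.java:escape":  { taintedReturn: false, taintedParams: [],  sanitizer: true  },
};
// Caller body as statements {assign, call, args}; assign is null for bare calls.
function analyzeCaller(callerFile, stmts) {
  const origin = new Map();                        // tainted caller variable -> source callee
  const taintPaths = [], crossFileCalls = [];
  for (const s of stmts) {
    const sum = summaries[s.call];
    if (!sum) continue;                            // unresolved call: no summary, no edge
    const args_mapping = s.args.map((a, i) => ({
      arg: a, param: i,
      taint_propagates: origin.has(a) && sum.taintedParams.includes(i),
    }));
    crossFileCalls.push({ caller: callerFile, callee: s.call, args_mapping });
    for (const m of args_mapping) {
      if (!m.taint_propagates) continue;           // connectivity gate: variable must still be tainted
      taintPaths.push({
        path: [origin.get(m.arg), `${callerFile}:${m.arg}`, `${callerFile}:call ${s.call}`, s.call],
        confidence: confidence(2),                 // callee-A -> caller -> callee-B: two cross-file hops
      });
    }
    if (!s.assign) continue;
    if (sum.taintedReturn && !sum.sanitizer) origin.set(s.assign, s.call);
    else origin.delete(s.assign);                  // sanitizer or clean return: variable is clean
  }
  return { taint_paths: taintPaths, cross_file_calls: crossFileCalls };
}
// Constructed callers: the first passes the source straight to the sink, the second
// routes it through a sanitizer first and must produce no path.
const vulnerable = analyzeCaller("Ctl.java", [
  { assign: "x", call: "Req.java:param", args: [] },
  { assign: null, call: "Spel.java:evaluate", args: ["x"] },
]);
const sanitized = analyzeCaller("Ctl.java", [
  { assign: "x", call: "Req.java:param", args: [] },
  { assign: "y", call: "Clean.java:escape", args: ["x"] },
  { assign: null, call: "Spel.java:evaluate", args: ["y"] },
]);
```

`vulnerable` yields one path at confidence 0.85² ≈ 0.72 with `taint_propagates: true` on the sink call, while `sanitized` yields none because the sanitized variable is no longer connected to the source.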
Install
```bash
npm install -g cognium-dev@3.38.0
```
Full diff: cognium-dev-v3.37.0...cognium-dev-v3.38.0