cognium-dev 3.39.0 — cross-instance field-binding taint paths

@openmason openmason released this 12 Jun 07:08
· 37 commits to main since this release

What's New

circle-ir upgraded 3.38.0 → 3.39.0 — adds cross-instance field-binding taint propagation.

cognium-dev scan on multi-file Java projects now emits taint_paths for the canonical CWE-Bench-Java Jenkins shape and for adjacent framework-DI patterns: one class binds the source onto a field (via @DataBoundConstructor, @Autowired / @Inject / @Resource, or a setter chain) and a different class consumes it by reading that field on an aliased instance.

Both direct field reads (String p = step.path) and getter-mediated reads (String p = step.getPath()) are now closed, and the sink may live either in the caller's own method body (Files.newInputStream(Paths.get(p))) or in a downstream cross-file callee.
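The two-file shape described above, as an added illustration written for these notes (not the CWE-Bench-Java fixture and not circle-ir's own code): class and method names are hypothetical, only the Stapler annotation `org.kohsuke.stapler.DataBoundConstructor` is a real dependency, and a confined variant shows the check that keeps the sink off the flagged path.

```java
import org.kohsuke.stapler.DataBoundConstructor;
import java.io.InputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// File 1 (hypothetical): the source is bound onto a field by the constructor.
// Jenkins invokes a @DataBoundConstructor with request-supplied values, so
// `path` is user-influenced; this is the constructor_field source type.
class ReadTrustedStepLike {
    final String path;
    @DataBoundConstructor
    public ReadTrustedStepLike(String path) {
        this.path = path;
    }
    public String getPath() { return path; }
}

// File 2 (hypothetical): another class reads the field on an aliased instance
// and reaches the file-open sink. Both read forms from the notes are shown.
class ExecutionLike {
    private final ReadTrustedStepLike step;   // alias of the bound instance
    ExecutionLike(ReadTrustedStepLike step) { this.step = step; }

    // Direct field read, sink in the caller's own method body (flagged path).
    InputStream openDirect() throws IOException {
        String p = step.path;
        return Files.newInputStream(Paths.get(p));
    }

    // Getter-mediated read, sink in a downstream callee (also flagged).
    InputStream openViaGetter() throws IOException {
        String p = step.getPath();
        return openResolved(p);
    }
    private InputStream openResolved(String p) throws IOException {
        return Files.newInputStream(Paths.get(p));
    }

    // Mitigation: resolve against a fixed root and reject escapes before the sink.
    // An absolute `path` resolves to itself and therefore fails the startsWith check.
    InputStream openConfined(Path root) throws IOException {
        Path target = root.resolve(step.getPath()).normalize();
        if (!target.startsWith(root.normalize())) {
            throw new IOException("path escapes workspace root");
        }
        return Files.newInputStream(target);
    }
}
```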

What This Closes

Previously-hidden field-binding chains now surface with constructor_field or autowired_field source types and confidence-decayed multi-hop paths. The canonical Jenkins ReadTrustedStep shape (CWE-Bench-Java tail) now closes end-to-end.

Output Formats

Text, JSON, and SARIF output formats are unchanged — previously-hidden paths simply appear in all three.

Compatibility

No regressions: full circle-ir suite at 1939 passing tests (1935 baseline + 4 new fixtures).

Install

```bash
# npm
npm install -g cognium-dev@3.39.0

# scan a project
cognium-dev scan ./my-java-project
```

See the full circle-ir 3.39.0 release notes for technical details.