mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-24 20:28:06 +02:00
chore: Update version placeholders and changelog for release 0.6.0
parent 215dd02eff
commit 92aaa36ed6
6 changed files with 86 additions and 42 deletions
@ -8,9 +8,9 @@ Current baseline (2026-05-02):
|
|||
| Recall | 1.000 | 1.000 | 0.944 |
|
||||
| F1 | 1.000 | 1.000 | 0.901 |
|
||||
|
||||
Corpus: 499 cases across 10 languages, 496 evaluated (3 disabled). Per-run JSON lands in `tests/benchmark/results/` (`latest.json` plus dated snapshots). See `README.md` for what the scoring modes mean and how to run a subset.
|
||||
Corpus: 507 cases across 10 languages, 504 evaluated (3 disabled). Per-run JSON lands in `tests/benchmark/results/` (`latest.json` plus dated snapshots). See `README.md` for what the scoring modes mean and how to run a subset.
|
||||
|
||||
The corpus is mostly synthetic 8-20 line fixtures, one vulnerability or one safe pattern per file. A smaller real-CVE replay set under `cve_corpus/` covers 20 published CVEs across all 10 languages. Both contribute to the headline numbers.
|
||||
The corpus is mostly synthetic 8-20 line fixtures, one vulnerability or one safe pattern per file. A smaller real-CVE replay set under `cve_corpus/` covers 30 published advisories across all 10 languages. Both contribute to the headline numbers.
|
||||
|
||||
## Real CVE coverage
|
||||
|
||||
|
|
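Review bot: the new Corpus line keeps "(3 disabled)" while this same commit flips both cve-ts-2026-25544 cases from `"disabled": true` to `"disabled": false`; unless two other cases were disabled outside the shown hunks, the line should read 506 evaluated (1 disabled), not 504 (3 disabled). The arithmetic between the two edited sentences also does not obviously reconcile: the replay set grows from 20 to 30 advisories, and the section below describes one vulnerable + patched pair per entry, which would be +20 cases, yet the corpus grows by only 8 (499 to 507); if some advisories were already present and are only now being counted, say so. Finally, the Recall and F1 rows above the Corpus line are unchanged context even though the corpus changed; confirm those figures come from a fresh run over the 507-case corpus (the `latest.json` this paragraph points at) rather than being carried over, and bump the "Current baseline (2026-05-02)" date if they do.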
@ -40,6 +40,9 @@ Real disclosed CVEs reduced to minimal reproducers, vulnerable + patched pair pe
|
|||
| CVE-2023-38337 | Ruby | rswag | MIT | path_traversal | detected |
|
||||
| CVE-2017-9841 | PHP | PHPUnit | BSD-3-Clause | code_exec | detected |
|
||||
| CVE-2018-15133 | PHP | Laravel | MIT | Deserialization | detected |
|
||||
| CVE-2018-20997 | Rust | tar-rs | MIT OR Apache-2.0 | path_traversal | detected |
|
||||
| CVE-2022-36113 | Rust | cargo | MIT OR Apache-2.0 | path_traversal | detected |
|
||||
| CVE-2024-24576 | Rust | Rust stdlib | MIT OR Apache-2.0 | CMDI | detected |
|
||||
| CVE-2016-3714 | C | ImageMagick (ImageTragick) | ImageMagick License | CMDI | detected |
|
||||
| CVE-2019-18634 | C | sudo (pwfeedback) | ISC | memory_safety | detected |
|
||||
| CVE-2019-13132 | C++ | ZeroMQ libzmq | MPL-2.0 | memory_safety | detected |
|
||||
|
|
|
|||
|
|
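Review bot: the status column is too thin for what the section header claims. The header says each entry is a vulnerable + patched pair, but every row, including the three new ones (CVE-2016-3714, CVE-2019-18634, CVE-2019-13132), records only `detected`, which speaks to the vulnerable half and says nothing about whether the patched half is reported clean; a regression that starts flagging the sudo pwfeedback or libzmq fix would not show here. Suggest recording both verdicts per row, e.g. `detected / clean`. Smaller point: the class column mixes spellings (`memory_safety`, `path_traversal`, `code_exec` in snake_case next to `CMDI` and `Deserialization`), and the new rows extend the mix; pick one form so the column can be grouped by.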
@ -15995,9 +15995,8 @@
|
|||
"sqli",
|
||||
"vulnerable"
|
||||
],
|
||||
"disabled": true,
|
||||
"disabled_reason": "Validated-flow propagation through SSA-derived values and helper-summary returns is missing. The patched counterpart applies a regex allowlist (`SAFE_STRING_REGEX.test(value)` throw) PLUS a `replace()` escape chain inside `sanitizeValue`, then interpolates the result into a SQL template literal in `createJSONQuery` and returns the string to the handler, which calls `db.execute(sql)`. This session landed `classify_condition` recognition of `<*regex*>.test(value)` / `<*pattern*>.test(value)` as a ValidationCall whose target is the call's first arg (covered by `path_state::tests::target_regex_test_first_arg`, `target_regex_test_pattern_receiver`, `target_test_non_regex_receiver_is_not_validation`, plus the SSA-level `regex_test_allowlist_narrowing_clears_direct_flow` integration test). But validated_must is per-symbol and consulted only at the sink site; it does NOT propagate through the SSA Assign that templates a clean `value` into a derived `sql` string, nor does it ride a helper's `param_to_return` summary back into a caller. Disabled until that propagation path lands. Tracked in CVE_DEFERRED.md.",
|
||||
"notes": "CVE-2026-25544: Payload `sanitizeValue` SQL injection via Postgres jsonb_path_exists template-string interpolation. Vulnerable form (`@payloadcms/drizzle@v3.72.0`, MIT) lets attacker-controlled JSON-query value escape the surrounding SQL string literal because `sanitizeValue` only double-quotes it without escaping `\\`/`\"`. Disabled pending validated-flow propagation engine work, see disabled_reason."
|
||||
"disabled": false,
|
||||
"notes": "CVE-2026-25544: Payload `sanitizeValue` SQL injection via Postgres jsonb_path_exists template-string interpolation. Vulnerable form (`@payloadcms/drizzle@v3.72.0`, MIT) lets attacker-controlled JSON-query value escape the surrounding SQL string literal because `sanitizeValue` only double-quotes it without escaping `\\`/`\"`. Enabled after validated-flow propagation landed via `SsaFuncSummary.validated_params_to_return` + `propagate_validated_params_to_return`."
|
||||
},
|
||||
{
|
||||
"case_id": "cve-ts-2026-25544-patched",
|
||||
|
|
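Review bot: the removed `disabled_reason` said this case is "Tracked in CVE_DEFERRED.md"; if that file still lists cve-ts-2026-25544 it should be dropped from it in this commit, since the manifest no longer carries the cross-reference and nothing else in the diff shows it being updated. The new `notes` names the engine change (`SsaFuncSummary.validated_params_to_return` + `propagate_validated_params_to_return`) but, unlike the old text, which cited `path_state::tests::target_regex_test_first_arg` and the `regex_test_allowlist_narrowing_clears_direct_flow` integration test, it names no test that pins the behaviour. Recording the test that exercises the `sanitizeValue` -> `createJSONQuery` -> `db.execute(sql)` flow would make a future regression on this fixture triageable from the manifest alone.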
@ -16024,9 +16023,8 @@
|
|||
"safe",
|
||||
"patched"
|
||||
],
|
||||
"disabled": true,
|
||||
"disabled_reason": "Sibling of cve-ts-2026-25544-vulnerable. Disabled together until validated-flow summary propagation lands. See vulnerable counterpart's disabled_reason for the engine gap.",
|
||||
"notes": "Patched form of `sanitizeValue` from `@payloadcms/drizzle@v3.73.0` (MIT). Disabled together with its vulnerable counterpart pending validated-flow propagation work."
|
||||
"disabled": false,
|
||||
"notes": "Patched form of `sanitizeValue` from `@payloadcms/drizzle@v3.73.0` (MIT). Enabled after validated-flow propagation landed."
|
||||
}
|
||||
]
|
||||
}
|
||||
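Review bot: dropping `disabled_reason` here also drops the only pointer tying this fixture to its vulnerable sibling ("Sibling of cve-ts-2026-25544-vulnerable"); the replacement `notes` no longer says which case it pairs with. Both were enabled on the same propagation change and will regress together, so keep the sibling reference in `notes`. The patched form's expected verdict (no finding on the regex allowlist + `replace()` escape chain described in the vulnerable case's old reason) is only implied by the `safe` and `patched` tags; stating it in `notes` would help when reading a failing run.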