v11.1.0 — Inter-procedural taint analysis, 1001 community rules

@Cranot Cranot released this 25 Feb 11:57
· 164 commits to main since this release

What's New

Inter-Procedural Taint Analysis

  • New src/roam/analysis/taint.py engine: per-function taint summaries, cross-function propagation up to 5 hops, source/sink/sanitizer detection
  • New DB tables (taint_summaries, taint_findings) populated during indexing
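
The summary-plus-propagation idea in the taint bullet above, as an added illustration that is not code from roam-code's taint.py: the Summary fields, the hop-counting rule, the sanitizer/passthrough/sink modelling and the call graph (handler, escape, build_query, run_sql, hop1..hop5) are all constructed assumptions, chosen so that a sanitized value, a 2-hop SQL sink and a 6-hop chain beyond the 5-hop limit are each exercised.

```python
"""Added illustration of summary-based inter-procedural taint propagation.
Not roam-code's engine: the Summary fields, call graph and function names
are constructed. A sanitizer's return is clean; taint stops after MAX_HOPS."""
from dataclasses import dataclass, field

MAX_HOPS = 5  # cross-function propagation depth stated in the release notes

@dataclass
class Summary:
    # (result_var or None, callee, {callee_param: caller_slot}) in program order
    calls: list = field(default_factory=list)
    passthrough: frozenset = frozenset()  # params whose data reaches the return
    sink_params: frozenset = frozenset()  # params that hit a dangerous sink here
    sanitizer: bool = False               # return value is considered clean

def find_taint_paths(summaries, entry, tainted_param, max_hops=MAX_HOPS):
    """Call chains along which `tainted_param` of `entry` reaches a sink
    within `max_hops` call edges; data returned by a sanitizer is untainted."""
    findings = []
    def walk(func, tainted, chain, hops):
        if hops >= max_hops:  # no further call edge allowed from here
            return
        for result, callee, argmap in summaries[func].calls:
            cs = summaries[callee]
            hit = {cp for cp, slot in argmap.items() if slot in tainted}
            if not hit:
                continue
            if hit & cs.sink_params:
                findings.append(chain + [callee])
            walk(callee, hit, chain + [callee], hops + 1)
            if result and hit & cs.passthrough and not cs.sanitizer:
                tainted = tainted | {result}  # tainted value returns to caller
    walk(entry, {tainted_param}, [entry], 0)
    return findings

SUMMARIES = {  # constructed call graph: a request handler feeding SQL helpers
    "handler": Summary(calls=[
        ("safe", "escape", {"s": "req"}),     # sanitized copy of the input
        (None, "run_sql", {"sql": "safe"}),    # clean data: no finding
        (None, "build_query", {"q": "req"}),   # raw input, 2 hops to the sink
        (None, "hop1", {"x": "req"}),          # raw input, 6 hops: beyond MAX_HOPS
    ]),
    "escape": Summary(passthrough=frozenset({"s"}), sanitizer=True),
    "build_query": Summary(calls=[(None, "run_sql", {"sql": "q"})]),
    "run_sql": Summary(sink_params=frozenset({"sql"})),
}
for i in range(1, 6):  # hop1 -> hop2 -> ... -> hop5 -> run_sql
    callee, param = ("run_sql", "sql") if i == 5 else (f"hop{i + 1}", "x")
    SUMMARIES[f"hop{i}"] = Summary(calls=[(None, callee, {param: "x"})])
```

With the default limit only the handler -> build_query -> run_sql chain is reported; raising max_hops to 6 also surfaces the hop1 chain, which is the recall/cost trade-off a hop cap makes.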

Dataflow-Enhanced Dead Code Detection

  • roam dead --dataflow flag: detects unused return values, dead parameter chains, and side-effect-only functions with confidence scores

Rules Engine — Inter-Procedural Dataflow

  • dataflow_match rules now support cross-function patterns with max_chain_length, min_confidence, and sanitizers keys

Community Rule Pack: 602 → 1001 YAML Rules

  • +206 security: SQL injection, command injection, path traversal, weak crypto, hardcoded secrets, SSRF, deserialization, XXE, TLS misconfig, JWT bypass, XSS, CORS, CSRF — across Python, JS, TS, Java, Go, Rust, C#, PHP, Ruby
  • +115 correctness: empty catch, mutable defaults, null deref, unused imports, resource leaks, loose equality
  • +66 performance: string concat in loops, regex compile in loops, N+1 queries, sync I/O in async, unbounded collections
  • +30 architecture: hexagonal boundary violations, DI anti-patterns, framework coupling, circular dependencies
  • +30 dataflow: cross-function SQLi, CMDi, path traversal, XSS, SSRF, deserialization

Competitive Score: 84 → 88/100

  • Static analysis: +3 (inter-procedural taint)
  • Security & governance: +1 (rule expansion)

Install / Upgrade

pip install --upgrade roam-code
pip install --upgrade "roam-code[mcp]"

Full changelog: v11.0.0...v11.1.0