npm - @bryan-thompson/inspector-assessment-client - Versions diffs - 1.34.2 → 1.35.2 - Mend

@bryan-thompson/inspector-assessment-client 1.34.2 → 1.35.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/lib/services/assessment/modules/securityTests/TestValidityAnalyzer.js CHANGED Viewed

@@ -11,6 +11,9 @@ const DEFAULT_CONFIG = {
     confidenceReduceThresholdPercent: 90,
     minimumTestsForAnalysis: 10,
     maxResponseCompareLength: 1000,
+    // Issue #135: Enhanced data defaults
+    maxSamplePairs: 10,
+    maxDistributionEntries: 5,
 };
 /**
  * Analyzes security test results for response uniformity.
@@ -70,12 +73,23 @@ export class TestValidityAnalyzer {
             recommendedConfidence,
             warning: isCompromised
                 ? {
+                    // Existing fields
                     identicalResponseCount: mostCommonCount,
                     totalResponses: testsWithResponses.length,
                     percentageIdentical: Math.round(percentageIdentical * 10) / 10,
                     sampleResponse: sampleResponse.substring(0, 500),
                     detectedPattern,
                     explanation: this.generateExplanation(percentageIdentical, detectedPattern, mostCommonCount, testsWithResponses.length),
+                    // Issue #135: Enhanced fields for Stage B semantic analysis
+                    responseDiversity: {
+                        uniqueResponses: responseCounts.size,
+                        entropyScore: Math.round(this.calculateEntropy(responseCounts) * 100) / 100,
+                        distribution: this.buildResponseDistribution(responseCounts, testsWithResponses.length),
+                    },
+                    toolUniformity: Object.fromEntries(toolUniformity),
+                    attackPatternCorrelation: this.analyzeAttackPatterns(testsWithResponses),
+                    samplePairs: this.collectSamplePairs(testsWithResponses),
+                    responseMetadata: this.collectResponseMetadata(testsWithResponses),
                 }
                 : undefined,
             toolUniformity,
@@ -220,4 +234,170 @@ export class TestValidityAnalyzer {
         const patternDesc = patternDescriptions[pattern] ?? patternDescriptions.unknown;
         return `${Math.round(percentage)}% of security tests (${identicalCount}/${totalCount}) returned identical responses indicating ${patternDesc}. Tests may not have reached security-relevant code paths. Resolve the underlying issue and re-run the assessment for valid security analysis.`;
     }
+    // ==========================================================================
+    // Issue #135: Enhanced data methods for Stage B semantic analysis
+    // ==========================================================================
+    /**
+     * Calculate Shannon entropy for response diversity (0=uniform, 1=max diversity)
+     */
+    calculateEntropy(counts) {
+        const total = Array.from(counts.values()).reduce((a, b) => a + b, 0);
+        if (total === 0)
+            return 0;
+        let entropy = 0;
+        for (const count of counts.values()) {
+            if (count > 0) {
+                const p = count / total;
+                entropy -= p * Math.log2(p);
+            }
+        }
+        // Normalize to 0-1 scale based on max possible entropy
+        const maxEntropy = Math.log2(counts.size);
+        return maxEntropy > 0 ? entropy / maxEntropy : 0;
+    }
+    /**
+     * Build response distribution sorted by frequency
+     */
+    buildResponseDistribution(counts, total) {
+        return Array.from(counts.entries())
+            .sort((a, b) => b[1] - a[1])
+            .slice(0, this.config.maxDistributionEntries)
+            .map(([response, count]) => ({
+            response: response.substring(0, 200),
+            count,
+            percentage: Math.round((count / total) * 1000) / 10,
+        }));
+    }
+    /**
+     * Extract attack category from test name
+     */
+    extractAttackCategory(testName) {
+        const lower = testName.toLowerCase();
+        if (lower.includes("injection") || lower.includes("sqli"))
+            return "injection";
+        if (lower.includes("xss") || lower.includes("script"))
+            return "xss";
+        if (lower.includes("path") || lower.includes("traversal"))
+            return "path_traversal";
+        if (lower.includes("command") || lower.includes("rce"))
+            return "command_injection";
+        if (lower.includes("ssrf"))
+            return "ssrf";
+        if (lower.includes("auth"))
+            return "authentication";
+        return "other";
+    }
+    /**
+     * Analyze attack pattern correlation by category
+     */
+    analyzeAttackPatterns(tests) {
+        const patterns = new Map();
+        // Group by attack category
+        for (const test of tests) {
+            const category = this.extractAttackCategory(test.testName);
+            if (!patterns.has(category))
+                patterns.set(category, []);
+            patterns.get(category).push(test);
+        }
+        // Build correlation stats
+        const result = {};
+        for (const [category, categoryTests] of patterns) {
+            const withResponse = categoryTests.filter((t) => t.response);
+            const counts = this.countNormalizedResponses(withResponse);
+            result[category] = {
+                testCount: categoryTests.length,
+                uniqueResponses: counts.size,
+                samplePayload: categoryTests[0]?.payload?.substring(0, 100),
+                sampleResponse: categoryTests[0]?.response?.substring(0, 200),
+            };
+        }
+        return result;
+    }
+    /**
+     * Collect sample payload-response pairs with category diversity
+     */
+    collectSamplePairs(tests) {
+        const pairs = [];
+        const seenCategories = new Set();
+        // Prioritize diverse categories
+        for (const test of tests) {
+            if (pairs.length >= this.config.maxSamplePairs)
+                break;
+            if (!test.response || !test.payload)
+                continue;
+            const category = this.extractAttackCategory(test.testName);
+            if (!seenCategories.has(category)) {
+                seenCategories.add(category);
+                pairs.push({
+                    attackCategory: category,
+                    payload: test.payload.substring(0, 100),
+                    response: test.response.substring(0, 300),
+                    vulnerable: test.vulnerable,
+                });
+            }
+        }
+        // Fill remaining slots with additional samples
+        for (const test of tests) {
+            if (pairs.length >= this.config.maxSamplePairs)
+                break;
+            if (!test.response || !test.payload)
+                continue;
+            const truncatedPayload = test.payload.substring(0, 100);
+            if (!pairs.some((p) => p.payload === truncatedPayload)) {
+                pairs.push({
+                    attackCategory: this.extractAttackCategory(test.testName),
+                    payload: truncatedPayload,
+                    response: test.response.substring(0, 300),
+                    vulnerable: test.vulnerable,
+                });
+            }
+        }
+        return pairs;
+    }
+    /**
+     * Collect response metadata statistics
+     */
+    collectResponseMetadata(tests) {
+        if (tests.length === 0) {
+            return {
+                avgLength: 0,
+                minLength: 0,
+                maxLength: 0,
+                emptyCount: 0,
+                errorCount: 0,
+            };
+        }
+        let totalLength = 0;
+        let minLength = Infinity;
+        let maxLength = 0;
+        let emptyCount = 0;
+        let errorCount = 0;
+        let nonEmptyCount = 0;
+        for (const test of tests) {
+            const response = test.response ?? "";
+            const len = response.length;
+            // Check for empty/minimal responses
+            if (len === 0 ||
+                /^(\s*\{\s*\}|\s*\[\s*\]|\s*null\s*|)$/i.test(response.trim())) {
+                emptyCount++;
+            }
+            else {
+                totalLength += len;
+                minLength = Math.min(minLength, len);
+                maxLength = Math.max(maxLength, len);
+                nonEmptyCount++;
+            }
+            // Check for error indicators
+            if (/error|exception|fail/i.test(response)) {
+                errorCount++;
+            }
+        }
+        return {
+            avgLength: nonEmptyCount > 0 ? Math.round(totalLength / nonEmptyCount) : 0,
+            minLength: minLength === Infinity ? 0 : minLength,
+            maxLength,
+            emptyCount,
+            errorCount,
+        };
+    }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.34.2",
+  "version": "1.35.2",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",