@kevinrabun/judges 3.20.13 → 3.21.0

package/CHANGELOG.md

@@ -2,6 +2,60 @@
 
 All notable changes to **@kevinrabun/judges** are documented here.
 
+## [3.21.0] — 2026-03-05
+
+### Added — P0: GitHub Action CI/CD
+- **PR inline review comments** — New `pr-review` input in `action.yml` posts findings as inline PR review comments with severity badges, auto-fix hints, and judge attribution
+- **Diff-only mode** — New `diff-only` input restricts analysis to changed files using `git diff`, dramatically reducing CI noise on large repos
+- **Baseline filtering** — New `baseline-file` input suppresses known findings via a baseline JSON, surfacing only new issues in PRs
+- **Improved step summary** — GitHub Actions summary now includes findings table, score badge, and must-fix gate status
+
+### Added — P1: Core Engine Enhancements
+- **AST context in more evaluators** — `AnalyzeContext` interface pipes tree-sitter AST data into cybersecurity (scope-aware taint), performance (async/complexity detection), and authentication (decorator/import awareness) evaluators
+- **`fix_code` MCP tool** — New tool evaluates code and auto-applies all available patches, returning fixed code + summary of remaining findings
+- **Multi-language framework evaluators** — Extended `framework-safety.ts` from JS/TS-only to 8 frameworks: Django (6 rules), Flask (4), FastAPI (1), Spring Boot (6), ASP.NET Core (6), Go/Gin/Echo/Fiber (5)
+
+### Added — P2: Depth & Tooling
+- **20+ new auto-fix patches** — Added patches for Python (7), Go (2), Java (5), C# (4), Rust (2) covering SQL injection, command injection, weak hashing, empty catch, and more
+- **VS Code findings panel** — TreeView-based panel with sort-by-severity/judge, filter controls, go-to-line navigation, and 7 new commands (`judges.showFindingsPanel`, `judges.sortBySeverity`, etc.)
+- **Cross-file type/state tracking** — Three new project-level detectors: `detectSharedMutableState()`, `detectTypeSafetyGaps()`, `detectScatteredEnvAccess()` in `project.ts`
+- **Taint tracker language depth** — Expanded from 5 to 9 language-specific pattern sets with `LanguagePatternSet` interface; each set defines sources, sinks, sanitizers, assign patterns, and guard conditions
+
+### Added — P3: Breadth & Polish
+- **PHP/Ruby/Kotlin/Swift language support** — Added 4 new languages to `LangFamily`, expanded all ~35 pattern constants in `language-patterns.ts`, added 4 complete taint tracker pattern sets (PHP: 7 sources/11 sinks/11 sanitizers, Ruby: 9/11/10, Kotlin: 9/8/8, Swift: 8/9/6)
+- **Performance & snapshot tests** — 3 new test suites: performance budgets (tribunal <5s, per-judge <500ms, evaluateDiff <3s, large-block <15s), rule coverage stability (≥30 judges, 100-600 findings, required families, severity distribution), multi-language pattern coverage (8 tests for PHP/Ruby/Kotlin/Swift)
+- **Framework version awareness** — `detectFrameworkVersions()` extracts versions from 14 manifest/config patterns; `getVersionConfidenceAdjustment()` applies version-specific confidence rules for Django 4+, Spring 3+, Next.js 13+/14+, Express 5+, Rails 6+/7+, Laravel 9+, ASP.NET 8+; integrated into `applyFrameworkAwareness()`
+- **MCP workspace & streaming tools** — 3 new MCP tools: `list_files` (recursive directory listing with skip-dirs), `read_file` (content reading with line-range slicing), `evaluate_with_progress` (progressive judge-by-judge reporting with count updates)
+
+### Changed
+- **MCP tool count** — 10 → 13 tools registered in `server.json`
+- **`applyFrameworkAwareness()` rewritten** — Now combines framework mitigation with version-aware confidence adjustments and stacked provenance notes
+- **`register.ts` modular architecture** — Now orchestrates 4 registration modules: evaluation, workflow, fix, workspace
+
+### Tests
+- 19 new performance/snapshot/multi-language tests in `judges.test.ts`
+- 19 new framework version awareness tests in `subsystems.test.ts`
+- 1006 tests in judges.test.ts, 392 tests in subsystems.test.ts — all passing
+
+## [3.20.14] — 2026-03-04
+
+### Added
+- **Three new FP heuristics (H33–H35)** — Expanded the false-positive filter from 32 to 35 deterministic heuristics:
+  - **H33: Destructuring variable extraction** — Suppresses hardcoded-credential findings when the security keyword is a destructured variable name (`const { password } = req.body`), recognizing the code extracts a named field from runtime data
+  - **H34: Dictionary/map key access** — Suppresses hardcoded-credential findings when the keyword is a dictionary key being accessed (`data["password"]`, `request.form.get("token")`), not a hardcoded value; excludes LOGPRIV and exposure-related findings
+  - **H35: CLI argument/option definitions** — Suppresses findings when the keyword defines a CLI parameter in argparse, click, commander.js, or yargs (`parser.add_argument("--password")`, `.option("--token")`)
+- **Expanded H6 keyword-in-identifier patterns** — Significantly broadened compound-identifier recognition for all five security keywords:
+  - `password`: ~25 new suffixes (manager, service, handler, helper, criteria, complexity, expiry, generator, mask, etc.) and ~16 new prefixes (set, get, save, store, update, change, manage, generate, etc.)
+  - `secret`: ~14 new suffixes (holder, service, handler, helper, resolver, loader, fetcher, etc.) and ~20 new prefixes (get, set, read, fetch, load, resolve, lookup, rotate, etc.)
+  - `token`: ~18 new suffixes (manager, service, handler, provider, factory, builder, cache, parser, etc.) and ~26 new prefixes (get, set, create, generate, fetch, store, validate, revoke, etc.)
+  - `delete`: Refined to add safe lifecycle prefixes (soft, hard, mark, pre, post, async, schedule) and safe naming suffixes (scheduled, pending, mark) while deliberately excluding operation-target suffixes (many, all, records) that represent actual data operations
+  - `exec`: ~13 new suffixes (command, args, timeout, callback, handler, etc.) and ~12 new prefixes (pre, post, async, remote, batch, parallel, etc.)
+- **Three new safe idiom patterns (H7)** — Added vault/secrets-manager SDK calls, hash/digest function calls, and UI label/placeholder strings as recognized safe contexts
+
+### Tests
+- Added 29 new FP heuristic tests covering all new and expanded heuristics with both FP-suppression and TP-retention validation
+- 1666 tests, 0 failures
+
 ## [3.20.13] — 2026-03-04
 
 ### Fixed

package/dist/ast/taint-tracker.d.ts

@@ -29,7 +29,9 @@ export type TaintSinkKind = "code-execution" | "command-exec" | "sql-query" | "x
  * dangerous sinks through variable assignments and string concatenation.
  *
  * For JS/TS, uses the TypeScript compiler AST for precise variable tracking.
- * For other languages, falls back to regex-based lightweight analysis.
+ * For Python, Java, Go, C#, and Rust: uses language-specific source/sink/
+ * sanitizer patterns for deeper analysis.
+ * For other languages, falls back to generic regex-based analysis.
  */
 export declare function analyzeTaintFlows(code: string, language: string): TaintFlow[];
 //# sourceMappingURL=taint-tracker.d.ts.map

package/dist/ast/taint-tracker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"taint-tracker.d.ts","sourceRoot":"","sources":["../../src/ast/taint-tracker.ts"],"names":[],"mappings":"AAmBA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,0CAA0C;IAC1C,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,eAAe,CAAC;KACvB,CAAC;IACF,kDAAkD;IAClD,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,qDAAqD;IACrD,aAAa,EAAE,KAAK,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,WAAW,GACX,eAAe,CAAC;AAEpB,MAAM,MAAM,aAAa,GACrB,gBAAgB,GAChB,cAAc,GACd,WAAW,GACX,KAAK,GACL,gBAAgB,GAChB,UAAU,GACV,UAAU,GACV,iBAAiB,CAAC;AAoPtB;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,CAU7E"}
+{"version":3,"file":"taint-tracker.d.ts","sourceRoot":"","sources":["../../src/ast/taint-tracker.ts"],"names":[],"mappings":"AAmBA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,0CAA0C;IAC1C,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,eAAe,CAAC;KACvB,CAAC;IACF,kDAAkD;IAClD,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,qDAAqD;IACrD,aAAa,EAAE,KAAK,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,WAAW,GACX,eAAe,CAAC;AAEpB,MAAM,MAAM,aAAa,GACrB,gBAAgB,GAChB,cAAc,GACd,WAAW,GACX,KAAK,GACL,gBAAgB,GAChB,UAAU,GACV,UAAU,GACV,iBAAiB,CAAC;AAguBtB;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,CAY7E"}