@oculum/scanner 1.0.12 → 1.0.13

package/src/__tests__/score/route-scoring.test.ts

@@ -0,0 +1,156 @@
+import { ROUTE_RULES } from '../../score/adjustments'
+import type { AdjustmentContext } from '../../score/types'
+import type { Vulnerability } from '../../shared/types'
+
+function makeFinding(overrides: Partial<Vulnerability> = {}): Vulnerability {
+  return {
+    id: 'test-1',
+    filePath: 'src/api/route.ts',
+    lineNumber: 10,
+    lineContent: 'const data = req.body.userId',
+    severity: 'medium',
+    category: 'missing_auth',
+    title: 'Missing authentication',
+    description: 'No auth check',
+    confidence: 'medium',
+    layer: 2,
+    ...overrides,
+  }
+}
+
+function makeContext(overrides: Partial<AdjustmentContext> = {}): AdjustmentContext {
+  return {
+    file: {
+      isTestFile: false,
+      isExampleFile: false,
+      isDocFile: false,
+      isScannerCode: false,
+      isToolingDir: false,
+      isServerOnly: false,
+      isClientBundled: false,
+    },
+    project: { hasAuthMiddleware: false, hasTypeScript: true, orm: null, validationLib: null },
+    lineContent: 'const data = req.body.userId',
+    filePath: 'src/api/route.ts',
+    ...overrides,
+  }
+}
+
+describe('Route Scoring Rules', () => {
+  const findRule = (name: string) => ROUTE_RULES.find(r => r.name === name)!
+
+  describe('no_auth_on_route', () => {
+    const rule = findRule('no_auth_on_route')
+
+    it('fires for auth-related finding without auth on route', () => {
+      const finding = makeFinding({ category: 'missing_auth' })
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(true)
+      expect(rule.delta).toBe(0.15)
+    })
+
+    it('fires for sql_injection without auth', () => {
+      const finding = makeFinding({ category: 'sql_injection' })
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['POST'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('does NOT fire for non-auth categories', () => {
+      const finding = makeFinding({ category: 'high_entropy_string' })
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does NOT fire when route has auth', () => {
+      const finding = makeFinding({ category: 'missing_auth' })
+      const ctx = makeContext({ route: { hasAuth: true, isPublic: false, middleware: ['auth'], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does NOT fire when route is public', () => {
+      const finding = makeFinding({ category: 'missing_auth' })
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: true, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does NOT fire when no route context', () => {
+      const finding = makeFinding({ category: 'missing_auth' })
+      const ctx = makeContext()
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('has_auth_on_route', () => {
+    const rule = findRule('has_auth_on_route')
+
+    it('fires when route has auth middleware', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({ route: { hasAuth: true, isPublic: false, middleware: ['authGuard'], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(true)
+      expect(rule.delta).toBe(-0.15)
+    })
+
+    it('does NOT fire when route has no auth', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('public_route', () => {
+    const rule = findRule('public_route')
+
+    it('fires for missing_auth on public route', () => {
+      const finding = makeFinding({ category: 'missing_auth' })
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: true, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(true)
+      expect(rule.delta).toBe(-0.25)
+    })
+
+    it('does NOT fire for non-missing_auth categories', () => {
+      const finding = makeFinding({ category: 'sql_injection' })
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: true, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('mutation_route', () => {
+    const rule = findRule('mutation_route')
+
+    it('fires for POST routes', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['POST'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(true)
+      expect(rule.delta).toBe(0.05)
+    })
+
+    it('fires for DELETE routes', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['DELETE'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('does NOT fire for GET routes', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('rate_limited_route', () => {
+    const rule = findRule('rate_limited_route')
+
+    it('fires when route has rate limiting', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['GET'], hasRateLimiting: true } })
+      expect(rule.applies(finding, ctx)).toBe(true)
+      expect(rule.delta).toBe(-0.05)
+    })
+
+    it('does NOT fire when no rate limiting', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({ route: { hasAuth: false, isPublic: false, middleware: [], methods: ['GET'], hasRateLimiting: false } })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+})

package/src/__tests__/score/scoring-integration.test.ts

@@ -0,0 +1,165 @@
+/**
+ * Integration tests for the scoring system
+ */
+
+import { scoreFindings, DEPTH_CONFIGS } from '../../score'
+import type { Vulnerability } from '../../shared/types'
+import type { ContextEngineResult } from '../../model/taint-types'
+
+const PROJECT_CONTEXT: ContextEngineResult = {
+  projectContext: {
+    summary: 'Test project',
+    auth: {
+      hasGlobalMiddleware: false,
+      authProvider: null,
+      protectedPaths: [],
+      publicPaths: [],
+      throwingHelpers: [],
+    },
+    dataAccess: {
+      orm: null,
+      hasRLS: false,
+    },
+    frameworks: {
+      primary: null,
+      usesTypeScript: true,
+    },
+    secrets: {
+      hasEnvConfig: false,
+      secretPatterns: [],
+    },
+  } as any,
+  fileTaintAnalyses: new Map(),
+}
+
+function makeFinding(overrides: Partial<Vulnerability> = {}): Vulnerability {
+  return {
+    id: 'test-1',
+    filePath: 'src/app.ts',
+    lineNumber: 10,
+    lineContent: 'const x = 1',
+    severity: 'medium',
+    category: 'hardcoded_secret',
+    title: 'Test finding',
+    description: 'Test',
+    confidence: 'medium',
+    layer: 1,
+    baseConfidence: 0.50,
+    ...overrides,
+  }
+}
+
+describe('scoreFindings', () => {
+  it('scores a batch of findings', () => {
+    const findings: Vulnerability[] = [
+      makeFinding({ id: 'f1', baseConfidence: 0.70, category: 'hardcoded_secret' }),
+      makeFinding({ id: 'f2', baseConfidence: 0.30, category: 'high_entropy_string' }),
+      makeFinding({ id: 'f3', baseConfidence: 0.15, category: 'ai_pattern' }),
+    ]
+
+    const { scored } = scoreFindings(findings, 'verified', PROJECT_CONTEXT)
+
+    expect(scored).toHaveLength(3)
+    // Each finding has a confidence_score
+    for (const s of scored) {
+      expect(s.confidence_score).toBeDefined()
+      expect(s.confidence_score.score).toBeGreaterThanOrEqual(0)
+      expect(s.confidence_score.score).toBeLessThanOrEqual(1)
+      expect(['surface', 'validate', 'suppress']).toContain(s.confidence_score.routing)
+    }
+  })
+
+  it('all findings get valid confidence_score', () => {
+    const findings: Vulnerability[] = [
+      makeFinding({ id: 'f1' }),
+      makeFinding({ id: 'f2', baseConfidence: undefined }),
+    ]
+
+    const { scored } = scoreFindings(findings, 'verified', PROJECT_CONTEXT)
+
+    expect(scored[0].confidence_score.base).toBe(0.50)
+    expect(scored[1].confidence_score.base).toBe(0.35) // default
+  })
+
+  it('test file findings get negative adjustments', () => {
+    const findings: Vulnerability[] = [
+      makeFinding({
+        id: 'f1',
+        baseConfidence: 0.50,
+        filePath: 'src/__tests__/auth.test.ts',
+      }),
+    ]
+
+    const { scored } = scoreFindings(findings, 'verified', PROJECT_CONTEXT)
+
+    expect(scored[0].confidence_score.adjustments.length).toBeGreaterThan(0)
+    expect(scored[0].confidence_score.score).toBeLessThan(0.50)
+    // test_file rule gives -0.35, so 0.50 - 0.35 = 0.15 (may also get scanner_code)
+    const testFileAdj = scored[0].confidence_score.adjustments.find(a => a.factor === 'test_file')
+    expect(testFileAdj).toBeDefined()
+    expect(testFileAdj!.delta).toBe(-0.35)
+  })
+
+  it('experimental-equivalent detectors route to suppress', () => {
+    const findings: Vulnerability[] = [
+      makeFinding({ id: 'f1', baseConfidence: 0.15, category: 'ai_pattern' }),
+      makeFinding({ id: 'f2', baseConfidence: 0.10, category: 'security_bypass' }),
+    ]
+
+    const { scored } = scoreFindings(findings, 'verified', PROJECT_CONTEXT)
+
+    // 0.15 < validateThreshold(0.20) → suppress
+    expect(scored[0].confidence_score.routing).toBe('suppress')
+    // 0.10 < validateThreshold(0.20) → suppress
+    expect(scored[1].confidence_score.routing).toBe('suppress')
+  })
+
+  it('high-confidence findings route to surface', () => {
+    const findings: Vulnerability[] = [
+      makeFinding({ id: 'f1', baseConfidence: 0.70, category: 'hardcoded_secret' }),
+    ]
+
+    const { scored } = scoreFindings(findings, 'verified', PROJECT_CONTEXT)
+    expect(scored[0].confidence_score.routing).toBe('surface')
+  })
+
+  it('medium-confidence findings route to validate in verified depth', () => {
+    const findings: Vulnerability[] = [
+      makeFinding({ id: 'f1', baseConfidence: 0.50, category: 'config_audit' }),
+    ]
+
+    const { scored } = scoreFindings(findings, 'verified', PROJECT_CONTEXT)
+    expect(scored[0].confidence_score.routing).toBe('validate')
+  })
+
+  it('local depth only surfaces high-confidence findings', () => {
+    const findings: Vulnerability[] = [
+      makeFinding({ id: 'f1', baseConfidence: 0.70 }),
+      makeFinding({ id: 'f2', baseConfidence: 0.50 }),
+      makeFinding({ id: 'f3', baseConfidence: 0.20 }),
+    ]
+
+    const { scored } = scoreFindings(findings, 'local', PROJECT_CONTEXT)
+
+    expect(scored[0].confidence_score.routing).toBe('surface')
+    expect(scored[1].confidence_score.routing).toBe('suppress') // No AI in local
+    expect(scored[2].confidence_score.routing).toBe('suppress')
+  })
+})
+
+describe('DEPTH_CONFIGS', () => {
+  it('local has AI disabled', () => {
+    expect(DEPTH_CONFIGS.local.aiEnabled).toBe(false)
+    expect(DEPTH_CONFIGS.local.surfaceThreshold).toBe(0.70)
+  })
+
+  it('verified has AI enabled', () => {
+    expect(DEPTH_CONFIGS.verified.aiEnabled).toBe(true)
+    expect(DEPTH_CONFIGS.verified.validateThreshold).toBe(0.20)
+  })
+
+  it('deep has lowest validate threshold', () => {
+    expect(DEPTH_CONFIGS.deep.aiEnabled).toBe(true)
+    expect(DEPTH_CONFIGS.deep.validateThreshold).toBe(0.10)
+  })
+})

package/src/__tests__/score/taint-adjustments.test.ts

@@ -0,0 +1,244 @@
+/**
+ * Tests for taint adjustment rules in the confidence scoring system.
+ */
+
+import { TAINT_RULES } from '../../score/adjustments'
+import type { AdjustmentContext } from '../../score/types'
+import type { Vulnerability } from '../../shared/types'
+
+function makeFinding(overrides: Partial<Vulnerability> = {}): Vulnerability {
+  return {
+    id: 'test-1',
+    filePath: 'src/app.ts',
+    lineNumber: 10,
+    lineContent: 'db.query(userInput)',
+    severity: 'medium',
+    category: 'dangerous_function',
+    title: 'Test finding',
+    description: 'Test',
+    confidence: 'medium',
+    layer: 2,
+    baseConfidence: 0.50,
+    ...overrides,
+  }
+}
+
+function makeContext(overrides: Partial<AdjustmentContext> = {}): AdjustmentContext {
+  return {
+    file: {
+      isTestFile: false,
+      isExampleFile: false,
+      isDocFile: false,
+      isScannerCode: false,
+      isToolingDir: false,
+      isServerOnly: false,
+      isClientBundled: false,
+    },
+    project: {
+      hasAuthMiddleware: false,
+      hasTypeScript: true,
+      orm: null,
+      validationLib: null,
+    },
+    lineContent: 'db.query(userInput)',
+    filePath: 'src/app.ts',
+    ...overrides,
+  }
+}
+
+function findRule(name: string) {
+  return TAINT_RULES.find(r => r.name === name)
+}
+
+describe('Taint Adjustment Rules', () => {
+  it('has exactly 4 rules', () => {
+    expect(TAINT_RULES).toHaveLength(4)
+  })
+
+  describe('confirmed_taint_unsanitised', () => {
+    const rule = findRule('confirmed_taint_unsanitised')!
+
+    it('exists with correct delta', () => {
+      expect(rule).toBeDefined()
+      expect(rule.delta).toBe(0.35)
+      expect(rule.source).toBe('taint')
+    })
+
+    it('applies when taint is confirmed, unsanitised, and not low confidence', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: false, confidence: 'high' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('applies with medium confidence', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: false, confidence: 'medium' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('does not apply when sanitised', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: true, confidence: 'high' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does not apply with low confidence', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['cli_args'], sinkType: 'sql_query', sanitised: false, confidence: 'low' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does not apply when taint is undefined', () => {
+      const finding = makeFinding()
+      const ctx = makeContext()
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('confirmed_taint_sanitised', () => {
+    const rule = findRule('confirmed_taint_sanitised')!
+
+    it('exists with correct delta', () => {
+      expect(rule).toBeDefined()
+      expect(rule.delta).toBe(0.15)
+    })
+
+    it('applies when taint is confirmed and sanitised', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: true, confidence: 'high' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('does not apply when not sanitised', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: false, confidence: 'high' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('no_taint_path', () => {
+    const rule = findRule('no_taint_path')!
+
+    it('exists with correct delta', () => {
+      expect(rule).toBeDefined()
+      expect(rule.delta).toBe(-0.10)
+    })
+
+    it('applies for sink-relevant categories when taint is not confirmed', () => {
+      const finding = makeFinding({ category: 'dangerous_function' })
+      const ctx = makeContext({
+        taint: { confirmed: false, sources: [], sinkType: null, sanitised: false, confidence: null },
+      })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('applies for sql_injection category', () => {
+      const finding = makeFinding({ category: 'sql_injection' })
+      const ctx = makeContext({
+        taint: { confirmed: false, sources: [], sinkType: null, sanitised: false, confidence: null },
+      })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('applies for xss category', () => {
+      const finding = makeFinding({ category: 'xss' })
+      const ctx = makeContext({
+        taint: { confirmed: false, sources: [], sinkType: null, sanitised: false, confidence: null },
+      })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('does not apply for non-sink categories', () => {
+      const finding = makeFinding({ category: 'hardcoded_secret' })
+      const ctx = makeContext({
+        taint: { confirmed: false, sources: [], sinkType: null, sanitised: false, confidence: null },
+      })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does not apply when taint is confirmed', () => {
+      const finding = makeFinding({ category: 'dangerous_function' })
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: false, confidence: 'high' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does not apply when taint is undefined (unanalyzed file)', () => {
+      const finding = makeFinding({ category: 'dangerous_function' })
+      const ctx = makeContext()
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('low_confidence_taint', () => {
+    const rule = findRule('low_confidence_taint')!
+
+    it('exists with correct delta', () => {
+      expect(rule).toBeDefined()
+      expect(rule.delta).toBe(0.10)
+    })
+
+    it('applies for confirmed, unsanitised, low-confidence taint', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['cli_args'], sinkType: 'sql_query', sanitised: false, confidence: 'low' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(true)
+    })
+
+    it('does not apply for high confidence', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: false, confidence: 'high' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+
+    it('does not apply when sanitised', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['cli_args'], sinkType: 'sql_query', sanitised: true, confidence: 'low' },
+      })
+      expect(rule.applies(finding, ctx)).toBe(false)
+    })
+  })
+
+  describe('Rule mutual exclusivity', () => {
+    it('confirmed_taint_unsanitised and low_confidence_taint do not both apply for high confidence', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['http_body'], sinkType: 'sql_query', sanitised: false, confidence: 'high' },
+      })
+      const unsanitised = findRule('confirmed_taint_unsanitised')!
+      const lowConf = findRule('low_confidence_taint')!
+
+      expect(unsanitised.applies(finding, ctx)).toBe(true)
+      expect(lowConf.applies(finding, ctx)).toBe(false)
+    })
+
+    it('only low_confidence_taint applies for low confidence unsanitised', () => {
+      const finding = makeFinding()
+      const ctx = makeContext({
+        taint: { confirmed: true, sources: ['cli_args'], sinkType: 'sql_query', sanitised: false, confidence: 'low' },
+      })
+      const unsanitised = findRule('confirmed_taint_unsanitised')!
+      const lowConf = findRule('low_confidence_taint')!
+
+      expect(unsanitised.applies(finding, ctx)).toBe(false)
+      expect(lowConf.applies(finding, ctx)).toBe(true)
+    })
+  })
+})

package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap

@@ -475,43 +475,35 @@ Object {
 
 exports[`Refactor Safety - anthropic.ts Auto-Dismiss Rules Info severity auto-dismiss (core tier only) should auto-dismiss info severity for core tier findings 1`] = `
 Object {
-  "dismissed": Array [
+  "dismissed": Array [],
+  "toValidate": Array [
     Object {
-      "finding": Object {
-        "category": "dangerous_function",
-        "confidence": "high",
-        "description": "Test description",
-        "filePath": "src/handler.ts",
-        "id": "test-finding-1",
-        "layer": 2,
-        "lineContent": "const x = 1;",
-        "lineNumber": 10,
-        "severity": "info",
-        "suggestedFix": "Fix it",
-        "title": "Test Finding",
-      },
-      "reason": "Already info severity for core detector (low priority)",
-      "rule": "info_severity_core_only",
+      "category": "dangerous_function",
+      "confidence": "high",
+      "description": "Test description",
+      "filePath": "src/handler.ts",
+      "id": "test-finding-1",
+      "layer": 2,
+      "lineContent": "const x = 1;",
+      "lineNumber": 10,
+      "severity": "info",
+      "suggestedFix": "Fix it",
+      "title": "Test Finding",
     },
     Object {
-      "finding": Object {
-        "category": "hardcoded_secret",
-        "confidence": "high",
-        "description": "Test description",
-        "filePath": "src/handler.ts",
-        "id": "test-finding-1",
-        "layer": 1,
-        "lineContent": "const x = 1;",
-        "lineNumber": 10,
-        "severity": "info",
-        "suggestedFix": "Fix it",
-        "title": "Test Finding",
-      },
-      "reason": "Already info severity for core detector (low priority)",
-      "rule": "info_severity_core_only",
+      "category": "hardcoded_secret",
+      "confidence": "high",
+      "description": "Test description",
+      "filePath": "src/handler.ts",
+      "id": "test-finding-1",
+      "layer": 1,
+      "lineContent": "const x = 1;",
+      "lineNumber": 10,
+      "severity": "info",
+      "suggestedFix": "Fix it",
+      "title": "Test Finding",
     },
   ],
-  "toValidate": Array [],
 }
 `;
 
@@ -552,23 +544,6 @@ Object {
       "reason": "Uses environment variable (not hardcoded)",
       "rule": "env_var_reference",
     },
-    Object {
-      "finding": Object {
-        "category": "dangerous_function",
-        "confidence": "high",
-        "description": "Test description",
-        "filePath": "src/util.ts",
-        "id": "5",
-        "layer": 2,
-        "lineContent": "const x = 1;",
-        "lineNumber": 10,
-        "severity": "info",
-        "suggestedFix": "Fix it",
-        "title": "Test Finding",
-      },
-      "reason": "Already info severity for core detector (low priority)",
-      "rule": "info_severity_core_only",
-    },
   ],
   "toValidate": Array [
     Object {
@@ -597,6 +572,19 @@ Object {
       "suggestedFix": "Fix it",
       "title": "Test Finding",
     },
+    Object {
+      "category": "dangerous_function",
+      "confidence": "high",
+      "description": "Test description",
+      "filePath": "src/util.ts",
+      "id": "5",
+      "layer": 2,
+      "lineContent": "const x = 1;",
+      "lineNumber": 10,
+      "severity": "info",
+      "suggestedFix": "Fix it",
+      "title": "Test Finding",
+    },
   ],
 }
 `;