npm - @runsec/mcp - Versions diffs - 1.0.73 → 1.0.75 - Mend

@runsec/mcp 1.0.73 → 1.0.75

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/data/trufflehog-config.yaml +1 -1
package/dist/index.js +54 -7
package/package.json +1 -1

package/dist/data/trufflehog-config.yaml CHANGED Viewed

@@ -353,7 +353,7 @@ detectors:
       - email
       - e-mail
     regex:
-      pattern: '(?i)(?:email|e-mail)\s*[:=]\s*[\x27"]?(?!.*@(example\.(com|org|net)|test\.|mock\.|localhost|invalid|\.test|\.example|noreply\.|no-reply\.|fixture\.|sample\.|dummy\.|placeholder\.))[a-z0-9._%+-]+@[a-z0-9][a-z0-9.-]*\.[a-z]{2,}[\x27"]?'
+      pattern: '(?i)(?:email|e-mail)\s*[:=]\s*[\x27"]?[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}[\x27"]?'
   - name: PII Phone RU
     keywords:

package/dist/index.js CHANGED Viewed

@@ -413,7 +413,8 @@ var import_node_fs3 = __toESM(require("fs"));
 var import_node_path3 = __toESM(require("path"));
 // src/engine/secretHeuristics.ts
-var ENV_INTERP_RE = /\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\(|environ\[/i;
+var STRICT_ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\(|environ\[)/i;
+var ENV_INTERP_RE = STRICT_ENV_INTERP_RE;
 var LOCKFILE_BASENAMES = /^(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|cargo\.lock|composer\.lock|gemfile\.lock)$/i;
 function hasEnvironmentInterpolation(text) {
   return ENV_INTERP_RE.test(text);
@@ -431,8 +432,37 @@ function isLockfileOrModulesPath(relPath) {
 function isTrufflehogVerified(verifiedFlag, description) {
   return verifiedFlag || /\(verified\)/i.test(description);
 }
+function isStaticLayoutDumpPath(relPath) {
+  const normalized = relPath.replace(/\\/g, "/").toLowerCase();
+  const base = normalized.split("/").pop() ?? normalized;
+  if (base.endsWith(".storyboard") || base.endsWith(".xib") || base.endsWith(".docx")) return true;
+  if (base.endsWith(".lock") || /\.lock$/i.test(base)) return true;
+  return false;
+}
+function matchTextHasStrictEnvInterpolation(matchText, snippet) {
+  const m = (matchText ?? "").trim();
+  const s = (snippet ?? "").trim();
+  if (m && STRICT_ENV_INTERP_RE.test(m)) return true;
+  if (s && STRICT_ENV_INTERP_RE.test(s)) return true;
+  return false;
+}
 // src/engine/cognitiveEngine.ts
+var ABSOLUTE_ENV_INTERP_CAP = 0.05;
+var ABSOLUTE_STATIC_DUMP_CAP = 0.01;
+function resolveAbsoluteSuppression(finding, relPath) {
+  if (matchTextHasStrictEnvInterpolation(finding.match_text ?? "", finding.snippet ?? "")) {
+    return { cap: ABSOLUTE_ENV_INTERP_CAP, reason: "environment_variable_interpolation" };
+  }
+  const verified = isTrufflehogVerified(
+    /\(verified\)/i.test(finding.description) || /\(verified\)/i.test(finding.match_text ?? ""),
+    finding.description
+  );
+  if (!verified && isStaticLayoutDumpPath(relPath)) {
+    return { cap: ABSOLUTE_STATIC_DUMP_CAP, reason: "static_layout_or_lockfile_unverified" };
+  }
+  return null;
+}
 var PRIMARY_LOG_THRESHOLD = 0.8;
 var CONFIDENCE_THRESHOLD = PRIMARY_LOG_THRESHOLD;
 var ELITE_LOW_CONFIDENCE_CAP = 0.28;
@@ -823,6 +853,10 @@ function attackPathConcrete(finding, confidence, eliteHard, allReasons, snippet)
   return confidence >= PRIMARY_LOG_THRESHOLD;
 }
 function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot) {
+  const absolute = resolveAbsoluteSuppression(finding, relPath);
+  if (absolute) {
+    return [absolute.cap, [absolute.reason]];
+  }
   const reasons = [];
   let score = category === "secrets" ? 0.9 : category === "dependencies" ? 0.78 : 0.82;
   const title = finding.description;
@@ -842,8 +876,8 @@ function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot)
     if (isUnverifiedTrufflehogSecret(finding)) {
       const secretBlob = `${finding.match_text} ${finding.snippet ?? ""}`;
       if (hasEnvironmentInterpolation(secretBlob)) {
-        score = Math.min(score, 0.15);
-        reasons.push("environment_interpolation_placeholder");
+        score = Math.min(score, ABSOLUTE_ENV_INTERP_CAP);
+        reasons.push("environment_variable_interpolation");
       }
       if (isLockfileOrModulesPath(relPath)) {
         score = Math.min(score, 0.1);
@@ -923,6 +957,7 @@ function downgradeSeverity(severity, cap) {
 function enrichAuditFinding(repoRoot, finding, opts) {
   const applyFp = opts?.applyFalsePositiveFilter ?? !isCalibrationTestbedPath(finding.file_path);
   const relPath = finding.file_path.replace(/\\/g, "/");
+  const absoluteSuppress = resolveAbsoluteSuppression(finding, relPath);
   const phase1 = phase1ContextResearch(repoRoot, relPath);
   let [conf, reasons] = baseConfidenceForFinding(finding, phase1, relPath, finding.category, repoRoot);
   const [boost, boostReason] = comparativeAnalysisBoost(repoRoot, relPath, applyFp);
@@ -947,11 +982,18 @@ function enrichAuditFinding(repoRoot, finding, opts) {
       }
     }
   }
-  conf = Math.max(0.05, Math.min(1, conf));
+  if (absoluteSuppress) {
+    conf = Math.min(conf, absoluteSuppress.cap);
+    if (!reasons.includes(absoluteSuppress.reason)) {
+      reasons.push(absoluteSuppress.reason);
+    }
+  } else {
+    conf = Math.max(0.05, Math.min(1, conf));
+  }
   const snippetL = snippetLower(finding);
   const attackConcrete = attackPathConcrete(finding, conf, eliteHard, reasons, snippetL);
   const critique = selfCritique(finding, conf, phase1);
-  const primaryOk = conf >= PRIMARY_LOG_THRESHOLD && !hardExcludeFromPrimaryLog(relPath, finding.description, conf, eliteHard);
+  const primaryOk = !absoluteSuppress && conf >= PRIMARY_LOG_THRESHOLD && !hardExcludeFromPrimaryLog(relPath, finding.description, conf, eliteHard);
   let severity = finding.severity;
   const originalSeverity = finding.original_severity ?? finding.severity;
   if (reasons.includes("phase1_protection_lib_present") && conf <= 0.25) {
@@ -959,6 +1001,7 @@ function enrichAuditFinding(repoRoot, finding, opts) {
   } else if (!primaryOk && conf < PRIMARY_LOG_THRESHOLD) {
     severity = downgradeSeverity(severity, critique.suggested_severity_cap);
   }
+  const forceSuppressed = Boolean(absoluteSuppress);
   return {
     ...finding,
     severity,
@@ -966,6 +1009,10 @@ function enrichAuditFinding(repoRoot, finding, opts) {
     confidence_score: Math.round(conf * 1e3) / 1e3,
     confidence_reasons: reasons,
     primary_log_eligible: primaryOk,
+    ...forceSuppressed ? {
+      suppressed: true,
+      suppression_reason: absoluteSuppress.reason
+    } : {},
     attack_path_concrete: attackConcrete,
     cognitive: {
       phase1_context_research: phase1,
@@ -1063,8 +1110,8 @@ function buildVerdict(primaryFindings) {
 function applyCognitivePipeline(workspaceRoot, findings) {
   const enriched = findings.map((f) => enrichAuditFinding(workspaceRoot, f));
   const { kept, duplicates } = deduplicateSameLineFindings(enriched);
-  const primary = kept.filter((f) => f.primary_log_eligible);
-  const suppressed = kept.filter((f) => !f.primary_log_eligible).concat(duplicates);
+  const primary = kept.filter((f) => f.primary_log_eligible && !f.suppressed);
+  const suppressed = kept.filter((f) => !f.primary_log_eligible || f.suppressed).concat(duplicates);
   return {
     primary,
     suppressed,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.73",
+  "version": "1.0.75",
   "main": "dist/index.js",
   "files": [
     "dist",