npm - @runsec/mcp - Versions diffs - 1.0.83 → 1.0.85 - Mend

@runsec/mcp 1.0.83 → 1.0.85

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +155 -34
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -1239,7 +1239,6 @@ function applyCognitivePipeline(workspaceRoot, findings) {
       (f) => f.suppressed || isNuclearSuppressedFinding(f) || !f.primary_log_eligible
     )
   ).concat(duplicates);
-  const allScored = [...primary, ...suppressed];
   console.error(
     `[runsec] cognitive: raw=${findings.length} nuclear=${nuclearSuppressed.length} primary=${primary.length} suppressed=${suppressed.length}`
   );
@@ -1249,7 +1248,7 @@ function applyCognitivePipeline(workspaceRoot, findings) {
     summary: {
       version: "v1.0",
       primary_log_threshold: PRIMARY_LOG_THRESHOLD,
-      findings_total: allScored.length,
+      findings_total: findings.length,
       findings_primary: primary.length,
       findings_suppressed: suppressed.length,
       false_positive_filtering: true
@@ -1871,14 +1870,6 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
     const rawSecret = String(raw.Raw ?? "").trim();
     const display = redacted || rawSecret || "[secret redacted]";
     const description = `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`;
-    if (!isTrufflehogVerified(verified, description)) {
-      const blob = `${display} ${rawSecret} ${description}`;
-      if (isLockfileOrModulesPath(rel) || isStaticLayoutDumpPath(rel)) continue;
-      if (hasEnvironmentInterpolation(blob)) continue;
-      if (blobHasDevDatabaseSecret(blob)) continue;
-      if (isHexChecksumBlob(display) || isHexChecksumBlob(rawSecret)) continue;
-      if (isUnverifiedTrufflehogNoiseDetector(detector)) continue;
-    }
     const severity = severityForSecret(detector, verified);
     findings.push({
       category: "secrets",
@@ -3294,7 +3285,8 @@ function buildAuditReportMetrics(result) {
     raw_engines: result.raw_engines,
     cwe_counts: cweCounts,
     verdict: result.verdict,
-    cognitive: result.cognitive
+    cognitive: result.cognitive,
+    findings_suppressed: result.findings_suppressed
   };
 }
 async function executeAudit(toolName, args) {
@@ -3543,6 +3535,67 @@ function countFindingsByTechStack(findings) {
   }
   return Array.from(counts.entries()).map(([tag, count]) => ({ tag, count })).sort((a, b) => b.count - a.count || a.tag.localeCompare(b.tag));
 }
+function suppressionReasonLabel(finding) {
+  const reason = String(finding.suppression_reason ?? "").trim();
+  if (reason) return reason;
+  const conf = finding.confidence_score;
+  if (typeof conf === "number" && conf <= 0.01) return "nuclear_hard_drop";
+  if (typeof conf === "number" && conf < 0.8) return "cognitive_below_threshold";
+  return "cognitive_suppressed";
+}
+function renderSuppressedFindingsSection(suppressed) {
+  const out = [];
+  if (suppressed.length === 0) return out;
+  const byReason = /* @__PURE__ */ new Map();
+  for (const row of suppressed) {
+    const key = suppressionReasonLabel(row);
+    const bucket = byReason.get(key);
+    if (bucket) bucket.push(row);
+    else byReason.set(key, [row]);
+  }
+  out.push("---");
+  out.push(`## Appendix: Cognitively suppressed findings (${suppressed.length})`);
+  out.push("");
+  out.push(
+    "These TruffleHog/Semgrep hits were processed by the cognitive engine and scored below the primary report threshold (0.8). They do **not** change `X-RunSec-Verdict`."
+  );
+  out.push("");
+  out.push("| Suppression reason | Count |");
+  out.push("|---|---:|");
+  const sortedReasons = Array.from(byReason.entries()).sort((a, b) => b[1].length - a[1].length);
+  for (const [reason, rows] of sortedReasons) {
+    out.push(`| \`${safeText(reason)}\` | ${rows.length} |`);
+  }
+  const maxFilesPerReason = 40;
+  for (const [reason, rows] of sortedReasons) {
+    out.push("");
+    out.push(`### ${safeText(reason)} (${rows.length})`);
+    out.push("");
+    out.push("**Affected files:**");
+    const locations = [
+      ...new Set(
+        rows.map((row) => `${String(row.file_path || "unknown")}:${Number(row.line ?? 0)}`)
+      )
+    ].sort();
+    for (const loc of locations.slice(0, maxFilesPerReason)) {
+      out.push(`- \`${safeText(loc)}\``);
+    }
+    if (locations.length > maxFilesPerReason) {
+      out.push(`- _+${locations.length - maxFilesPerReason} additional locations omitted._`);
+    }
+    const sample = rows.find((r) => String(r.snippet ?? r.match_text ?? "").trim());
+    const sampleText = String(sample?.snippet ?? sample?.match_text ?? "").trim();
+    if (sampleText) {
+      out.push("");
+      out.push("**Example snippet:**");
+      out.push("");
+      out.push("```text");
+      out.push(safeText(sampleText.slice(0, 400)));
+      out.push("```");
+    }
+  }
+  return out;
+}
 function renderTechStackSummary(findings) {
   const rows = countFindingsByTechStack(findings);
   const out = [];
@@ -3751,11 +3804,18 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   out.push(
     `- **Code Vulnerabilities:** ${byCategory.code.length} | **Exposed Secrets:** ${executiveCategoryLabel("secrets", byCategory.secrets.length, es)} | **Vulnerable Dependencies:** ${executiveCategoryLabel("dependencies", byCategory.dependencies.length, es)}`
   );
+  const suppressedRows = Array.isArray(metrics.findings_suppressed) ? metrics.findings_suppressed : [];
+  const rawSecrets = es?.trufflehog?.finding_count ?? metrics.cognitive?.findings_total ?? 0;
   out.push(
-    `- **Primary findings (cognitive-filtered):** ${findings.length} | **Suppressed (.runsecignore):** ${Number(metrics.suppressed_fp_count || 0)} | **Suppressed (cognitive):** ${Number(metrics.cognitive_suppressed_count || 0)}`
+    `- **Primary findings (cognitive-filtered):** ${findings.length} | **Suppressed (.runsecignore):** ${Number(metrics.suppressed_fp_count || 0)} | **Suppressed (cognitive):** ${Number(metrics.cognitive_suppressed_count ?? suppressedRows.length)}`
   );
+  if (Number(rawSecrets) > 0 && findings.length === 0 && suppressedRows.length > 0) {
+    out.push(
+      `- **Raw TruffleHog hits:** ${rawSecrets} \u2014 see **Appendix: Cognitively suppressed findings** below.`
+    );
+  }
   out.push("");
-  out.push(...renderTechStackSummary(findings));
+  out.push(...renderTechStackSummary([...findings, ...suppressedRows]));
   out.push("");
   let sectionNum = 1;
   for (const category of CATEGORY_ORDER) {
@@ -3768,6 +3828,7 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
     out.push(...renderFindingRows(rows));
     sectionNum += 1;
   }
+  out.push(...renderSuppressedFindingsSection(suppressedRows));
   out.push("---");
   out.push("<details><summary>Telemetry (machine)</summary>\n");
   out.push("```json");
@@ -6067,6 +6128,17 @@ function buildHubComplianceBlock(result) {
 // src/telemetryClient.ts
 var HUB_UPLOAD_TIMEOUT_MS = 12e4;
+var HUB_UPLOAD_MAX_RETRIES = 4;
+var HUB_HTTPS_AGENT = new import_node_https.default.Agent({ keepAlive: true, maxSockets: 4, timeout: HUB_UPLOAD_TIMEOUT_MS });
+function sleepMs(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isRetryableHubNetworkError(error) {
+  const code = networkErrorCode(error);
+  const message = error instanceof Error ? error.message : String(error);
+  const blob = `${code} ${message}`;
+  return /ECONNRESET|ECONNREFUSED|ETIMEDOUT|EPIPE|ENOTFOUND|ECONNABORTED|socket hang up|network/i.test(blob);
+}
 function hubAuthHeaders(apiKey) {
   return {
     Authorization: `Bearer ${apiKey}`,
@@ -6121,11 +6193,47 @@ function formatHubSyncErrorMessage(error, targetUrl, response, responseBody) {
   if (responseBody?.trim()) {
     message += `. Body: ${responseBody.trim().slice(0, 300)}`;
   }
-  if (status === "n/a" && /fetch failed|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
-    message += ". Hint: set RUNSEC_HUB_URL to your production Hub origin (same value as NEXT_PUBLIC_APP_URL on the Hub server).";
+  if (status === "n/a" && /fetch failed|ECONNRESET|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
+    message += ". Hint: check network/VPN/firewall, retry the scan, or set RUNSEC_HUB_URL to your Hub origin (NEXT_PUBLIC_APP_URL).";
   }
   return message;
 }
+function slimFindingForHubUpload(finding) {
+  return {
+    category: finding.category,
+    rule_id: finding.rule_id,
+    severity: finding.severity,
+    file_path: finding.file_path,
+    line: finding.line,
+    detector_name: finding.detector_name,
+    description: finding.description?.slice(0, 240),
+    match_text: finding.match_text?.slice(0, 120),
+    confidence_score: finding.confidence_score,
+    suppressed: finding.suppressed,
+    suppression_reason: finding.suppression_reason
+  };
+}
+function slimRunsecJsonForHubUpload(result, reportMetrics, workspacePath, verdict, metrics, compliance, complianceASVS) {
+  return {
+    source: "runsec_mcp",
+    standard: result.standard,
+    workspace_path: workspacePath,
+    verdict,
+    metrics,
+    compliance,
+    complianceASVS,
+    report_metrics: reportMetrics,
+    findings: result.findings.map(slimFindingForHubUpload),
+    findings_suppressed: result.findings_suppressed.map(slimFindingForHubUpload),
+    duration_ms: result.duration_ms,
+    findings_count: result.findings_count,
+    cognitive_suppressed_count: result.cognitive_suppressed_count,
+    engines: result.engines,
+    engine_summary: result.engine_summary,
+    cognitive: result.cognitive,
+    verdict_detail: result.verdict
+  };
+}
 function logHubSyncFailure(message, error, targetUrl) {
   if (error != null && targetUrl) {
     dumpHubNetworkError(error, targetUrl);
@@ -6155,7 +6263,8 @@ function postHubUploadNodeHttp(url, apiKey, payload) {
         path: `${parsed.pathname}${parsed.search}`,
         method: "POST",
         headers,
-        timeout: HUB_UPLOAD_TIMEOUT_MS
+        timeout: HUB_UPLOAD_TIMEOUT_MS,
+        agent: lib === import_node_https.default ? HUB_HTTPS_AGENT : void 0
       },
       (res) => {
         const chunks = [];
@@ -6183,11 +6292,12 @@ function postHubUploadNodeHttp(url, apiKey, payload) {
   });
 }
 function preferNodeHttpUpload() {
-  if (process.platform === "win32") return true;
+  if (process.env.VITEST === "true" || process.env.RUNSEC_HUB_USE_FETCH === "1") return false;
   if (process.env.RUNSEC_HUB_USE_NODE_HTTP === "1") return true;
+  if (process.platform === "win32") return true;
   return false;
 }
-async function postHubUpload(url, apiKey, payload) {
+async function postHubUploadOnce(url, apiKey, payload) {
   if (preferNodeHttpUpload()) {
     return postHubUploadNodeHttp(url, apiKey, payload);
   }
@@ -6204,6 +6314,25 @@ async function postHubUpload(url, apiKey, payload) {
     return postHubUploadNodeHttp(url, apiKey, payload);
   }
 }
+async function postHubUpload(url, apiKey, payload) {
+  let lastError = new Error("Hub upload failed");
+  for (let attempt = 0; attempt < HUB_UPLOAD_MAX_RETRIES; attempt++) {
+    try {
+      return await postHubUploadOnce(url, apiKey, payload);
+    } catch (error) {
+      lastError = error;
+      if (attempt >= HUB_UPLOAD_MAX_RETRIES - 1 || !isRetryableHubNetworkError(error)) {
+        throw error;
+      }
+      const delayMs = 1e3 * 2 ** attempt;
+      console.error(
+        `[runsec] Hub upload retry ${attempt + 2}/${HUB_UPLOAD_MAX_RETRIES} in ${delayMs}ms (${networkErrorCode(error) || "network"})`
+      );
+      await sleepMs(delayMs);
+    }
+  }
+  throw lastError;
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {
@@ -6227,24 +6356,15 @@ function buildHubUploadPayload(result, reportMetrics, workspacePath, projectId)
   const metrics = countSeverityMetrics(result.findings);
   const verdict = resolveScanVerdict(result);
   const { compliance, complianceASVS } = buildHubComplianceBlock(result);
-  const runsecJson = {
-    source: "runsec_mcp",
-    standard: result.standard,
-    workspace_path: workspacePath,
+  const runsecJson = slimRunsecJsonForHubUpload(
+    result,
+    reportMetrics,
+    workspacePath,
     verdict,
     metrics,
     compliance,
-    complianceASVS,
-    audit: result,
-    report_metrics: reportMetrics,
-    findings: result.findings,
-    findings_suppressed: result.findings_suppressed,
-    duration_ms: result.duration_ms,
-    findings_count: result.findings_count,
-    engines: result.engines,
-    engine_summary: result.engine_summary,
-    cognitive: result.cognitive
-  };
+    complianceASVS
+  );
   const resolvedProjectId = projectId?.trim() || process.env.RUNSEC_PROJECT_ID?.trim() || void 0;
   return {
     projectId: resolvedProjectId,
@@ -6260,7 +6380,8 @@ async function uploadScanResultsToHub(payload, apiKey) {
     return { success: false, message: "Sync failed: API key missing" };
   }
   const url = resolveHubUploadUrl();
-  console.error(`[runsec] Hub telemetry upload \u2192 ${url}`);
+  const payloadBytes = Buffer.byteLength(JSON.stringify(payload), "utf8");
+  console.error(`[runsec] Hub telemetry upload \u2192 ${url} (${payloadBytes} bytes)`);
   const attemptUpload = async (targetUrl) => {
     const errors = [];
     const urls = [targetUrl];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.83",
+  "version": "1.0.85",
   "main": "dist/index.js",
   "files": [
     "package.json",