@shakecodeslikecray/whiterose 1.0.7 → 1.0.9

package/dist/cli/index.js

@@ -307,14 +307,24 @@ var ClaudeCodeExecutor = class {
   }
   async runPrompt(prompt, options) {
     const claudeCommand = getProviderCommand("claude-code");
+    if (process.env.WHITEROSE_DEBUG) {
+      console.log("\n[DEBUG] Running Claude Code command:", claudeCommand);
+      console.log("[DEBUG] Prompt length:", prompt.length);
+      console.log("[DEBUG] CWD:", options.cwd);
+      console.log("[DEBUG] First 500 chars of prompt:");
+      console.log(prompt.substring(0, 500));
+    }
     try {
       const { stdout, stderr } = await execa(
         claudeCommand,
         [
           "-p",
           prompt,
-          "--dangerously-skip-permissions"
+          "--dangerously-skip-permissions",
           // Allow file reads without prompts
+          "--output-format",
+          "text"
+          // Ensure non-interactive output
         ],
         {
           cwd: options.cwd,
@@ -323,7 +333,9 @@ var ClaudeCodeExecutor = class {
             ...process.env,
             NO_COLOR: "1"
           },
-          reject: false
+          reject: false,
+          stdin: "ignore"
+          // Prevent waiting for stdin
         }
       );
       if (stderr) {
@@ -340,6 +352,13 @@ var ClaudeCodeExecutor = class {
           throw new Error(`Claude Code error: ${stderr.substring(0, 200)}`);
         }
       }
+      if (process.env.WHITEROSE_DEBUG) {
+        console.log("\n[DEBUG] Claude Code stdout length:", stdout?.length || 0);
+        console.log("[DEBUG] Claude Code stderr:", stderr?.substring(0, 300) || "(none)");
+        console.log("[DEBUG] First 1000 chars of stdout:");
+        console.log(stdout?.substring(0, 1e3) || "(empty)");
+        console.log("[DEBUG] End response\n");
+      }
       return {
         output: stdout || "",
         error: stderr || void 0
@@ -443,6 +462,17 @@ var GeminiExecutor = class {
           reject: false
         }
       );
+      if (stderr) {
+        if (stderr.includes("429") || stderr.includes("rate limit") || stderr.includes("quota exceeded")) {
+          throw new Error("Gemini API rate limit reached. Try again later.");
+        }
+        if (stderr.includes("401") || stderr.includes("403") || stderr.includes("unauthorized") || stderr.includes("invalid api key")) {
+          throw new Error("Gemini API authentication failed. Check your API key.");
+        }
+        if ((stderr.includes("Error") || stderr.includes("error")) && !stdout) {
+          throw new Error(`Gemini error: ${stderr.substring(0, 200)}`);
+        }
+      }
       return {
         output: stdout || "",
         error: stderr || void 0
@@ -483,6 +513,20 @@ var AiderExecutor = class {
           reject: false
         }
       );
+      if (stderr) {
+        if (stderr.includes("429") || stderr.includes("rate limit") || stderr.includes("RateLimitError")) {
+          throw new Error("Aider API rate limit reached. Try again later.");
+        }
+        if (stderr.includes("401") || stderr.includes("AuthenticationError") || stderr.includes("invalid api key")) {
+          throw new Error("Aider API authentication failed. Check your API key.");
+        }
+        if (stderr.includes("402") || stderr.includes("insufficient") || stderr.includes("billing")) {
+          throw new Error("Aider API billing error. Check your account credits.");
+        }
+        if ((stderr.includes("Error") || stderr.includes("error")) && !stdout) {
+          throw new Error(`Aider error: ${stderr.substring(0, 200)}`);
+        }
+      }
       return {
         output: stdout || "",
         error: stderr || void 0
@@ -522,6 +566,20 @@ var OllamaExecutor = class {
           reject: false
         }
       );
+      if (stderr) {
+        if (stderr.includes("connection refused") || stderr.includes("ECONNREFUSED")) {
+          throw new Error("Ollama server not running. Start it with: ollama serve");
+        }
+        if (stderr.includes("model") && (stderr.includes("not found") || stderr.includes("does not exist"))) {
+          throw new Error(`Ollama model '${this.model}' not found. Run: ollama pull ${this.model}`);
+        }
+        if (stderr.includes("out of memory") || stderr.includes("OOM")) {
+          throw new Error("Ollama out of memory. Try a smaller model or increase system memory.");
+        }
+        if ((stderr.includes("Error") || stderr.includes("error")) && !stdout) {
+          throw new Error(`Ollama error: ${stderr.substring(0, 200)}`);
+        }
+      }
       return {
         output: stdout || "",
         error: stderr || void 0
@@ -1156,23 +1214,18 @@ ${pass.falsePositiveHints.map((h) => `- ${h}`).join("\n")}
 ${cwePatterns ? `## KNOWN VULNERABILITY PATTERNS
 ${cwePatterns}` : ""}
 
-## CRITICAL RULES
+## REPORTING GUIDELINES
 
-1. **ONLY ${pass.name.toUpperCase()} BUGS** - Ignore all other categories
-2. **MUST HAVE FIX** - No fix = not confirmed = don't report
-3. **TRACE THE DATA** - Follow user input to the vulnerable sink
-4. **CHECK GUARDS** - Verify there's no validation you missed
-5. **BE SPECIFIC** - Exact file, line, and triggering input
-6. **CHECK CONTROL FLOW** - CRITICAL: Verify the buggy line is actually REACHABLE:
-   - Look for early returns: \`if (x.length === 0) return;\` makes later \`x[0]\` SAFE
-   - Look for throws: \`if (!user) throw new Error()\` makes later \`user.name\` SAFE
-   - Look for guard clauses that exit before the buggy line
-   - If a condition causes function exit, code after is UNREACHABLE in that case
-   - Example FALSE POSITIVE: \`if (arr.length === 0) return false; ... arr[0].name\` - the access is SAFE because empty array caused early return
+1. **ONLY ${pass.name.toUpperCase()} ISSUES** - Focus on this category
+2. **REPORT POTENTIAL ISSUES** - If something looks suspicious, report it. Better to flag potential issues than miss real bugs.
+3. **INCLUDE CODE SMELLS** - Report risky patterns even if not immediately exploitable (set kind: "smell")
+4. **TRACE THE DATA** - Follow user input to potentially vulnerable sinks
+5. **BE SPECIFIC** - Include exact file, line number, and what makes it suspicious
+6. **SUGGESTED FIX IS OPTIONAL** - Nice to have but not required. Report the issue even without a fix.
 
 ## REPORTING FORMAT
 
-When you find a CONFIRMED ${pass.name} bug:
+When you find a ${pass.name} issue (bug or code smell):
 
 <json>
 {
@@ -1181,25 +1234,23 @@ When you find a CONFIRMED ${pass.name} bug:
     "file": "src/api/users.ts",
     "line": 42,
     "endLine": 45,
-    "title": "Short description of the bug",
-    "description": "Detailed explanation of why this is a bug and how it can be exploited.",
+    "title": "Short description of the issue",
+    "description": "Explanation of why this is problematic and potential impact.",
+    "kind": "bug|smell",
     "category": "${pass.category}",
     "severity": "critical|high|medium|low",
     "confidence": "high|medium|low",
-    "triggerInput": "Exact input that triggers the bug",
-    "codePath": [
-      {"step": 1, "file": "src/api/users.ts", "line": 38, "code": "const name = req.query.name", "explanation": "User input enters here"},
-      {"step": 2, "file": "src/api/users.ts", "line": 42, "code": "db.execute(query)", "explanation": "Used unsafely here"}
-    ],
     "evidence": [
       "Evidence point 1",
       "Evidence point 2"
     ],
-    "suggestedFix": "const result = await db.query('SELECT * FROM users WHERE name = $1', [req.query.name]);"
+    "suggestedFix": "Optional: how to fix it"
   }
 }
 </json>
 
+Use kind="bug" for confirmed vulnerabilities, kind="smell" for risky patterns that need review.
+
 Progress updates:
 ###SCANNING:path/to/file.ts
 
@@ -1208,9 +1259,13 @@ When done:
 
 ## BEGIN
 
-Start by searching for ${pass.name} patterns using grep. Then read the files and trace the data flow. Report bugs as you confirm them.
+Start by searching for ${pass.name} patterns using grep. Read at least 10-15 files that match the patterns. Report issues as you find them.
 
-REMEMBER: Only ${pass.name.toUpperCase()} bugs. Quality over quantity. Every bug must have an exact fix.`;
+IMPORTANT:
+- Report ANYTHING suspicious - we'll filter false positives later
+- Include code smells and risky patterns, not just confirmed exploits
+- If unsure, report it with confidence="low"
+- Aim for thoroughness - finding 10 potential issues is better than finding 0 confirmed bugs`;
 }
 
 // src/providers/prompts/constants.ts
@@ -2515,31 +2570,46 @@ var CoreScanner = class {
     return jobs;
   }
   buildQuickScanPrompt(context) {
-    const { understanding, staticResults } = context;
+    const { understanding, staticResults, files } = context;
     const staticSignals = staticResults.length > 0 ? `
 Static analysis signals:
 ${staticResults.slice(0, 30).map((r) => `- ${r.file}:${r.line}: ${r.message}`).join("\n")}` : "";
-    return `You are a security auditor. Analyze this ${understanding.summary.type} codebase for bugs.
+    const fileList = files.slice(0, 50).map((f) => `- ${f}`).join("\n");
+    const moreFiles = files.length > 50 ? `
+... and ${files.length - 50} more files` : "";
+    return `You are a security auditor. Analyze this ${understanding.summary.type} codebase for bugs and code smells.
 
 Project: ${understanding.summary.description || "Unknown"}
 Framework: ${understanding.summary.framework || "None"}
 Language: ${understanding.summary.language}
-${staticSignals}
-
-Find bugs in these categories:
-1. Injection (SQL, command, XSS)
-2. Auth bypass
-3. Null/undefined dereference
-4. Logic errors
-5. Async/race conditions
-6. Resource leaks
-7. Data validation issues
-8. Secrets exposure
 
-Output ONLY a JSON array:
-[{"file": "path", "line": 42, "title": "Bug title", "description": "Details", "severity": "critical|high|medium|low", "category": "injection|auth-bypass|null-reference|logic-error|async-issue|resource-leak|data-validation|secrets-exposure", "evidence": ["evidence"], "suggestedFix": "fix"}]
+## FILES TO ANALYZE
+Read and analyze these files for security issues:
+${fileList}${moreFiles}
+${staticSignals}
 
-If no bugs, return: []`;
+## INSTRUCTIONS
+1. Read each file listed above
+2. Look for security issues, bugs, and code smells
+3. Report ALL suspicious patterns - false positives will be filtered later
+4. Use kind="smell" for risky patterns, kind="bug" for confirmed issues
+
+## CATEGORIES TO CHECK
+- Injection (SQL, command, XSS) - unsanitized user input
+- Auth bypass - missing auth checks, IDOR
+- Null/undefined dereference - accessing properties on potentially null values
+- Logic errors - wrong conditions, off-by-one, inverted checks
+- Async/race conditions - unhandled promises, race conditions
+- Resource leaks - unclosed handles, missing cleanup
+- Data validation - missing input validation, type coercion issues
+- Secrets exposure - hardcoded keys, leaked credentials
+- Error handling - swallowed errors, missing try/catch
+
+## OUTPUT FORMAT
+Output a JSON array (one object per issue found):
+[{"file": "path", "line": 42, "title": "Issue title", "description": "Details", "kind": "bug|smell", "severity": "critical|high|medium|low", "category": "logic-error", "evidence": ["evidence"]}]
+
+If no issues found after reading all files, return: []`;
   }
   // ─────────────────────────────────────────────────────────────
   // Response Parsing
@@ -2560,6 +2630,23 @@ If no bugs, return: []`;
       } catch {
       }
     }
+    if (bugs.length === 0) {
+      const codeBlockMatches = output.matchAll(/```(?:json)?\s*([\s\S]*?)```/g);
+      for (const match of codeBlockMatches) {
+        try {
+          const parsed = JSON.parse(match[1].trim());
+          const items = Array.isArray(parsed) ? parsed : [parsed];
+          for (const item of items) {
+            const bug = this.parseBugData(item, startIndex + bugs.length, files, passName);
+            if (bug) {
+              bugs.push(bug);
+              this.progress.onBugFound?.(bug);
+            }
+          }
+        } catch {
+        }
+      }
+    }
     if (bugs.length === 0) {
       const arrayMatch = output.match(/\[[\s\S]*\]/);
       if (arrayMatch) {
@@ -2578,6 +2665,20 @@ If no bugs, return: []`;
         }
       }
     }
+    if (bugs.length === 0) {
+      const objectMatches = output.matchAll(/\{[^{}]*"file"[^{}]*"line"[^{}]*\}/g);
+      for (const match of objectMatches) {
+        try {
+          const parsed = JSON.parse(match[0]);
+          const bug = this.parseBugData(parsed, startIndex + bugs.length, files, passName);
+          if (bug) {
+            bugs.push(bug);
+            this.progress.onBugFound?.(bug);
+          }
+        } catch {
+        }
+      }
+    }
     return bugs;
   }
   parseBugData(data, index, files, passName) {
@@ -5274,10 +5375,26 @@ async function scanCommand(paths, options) {
     if (!isQuiet) {
       const spinner6 = p3.spinner();
       spinner6.start("Scanning files...");
-      filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
+      if (paths.length > 0) {
+        filesToScan = await fg3(paths, {
+          cwd,
+          ignore: ["node_modules/**", "dist/**", "build/**", ".next/**"],
+          absolute: false
+        });
+      } else {
+        filesToScan = await scanCodebase(cwd, config);
+      }
       spinner6.stop(`Found ${filesToScan.length} files to scan`);
     } else {
-      filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
+      if (paths.length > 0) {
+        filesToScan = await fg3(paths, {
+          cwd,
+          ignore: ["node_modules/**", "dist/**", "build/**", ".next/**"],
+          absolute: false
+        });
+      } else {
+        filesToScan = await scanCodebase(cwd, config);
+      }
     }
   } else {
     if (!config) {