@shakecodeslikecray/whiterose 1.0.8 → 1.0.9

package/dist/cli/index.js

@@ -307,14 +307,24 @@ var ClaudeCodeExecutor = class {
   }
   async runPrompt(prompt, options) {
     const claudeCommand = getProviderCommand("claude-code");
+    if (process.env.WHITEROSE_DEBUG) {
+      console.log("\n[DEBUG] Running Claude Code command:", claudeCommand);
+      console.log("[DEBUG] Prompt length:", prompt.length);
+      console.log("[DEBUG] CWD:", options.cwd);
+      console.log("[DEBUG] First 500 chars of prompt:");
+      console.log(prompt.substring(0, 500));
+    }
     try {
       const { stdout, stderr } = await execa(
         claudeCommand,
         [
           "-p",
           prompt,
-          "--dangerously-skip-permissions"
+          "--dangerously-skip-permissions",
           // Allow file reads without prompts
+          "--output-format",
+          "text"
+          // Ensure non-interactive output
         ],
         {
           cwd: options.cwd,
@@ -323,7 +333,9 @@ var ClaudeCodeExecutor = class {
             ...process.env,
             NO_COLOR: "1"
           },
-          reject: false
+          reject: false,
+          stdin: "ignore"
+          // Prevent waiting for stdin
         }
       );
       if (stderr) {
@@ -340,6 +352,13 @@ var ClaudeCodeExecutor = class {
           throw new Error(`Claude Code error: ${stderr.substring(0, 200)}`);
         }
       }
+      if (process.env.WHITEROSE_DEBUG) {
+        console.log("\n[DEBUG] Claude Code stdout length:", stdout?.length || 0);
+        console.log("[DEBUG] Claude Code stderr:", stderr?.substring(0, 300) || "(none)");
+        console.log("[DEBUG] First 1000 chars of stdout:");
+        console.log(stdout?.substring(0, 1e3) || "(empty)");
+        console.log("[DEBUG] End response\n");
+      }
       return {
         output: stdout || "",
         error: stderr || void 0
@@ -1195,23 +1214,18 @@ ${pass.falsePositiveHints.map((h) => `- ${h}`).join("\n")}
 ${cwePatterns ? `## KNOWN VULNERABILITY PATTERNS
 ${cwePatterns}` : ""}
 
-## CRITICAL RULES
+## REPORTING GUIDELINES
 
-1. **ONLY ${pass.name.toUpperCase()} BUGS** - Ignore all other categories
-2. **MUST HAVE FIX** - No fix = not confirmed = don't report
-3. **TRACE THE DATA** - Follow user input to the vulnerable sink
-4. **CHECK GUARDS** - Verify there's no validation you missed
-5. **BE SPECIFIC** - Exact file, line, and triggering input
-6. **CHECK CONTROL FLOW** - CRITICAL: Verify the buggy line is actually REACHABLE:
-   - Look for early returns: \`if (x.length === 0) return;\` makes later \`x[0]\` SAFE
-   - Look for throws: \`if (!user) throw new Error()\` makes later \`user.name\` SAFE
-   - Look for guard clauses that exit before the buggy line
-   - If a condition causes function exit, code after is UNREACHABLE in that case
-   - Example FALSE POSITIVE: \`if (arr.length === 0) return false; ... arr[0].name\` - the access is SAFE because empty array caused early return
+1. **ONLY ${pass.name.toUpperCase()} ISSUES** - Focus on this category
+2. **REPORT POTENTIAL ISSUES** - If something looks suspicious, report it. Better to flag potential issues than miss real bugs.
+3. **INCLUDE CODE SMELLS** - Report risky patterns even if not immediately exploitable (set kind: "smell")
+4. **TRACE THE DATA** - Follow user input to potentially vulnerable sinks
+5. **BE SPECIFIC** - Include exact file, line number, and what makes it suspicious
+6. **SUGGESTED FIX IS OPTIONAL** - Nice to have but not required. Report the issue even without a fix.
 
 ## REPORTING FORMAT
 
-When you find a CONFIRMED ${pass.name} bug:
+When you find a ${pass.name} issue (bug or code smell):
 
 <json>
 {
@@ -1220,25 +1234,23 @@ When you find a CONFIRMED ${pass.name} bug:
     "file": "src/api/users.ts",
     "line": 42,
     "endLine": 45,
-    "title": "Short description of the bug",
-    "description": "Detailed explanation of why this is a bug and how it can be exploited.",
+    "title": "Short description of the issue",
+    "description": "Explanation of why this is problematic and potential impact.",
+    "kind": "bug|smell",
     "category": "${pass.category}",
     "severity": "critical|high|medium|low",
     "confidence": "high|medium|low",
-    "triggerInput": "Exact input that triggers the bug",
-    "codePath": [
-      {"step": 1, "file": "src/api/users.ts", "line": 38, "code": "const name = req.query.name", "explanation": "User input enters here"},
-      {"step": 2, "file": "src/api/users.ts", "line": 42, "code": "db.execute(query)", "explanation": "Used unsafely here"}
-    ],
     "evidence": [
       "Evidence point 1",
       "Evidence point 2"
     ],
-    "suggestedFix": "const result = await db.query('SELECT * FROM users WHERE name = $1', [req.query.name]);"
+    "suggestedFix": "Optional: how to fix it"
   }
 }
 </json>
 
+Use kind="bug" for confirmed vulnerabilities, kind="smell" for risky patterns that need review.
+
 Progress updates:
 ###SCANNING:path/to/file.ts
 
@@ -1247,9 +1259,13 @@ When done:
 
 ## BEGIN
 
-Start by searching for ${pass.name} patterns using grep. Then read the files and trace the data flow. Report bugs as you confirm them.
+Start by searching for ${pass.name} patterns using grep. Read at least 10-15 files that match the patterns. Report issues as you find them.
 
-REMEMBER: Only ${pass.name.toUpperCase()} bugs. Quality over quantity. Every bug must have an exact fix.`;
+IMPORTANT:
+- Report ANYTHING suspicious - we'll filter false positives later
+- Include code smells and risky patterns, not just confirmed exploits
+- If unsure, report it with confidence="low"
+- Aim for thoroughness - finding 10 potential issues is better than finding 0 confirmed bugs`;
 }
 
 // src/providers/prompts/constants.ts
@@ -2554,31 +2570,46 @@ var CoreScanner = class {
     return jobs;
   }
   buildQuickScanPrompt(context) {
-    const { understanding, staticResults } = context;
+    const { understanding, staticResults, files } = context;
     const staticSignals = staticResults.length > 0 ? `
 Static analysis signals:
 ${staticResults.slice(0, 30).map((r) => `- ${r.file}:${r.line}: ${r.message}`).join("\n")}` : "";
-    return `You are a security auditor. Analyze this ${understanding.summary.type} codebase for bugs.
+    const fileList = files.slice(0, 50).map((f) => `- ${f}`).join("\n");
+    const moreFiles = files.length > 50 ? `
+... and ${files.length - 50} more files` : "";
+    return `You are a security auditor. Analyze this ${understanding.summary.type} codebase for bugs and code smells.
 
 Project: ${understanding.summary.description || "Unknown"}
 Framework: ${understanding.summary.framework || "None"}
 Language: ${understanding.summary.language}
-${staticSignals}
-
-Find bugs in these categories:
-1. Injection (SQL, command, XSS)
-2. Auth bypass
-3. Null/undefined dereference
-4. Logic errors
-5. Async/race conditions
-6. Resource leaks
-7. Data validation issues
-8. Secrets exposure
 
-Output ONLY a JSON array:
-[{"file": "path", "line": 42, "title": "Bug title", "description": "Details", "severity": "critical|high|medium|low", "category": "injection|auth-bypass|null-reference|logic-error|async-issue|resource-leak|data-validation|secrets-exposure", "evidence": ["evidence"], "suggestedFix": "fix"}]
+## FILES TO ANALYZE
+Read and analyze these files for security issues:
+${fileList}${moreFiles}
+${staticSignals}
 
-If no bugs, return: []`;
+## INSTRUCTIONS
+1. Read each file listed above
+2. Look for security issues, bugs, and code smells
+3. Report ALL suspicious patterns - false positives will be filtered later
+4. Use kind="smell" for risky patterns, kind="bug" for confirmed issues
+
+## CATEGORIES TO CHECK
+- Injection (SQL, command, XSS) - unsanitized user input
+- Auth bypass - missing auth checks, IDOR
+- Null/undefined dereference - accessing properties on potentially null values
+- Logic errors - wrong conditions, off-by-one, inverted checks
+- Async/race conditions - unhandled promises, race conditions
+- Resource leaks - unclosed handles, missing cleanup
+- Data validation - missing input validation, type coercion issues
+- Secrets exposure - hardcoded keys, leaked credentials
+- Error handling - swallowed errors, missing try/catch
+
+## OUTPUT FORMAT
+Output a JSON array (one object per issue found):
+[{"file": "path", "line": 42, "title": "Issue title", "description": "Details", "kind": "bug|smell", "severity": "critical|high|medium|low", "category": "logic-error", "evidence": ["evidence"]}]
+
+If no issues found after reading all files, return: []`;
   }
   // ─────────────────────────────────────────────────────────────
   // Response Parsing
@@ -2599,6 +2630,23 @@ If no bugs, return: []`;
       } catch {
       }
     }
+    if (bugs.length === 0) {
+      const codeBlockMatches = output.matchAll(/```(?:json)?\s*([\s\S]*?)```/g);
+      for (const match of codeBlockMatches) {
+        try {
+          const parsed = JSON.parse(match[1].trim());
+          const items = Array.isArray(parsed) ? parsed : [parsed];
+          for (const item of items) {
+            const bug = this.parseBugData(item, startIndex + bugs.length, files, passName);
+            if (bug) {
+              bugs.push(bug);
+              this.progress.onBugFound?.(bug);
+            }
+          }
+        } catch {
+        }
+      }
+    }
     if (bugs.length === 0) {
       const arrayMatch = output.match(/\[[\s\S]*\]/);
       if (arrayMatch) {
@@ -2617,6 +2665,20 @@ If no bugs, return: []`;
         }
       }
     }
+    if (bugs.length === 0) {
+      const objectMatches = output.matchAll(/\{[^{}]*"file"[^{}]*"line"[^{}]*\}/g);
+      for (const match of objectMatches) {
+        try {
+          const parsed = JSON.parse(match[0]);
+          const bug = this.parseBugData(parsed, startIndex + bugs.length, files, passName);
+          if (bug) {
+            bugs.push(bug);
+            this.progress.onBugFound?.(bug);
+          }
+        } catch {
+        }
+      }
+    }
     return bugs;
   }
   parseBugData(data, index, files, passName) {
@@ -5313,10 +5375,26 @@ async function scanCommand(paths, options) {
     if (!isQuiet) {
       const spinner6 = p3.spinner();
       spinner6.start("Scanning files...");
-      filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
+      if (paths.length > 0) {
+        filesToScan = await fg3(paths, {
+          cwd,
+          ignore: ["node_modules/**", "dist/**", "build/**", ".next/**"],
+          absolute: false
+        });
+      } else {
+        filesToScan = await scanCodebase(cwd, config);
+      }
       spinner6.stop(`Found ${filesToScan.length} files to scan`);
     } else {
-      filesToScan = paths.length > 0 ? paths : await scanCodebase(cwd, config);
+      if (paths.length > 0) {
+        filesToScan = await fg3(paths, {
+          cwd,
+          ignore: ["node_modules/**", "dist/**", "build/**", ".next/**"],
+          absolute: false
+        });
+      } else {
+        filesToScan = await scanCodebase(cwd, config);
+      }
     }
   } else {
     if (!config) {