@vulcn/engine 0.3.2 → 0.5.0

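--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,63 @@
 # Changelog
 
+## 0.5.0
+
+### Minor Changes
+
+- 56eb043: ### @vulcn/plugin-report
+- **SARIF v2.1.0 output** — new `generateSarif()` generator produces reports compatible with GitHub Code Scanning, Azure DevOps, and other SARIF-consuming tools
+- Added `"sarif"` to the `format` config option (`html | json | yaml | sarif | all`)
+- CWE mappings for all vulnerability types including passive scan categories
+- CVSS-like security-severity scores for GitHub Security tab sorting
+- Fingerprinting and deduplication for stable result tracking across runs
+
+### @vulcn/plugin-passive
+- **New plugin** — passive security scanner that analyzes HTTP responses during session replay without injecting payloads
+- Detects missing security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) with value validation
+- Detects insecure cookie configurations (missing Secure, HttpOnly, SameSite flags)
+- Detects information disclosure (Server version, X-Powered-By, debug tokens)
+- Detects CORS misconfigurations (wildcard origins, credentials with wildcards)
+- Detects mixed content (HTTP resources on HTTPS pages)
+- Automatic deduplication — each unique issue reported once per origin
+- Configurable severity levels and per-check enable/disable toggles
+
+### @vulcn/engine
+- Added `"security-misconfiguration"` and `"information-disclosure"` to `PayloadCategory` type
+- These new categories support passive scanner findings in reports and SARIF output
+
+### vulcn (CLI)
+- Added `--passive` flag to `vulcn run` to enable the passive security scanner
+- Added `"sarif"` to the `--report` format option
+- Auto-loads `@vulcn/plugin-passive` when `--passive` is specified
+- Updated help text with passive scanning and SARIF examples
+
+## 0.4.0
+
+### Minor Changes
+
+- d4fd4df: ### Breaking: Remove built-in payloads, PayloadBox is now the default
+
+All hardcoded built-in payloads have been removed. Payloads are now fetched on demand from [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings), the largest community-curated security payload collection.
+
+**`@vulcn/engine`**
+- Removed `"builtin"` from `PayloadSource` type — valid sources are now `"custom" | "payloadbox" | "plugin"`
+
+**`@vulcn/plugin-payloads`**
+- Removed all built-in payload sets and the `builtin`, `include`, `exclude`, `payloadbox` config options
+- New config: `types` (short aliases), `limit`, `files`
+- Short aliases for payload types: `xss`, `sqli`, `xxe`, `cmd`, `redirect`, `traversal`
+- Removed legacy `payloadbox:` prefix — use short aliases directly
+
+**`vulcn` (CLI)**
+- Default payload changed from `xss-basic` to `xss` (PayloadBox)
+- `vulcn payloads` now lists PayloadBox types with short aliases
+- `vulcn run` help updated with payload type reference
+- Auto-loads `@vulcn/plugin-detect-sqli` when `sqli` payloads are used
+
+**`@vulcn/plugin-detect-sqli`**
+- SQL injection detection plugin with error-based, response diffing, and timing-based strategies
+- Auto-loaded by CLI when SQLi payloads are selected
+
 ## 0.3.2
 
 ### Patch Changes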
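--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -7,11 +7,11 @@ import { z } from 'zod';
 /**
 * Valid payload categories
 */
-type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "custom";
+type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "security-misconfiguration" | "information-disclosure" | "custom";
 /**
 * Payload source types
 */
-type PayloadSource = "builtin" | "custom" | "payloadbox" | "plugin";
+type PayloadSource = "custom" | "payloadbox" | "plugin";
 /**
 * Runtime payload structure - used by plugins and the runner
 */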
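--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -7,11 +7,11 @@ import { z } from 'zod';
 /**
 * Valid payload categories
 */
-type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "custom";
+type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "security-misconfiguration" | "information-disclosure" | "custom";
 /**
 * Payload source types
 */
-type PayloadSource = "builtin" | "custom" | "payloadbox" | "plugin";
+type PayloadSource = "custom" | "payloadbox" | "plugin";
 /**
 * Runtime payload structure - used by plugins and the runner
 */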
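--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@vulcn/engine",
-"version": "0.3.2",
+"version": "0.5.0",
 "description": "Fast, modern security testing engine — record browser sessions, replay with attack payloads, and detect vulnerabilities automatically. Pluggable driver and detection system for web application penetration testing.",
 "type": "module",
 "main": "./dist/index.cjs",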