@vulcn/engine 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +31 -0
  2. package/dist/index.d.cts +1 -1
  3. package/dist/index.d.ts +1 -1
  4. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -1,5 +1,36 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.5.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 56eb043: ### @vulcn/plugin-report
8
+ - **SARIF v2.1.0 output** — new `generateSarif()` generator produces reports compatible with GitHub Code Scanning, Azure DevOps, and other SARIF-consuming tools
9
+ - Added `"sarif"` to the `format` config option (`html | json | yaml | sarif | all`)
10
+ - CWE mappings for all vulnerability types including passive scan categories
11
+ - CVSS-like security-severity scores for GitHub Security tab sorting
12
+ - Fingerprinting and deduplication for stable result tracking across runs
13
+
14
+ ### @vulcn/plugin-passive
15
+ - **New plugin** — passive security scanner that analyzes HTTP responses during session replay without injecting payloads
16
+ - Detects missing security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) with value validation
17
+ - Detects insecure cookie configurations (missing Secure, HttpOnly, SameSite flags)
18
+ - Detects information disclosure (Server version, X-Powered-By, debug tokens)
19
+ - Detects CORS misconfigurations (wildcard origins, credentials with wildcards)
20
+ - Detects mixed content (HTTP resources on HTTPS pages)
21
+ - Automatic deduplication — each unique issue reported once per origin
22
+ - Configurable severity levels and per-check enable/disable toggles
23
+
24
+ ### @vulcn/engine
25
+ - Added `"security-misconfiguration"` and `"information-disclosure"` to `PayloadCategory` type
26
+ - These new categories support passive scanner findings in reports and SARIF output
27
+
28
+ ### vulcn (CLI)
29
+ - Added `--passive` flag to `vulcn run` to enable the passive security scanner
30
+ - Added `"sarif"` to the `--report` format option
31
+ - Auto-loads `@vulcn/plugin-passive` when `--passive` is specified
32
+ - Updated help text with passive scanning and SARIF examples
33
+
3
34
  ## 0.4.0
4
35
 
5
36
  ### Minor Changes
package/dist/index.d.cts CHANGED
@@ -7,7 +7,7 @@ import { z } from 'zod';
7
7
  /**
8
8
  * Valid payload categories
9
9
  */
10
- type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "custom";
10
+ type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "security-misconfiguration" | "information-disclosure" | "custom";
11
11
  /**
12
12
  * Payload source types
13
13
  */
package/dist/index.d.ts CHANGED
@@ -7,7 +7,7 @@ import { z } from 'zod';
7
7
  /**
8
8
  * Valid payload categories
9
9
  */
10
- type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "custom";
10
+ type PayloadCategory = "xss" | "sqli" | "ssrf" | "xxe" | "command-injection" | "path-traversal" | "open-redirect" | "reflection" | "security-misconfiguration" | "information-disclosure" | "custom";
11
11
  /**
12
12
  * Payload source types
13
13
  */
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vulcn/engine",
3
- "version": "0.4.0",
3
+ "version": "0.5.0",
4
4
  "description": "Fast, modern security testing engine — record browser sessions, replay with attack payloads, and detect vulnerabilities automatically. Pluggable driver and detection system for web application penetration testing.",
5
5
  "type": "module",
6
6
  "main": "./dist/index.cjs",