npm - @vulcn/engine - Versions diffs - 0.9.1 → 0.9.3 - Mend

@vulcn/engine 0.9.1 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,55 @@
 # Changelog
+## 0.9.3
+### Patch Changes
+- 90b60ed: Docs: align all documentation with v0.9 refactored architecture
+  - Replace all `vulcn.config.yml` references with `.vulcn.yml` flat config
+  - Remove `vulcn plugin` command (deleted `cli/plugin.mdx`, removed from nav)
+  - Update `vulcn run` examples to argless format (auto-discovers sessions from `sessions/`)
+  - Update auth path from `.vulcn/auth.enc` to `auth/state.enc`
+  - Replace `driverManager`/`pluginManager` singletons with `new DriverManager()`/`new PluginManager()` + `loadFromConfig()`
+  - Replace `Runner.execute()` with `DriverManager.executeScan()`
+  - Remove legacy exports section from API overview, add Project Config exports
+  - Rewrite plugins overview to document auto-loading from flat config keys
+  - Update drivers/browser config, auth workflow, and programmatic examples
+  - Update drivers/creating-drivers to remove config-based driver registration
+  - Rewrite plugin-api.mdx Session/Step types and PluginManager methods
+  - Fix plugin-report, plugin-passive, plugin-payloads, plugin-detect-sqli examples
+- 90b60ed: Improve reflection detection accuracy — eliminate XSS false positives
+  **@vulcn/driver-browser**
+  - `checkReflection`: verbatim-only matches now use type `"reflection"` instead of the payload category, distinguishing low-confidence reflection from confirmed exploitation
+  - `checkReflection`: detect patterns only run when the payload appears verbatim in rendered content, preventing false matches on partially-encoded reflections
+  - `checkReflection`: encoding suppression now explicitly checks for dangerous HTML chars before calling `isHtmlEncoded`
+  - `confirmedTypes` early-exit now only triggers on high-confidence findings (type matches payload category), allowing the scanner to continue trying payloads that may trigger actual execution (e.g. `alert()`)
+  **@vulcn/plugin-detect-reflection**
+  - Skip payloads without dangerous HTML characters — reflecting plain text like `alert(1)` is not a vulnerability
+  - Include authentication cookies when fetching raw content for encoding checks
+  - Simplified encoding check flow
+  **benchmarks**
+  - Exclude `"reflection"` findings from XSS benchmark evaluation (reflection ≠ confirmed XSS)
+  - Add Youden's J score with qualitative label to per-case summary output
+  **WAVSEP XSS benchmark (before → after)**
+  - False Positives: 6 → 0
+  - True Negatives: 1 → 7
+  - Precision: 88.5% → 100%
+  - Youden's J: 0.051 → 0.479
+## 0.9.2
+### Patch Changes
+- 800f9db: Fix multi-session report aggregation and CLI exit code behavior.
+  - **`@vulcn/plugin-report`**: Added `onScanEnd` hook for aggregate report generation. Multi-session scans (`vulcn run <session-dir>`) now produce a single report containing all findings instead of overwriting per-session. Per-session `onRunEnd` reports are skipped during scans; single-session runs are unaffected. Extracted `writeReports()` helper shared by both hooks.
+  - **`vulcn` CLI**: `vulcn run` now exits with code `0` on successful completion regardless of whether findings were detected. Exit code indicates tool success, not vulnerability presence — consistent with standard security tooling (OWASP ZAP, Nuclei, etc.).
+  - **Benchmark runner**: Fixed report path to read from `<dir>/vulcn-report.json` (matching plugin output). Bumped per-command timeout from 2min to 5min for CI. Added `VULCN_KEY` env default for non-interactive credential encryption.
 ## 0.9.1
 ### Patch Changes